  1. Qpid
  2. QPID-8135

[JMS AMQP 0-x] Connection URL options for end-to-end encryption keystore/truststore passwords can be logged when log level for 'org.apache.qpid' loggers is lower than 'warn'


Details

    Description

      The connection URL password options can be logged when the log level for 'org.apache.qpid' loggers is lower than 'warn'.

      The following cases have been identified in which a password is logged:

      1. When encryption keystore/truststore parameters are declared as part of the broker URL, the log level of the 'org.apache.qpid' loggers is set to 'info' or a lower threshold, and connectivity is not established, the encryption_key_store_password or encryption_trust_store_password can be logged at INFO level as below:
        2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'
        org.apache.qpid.transport.TransportException: Error connecting to broker
        	at org.apache.qpid.transport.network.io.IoNetworkTransport.connectTcp(IoNetworkTransport.java:151)
        ...
        2018-03-16 12:56:02,196 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers ==== Checking failoverAllowed() ====
        2018-03-16 12:56:02,197 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers Cycle Servers:
        Cycle Retries:20
        Current Cycle:20
        Server Retries:0
        Current Retry:0
        Current Broker:0
        >tcp://localhost:5672?encryption_trust_store='/path/to/trsutsore.jks'&encryption_trust_store_password='password'
        
      2. When encryption keystore/truststore parameters and/or SSL trust store parameters and/or SSL client-auth parameters are declared as part of the connection URL and the log level of the 'org.apache.qpid' loggers is set to 'debug' or a lower threshold, the password options can be logged at DEBUG level as below:
        2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/?encryption_trust_store='/path/to/keystore.jks'&trust_store='/path/to/trsustore.ts'&key_store_password='secret'&encryption_trust_store_password='password'&key_store='/path/to/keystore.ks'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'&failover='roundrobin?cyclecount='20''
        

      The workaround for the issue is to set the log level to at least 'warn' for the following loggers:

      • org.apache.qpid.client.AMQConnection
      • org.apache.qpid.jms.failover.FailoverRoundRobinServers
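
To check whether logs already written contain these passwords, the following added example (not part of the original issue or of Qpid) scans log lines in the layout shown above for the four password options named in this issue and masks their values. The sample lines are constructed from the excerpts above, and the function names are hypothetical.

```python
import re

# Password options named in this issue; they appear in the URL as name='value'.
PASSWORD_OPTIONS = (
    "encryption_key_store_password", "encryption_trust_store_password",
    "key_store_password", "trust_store_password",
)
# \b stops key_store_password matching inside encryption_key_store_password.
SECRET_RE = re.compile(r"\b(" + "|".join(PASSWORD_OPTIONS) + r")='([^']*)'")
# Header of a log event in the layout shown in the issue: date time LEVEL [thread] logger
HEADER_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \S+ (\w+)\s+\[[^\]]*\] (\S+)")

def redact(line):
    """Mask password option values, keeping the option name for triage."""
    return SECRET_RE.sub(lambda m: m.group(1) + "='********'", line)

def scan(lines):
    """Return (line_no, level, logger, [options]) for each line leaking a password.

    Continuation lines (no timestamp) inherit level/logger from the last header.
    """
    findings, level, logger = [], None, None
    for no, line in enumerate(lines, 1):
        header = HEADER_RE.match(line.strip())
        if header:
            level, logger = header.groups()
        names = [m.group(1) for m in SECRET_RE.finditer(line)
                 if m.group(2) != "********"]  # already-masked values are not leaks
        if names:
            findings.append((no, level, logger, names))
    return findings

# Constructed sample, adapted from the log excerpts quoted in this issue.
SAMPLE = """\
2018-03-16 12:56:02,196 INFO  [main] o.a.q.c.AMQConnection Unable to connect to broker at tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'
2018-03-16 12:56:02,197 INFO  [main] o.a.q.j.f.FailoverRoundRobinServers Cycle Servers:
Cycle Retries:20
>tcp://localhost:5672?encryption_trust_store='/path/to/trustore.jks'&encryption_trust_store_password='password'
2018-03-16 13:03:20,879 DEBUG [main] o.a.q.c.AMQConnection Connection(1):amqp://admin:********@consumer/?key_store_password='secret'&encryption_trust_store_password='password'&trust_store_password='secret'&brokerlist='tcp://localhost:5672'
""".splitlines()

if __name__ == "__main__":
    for no, level, logger, names in scan(SAMPLE):
        print(f"line {no}: {level} {logger} leaks {', '.join(names)}")
        print("  " + redact(SAMPLE[no - 1]))
```

Any password the scan finds in retained logs should be treated as exposed and rotated, since masking the log does not undo earlier reads.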

          People

            Unassigned
            Alex Rudyy (orudyy)