Repository: activemq-artemis Updated Branches: refs/heads/2.6.x f90afad1b -> 1fd1c798b
ARTEMIS-2087 support masked passwords in management.xml (cherry picked from commit 07e14c1582c44409ed778805ff5c0018f8671544) Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/1fd1c798 Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/1fd1c798 Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/1fd1c798 Branch: refs/heads/2.6.x Commit: 1fd1c798bd8347878358838bea3fc3adc5f3286e Parents: f90afad Author: Justin Bertram <[email protected]> Authored: Thu Sep 13 16:50:07 2018 -0500 Committer: Clebert Suconic <[email protected]> Committed: Fri Sep 21 11:51:00 2018 -0400
----------------------------------------------------------------------
.../cli/factory/jmx/ManagementFactory.java | 2 +- .../activemq/artemis/dto/JMXConnectorDTO.java | 17 +++++++++++---- docs/user-manual/en/management.md | 10 +++++++-- docs/user-manual/en/masking-passwords.md | 23 ++++++++++++++++++++ 4 files changed, 45 insertions(+), 7 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
----------------------------------------------------------------------
diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
index 235cdf6..79e241e 100644
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
+++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java
@@ -60,7 +60,7 @@ public class ManagementFactory {
 return createJmxAclConfiguration(new URI(configuration), artemisHome, artemisInstance, artemisURIInstance);
 }
 
- public static ManagementContext create(ManagementContextDTO config) {
+ public static ManagementContext create(ManagementContextDTO config) throws Exception {
 ManagementContext context = new ManagementContext();
 
 if (config.getAuthorisation() != null) {
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
----------------------------------------------------------------------
diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
index 617a570..bd78481 100644
--- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
+++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java
@@ -22,6 +22,8 @@ import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.bind.annotation.XmlAttribute;
 import javax.xml.bind.annotation.XmlRootElement;
 
+import org.apache.activemq.artemis.utils.PasswordMaskingUtil;
+
 @XmlRootElement(name = "connector")
 @XmlAccessorType(XmlAccessType.FIELD)
 public class JMXConnectorDTO {
@@ -62,6 +64,9 @@ public class JMXConnectorDTO {
 @XmlAttribute (name = "trust-store-password")
 String trustStorePassword;
 
+ @XmlAttribute (name = "password-codec")
+ String passwordCodec;
+
 public String getConnectorHost() {
 return connectorHost;
 }
@@ -94,8 +99,8 @@ public class JMXConnectorDTO {
 return keyStorePath;
 }
 
- public String getKeyStorePassword() {
- return keyStorePassword;
+ public String getKeyStorePassword() throws Exception {
+ return getPassword(keyStorePassword);
 }
 
 public String getTrustStoreProvider() {
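Review bot: `create` now declares `throws Exception`, the broadest checked exception Java allows, and every caller of this public factory must now catch `Exception` or widen its own signature; the only new failure mode this commit introduces appears to be the `JMXConnectorDTO` password getters failing to decode a masked value. Consider catching that at this boundary and rethrowing something callers can act on, e.g. `throw new IllegalStateException("Unable to decode masked password in management.xml connector configuration", e);`, and keep the password value itself out of the message and any log line. At minimum document the contract with a Javadoc `@throws Exception if a masked key-store or trust-store password in the connector configuration cannot be decoded`. The body of `create` continues past the end of this hunk.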
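Review bot: The new `passwordCodec` field in the `@@ -62,6 +64,9 @@` hunk is the one attribute in this DTO whose meaning is not obvious from its name, it has no getter, and the hunk adds no comment, so its only documentation lives in management.md. A Javadoc comment on the field would help the next maintainer: `/** Fully qualified class name of the codec used to decode ENC()-wrapped key-store/trust-store passwords; when absent the default codec is used (see docs/user-manual/en/masking-passwords.md). */`. Since this value names a class that will be loaded from the configuration file, it is also worth stating that management.xml is trusted configuration, so nobody later treats the attribute as user input.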
@@ -106,7 +111,11 @@ public class JMXConnectorDTO {
 return trustStorePath;
 }
 
- public String getTrustStorePassword() {
- return trustStorePassword;
+ public String getTrustStorePassword() throws Exception {
+ return getPassword(trustStorePassword);
+ }
+
+ private String getPassword(String password) throws Exception {
+ return PasswordMaskingUtil.resolveMask(null, password, this.passwordCodec);
 }
 }
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/docs/user-manual/en/management.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/management.md b/docs/user-manual/en/management.md
index 071af6d..d415e98 100644
--- a/docs/user-manual/en/management.md
+++ b/docs/user-manual/en/management.md
@@ -444,7 +444,7 @@ You can also configure the connector using the following: - `key-store-password` The keystore password. + The keystore password. This can be [masked](masking-passwords.md). - `key-store-provider`
@@ -456,12 +456,18 @@ You can also configure the connector using the following: - `trust-store-password` The trustore password. + The trustore password. This can be [masked](masking-passwords.md). - `trust-store-provider` The provider; `JKS` by default. +- `password-codec` + + The fully qualified class name of the password codec to use. See the + [password masking](masking-passwords.md) documentation for more details on + how this works. + > **Note:** > > It is important to note that the rmi registry will pick an ip address to bind
http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/docs/user-manual/en/masking-passwords.md
----------------------------------------------------------------------
diff --git a/docs/user-manual/en/masking-passwords.md b/docs/user-manual/en/masking-passwords.md
index c7332c7..7824b11 100644
--- a/docs/user-manual/en/masking-passwords.md
+++ b/docs/user-manual/en/masking-passwords.md
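Review bot: `getPassword` passes `resolveMask` a null password whenever the attribute is absent from management.xml, which is the normal case for a connector configured with a keystore but no truststore, and nothing in the hunk guards that; please confirm `PasswordMaskingUtil.resolveMask(null, null, codec)` returns null rather than throwing, otherwise `getTrustStorePassword()` will start failing on configurations that worked before this commit. A one-line guard makes the intent explicit either way: `return password == null ? null : PasswordMaskingUtil.resolveMask(null, password, this.passwordCodec);`. The first argument is apparently the mask-password flag that the accompanying docs say is unsupported here, so a short comment on that line (`// mask-password flag is not exposed for management.xml; only ENC() wrapping is honoured`) would save the next reader a trip into `PasswordMaskingUtil`. If the decode fails, the propagated exception should identify the attribute (`key-store-password`/`trust-store-password`) but never echo the masked or decoded value.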
@@ -155,6 +155,29 @@ codec other than the default one. For example
 </web>
 ```
 
+#### Passwords in management.xml
+
+The broker embeds a JMX connector which is used for management. The connector can
+be secured using SSL and it can be configured with a keystore password and/or
+truststore password which by default are specified in plain text forms.
+
+To mask these passwords you need to use `ENC()` syntax. The `mask-password`
+boolean is not supported here.
+
+You can also set the `password-codec` attribute if you want to use a password
+codec other than the default one. For example
+
+```xml
+<connector
+ connector-port="1099"
+ connector-host="localhost"
+ secured="true"
+ key-store-path="myKeystore.jks"
+ key-store-password="ENC(3a34fd21b82bf2a822fa49a8d8fa115d"
+ trust-store-path="myTruststore.jks"
+ trust-store-password="ENC(3a34fd21b82bf2a822fa49a8d8fa115d)"/>
+```
+
 ### Passwords for the JCA Resource Adapter
 
 Both ra.xml and MDB activation configuration have a `password` property that
