[ https://issues.apache.org/jira/browse/ARTEMIS-3488?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Valeriy Ak updated ARTEMIS-3488:
--------------------------------
    Description: 
Currently all passwords can be masked in broker.xml and bootstrap.xml.

However, for symmetric passwords the BlowfishAlgorithm uses the default internalKey = *clusterpassword* (org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec.BlowfishAlgorithm:129).

Also, DefaultSensitiveStringCodec (the release has only this implementation) has an option to change the initKey, but it looks too silly:

broker.xml
{code:java}
<configuration>
  <core xmlns="urn:activemq:core">
    <mask-password>true</mask-password>
    <password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeig</password-codec>
    <acceptors>
      <acceptor name="artemis">
        tcp://0.0.0.0:61616?keyStorePassword=2490b5e188dbee2b6ad98b1650ed3d10
      </acceptor>
    </acceptors>
  </core>
</configuration>
{code}

bootstrap.xml
{code:java}
<broker xmlns="http://activemq.org/schema">
  <web bind="https://0.0.0.0:8161" path="web"
       keyStorePath="/var/run/stores//keystore/keystore.jks"
       passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=changeig"
       keyStorePassword="ENC(2490b5e188dbee2b6ad98b1650ed3d10)">
  </web>
</broker>
{code}

So... it just adds another step for a hacker to get all passwords. For example, it is easy to get all passwords using a tool like [http://blowfish.online-domain-tools.com/].

What needs to be done:
# Add an optional param AMQ_PASSWORD_CODEC_INIT_KEY (like AMQ_USER, AMQ_PASSWORD).
# DefaultSensitiveStringCodec.BlowfishAlgorithm gets this parameter as the initKey by default. If a key is passed, use it.

  was:
(The previous description was the same text, except that it read "DefaultSensitiveStringCodec (the image has only this implementation)" instead of "(the release has only this implementation)".)

> Create env variable AMQ_PASSWORD_CODEC_INIT_KEY
> -----------------------------------------------
>
>                 Key: ARTEMIS-3488
>                 URL: https://issues.apache.org/jira/browse/ARTEMIS-3488
>             Project: ActiveMQ Artemis
>          Issue Type: New Feature
>          Components: Configuration
>    Affects Versions: 2.18.0
>            Reporter: Valeriy Ak
>            Priority: Major
>              Labels: password, security
>
> (Issue description as above.)

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
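The following is an added example, not code from Apache ActiveMQ Artemis or from the reporter. It re-implements, stand-alone on the JDK, the masking scheme the ticket describes (Blowfish with the hard-coded default key *clusterpassword*, ciphertext rendered as a hex number through BigInteger) to make the security point concrete: a masked value is recovered by anyone who knows the key, and both the default key and a `key=changeig` parameter written into broker.xml are known to anyone who can read that file. It then shows the ticket's proposal, taking the key from an environment variable, using the name AMQ_PASSWORD_CODEC_INIT_KEY exactly as the ticket proposes it (it is a proposal, not an existing Artemis variable). Byte-level compatibility with DefaultSensitiveStringCodec is assumed rather than verified, the sample password is constructed, and the `changeig` key is the value from the reporter's config.

```java
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.util.Arrays;
import javax.crypto.Cipher;
import javax.crypto.spec.SecretKeySpec;

/**
 * Added example, not Artemis code: a stand-alone re-implementation of the
 * Blowfish masking scheme described in ARTEMIS-3488. Byte-level compatibility
 * with DefaultSensitiveStringCodec is an assumption.
 */
public class MaskingDemo {

    /** The default key named in the ticket. It is in the public source, so treat it as public. */
    static final byte[] DEFAULT_KEY = "clusterpassword".getBytes(StandardCharsets.UTF_8);

    /** Variable name proposed by the ticket (assumption: not an existing Artemis setting). */
    static final String ENV_KEY = "AMQ_PASSWORD_CODEC_INIT_KEY";

    /** "Blowfish" resolves to Blowfish/ECB/PKCS5Padding in the default JDK provider. */
    private static Cipher blowfish(int mode, byte[] key) throws Exception {
        Cipher cipher = Cipher.getInstance("Blowfish");
        cipher.init(mode, new SecretKeySpec(key, "Blowfish"));
        return cipher;
    }

    /** Mask a password: encrypt, then render the ciphertext as a signed hex number. */
    static String mask(String plain, byte[] key) throws Exception {
        byte[] ct = blowfish(Cipher.ENCRYPT_MODE, key).doFinal(plain.getBytes(StandardCharsets.UTF_8));
        return new BigInteger(ct).toString(16);
    }

    /** Reverse of mask(): parse the hex number, restore 8-byte block alignment, decrypt. */
    static String unmask(String masked, byte[] key) throws Exception {
        BigInteger n = new BigInteger(masked, 16);
        byte[] raw = n.toByteArray();
        // BigInteger drops leading 0x00 (positive) or 0xFF (negative) bytes, so the
        // ciphertext can come back shorter than a whole number of Blowfish blocks.
        // Left-pad with the sign byte to restore the original length.
        int aligned = ((raw.length + 7) / 8) * 8;
        if (raw.length != aligned) {
            byte[] padded = new byte[aligned];
            Arrays.fill(padded, 0, aligned - raw.length, (byte) (n.signum() < 0 ? 0xFF : 0x00));
            System.arraycopy(raw, 0, padded, aligned - raw.length, raw.length);
            raw = padded;
        }
        return new String(blowfish(Cipher.DECRYPT_MODE, key).doFinal(raw), StandardCharsets.UTF_8);
    }

    /**
     * The ticket's proposal: take the key from the environment and fall back to the
     * hard-coded default only when nothing is set, so the key never sits in broker.xml.
     */
    static byte[] keyFromEnvironment() {
        String fromEnv = System.getenv(ENV_KEY);
        if (fromEnv == null || fromEnv.isEmpty()) {
            System.err.println("WARNING: " + ENV_KEY + " not set; masked passwords use the public default key");
            return DEFAULT_KEY;
        }
        return fromEnv.getBytes(StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        String password = "keystore-s3cret"; // constructed sample, not a real credential

        // 1. Default key: the masked value looks opaque, but the key is public.
        String masked = mask(password, DEFAULT_KEY);
        System.out.println("masked with default key  : " + masked);
        System.out.println("recovered by anyone      : " + unmask(masked, DEFAULT_KEY));

        // 2. key=changeig in broker.xml: whoever reads broker.xml has ciphertext and key together.
        byte[] keyInFile = "changeig".getBytes(StandardCharsets.UTF_8);
        String maskedWithFileKey = mask(password, keyInFile);
        System.out.println("masked with key=changeig : " + maskedWithFileKey);
        System.out.println("recovered from same file : " + unmask(maskedWithFileKey, keyInFile));

        // 3. Key from the environment: the config file alone is no longer enough to unmask.
        byte[] envKey = keyFromEnvironment();
        String maskedWithEnvKey = mask(password, envKey);
        System.out.println("masked with env key      : " + maskedWithEnvKey);
        System.out.println("round trip with env key  : " + unmask(maskedWithEnvKey, envKey));
    }
}
```

Run it once without the variable and once with `AMQ_PASSWORD_CODEC_INIT_KEY` exported; in the first case the printed warning is the tell that the masked values are recoverable by anyone who reads broker.xml. Keeping the key out of the same file set as the ciphertext is what turns this from reversible obfuscation into something an attacker with read access to the config cannot undo on their own, though the key must then be protected in the broker's environment (service unit, container secret) with the same care as the passwords it covers.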