[
https://issues.apache.org/jira/browse/AMQ-9746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18009147#comment-18009147
]
Nagaraju commented on AMQ-9746:
-------------------------------
We have identified a limitation in the
[{{EncryptionSupport}}|https://github.com/apache/activemq/blob/main/activemq-jaas/src/main/java/org/apache/activemq/jaas/EncryptionSupport.java]
class that affects the flexibility of providing encryption passwords for JAAS
modules like {{{}PropertiesLoginModule{}}}.
Currently, in {{{}EncryptionSupport{}}}, the encryption password is hardcoded
to be read only from the environment variable
{{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}}:
public static StandardPBEStringEncryptor createEncryptor(String algorithm) {
StandardPBEStringEncryptor encryptor = new StandardPBEStringEncryptor();
EnvironmentStringPBEConfig config = new EnvironmentStringPBEConfig();
if (algorithm != null) {
encryptor.setAlgorithm(algorithm);
// From Jasypt: for PBE-AES-based algorithms, the IV generator is
MANDATORY"
if (algorithm.startsWith("PBE") && algorithm.contains("AES")) {
encryptor.setIvGenerator(new RandomIvGenerator());
}
}
{color:#FF0000}*config.setPasswordEnvName("ACTIVEMQ_ENCRYPTION_PASSWORD");*{color}
encryptor.setConfig(config);
return encryptor;
}
This ignores the fact that {{EnvironmentStringPBEConfig}} (used internally)
*already supports fetching the password from a system property* via:
config.setPasswordSysPropertyName("some.system.property.name");
In fact, the implementation in {{EnvironmentStringPBEConfig}} prioritizes
{{System.getProperty(...)}} if the {{passwordSysPropertyName}} is set:
public void setPasswordSysPropertyName(String passwordSysPropertyName) {
this.passwordSysPropertyName = passwordSysPropertyName;
if (passwordSysPropertyName == null) {
super.setPassword((String) null);
} else {
this.passwordEnvName = null;
super.setPassword(System.getProperty(passwordSysPropertyName));
}
}
However, since {{EncryptionSupport}} hardcodes the environment variable path
and doesn't expose a way to configure either the system property or even
override the env var name, this feature is effectively blocked.
> Request for Securing ACTIVEMQ_ENCRYPTION_PASSWORD in ActiveMQ 6.1.7
> WebConsole Configuration
> --------------------------------------------------------------------------------------------
>
> Key: AMQ-9746
> URL: https://issues.apache.org/jira/browse/AMQ-9746
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: Web Console
> Environment: h3. *ActiveMQ Version:*
> {{6.1.7}}
> Reporter: Nagaraju
> Priority: Major
>
> We are currently configuring the *webconsole login* in ActiveMQ 6.1.7 using
> {{EncryptedPropertiesLogin}} via JAAS, with {{users-enc.properties}}
> containing encrypted passwords.
> This configuration requires the use of the environment variable
> {{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}}, which must currently be stored in
> *plaintext* as either:
> * A system environment variable
> * A system property (e.g., via {{{}System.setProperty(){}}})
> This approach raises {*}security concerns{*}, as the encryption key is
> exposed in plaintext, especially when starting the broker via scripts or
> containerized environments.
> *login.config*
> EncryptedPropertiesLogin {
> org.apache.activemq.jaas.PropertiesLoginModule required
>
>
> org.apache.activemq.jaas.properties.user="users-enc.properties"
>
> org.apache.activemq.jaas.properties.group="groups.properties"
> decrypt=true;
> };
> Is there a supported or recommended mechanism in ActiveMQ 6.1.7 to *avoid
> using a plain-text encryption password*
> ({{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}})?
> Specifically:
> * Can we *store the encryption password securely in a file* (e.g.,
> {{{}activemq_enc_pwd.properties{}}}) and have ActiveMQ or the JAAS module
> {*}read and decrypt it at runtime{*}?
> * Is it possible to plug in a custom {{StringPBEConfig}} implementation or
> extend {{PropertiesLoginModule}} to load the encryption password
> programmatically?
>
> We would like to keep {{users-enc.properties}} encrypted for security,
> *without exposing {{ACTIVEMQ_ENCRYPTION_PASSWORD}} in plain text* on disk or
> environment variables.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
