[
https://issues.apache.org/jira/browse/AMQ-9746?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18024735#comment-18024735
]
ASF subversion and git services commented on AMQ-9746:
------------------------------------------------------
Commit fbc3456a5764c0323c069ee41d2888e060de852e in activemq's branch
refs/heads/activemq-6.1.x from JB Onofré
[ https://gitbox.apache.org/repos/asf?p=activemq.git;h=fbc3456a57 ]
AMQ-9746: Upgrade to Jolokia 2.3.0 (#1502)
> Request for Securing ACTIVEMQ_ENCRYPTION_PASSWORD in ActiveMQ 6.1.7
> WebConsole Configuration
> --------------------------------------------------------------------------------------------
>
> Key: AMQ-9746
> URL: https://issues.apache.org/jira/browse/AMQ-9746
> Project: ActiveMQ Classic
> Issue Type: Bug
> Components: Web Console
> Environment: h3. *ActiveMQ Version:*
> {{6.1.7}}
> Reporter: Nagaraju
> Priority: Major
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> We are currently configuring the *webconsole login* in ActiveMQ 6.1.7 using
> {{EncryptedPropertiesLogin}} via JAAS, with {{users-enc.properties}}
> containing encrypted passwords.
> This configuration requires the use of the environment variable
> {{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}}, which must currently be stored in
> *plaintext* as either:
> * A system environment variable
> * A system property (e.g., via {{{}System.setProperty(){}}})
> This approach raises {*}security concerns{*}, as the encryption key is
> exposed in plaintext, especially when starting the broker via scripts or
> containerized environments.
> *login.config*
> EncryptedPropertiesLogin {
> org.apache.activemq.jaas.PropertiesLoginModule required
>
>
> org.apache.activemq.jaas.properties.user="users-enc.properties"
>
> org.apache.activemq.jaas.properties.group="groups.properties"
> decrypt=true;
> };
> Is there a supported or recommended mechanism in ActiveMQ 6.1.7 to *avoid
> using a plain-text encryption password*
> ({{{}ACTIVEMQ_ENCRYPTION_PASSWORD{}}})?
> Specifically:
> * Can we *store the encryption password securely in a file* (e.g.,
> {{{}activemq_enc_pwd.properties{}}}) and have ActiveMQ or the JAAS module
> {*}read and decrypt it at runtime{*}?
> * Is it possible to plug in a custom {{StringPBEConfig}} implementation or
> extend {{PropertiesLoginModule}} to load the encryption password
> programmatically?
>
> We would like to keep {{users-enc.properties}} encrypted for security,
> *without exposing {{ACTIVEMQ_ENCRYPTION_PASSWORD}} in plain text* on disk or
> environment variables.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
For further information, visit: https://activemq.apache.org/contact
