I'm looking at the documentation for storing encrypted passwords in config
files (http://activemq.apache.org/encrypted-passwords.html) and need to work
around some… uh… questionable choices in the way it is implemented by
default. Some of this may just be my misunderstanding how it works (I hope
so!), so I thought I'd ask for some advice here first before doing custom
work.

First, I'll just mention a scary error in the docs. At the end, mention is
made of using an environment variable so that "your encryptor secret is
never saved on your system and your encrypted passwords are safely stored in
the configuration files", but if you follow the example they give, this is
not true. That export command, with its plaintext password, would be written
to your history file. If you embedded that export into a script, you
shouldn't have that problem.

The same problem also exists with the "bin/activemq encrypt" command, but is
actually even worse. Though this command is quick, the run time is long
enough that anyone can capture the plaintext password in a process list
using "ps aux | grep password". The preferred solution to this problem (see,
for example, how MySQL dealt with it) is not to put the --input parameter on
the command line, but rather ask the user for it at run time. The workaround
is to find an alternative to the encrypt command, which, I think, turns out
to be necessary anyway.

Which brings me to my questions. The encryption algorithm used in the
example (PBEWithMD5AndDES) is terrible, so I want to use a different
algorithm. As the example indicates, there is a nice place in the config
where you can change this, but I've run into a couple of problems with this.

1) You can point activemq to your altered config file at launch time by
using xbean:conf/myconfig.xml; however, it doesn't seem you can do this with
the encrypt command. It seems to ignore the xbean: parameter entirely.
Looking at the code of that command, it seems like it is essentially
hard-coded to use the PBEWithMD5AndDES algorithm. Is this true? If not, how
do you get this command to use a different algorithm?

2) The example code uses
org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig to set the
algorithm. If you look at the jasypt FAQ, it says "Jasypt by itself does not
implement any algorithms, but it lets you use any JCE provider of your
choice". As far as I can tell, by default, ActiveMQ relies on the standard
JDK to provide the algorithms. That would mean the choices of algorithms are
limited to "PBEWithSHA1AndRC2_40", "PBEWithMD5AndDES" and
"PBEWithMD5AndTripleDES". All those options are terrible. (These days, a
typical high end video card can crack DES in minutes.) So, is it true that
the algorithms come from the JDK by default? Is it true that these are the
only algorithms supported?

3) The org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig object
supports a random salt option by adding:

  <property name="saltGeneratorClassName"
            value="org.jasypt.salt.RandomSaltGenerator"/>

Has anyone had any success in getting this to work?

4) Assuming my conclusions in #2 are correct, it would seem that a good fix
would be to supply a different JCE provider (maybe jBCrypt or PBKDF2) using
Spring injection. Has anyone done this? If so, can you supply the magic
config entries?




--
View this message in context: 
http://activemq.2283324.n4.nabble.com/Working-around-defaults-in-encrypted-password-system-tp4662473.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
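
An added example, not part of the original post and not ActiveMQ or Jasypt project code: a small stand-in for the encrypt command that prompts for both secrets instead of taking them as arguments, so they reach neither the shell history nor the process list, and that prints which PBE ciphers the installed JCE providers register. The class name PromptingEncryptor and the default algorithm are assumptions, and the Jasypt jar must be on the classpath.

```java
// Added example; PromptingEncryptor is a hypothetical class name.
import java.io.Console;
import java.security.Security;
import java.util.Arrays;
import java.util.TreeSet;
import org.jasypt.encryption.pbe.StandardPBEStringEncryptor;
import org.jasypt.salt.RandomSaltGenerator;

public class PromptingEncryptor {
    public static void main(String[] args) {
        // The algorithm name is not secret, so it may be given as an argument.
        // Assumed default: one of the algorithms named in the post.
        String algorithm = args.length > 0 ? args[0] : "PBEWithMD5AndTripleDES";

        // Show the PBE ciphers registered by the JCE providers in this JVM.
        TreeSet<String> pbe = new TreeSet<>();
        for (String name : Security.getAlgorithms("Cipher")) {
            if (name.toUpperCase().startsWith("PBE")) {
                pbe.add(name);
            }
        }
        System.err.println("PBE ciphers registered in this JVM: " + pbe);

        Console console = System.console();
        if (console == null) {
            System.err.println("No interactive console; refusing to read secrets.");
            System.exit(1);
        }
        // readPassword() turns echo off and returns char[] so the buffers can be wiped.
        char[] secret = console.readPassword("Encryptor secret: ");
        char[] value = console.readPassword("Password to encrypt: ");
        if (secret == null || value == null || secret.length == 0) {
            System.err.println("Empty input; nothing encrypted.");
            System.exit(1);
        }
        try {
            StandardPBEStringEncryptor enc = new StandardPBEStringEncryptor();
            enc.setAlgorithm(algorithm);
            enc.setSaltGenerator(new RandomSaltGenerator()); // fresh salt per value
            enc.setPasswordCharArray(secret);
            // encrypt() takes a String, so one immutable copy of the value remains.
            // ENC(...) is the wrapper the linked documentation uses in its properties file.
            System.out.println("ENC(" + enc.encrypt(new String(value)) + ")");
        } finally {
            Arrays.fill(secret, '\0');
            Arrays.fill(value, '\0');
        }
    }
}
```

The algorithm passed here has to match the one set on the encryptor configuration in the broker's XML, otherwise the broker cannot decrypt the value.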