ARTEMIS-3488 add system property for setting key in DefaultSensitiveStringCodec

This commit is contained in:
Justin Bertram 2021-10-06 11:12:41 -05:00
parent 481b73c8ca
commit 1740f9cfef
No known key found for this signature in database
GPG Key ID: F41830B875BB8633
4 changed files with 66 additions and 18 deletions

View File

@ -132,5 +132,6 @@ exec "$JAVACMD" \
-Dartemis.instance.etc="$ARTEMIS_INSTANCE_ETC" \ -Dartemis.instance.etc="$ARTEMIS_INSTANCE_ETC" \
-Djava.util.logging.manager="$ARTEMIS_LOG_MANAGER" \ -Djava.util.logging.manager="$ARTEMIS_LOG_MANAGER" \
-Dlogging.configuration="$ARTEMIS_LOGGING_CONF" \ -Dlogging.configuration="$ARTEMIS_LOGGING_CONF" \
-Dartemis.default.sensitive.string.codec.key="$ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY" \
$DEBUG_ARGS \ $DEBUG_ARGS \
org.apache.activemq.artemis.boot.Artemis "$@" org.apache.activemq.artemis.boot.Artemis "$@"

View File

@ -68,6 +68,8 @@ set JVM_ARGS=%JVM_ARGS% -Ddata.dir=%ARTEMIS_DATA_DIR%
set JVM_ARGS=%JVM_ARGS% -Dartemis.instance.etc=%ARTEMIS_INSTANCE_ETC% set JVM_ARGS=%JVM_ARGS% -Dartemis.instance.etc=%ARTEMIS_INSTANCE_ETC%
set JVM_ARGS=%JVM_ARGS% -Djava.util.logging.manager=%ARTEMIS_LOG_MANAGER% set JVM_ARGS=%JVM_ARGS% -Djava.util.logging.manager=%ARTEMIS_LOG_MANAGER%
set JVM_ARGS=%JVM_ARGS% -Dlogging.configuration=%ARTEMIS_LOGGING_CONF% set JVM_ARGS=%JVM_ARGS% -Dlogging.configuration=%ARTEMIS_LOGGING_CONF%
set JVM_ARGS=%JVM_ARGS% -Dartemis.default.sensitive.string.codec.key=%ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY%
if not "%DEBUG_ARGS%"=="" set JVM_ARGS=%JVM_ARGS% %DEBUG_ARGS% if not "%DEBUG_ARGS%"=="" set JVM_ARGS=%JVM_ARGS% %DEBUG_ARGS%
"%_JAVACMD%" %JVM_ARGS% org.apache.activemq.artemis.boot.Artemis %* "%_JAVACMD%" %JVM_ARGS% org.apache.activemq.artemis.boot.Artemis %*

View File

@ -52,6 +52,7 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
public static final String BLOWFISH_KEY = "key"; public static final String BLOWFISH_KEY = "key";
public static final String ONE_WAY = "one-way"; public static final String ONE_WAY = "one-way";
public static final String TWO_WAY = "two-way"; public static final String TWO_WAY = "two-way";
public static final String KEY_SYSTEM_PROPERTY = "artemis.default.sensitive.string.codec.key";
private CodecAlgorithm algorithm = new BlowfishAlgorithm(Collections.EMPTY_MAP); private CodecAlgorithm algorithm = new BlowfishAlgorithm(Collections.EMPTY_MAP);
@ -128,11 +129,18 @@ public class DefaultSensitiveStringCodec implements SensitiveDataCodec<String> {
private byte[] internalKey = "clusterpassword".getBytes(); private byte[] internalKey = "clusterpassword".getBytes();
BlowfishAlgorithm(Map<String, String> params) { BlowfishAlgorithm(Map<String, String> params) {
super(params); super(params);
String key = params.get(BLOWFISH_KEY); String key = params.get(BLOWFISH_KEY);
if (key != null) { if (key != null) {
updateKey(key); updateKey(key);
} else {
key = System.getProperty(KEY_SYSTEM_PROPERTY);
if (key != null && key.trim().length() > 0) {
logger.trace("Set key from system property " + KEY_SYSTEM_PROPERTY);
updateKey(key);
}
} }
} }

View File

@ -41,15 +41,20 @@ backward-compatibility. Newer configurations may not support it.
## Generating a Masked Password ## Generating a Masked Password
To get a mask for a password using the broker's default codec run the To mask a password use the `mask` command from the `bin` directory
`mask` command from your Artemis *instance*. This command will not work of your Artemis *instance*. This command will not work from the
from the Artemis home: Artemis home.
The `mask` command uses [the default codec](#the-default-codec)
unless [a custom codec](#using-a-custom-codec) is defined in
`broker.xml` and the `--password-codec` option is `true`. Here's
a simple example:
```sh ```sh
./artemis mask <plaintextPassword> ./artemis mask <plaintextPassword>
``` ```
You'll get something like You'll get something like:
``` ```
result: 32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360 result: 32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360
@ -59,6 +64,10 @@ Just copy `32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360` and replace your
plaintext password with it using the `ENC()` syntax, e.g. plaintext password with it using the `ENC()` syntax, e.g.
`ENC(32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360)`. `ENC(32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360)`.
You can also use the `--key` parameter with the default codec. Read more about
[the default codec](#the-default-codec) for further details about this
parameter.
This process works for passwords in: This process works for passwords in:
- `broker.xml` - `broker.xml`
@ -81,19 +90,21 @@ broker.xml) has a property that defines the default masking behaviors over the
entire file scope. entire file scope.
`mask-password`: this boolean type property indicates if a password should be `mask-password`: this boolean type property indicates if a password should be
masked or not. Set it to "true" if you want your passwords masked. The default masked or not. Set it to `true` if you want your passwords masked. The default
value is "false". As noted above, this configuration parameter is deprecated. value is `false`. As noted above, this configuration parameter is deprecated
in favor of the `ENC()` syntax.
`password-codec`: this string type property identifies the name of the class `password-codec`: this string type property identifies the name of the class
which will be used to decode the masked password within the broker. If not which will be used to decode the masked password within the broker. If not
specified then the default specified then the default
`org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec` will be used. `org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec` will be used.
Read more about [using a custom codec](#using-a-custom-codec).
### artemis-users.properties ### artemis-users.properties
Apache ActiveMQ Artemis's built-in security manager uses plain properties files Apache ActiveMQ Artemis' default JAAS security manager uses plain properties
where the user passwords are specified in a hashed form by default. Note, the files where the user passwords are specified in a hashed form by default. Note,
passwords are technically *hashed* rather than masked in this context. The the passwords are technically *hashed* rather than masked in this context. The
default `PropertiesLoginModule` will not decode the passwords in default `PropertiesLoginModule` will not decode the passwords in
`artemis-users.properties` but will instead hash the input and compare the two `artemis-users.properties` but will instead hash the input and compare the two
hashed values for password verification. hashed values for password verification.
@ -194,9 +205,9 @@ absent, it means they are not specified in the configure file.
``` ```
This indicates the cluster password is a masked value and Apache ActiveMQ This indicates the cluster password is a masked value and Apache ActiveMQ
Artemis will use its built-in codec to decode it. All other passwords in the Artemis will use [the default codec](#the-default-codec) to decode it. All
configuration file, Connectors, Acceptors and Bridges, will also use masked other passwords in the configuration file, Connectors, Acceptors and Bridges,
passwords. will also use masked passwords.
### bootstrap.xml ### bootstrap.xml
@ -249,15 +260,15 @@ to be in masked form.
### login.config ### login.config
Artemis supports LDAP login modules to be configured in JAAS configuration file Artemis supports LDAP login modules to be configured in JAAS configuration file
(default name is `login.config`). When connecting to a LDAP server usually you (default name is `login.config`). When connecting to an LDAP server usually you
need to supply a connection password in the config file. By default this need to supply a connection password in the config file. By default this
password is in plain text form. password is in plain text form.
To mask it you need to configure the passwords in your login module using To mask it you need to configure the passwords in your login module using
`ENC()` syntax. To specify a codec using the following property: `ENC()` syntax. To specify a codec using the following property:
`passwordCodec` - the password codec class name. (the default codec will be `passwordCodec` - the password codec class name. ([the default codec](#the-default-codec)
used if it is absent) will be used if it is absent)
For example: For example:
@ -345,7 +356,7 @@ algorithm used for decoding must match that for encoding. Otherwise the
decoding may not be successful. decoding may not be successful.
For user's convenience Apache ActiveMQ Artemis provides a default codec. For user's convenience Apache ActiveMQ Artemis provides a default codec.
However a user can implement their own if they wish. However, a user can implement their own if they wish.
### The Default Codec ### The Default Codec
@ -354,7 +365,33 @@ is used. The class name for the default codec is
`org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec`. It has `org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec`. It has
hashing, encoding, and decoding capabilities. It uses `java.crypto.Cipher` hashing, encoding, and decoding capabilities. It uses `java.crypto.Cipher`
utilities to hash or encode a plaintext password and also to decode a masked utilities to hash or encode a plaintext password and also to decode a masked
string using the same algorithm and key. string using the same algorithm and "key."
The "key" used here is important since the *same* key **must** be used to both
mask and unmask the password. The key is just a string of characters which the
codec feeds to the underlying algorithm. There is a default key in
`org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec`, but using the
default key leaves open the possibility that nefarious actors could also use
that key to unmask the password(s). Therefore, it is possible to supply your
*own* key, and there are a few ways to do this.
1. Specify the key in the codec configuration using the `key=value` syntax.
Depending on which password you're trying to mask the configuration
specifics will differ slightly, but this can be done, for example, in
`broker.xml` with `<password-codec>`:
```xml
<password-codec>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=myKey</password-codec>
```
Similar configurations are possible in any file that supports password
masking, e.g. `boostrap.xml`, `login.config`, `management.xml`, etc. The
main drawback with this method is that the key will be stored in plain-text
in the configuration file(s).
2. Set the environment property `ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY`.
This will be read by the startup script, set as a Java system property, and
ultimately read by the default codec. The benefit of using this method is
that the key is more obscure since it will not exist in any configuration
file. It can be set immediately *before* the broker starts and then cleared
from the environment immediately *after* the broker finishes starting.
### Using a custom codec ### Using a custom codec
@ -418,7 +455,7 @@ public class MyCodec implements SensitiveDataCodec<String> {
@Override @Override
public String encode(Object secret) throws Exception { public String encode(Object secret) throws Exception {
// Mask the clear text password. // Mask the clear text password.
return "the masked password""; return "the masked password";
} }
@Override @Override