diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java index 235cdf6044..79e241e204 100644 --- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java +++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java @@ -60,7 +60,7 @@ public class ManagementFactory { return createJmxAclConfiguration(new URI(configuration), artemisHome, artemisInstance, artemisURIInstance); } - public static ManagementContext create(ManagementContextDTO config) { + public static ManagementContext create(ManagementContextDTO config) throws Exception { ManagementContext context = new ManagementContext(); if (config.getAuthorisation() != null) { diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java index 617a570529..bd78481d8a 100644 --- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java +++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java @@ -22,6 +22,8 @@ import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlAttribute; import javax.xml.bind.annotation.XmlRootElement; +import org.apache.activemq.artemis.utils.PasswordMaskingUtil; + @XmlRootElement(name = "connector") @XmlAccessorType(XmlAccessType.FIELD) public class JMXConnectorDTO { @@ -62,6 +64,9 @@ public class JMXConnectorDTO { @XmlAttribute (name = "trust-store-password") String trustStorePassword; + @XmlAttribute (name = "password-codec") + String passwordCodec; + public String getConnectorHost() { return connectorHost; } 
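Review bot: `create(ManagementContextDTO config)` now declares `throws Exception`, the widest checked type, presumably only because the key-store and trust-store password getters in JMXConnectorDTO (the `-94,8` and `-106,7` hunks) can now fail while decoding a masked value. A narrower declaration, or at least a Javadoc line, would tell callers what to expect, for example `@throws Exception if a masked key-store or trust-store password cannot be decoded with the configured password-codec`. Callers should treat that failure as fatal for the JMX connector rather than catching it and continuing without the SSL settings. Whether they do cannot be checked here, because the body of `create` and its call sites lie outside the hunk.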
@@ -94,8 +99,8 @@ public class JMXConnectorDTO { return keyStorePath; } - public String getKeyStorePassword() { - return keyStorePassword; + public String getKeyStorePassword() throws Exception { + return getPassword(keyStorePassword); } public String getTrustStoreProvider() { @@ -106,7 +111,11 @@ public class JMXConnectorDTO { return trustStorePath; } - public String getTrustStorePassword() { - return trustStorePassword; + public String getTrustStorePassword() throws Exception { + return getPassword(trustStorePassword); + } + + private String getPassword(String password) throws Exception { + return PasswordMaskingUtil.resolveMask(null, password, this.passwordCodec); } } diff --git a/docs/user-manual/en/management.md b/docs/user-manual/en/management.md index 82bf14251c..90546a2e71 100644 --- a/docs/user-manual/en/management.md +++ b/docs/user-manual/en/management.md @@ -444,7 +444,7 @@ You can also configure the connector using the following: - `key-store-password` - The keystore password. + The keystore password. This can be [masked](masking-passwords.md). - `key-store-provider` @@ -456,12 +456,18 @@ You can also configure the connector using the following: - `trust-store-password` - The trustore password. + The trustore password. This can be [masked](masking-passwords.md). - `trust-store-provider` The provider; `JKS` by default. +- `password-codec` + + The fully qualified class name of the password codec to use. See the + [password masking](masking-passwords.md) documentation for more details on + how this works. + > **Note:** > > It is important to note that the rmi registry will pick an ip address to bind diff --git a/docs/user-manual/en/masking-passwords.md b/docs/user-manual/en/masking-passwords.md index c7332c78b9..7824b11fec 100644 --- a/docs/user-manual/en/masking-passwords.md +++ b/docs/user-manual/en/masking-passwords.md 
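Review bot: In the `-106,7` hunk, `getPassword` passes a bare `null` as the first argument of `PasswordMaskingUtil.resolveMask` with no explanation at the call site. Going by the masking-passwords.md text added in this commit, it selects the `ENC()`-only mode, so a comment such as `// null mask flag: only ENC(...) values are decoded, plain text passes through` would help. The `trust-store-password` attribute is not marked required (and `key-store-password` is probably the same), so the field can be null here; confirm that `resolveMask` returns null for a null input, or guard with `if (password == null) return null;`. Both getters now hand back the decoded secret on every call, so callers should not log or cache the result. Any error raised on a decode failure should name the attribute, never its value.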
@@ -155,6 +155,29 @@ codec other than the default one. For example ``` +#### Passwords in management.xml + +The broker embeds a JMX connector which is used for management. The connector can +be secured using SSL and it can be configured with a keystore password and/or +truststore password which by default are specified in plain text forms. + +To mask these passwords you need to use `ENC()` syntax. The `mask-password` +boolean is not supported here. + +You can also set the `password-codec` attribute if you want to use a password +codec other than the default one. For example + +```xml + +``` + ### Passwords for the JCA Resource Adapter Both ra.xml and MDB activation configuration have a `password` property that