<div class="wiki-content maincontent"><p>As of ActiveMQ 5.4.1 you can encrypt your passwords and safely store them in configuration files. To encrypt the password, you can use the newly added <code>encrypt</code> command like:</p><structured-macro ac:macro-id="a4cfbc62-bc63-4654-8acd-24413d0aa390" ac:name="code" ac:schema-version="1"><plain-text-body>$ bin/activemq encrypt --password activemq --input mypassword
...
Encrypted text: eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp</plain-text-body></structured-macro><p>The password you want to encrypt is passed with the <code>input</code> argument, while the <code>password</code> argument is the secret used by the encryptor. In a similar fashion, you can test your passwords like this:</p><structured-macro ac:macro-id="c62647f7-a774-4f0c-ace3-f26dc2e9ebc9" ac:name="code" ac:schema-version="1"><plain-text-body>$ bin/activemq decrypt --password activemq --input eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp
...
Decrypted text: mypassword</plain-text-body></structured-macro><p><strong>Note:</strong> It is recommended that you use only alphanumeric characters for the password. Special characters, such as <code>$/^&amp;</code>, are not supported.</p><p>The next step is to add the password to the appropriate configuration file, <code>$ACTIVEMQ_HOME/conf/credentials-enc.properties</code> by default.</p><structured-macro ac:macro-id="ee57e0c3-7e0c-4121-ba74-e8b2dc5b7b16" ac:name="code" ac:schema-version="1"><plain-text-body>activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)
...
jdbc.password=ENC(eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp)
</plain-text-body></structured-macro><p>Note that we used <code>ENC()</code> to wrap our encrypted passwords. You can mix plain and encrypted passwords in your properties files, so encrypted ones must be wrapped this way.</p><p>Finally, you need to instruct your property loader to decrypt variables when it loads properties into memory. Instead of the standard property loader, we'll use a special one (see <code>$ACTIVEMQ_HOME/conf/activemq-security.xml</code>) to achieve this.</p><structured-macro ac:macro-id="d8068f39-1db7-41d5-8520-5716dfa54be5" ac:name="code" ac:schema-version="1"><plain-text-body>&lt;bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"&gt;
&lt;property name="algorithm" value="PBEWithMD5AndDES" /&gt;
&lt;property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" /&gt;
&lt;/bean&gt;
&lt;bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"&gt;
&lt;property name="config" ref="environmentVariablesConfiguration" /&gt;
&lt;/bean&gt;
&lt;bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"&gt;
&lt;constructor-arg ref="configurationEncryptor" /&gt;
&lt;property name="location" value="file:${activemq.base}/conf/credentials-enc.properties"/&gt;
&lt;/bean&gt;</plain-text-body></structured-macro><p>With this configuration, ActiveMQ will try to load your encryptor password from the <code>ACTIVEMQ_ENCRYPTION_PASSWORD</code> environment variable and then use it to decrypt passwords from the <code>credentials-enc.properties</code> file.</p><p>An alternative is to use a simpler variant and store the encryptor password in the XML file, like this:</p><structured-macro ac:macro-id="ed075f5b-2bb9-4b47-b0a2-6f7374fa0824" ac:name="code" ac:schema-version="1"><plain-text-body>&lt;bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"&gt;
&lt;property name="algorithm" value="PBEWithMD5AndDES"/&gt;
&lt;property name="password" value="activemq"/&gt;
&lt;/bean&gt;</plain-text-body></structured-macro><p>but with that you'll lose the secrecy of the encryptor's secret. You may also consult <a shape="rect" href="http://www.jasypt.org/advancedconfiguration.html">http://www.jasypt.org/advancedconfiguration.html</a> for more ideas on how to configure Jasypt.</p><p>Finally, we can use properties like we'd normally do</p><structured-macro ac:macro-id="bc584b96-e1c6-4a03-bb9e-3a9b1a29a870" ac:name="code" ac:schema-version="1"><plain-text-body>&lt;simpleAuthenticationPlugin&gt;
&lt;users&gt;
&lt;authenticationUser username="system" password="${activemq.password}"
groups="users,admins"/&gt;
&lt;authenticationUser username="user" password="${guest.password}"
groups="users"/&gt;
&lt;authenticationUser username="guest" password="${guest.password}" groups="guests"/&gt;
&lt;/users&gt;
&lt;/simpleAuthenticationPlugin&gt;</plain-text-body></structured-macro><p>or</p><structured-macro ac:macro-id="2a8d90c3-6bb9-480f-9fb8-164c7d94761f" ac:name="code" ac:schema-version="1"><plain-text-body>&lt;bean id="mysql-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close"&gt;
&lt;property name="driverClassName" value="com.mysql.jdbc.Driver"/&gt;
&lt;property name="url" value="jdbc:mysql://localhost/activemq?relaxAutoCommit=true"/&gt;
&lt;property name="username" value="activemq"/&gt;
&lt;property name="password" value="${jdbc.password}"/&gt;
&lt;property name="maxActive" value="200"/&gt;
&lt;property name="poolPreparedStatements" value="true"/&gt;
&lt;/bean&gt;</plain-text-body></structured-macro><p>If you want to run the broker with this configuration, you need to do the following:</p><ul><li><p>Set environment variable:</p><structured-macro ac:macro-id="1ca2acff-d7df-4c4c-b8e9-4a4424beb0f1" ac:name="code" ac:schema-version="1"><plain-text-body>$ export ACTIVEMQ_ENCRYPTION_PASSWORD=activemq</plain-text-body></structured-macro></li><li><p>Start the broker:</p><structured-macro ac:macro-id="e3f2412b-28b1-4ecb-8821-0d369beb278b" ac:name="code" ac:schema-version="1"><plain-text-body>$ bin/activemq start xbean:conf/activemq-security.xml</plain-text-body></structured-macro></li><li><p>Unset the environment variable:</p><structured-macro ac:macro-id="4c104818-b20f-4a2f-80bc-f80afc233850" ac:name="code" ac:schema-version="1"><plain-text-body>$ unset ACTIVEMQ_ENCRYPTION_PASSWORD</plain-text-body></structured-macro></li></ul><p>In this way your encryptor secret is never saved on your system and your encrypted passwords are safely stored in the configuration files.</p></div>