blob: bde8d1af947551e319fda0ee1005a481f6652f51 [file] [log] [blame]
<div class="wiki-content maincontent"><p>As of ActiveMQ 5.4.1 you can encrypt your passwords and safely store them in configuration files. To encrypt the password, you can use the newly added <code>encrypt</code> command like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$ bin/activemq encrypt --password activemq --input mypassword
...
Encrypted text: eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp</pre>
</div></div><p>Where the password you want to encrypt is passed with the <code>input</code> argument, while the <code>password</code> argument is a secret used by the encryptor. In a similar fashion you can test-out your passwords like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$ bin/activemq decrypt --password activemq --input eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp
...
Decrypted text: mypassword</pre>
</div></div><p><strong>Note:</strong> It is recommended that you use only alphanumeric characters for the password. Special characters, such as <code>$/^&amp;</code>, are not supported.</p><p>The next step is to add the password to the appropriate configuration file, <code>$ACTIVEMQ_HOME/conf/credentials-enc.properties</code> by default.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)
...
jdbc.password=ENC(eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp)
</pre>
</div></div><p>Note that we used <code>ENC()</code> to wrap our encrypted passwords. You can mix plain and encrypted passwords in your properties files, so encrypted ones must be wrapped this way.</p><p>Finally, you need to instruct your property loader to encrypt variables when it loads properties to the memory. Instead of standard property loader we'll use the special one (see <code>\$ACTIVEMQ_HOME/conf/activemq-security.xml</code>) to achieve this.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"&gt;
&lt;property name="algorithm" value="PBEWithMD5AndDES" /&gt;
&lt;property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" /&gt;
&lt;/bean&gt;
&lt;bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"&gt;
&lt;property name="config" ref="environmentVariablesConfiguration" /&gt;
&lt;/bean&gt;
&lt;bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"&gt;
&lt;constructor-arg ref="configurationEncryptor" /&gt;
&lt;property name="location" value="file:${activemq.base}/conf/credentials-enc.properties"/&gt;
&lt;/bean&gt;</pre>
</div></div><p>With this configuration ActiveMQ will try to load your encryptor password from the <code>ACTIVEMQ_ENCRYPTION_PASSWORD</code> environment variable and then use it to decrypt passwords from <code>credential-enc.properties</code> file.</p><p>Alternative is to use a simple variant and store encryptor password in the xml file, like this</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"&gt;
&lt;property name="algorithm" value="PBEWithMD5AndDES"/&gt;
&lt;property name="password" value="activemq"/&gt;
&lt;/bean&gt;</pre>
</div></div><p>but with that you'll lose the secrecy of the encryptor's secret. You may also consult <a shape="rect" class="external-link" href="http://www.jasypt.org/advancedconfiguration.html" rel="nofollow">http://www.jasypt.org/advancedconfiguration.html</a> for more ideas on how to configure Jasypt.</p><p>Finally, we can use properties like we'd normally do</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;simpleAuthenticationPlugin&gt;
&lt;users&gt;
&lt;authenticationUser username="system" password="${activemq.password}"
groups="users,admins"/&gt;
&lt;authenticationUser username="user" password="${guest.password}"
groups="users"/&gt;
&lt;authenticationUser username="guest" password="${guest.password}" groups="guests"/&gt;
&lt;/users&gt;
&lt;/simpleAuthenticationPlugin&gt;</pre>
</div></div><p>or</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">&lt;bean id="mysql-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close"&gt;
&lt;property name="driverClassName" value="com.mysql.jdbc.Driver"/&gt;
&lt;property name="url" value="jdbc:mysql://localhost/activemq?relaxAutoCommit=true"/&gt;
&lt;property name="username" value="activemq"/&gt;
&lt;property name="password" value="${jdbc.password}"/&gt;
&lt;property name="maxActive" value="200"/&gt;
&lt;property name="poolPreparedStatements" value="true"/&gt;
&lt;/bean&gt;</pre>
</div></div><p>If you want to run the broker with this configuration, you need to do the following:</p><ul><li><p>Set environment variable:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$ export ACTIVEMQ_ENCRYPTION_PASSWORD=activemq</pre>
</div></div></li><li><p>Start the broker:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$ bin/activemq start xbean:conf/activemq-security.xml</pre>
</div></div></li><li><p>Unset the environment variable:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<pre class="brush: java; gutter: false; theme: Default" style="font-size:12px;">$ unset ACTIVEMQ_ENCRYPTION_PASSWORD</pre>
</div></div></li></ul><p>In this way your encryptor secret is never saved on your system and your encrypted passwords are safely stored in the configuration files.</p></div>