<div class="wiki-content maincontent"><p>As of ActiveMQ 5.4.1 you can encrypt your passwords and safely store them in configuration files. To encrypt the password, you can use the newly added <code>encrypt</code> command like:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[$ bin/activemq encrypt --password activemq --input mypassword
...
Encrypted text: eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp]]></script>
</div></div><p>The password you want to encrypt is passed with the <code>input</code> argument, while the <code>password</code> argument is the secret used by the encryptor. In a similar fashion, you can test your passwords with the <code>decrypt</code> command:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[$ bin/activemq decrypt --password activemq --input eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp
...
Decrypted text: mypassword]]></script>
</div></div><p><strong>Note:</strong> It is recommended that you use only alphanumeric characters for the password. Special characters, such as <code>$/^&amp;</code>, are not supported.</p><p>The next step is to add the password to the appropriate configuration file, <code>$ACTIVEMQ_HOME/conf/credentials-enc.properties</code> by default.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL)
...
jdbc.password=ENC(eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp)
]]></script>
</div></div><p>Note that we used <code>ENC()</code> to wrap our encrypted passwords. You can mix plain and encrypted passwords in your properties files, so encrypted ones must be wrapped this way.</p><p>Finally, you need to instruct your property loader to decrypt variables when it loads properties into memory. Instead of the standard property loader, we'll use a special one (see <code>$ACTIVEMQ_HOME/conf/activemq-security.xml</code>) to achieve this.</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[<bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig">
  <property name="algorithm" value="PBEWithMD5AndDES" />
  <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" />
</bean>
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="config" ref="environmentVariablesConfiguration" />
</bean>
<bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer">
  <constructor-arg ref="configurationEncryptor" />
  <property name="location" value="file:${activemq.base}/conf/credentials-enc.properties"/>
</bean>]]></script>
</div></div><p>With this configuration ActiveMQ will try to load your encryptor password from the <code>ACTIVEMQ_ENCRYPTION_PASSWORD</code> environment variable and then use it to decrypt passwords from the <code>credentials-enc.properties</code> file.</p><p>An alternative is to use a simpler variant and store the encryptor password in the XML file, like this:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="algorithm" value="PBEWithMD5AndDES"/>
  <property name="password" value="activemq"/>
</bean>]]></script>
</div></div><p>but with that you'll lose the secrecy of the encryptor's secret. You may also consult <a shape="rect" class="external-link" href="http://www.jasypt.org/advancedconfiguration.html" rel="nofollow">http://www.jasypt.org/advancedconfiguration.html</a> for more ideas on how to configure Jasypt.</p><p>Finally, we can use properties like we'd normally do</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[<simpleAuthenticationPlugin>
  <users>
    <authenticationUser username="system" password="${activemq.password}"
                        groups="users,admins"/>
    <authenticationUser username="user" password="${guest.password}"
                        groups="users"/>
    <authenticationUser username="guest" password="${guest.password}" groups="guests"/>
  </users>
</simpleAuthenticationPlugin>]]></script>
</div></div><p>or</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[<bean id="mysql-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close">
  <property name="driverClassName" value="com.mysql.jdbc.Driver"/>
  <property name="url" value="jdbc:mysql://localhost/activemq?relaxAutoCommit=true"/>
  <property name="username" value="activemq"/>
  <property name="password" value="${jdbc.password}"/>
  <property name="maxActive" value="200"/>
  <property name="poolPreparedStatements" value="true"/>
</bean>]]></script>
</div></div><p>If you want to run the broker with this configuration, you need to do the following:</p><ul><li><p>Set environment variable:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[$ export ACTIVEMQ_ENCRYPTION_PASSWORD=activemq]]></script>
</div></div></li><li><p>Start the broker:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[$ bin/activemq start xbean:conf/activemq-security.xml]]></script>
</div></div></li><li><p>Unset the environment variable:</p><div class="code panel pdl" style="border-width: 1px;"><div class="codeContent panelContent pdl">
<script class="brush: java; gutter: false; theme: Default" type="syntaxhighlighter"><![CDATA[$ unset ACTIVEMQ_ENCRYPTION_PASSWORD]]></script>
</div></div></li></ul><p>In this way your encryptor secret is never saved on your system and your encrypted passwords are safely stored in the configuration files.</p></div>
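<p>The following check is an added example, not part of the original ActiveMQ page or project code: a POSIX shell audit for the two weak spots this page describes, password properties left outside <code>ENC()</code> in a file that may mix plain and encrypted values, and an encryptor secret stored inline in the XML. The function names and the sample files are constructed for illustration.</p>

```shell
# Added example (not ActiveMQ project code): audit a conf directory.
# Print each *password* key in a properties file whose value is not ENC(...).
plaintext_password_keys() {
  awk '
    /^[ \t]*[#!]/ || /^[ \t]*$/ { next }        # comments and blank lines
    {
      sep = match($0, /[=:]/)                   # first key/value separator
      if (!sep) next
      key = substr($0, 1, sep - 1); val = substr($0, sep + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
      if (tolower(key) ~ /password/ && val !~ /^ENC\(.+\)$/) print key
    }' "$1"
}

# Print line numbers where a StandardPBEStringEncryptor bean stores its secret
# inline. Line-based heuristic: assumes the <bean ...> tag sits on one line.
inline_encryptor_secrets() {
  awk '
    /<bean[ \t]/ { in_enc = ($0 ~ /StandardPBEStringEncryptor/) }
    in_enc && /<property[ \t]+name="password"/ { print FNR }
    /<\/bean>/ { in_enc = 0 }' "$1"
}

# $1 = properties file, $2 = broker XML; returns 1 if anything was reported.
audit_activemq_conf() {
  rc=0
  for key in $(plaintext_password_keys "$1"); do
    echo "PLAINTEXT $1: $key is not wrapped in ENC()"; rc=1
  done
  for n in $(inline_encryptor_secrets "$2"); do
    echo "INLINE-SECRET $2:$n: encryptor password is stored in the XML"; rc=1
  done
  return $rc
}

# Constructed sample input (values reused from the page), audited offline.
demo=$(mktemp -d)
cat > "$demo/credentials-enc.properties" <<'EOF'
activemq.username=system
activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)
guest.password=password
jdbc.password = ENC(eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp)
EOF
cat > "$demo/activemq-security.xml" <<'EOF'
<bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor">
  <property name="algorithm" value="PBEWithMD5AndDES"/>
  <property name="password" value="activemq"/>
</bean>
EOF
audit_activemq_conf "$demo/credentials-enc.properties" "$demo/activemq-security.xml" || true
```

<p>Point <code>audit_activemq_conf</code> at <code>$ACTIVEMQ_HOME/conf/credentials-enc.properties</code> and the XML file passed to <code>bin/activemq start</code>; a non-zero return means at least one finding was printed.</p>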