Google Git
Sign in
apache / activemq-website / af4a61cb651abe6c4edde33efe7608b09db26594 / . / src / components / artemis / documentation / latest / masking-passwords.html
blob: c7edb9d4f4b8bbc53435ec45afa1969261f437f9 [file] [log] [blame]
<!DOCTYPE HTML>
<html lang="" >
<head>
<meta charset="UTF-8">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
<title>Masking Passwords ยท ActiveMQ Artemis Documentation</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="generator" content="GitBook 3.2.3">
<link rel="stylesheet" href="gitbook/style.css">
<link rel="stylesheet" href="gitbook/gitbook-plugin-highlight/website.css">
<link rel="stylesheet" href="gitbook/gitbook-plugin-search/search.css">
<link rel="stylesheet" href="gitbook/gitbook-plugin-fontsettings/website.css">
<meta name="HandheldFriendly" content="true"/>
<meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no">
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black">
<link rel="apple-touch-icon-precomposed" sizes="152x152" href="gitbook/images/apple-touch-icon-precomposed-152.png">
<link rel="shortcut icon" href="gitbook/images/favicon.ico" type="image/x-icon">
<link rel="next" href="broker-plugins.html" />
<link rel="prev" href="security.html" />
</head>
<body>
<div class="book">
<div class="book-summary">
<div id="book-search-input" role="search">
<input type="text" placeholder="Type to search" />
</div>
<nav role="navigation">
<ul class="summary">
<li class="chapter " data-level="1.1" data-path="./">
<a href="./">
Introduction
</a>
</li>
<li class="chapter " data-level="1.2" data-path="notice.html">
<a href="notice.html">
Legal Notice
</a>
</li>
<li class="chapter " data-level="1.3" data-path="preface.html">
<a href="preface.html">
Preface
</a>
</li>
<li class="chapter " data-level="1.4" data-path="project-info.html">
<a href="project-info.html">
Project Info
</a>
</li>
<li class="chapter " data-level="1.5" data-path="versions.html">
<a href="versions.html">
Versions
</a>
</li>
<li class="chapter " data-level="1.6" data-path="messaging-concepts.html">
<a href="messaging-concepts.html">
Messaging Concepts
</a>
</li>
<li class="chapter " data-level="1.7" data-path="architecture.html">
<a href="architecture.html">
Architecture
</a>
</li>
<li class="chapter " data-level="1.8" data-path="using-server.html">
<a href="using-server.html">
Using the Server
</a>
</li>
<li class="chapter " data-level="1.9" data-path="upgrading.html">
<a href="upgrading.html">
Upgrading
</a>
</li>
<li class="chapter " data-level="1.10" >
<span>
Address
</span>
<ul class="articles">
<li class="chapter " data-level="1.10.1" data-path="address-model.html">
<a href="address-model.html">
Model
</a>
</li>
<li class="chapter " data-level="1.10.2" data-path="address-settings.html">
<a href="address-settings.html">
Settings
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="1.11" data-path="protocols-interoperability.html">
<a href="protocols-interoperability.html">
Protocols and Interoperability
</a>
</li>
<li class="chapter " data-level="1.12" data-path="amqp.html">
<a href="amqp.html">
AMQP
</a>
<ul class="articles">
<li class="chapter " data-level="1.12.1" data-path="amqp-broker-connections.html">
<a href="amqp-broker-connections.html">
Broker Connections
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="1.13" data-path="mqtt.html">
<a href="mqtt.html">
MQTT
</a>
</li>
<li class="chapter " data-level="1.14" data-path="stomp.html">
<a href="stomp.html">
STOMP
</a>
</li>
<li class="chapter " data-level="1.15" data-path="openwire.html">
<a href="openwire.html">
OpenWire
</a>
</li>
<li class="chapter " data-level="1.16" data-path="core.html">
<a href="core.html">
Core
</a>
</li>
<li class="chapter " data-level="1.17" data-path="jms-core-mapping.html">
<a href="jms-core-mapping.html">
Mapping JMS Concepts to the Core API
</a>
</li>
<li class="chapter " data-level="1.18" data-path="using-jms.html">
<a href="using-jms.html">
Using JMS
</a>
</li>
<li class="chapter " data-level="1.19" data-path="client-classpath.html">
<a href="client-classpath.html">
The Client Classpath
</a>
<ul class="articles">
<li class="chapter " data-level="1.19.1" data-path="client-classpath-jms.html">
<a href="client-classpath-jms.html">
JMS
</a>
</li>
<li class="chapter " data-level="1.19.2" data-path="client-classpath-jakarta.html">
<a href="client-classpath-jakarta.html">
Jakarta
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="1.20" data-path="examples.html">
<a href="examples.html">
Examples
</a>
</li>
<li class="chapter " data-level="1.21" data-path="wildcard-routing.html">
<a href="wildcard-routing.html">
Routing Messages With Wild Cards
</a>
</li>
<li class="chapter " data-level="1.22" data-path="wildcard-syntax.html">
<a href="wildcard-syntax.html">
Wildcard Syntax
</a>
</li>
<li class="chapter " data-level="1.23" data-path="filter-expressions.html">
<a href="filter-expressions.html">
Filter Expressions
</a>
</li>
<li class="chapter " data-level="1.24" data-path="persistence.html">
<a href="persistence.html">
Persistence
</a>
</li>
<li class="chapter " data-level="1.25" data-path="configuring-transports.html">
<a href="configuring-transports.html">
Configuring Transports
</a>
</li>
<li class="chapter " data-level="1.26" data-path="config-reload.html">
<a href="config-reload.html">
Configuration Reload
</a>
</li>
<li class="chapter " data-level="1.27" data-path="connection-ttl.html">
<a href="connection-ttl.html">
Detecting Dead Connections
</a>
</li>
<li class="chapter " data-level="1.28" data-path="slow-consumers.html">
<a href="slow-consumers.html">
Detecting Slow Consumers
</a>
</li>
<li class="chapter " data-level="1.29" data-path="network-isolation.html">
<a href="network-isolation.html">
Avoiding Network Isolation
</a>
</li>
<li class="chapter " data-level="1.30" data-path="critical-analysis.html">
<a href="critical-analysis.html">
Detecting Broker Issues (Critical Analysis)
</a>
</li>
<li class="chapter " data-level="1.31" data-path="transaction-config.html">
<a href="transaction-config.html">
Resource Manager Configuration
</a>
</li>
<li class="chapter " data-level="1.32" data-path="flow-control.html">
<a href="flow-control.html">
Flow Control
</a>
</li>
<li class="chapter " data-level="1.33" data-path="send-guarantees.html">
<a href="send-guarantees.html">
Guarantees of sends and commits
</a>
</li>
<li class="chapter " data-level="1.34" data-path="undelivered-messages.html">
<a href="undelivered-messages.html">
Message Redelivery and Undelivered Messages
</a>
</li>
<li class="chapter " data-level="1.35" data-path="message-expiry.html">
<a href="message-expiry.html">
Message Expiry
</a>
</li>
<li class="chapter " data-level="1.36" data-path="large-messages.html">
<a href="large-messages.html">
Large Messages
</a>
</li>
<li class="chapter " data-level="1.37" data-path="paging.html">
<a href="paging.html">
Paging
</a>
</li>
<li class="chapter " data-level="1.38" data-path="scheduled-messages.html">
<a href="scheduled-messages.html">
Scheduled Messages
</a>
</li>
<li class="chapter " data-level="1.39" data-path="last-value-queues.html">
<a href="last-value-queues.html">
Last-Value Queues
</a>
</li>
<li class="chapter " data-level="1.40" data-path="non-destructive-queues.html">
<a href="non-destructive-queues.html">
Non-Destructive Queues
</a>
</li>
<li class="chapter " data-level="1.41" data-path="ring-queues.html">
<a href="ring-queues.html">
Ring Queues
</a>
</li>
<li class="chapter " data-level="1.42" data-path="retroactive-addresses.html">
<a href="retroactive-addresses.html">
Retroactive Addresses
</a>
</li>
<li class="chapter " data-level="1.43" data-path="exclusive-queues.html">
<a href="exclusive-queues.html">
Exclusive Queues
</a>
</li>
<li class="chapter " data-level="1.44" data-path="message-grouping.html">
<a href="message-grouping.html">
Message Grouping
</a>
</li>
<li class="chapter " data-level="1.45" data-path="consumer-priority.html">
<a href="consumer-priority.html">
Consumer Priority
</a>
</li>
<li class="chapter " data-level="1.46" data-path="pre-acknowledge.html">
<a href="pre-acknowledge.html">
Extra Acknowledge Modes
</a>
</li>
<li class="chapter " data-level="1.47" data-path="management.html">
<a href="management.html">
Management
</a>
</li>
<li class="chapter " data-level="1.48" data-path="management-console.html">
<a href="management-console.html">
Management Console
</a>
</li>
<li class="chapter " data-level="1.49" data-path="metrics.html">
<a href="metrics.html">
Metrics
</a>
</li>
<li class="chapter " data-level="1.50" data-path="security.html">
<a href="security.html">
Security
</a>
</li>
<li class="chapter active" data-level="1.51" data-path="masking-passwords.html">
<a href="masking-passwords.html">
Masking Passwords
</a>
</li>
<li class="chapter " data-level="1.52" data-path="broker-plugins.html">
<a href="broker-plugins.html">
Broker Plugins
</a>
</li>
<li class="chapter " data-level="1.53" data-path="resource-limits.html">
<a href="resource-limits.html">
Resource Limits
</a>
</li>
<li class="chapter " data-level="1.54" data-path="jms-bridge.html">
<a href="jms-bridge.html">
The JMS Bridge
</a>
</li>
<li class="chapter " data-level="1.55" data-path="client-reconnection.html">
<a href="client-reconnection.html">
Client Reconnection and Session Reattachment
</a>
</li>
<li class="chapter " data-level="1.56" data-path="diverts.html">
<a href="diverts.html">
Diverting and Splitting Message Flows
</a>
</li>
<li class="chapter " data-level="1.57" data-path="core-bridges.html">
<a href="core-bridges.html">
Core Bridges
</a>
</li>
<li class="chapter " data-level="1.58" data-path="transformers.html">
<a href="transformers.html">
Transformers
</a>
</li>
<li class="chapter " data-level="1.59" data-path="duplicate-detection.html">
<a href="duplicate-detection.html">
Duplicate Message Detection
</a>
</li>
<li class="chapter " data-level="1.60" data-path="clusters.html">
<a href="clusters.html">
Clusters
</a>
</li>
<li class="chapter " data-level="1.61" data-path="federation.html">
<a href="federation.html">
Federation
</a>
<ul class="articles">
<li class="chapter " data-level="1.61.1" data-path="federation-address.html">
<a href="federation-address.html">
Address Federation
</a>
</li>
<li class="chapter " data-level="1.61.2" data-path="federation-queue.html">
<a href="federation-queue.html">
Queue Federation
</a>
</li>
</ul>
</li>
<li class="chapter " data-level="1.62" data-path="ha.html">
<a href="ha.html">
High Availability and Failover
</a>
</li>
<li class="chapter " data-level="1.63" data-path="connection-routers.html">
<a href="connection-routers.html">
Connection Routers
</a>
</li>
<li class="chapter " data-level="1.64" data-path="graceful-shutdown.html">
<a href="graceful-shutdown.html">
Graceful Server Shutdown
</a>
</li>
<li class="chapter " data-level="1.65" data-path="libaio.html">
<a href="libaio.html">
Libaio Native Libraries
</a>
</li>
<li class="chapter " data-level="1.66" data-path="thread-pooling.html">
<a href="thread-pooling.html">
Thread management
</a>
</li>
<li class="chapter " data-level="1.67" data-path="web-server.html">
<a href="web-server.html">
Embedded Web Server
</a>
</li>
<li class="chapter " data-level="1.68" data-path="logging.html">
<a href="logging.html">
Logging
</a>
</li>
<li class="chapter " data-level="1.69" data-path="rest.html">
<a href="rest.html">
REST Interface
</a>
</li>
<li class="chapter " data-level="1.70" data-path="embedding-activemq.html">
<a href="embedding-activemq.html">
Embedding the Broker
</a>
</li>
<li class="chapter " data-level="1.71" data-path="karaf.html">
<a href="karaf.html">
Apache Karaf
</a>
</li>
<li class="chapter " data-level="1.72" data-path="tomcat.html">
<a href="tomcat.html">
Apache Tomcat
</a>
</li>
<li class="chapter " data-level="1.73" data-path="spring-integration.html">
<a href="spring-integration.html">
Spring Integration
</a>
</li>
<li class="chapter " data-level="1.74" data-path="cdi-integration.html">
<a href="cdi-integration.html">
CDI Integration
</a>
</li>
<li class="chapter " data-level="1.75" data-path="intercepting-operations.html">
<a href="intercepting-operations.html">
Intercepting Operations
</a>
</li>
<li class="chapter " data-level="1.76" data-path="data-tools.html">
<a href="data-tools.html">
Data Tools
</a>
</li>
<li class="chapter " data-level="1.77" data-path="activation-tools.html">
<a href="activation-tools.html">
Activation Tools
</a>
</li>
<li class="chapter " data-level="1.78" data-path="maven-plugin.html">
<a href="maven-plugin.html">
Maven Plugin
</a>
</li>
<li class="chapter " data-level="1.79" data-path="unit-testing.html">
<a href="unit-testing.html">
Unit Testing
</a>
</li>
<li class="chapter " data-level="1.80" data-path="perf-tuning.html">
<a href="perf-tuning.html">
Troubleshooting and Performance Tuning
</a>
</li>
<li class="chapter " data-level="1.81" data-path="perf-tools.html">
<a href="perf-tools.html">
Performance Tools
</a>
</li>
<li class="chapter " data-level="1.82" data-path="configuration-index.html">
<a href="configuration-index.html">
Configuration Reference
</a>
</li>
<li class="chapter " data-level="1.83" data-path="restart-sequence.html">
<a href="restart-sequence.html">
Restart Sequence
</a>
</li>
<li class="divider"></li>
<li>
<a href="https://www.gitbook.com" target="blank" class="gitbook-link">
Published with GitBook
</a>
</li>
</ul>
</nav>
</div>
<div class="book-body">
<div class="body-inner">
<div class="book-header" role="navigation">
<!-- Title -->
<h1>
<i class="fa fa-circle-o-notch fa-spin"></i>
<a href="." >Masking Passwords</a>
</h1>
</div>
<div class="page-wrapper" tabindex="-1" role="main">
<div class="page-inner">
<div id="book-search-results">
<div class="search-noresults">
<section class="normal markdown-section">
<h1 id="masking-passwords">Masking Passwords</h1>
<p>By default all passwords in Apache ActiveMQ Artemis server&apos;s configuration
files are in plain text form. This usually poses no security issues as those
files should be well protected from unauthorized accessing. However, in some
circumstances a user doesn&apos;t want to expose its passwords to more eyes than
necessary.</p>
<p>Apache ActiveMQ Artemis can be configured to use &apos;masked&apos; passwords in its
configuration files. A masked password is an obscure string representation of a
real password. To mask a password a user will use an &apos;codec&apos;. The codec
takes in the real password and outputs the masked version. A user can then
replace the real password in the configuration files with the new masked
password. When Apache ActiveMQ Artemis loads a masked password it uses the
codec to decode it back into the real password.</p>
<p>Apache ActiveMQ Artemis provides a default codec. Optionally users can use
or implement their own codec for masking the passwords.</p>
<p>In general, a masked password can be identified using one of two ways. The
first one is the <code>ENC()</code> syntax, i.e. any string value wrapped in <code>ENC()</code> is to
be treated as a masked password. For example</p>
<p><code>ENC(xyz)</code></p>
<p>The above indicates that the password is masked and the masked value is <code>xyz</code>.</p>
<p>The <code>ENC()</code> syntax is the <strong>preferred way</strong> of masking a password and is
universally supported in every password configuration in Artemis.</p>
<p>The other, legacy way is to use a <code>mask-password</code> attribute to tell that a
password in a configuration file should be treated as &apos;masked&apos;. For example:</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">mask-password</span>&gt;</span>true<span class="hljs-tag">&lt;/<span class="hljs-name">mask-password</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">cluster-password</span>&gt;</span>xyz<span class="hljs-tag">&lt;/<span class="hljs-name">cluster-password</span>&gt;</span>
</code></pre>
<p>This method is now <strong>deprecated</strong> and exists only to maintain
backward-compatibility. Newer configurations may not support it.</p>
<h2 id="generating-a-masked-password">Generating a Masked Password</h2>
<p>To mask a password use the <code>mask</code> command from the <code>bin</code> directory
of your Artemis <em>instance</em>. This command will not work from the
Artemis home. </p>
<p>The <code>mask</code> command uses <a href="#the-default-codec">the default codec</a>
unless <a href="#using-a-custom-codec">a custom codec</a> is defined in
<code>broker.xml</code> and the <code>--password-codec</code> option is <code>true</code>. Here&apos;s
a simple example:</p>
<pre><code class="lang-sh">./artemis mask &lt;plaintextPassword&gt;
</code></pre>
<p>You&apos;ll get something like:</p>
<pre><code>result: 32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360
</code></pre><p>Just copy <code>32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360</code> and replace your
plaintext password with it using the <code>ENC()</code> syntax, e.g.
<code>ENC(32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360)</code>.</p>
<p>You can also use the <code>--key</code> parameter with the default codec. Read more about
<a href="#the-default-codec">the default codec</a> for further details about this
parameter.</p>
<p>This process works for passwords in:</p>
<ul>
<li><code>broker.xml</code></li>
<li><code>login.config</code></li>
<li><code>bootstrap.xml</code></li>
<li><code>management.xml</code></li>
</ul>
<p>This process does <strong>not</strong> work for passwords in:</p>
<ul>
<li><code>artemis-users.properties</code></li>
</ul>
<p>Masked passwords for <code>artemis-users.properties</code> <em>can</em> be generated using the
<code>mask</code> command using the <code>--hash</code> command-line option. However, this is also
possible using the set of tools provided by the <code>user</code> command described below.</p>
<h2 id="masking-configuration">Masking Configuration</h2>
<p>Besides supporting the <code>ENC()</code> syntax, the server configuration file (i.e.
broker.xml) has a property that defines the default masking behaviors over the
entire file scope.</p>
<p><code>mask-password</code>: this boolean type property indicates if a password should be
masked or not. Set it to <code>true</code> if you want your passwords masked. The default
value is <code>false</code>. As noted above, this configuration parameter is deprecated
in favor of the <code>ENC()</code> syntax.</p>
<p><code>password-codec</code>: this string type property identifies the name of the class
which will be used to decode the masked password within the broker. If not
specified then the default
<code>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec</code> will be used.
Read more about <a href="#using-a-custom-codec">using a custom codec</a>.</p>
<h3 id="artemis-usersproperties">artemis-users.properties</h3>
<p>Apache ActiveMQ Artemis&apos; default JAAS security manager uses plain properties
files where the user passwords are specified in a hashed form by default. Note,
the passwords are technically <em>hashed</em> rather than masked in this context. The
default <code>PropertiesLoginModule</code> will not decode the passwords in
<code>artemis-users.properties</code> but will instead hash the input and compare the two
hashed values for password verification.</p>
<p>Use the following command from the CLI of the Artemis <em>instance</em> you wish to
add the user/password to. This command will not work from the Artemis home
used to create the instance, and it will also not work unless the broker has
been started. For example:</p>
<pre><code class="lang-sh">./artemis user add --user-command-user guest --user-command-password guest --role admin
</code></pre>
<p>This will use the default codec to perform a &quot;one-way&quot; hash of the password
and alter both the <code>artemis-users.properties</code> and <code>artemis-roles.properties</code>
files with the specified values.</p>
<p>Passwords in <code>artemis-users.properties</code> are automatically detected as hashed or
not by looking for the syntax <code>ENC(&lt;hash&gt;)</code>. The <code>mask-password</code> parameter does
not need to be <code>true</code> to use hashed passwords here.</p>
<blockquote>
<p><strong>Warning</strong></p>
<p>Management and CLI operations to manipulate user &amp; role data are only available
when using the <code>PropertiesLoginModule</code>.</p>
<p>In general, using properties files and broker-centric user management for
anything other than very basic use-cases is not recommended. The broker is
designed to deal with messages. It&apos;s not in the business of managing users,
although that functionality is provided at a limited level for convenience. LDAP
is recommended for enterprise level production use-cases.</p>
</blockquote>
<h3 id="cluster-password">cluster-password</h3>
<p>If it is specified in <code>ENC()</code> syntax it will be treated as masked, or
if <code>mask-password</code> is <code>true</code> the <code>cluster-password</code> will be treated as masked.</p>
<h3 id="connectors--acceptors">Connectors &amp; Acceptors</h3>
<p>In broker.xml <code>connector</code> and <code>acceptor</code> configurations sometimes needs to
specify passwords. For example, if a user wants to use an <code>acceptor</code> with
<code>sslEnabled=true</code> it can specify <code>keyStorePassword</code> and <code>trustStorePassword</code>.
Because Acceptors and Connectors are pluggable implementations, each transport
will have different password masking needs.</p>
<p>The preferred way is simply to use the <code>ENC()</code> syntax.</p>
<p>If using the legacy <code>mask-password</code> and <code>password-codec</code> values then when a
<code>connector</code> or <code>acceptor</code> is initialised, Apache ActiveMQ Artemis will add
these values to the parameters using the keys <code>activemq.usemaskedpassword</code>
and <code>activemq.passwordcodec</code> respectively. The Netty and InVM implementations
will use these as needed and any other implementations will have access to
these to use if they so wish.</p>
<h3 id="core-bridges">Core Bridges</h3>
<p>Core Bridges are configured in the server configuration file and so the masking
of its <code>password</code> properties follows the same rules as that of
<code>cluster-password</code>. It supports <code>ENC()</code> syntax.</p>
<p>For using <code>mask-password</code> property, the following table summarizes the
relations among the above-mentioned properties</p>
<table>
<thead>
<tr>
<th>mask-password</th>
<th>cluster-password</th>
<th>acceptor/connector passwords</th>
<th>bridge password</th>
</tr>
</thead>
<tbody>
<tr>
<td>absent</td>
<td>plain text</td>
<td>plain text</td>
<td>plain text</td>
</tr>
<tr>
<td>false</td>
<td>plain text</td>
<td>plain text</td>
<td>plain text</td>
</tr>
<tr>
<td>true</td>
<td>masked</td>
<td>masked</td>
<td>masked</td>
</tr>
</tbody>
</table>
<p>It is recommended that you use the <code>ENC()</code> syntax for new applications/deployments.</p>
<h4 id="examples">Examples</h4>
<p><strong>Note:</strong> In the following examples if related attributed or properties are
absent, it means they are not specified in the configure file.</p>
<ul>
<li><p>Unmasked</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">cluster-password</span>&gt;</span>bbc<span class="hljs-tag">&lt;/<span class="hljs-name">cluster-password</span>&gt;</span>
</code></pre>
<p>This indicates the cluster password is a plain text value <code>bbc</code>.</p>
</li>
<li><p>Masked 1</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">cluster-password</span>&gt;</span>ENC(80cf731af62c290)<span class="hljs-tag">&lt;/<span class="hljs-name">cluster-password</span>&gt;</span>
</code></pre>
<p>This indicates the cluster password is a masked value <code>80cf731af62c290</code>.</p>
</li>
<li><p>Masked 2</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">mask-password</span>&gt;</span>true<span class="hljs-tag">&lt;/<span class="hljs-name">mask-password</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">cluster-password</span>&gt;</span>80cf731af62c290<span class="hljs-tag">&lt;/<span class="hljs-name">cluster-password</span>&gt;</span>
</code></pre>
<p>This indicates the cluster password is a masked value and Apache ActiveMQ
Artemis will use <a href="#the-default-codec">the default codec</a> to decode it. All
other passwords in the configuration file, Connectors, Acceptors and Bridges,
will also use masked passwords.</p>
</li>
</ul>
<h3 id="bootstrapxml">bootstrap.xml</h3>
<p>The broker embeds a web-server for hosting some web applications such as a
management console. It is configured in <code>bootstrap.xml</code> as a web component. The
web server can be secured using the <code>https</code> protocol, and it can be configured
with a keystore password and/or truststore password which by default are
specified in plain text forms.</p>
<p>To mask these passwords you need to use <code>ENC()</code> syntax. The <code>mask-password</code>
boolean is not supported here.</p>
<p>You can also set the <code>passwordCodec</code> attribute if you want to use a password
codec other than the default one. For example</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">web</span> <span class="hljs-attr">path</span>=<span class="hljs-string">&quot;web&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">binding</span> <span class="hljs-attr">uri</span>=<span class="hljs-string">&quot;https://localhost:8443&quot;</span>
<span class="hljs-attr">keyStorePassword</span>=<span class="hljs-string">&quot;ENC(-5a2376c61c668aaf)&quot;</span>
<span class="hljs-attr">trustStorePassword</span>=<span class="hljs-string">&quot;ENC(3d617352d12839eb71208edf41d66b34)&quot;</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">app</span> <span class="hljs-attr">url</span>=<span class="hljs-string">&quot;activemq-branding&quot;</span> <span class="hljs-attr">war</span>=<span class="hljs-string">&quot;activemq-branding.war&quot;</span>/&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">binding</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">web</span>&gt;</span>
</code></pre>
<h3 id="managementxml">management.xml</h3>
<p>The broker embeds a JMX connector which is used for management. The connector can
be secured using SSL and it can be configured with a keystore password and/or
truststore password which by default are specified in plain text forms.</p>
<p>To mask these passwords you need to use <code>ENC()</code> syntax. The <code>mask-password</code>
boolean is not supported here.</p>
<p>You can also set the <code>password-codec</code> attribute if you want to use a password
codec other than the default one. For example</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">connector</span>
<span class="hljs-attr">connector-port</span>=<span class="hljs-string">&quot;1099&quot;</span>
<span class="hljs-attr">connector-host</span>=<span class="hljs-string">&quot;localhost&quot;</span>
<span class="hljs-attr">secured</span>=<span class="hljs-string">&quot;true&quot;</span>
<span class="hljs-attr">key-store-path</span>=<span class="hljs-string">&quot;myKeystore.jks&quot;</span>
<span class="hljs-attr">key-store-password</span>=<span class="hljs-string">&quot;ENC(3a34fd21b82bf2a822fa49a8d8fa115d&quot;</span>
<span class="hljs-attr">trust-store-path</span>=<span class="hljs-string">&quot;myTruststore.jks&quot;</span>
<span class="hljs-attr">trust-store-password</span>=<span class="hljs-string">&quot;ENC(3a34fd21b82bf2a822fa49a8d8fa115d)&quot;</span>/&gt;</span>
</code></pre>
<p>With this configuration, both passwords in ra.xml and all of its MDBs will have
to be in masked form.</p>
<h3 id="propertiesloginmodule">PropertiesLoginModule</h3>
<p>Artemis supports Properties login module to be configured in JAAS configuration file
(default name is <code>login.config</code>). By default, the passwords of the users are in plain text
or masked with the <a href="#the-default-codec">the default codec</a>.</p>
<p>To use a custom codec class, set the <code>org.apache.activemq.jaas.properties.password.codec</code> property to the class name
e.g. to use the <code>com.example.MySensitiveDataCodecImpl</code> codec class:</p>
<pre><code>PropertiesLoginWithPasswordCodec {
org.apache.activemq.artemis.spi.core.security.jaas.PropertiesLoginModule required
debug=true
org.apache.activemq.jaas.properties.user=&quot;users.properties&quot;
org.apache.activemq.jaas.properties.role=&quot;roles.properties&quot;
org.apache.activemq.jaas.properties.password.codec=&quot;com.example.MySensitiveDataCodecImpl&quot;;
};
</code></pre><h3 id="ldaploginmodule">LDAPLoginModule</h3>
<p>Artemis supports LDAP login modules to be configured in JAAS configuration file
(default name is <code>login.config</code>). When connecting to an LDAP server usually you
need to supply a connection password in the config file. By default this
password is in plain text form.</p>
<p>To mask it you need to configure the passwords in your login module using
<code>ENC()</code> syntax. To specify a codec using the following property:</p>
<p><code>passwordCodec</code> - the password codec class name. (<a href="#the-default-codec">the default codec</a>
will be used if it is absent)</p>
<p>For example:</p>
<pre><code>LDAPLoginExternalPasswordCodec {
org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required
debug=true
initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory
connectionURL=&quot;ldap://localhost:1024&quot;
connectionUsername=&quot;uid=admin,ou=system&quot;
connectionPassword=&quot;ENC(-170b9ef34d79ed12)&quot;
passwordCodec=&quot;org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=helloworld&quot;
connectionProtocol=s
authentication=simple
userBase=&quot;ou=system&quot;
userSearchMatching=&quot;(uid={0})&quot;
userSearchSubtree=false
roleBase=&quot;ou=system&quot;
roleName=dummyRoleName
roleSearchMatching=&quot;(uid={1})&quot;
roleSearchSubtree=false
;
};
</code></pre><h3 id="jca-resource-adapter">JCA Resource Adapter</h3>
<p>Both ra.xml and MDB activation configuration have a <code>password</code> property that
can be masked preferably using <code>ENC()</code> syntax.</p>
<p>Alternatively it can use an optional attribute in ra.xml to indicate that a
password is masked:</p>
<p><code>UseMaskedPassword</code> -- If setting to &quot;true&quot; the passwords are masked. Default
is false.</p>
<p>There is another property in ra.xml that can specify a codec:</p>
<p><code>PasswordCodec</code> -- Class name and its parameters for the codec used to decode
the masked password. Ignored if UseMaskedPassword is false. The format of this
property is a full qualified class name optionally followed by key/value pairs.
It is the same format as that for JMS Bridges. Example:</p>
<p>Example 1 Using the <code>ENC()</code> syntax:</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-name</span>&gt;</span>password<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-name</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-type</span>&gt;</span>String<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-type</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-value</span>&gt;</span>ENC(80cf731af62c290)<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-value</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-name</span>&gt;</span>PasswordCodec<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-name</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-type</span>&gt;</span>java.lang.String<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-type</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-value</span>&gt;</span>com.foo.ACodec;key=helloworld<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-value</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">config-property</span>&gt;</span>
</code></pre>
<p>Example 2 Using the &quot;UseMaskedPassword&quot; property:</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-name</span>&gt;</span>UseMaskedPassword<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-name</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-type</span>&gt;</span>boolean<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-type</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-value</span>&gt;</span>true<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-value</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-name</span>&gt;</span>password<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-name</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-type</span>&gt;</span>String<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-type</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-value</span>&gt;</span>80cf731af62c290<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-value</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-name</span>&gt;</span>PasswordCodec<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-name</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-type</span>&gt;</span>java.lang.String<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-type</span>&gt;</span>
<span class="hljs-tag">&lt;<span class="hljs-name">config-property-value</span>&gt;</span>com.foo.ACodec;key=helloworld<span class="hljs-tag">&lt;/<span class="hljs-name">config-property-value</span>&gt;</span>
<span class="hljs-tag">&lt;/<span class="hljs-name">config-property</span>&gt;</span>
</code></pre>
<h2 id="choosing-a-codec-for-password-masking">Choosing a codec for password masking</h2>
<p>As described in the previous sections, all password masking requires a codec.
A codec uses an algorithm to convert a masked password into its original
clear text form in order to be used in various security operations. The
algorithm used for decoding must match that for encoding. Otherwise the
decoding may not be successful.</p>
<p>For user&apos;s convenience Apache ActiveMQ Artemis provides a default codec.
However, a user can implement their own if they wish.</p>
<h3 id="the-default-codec">The Default Codec</h3>
<p>Whenever no codec is specified in the configuration, the default codec
is used. The class name for the default codec is
<code>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec</code>. It has
hashing, encoding, and decoding capabilities. It uses <code>java.crypto.Cipher</code>
utilities to hash or encode a plaintext password and also to decode a masked
string using the same algorithm and &quot;key.&quot;</p>
<p>The &quot;key&quot; used here is important since the <em>same</em> key <strong>must</strong> be used to both
mask and unmask the password. The key is just a string of characters which the
codec feeds to the underlying algorithm. There is a default key in
<code>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec</code>, but using the
default key leaves open the possibility that nefarious actors could also use
that key to unmask the password(s). Therefore, it is possible to supply your
<em>own</em> key, and there are a few ways to do this.</p>
<ol>
<li>Specify the key in the codec configuration using the <code>key=value</code> syntax.
Depending on which password you&apos;re trying to mask the configuration
specifics will differ slightly, but this can be done, for example, in
<code>broker.xml</code> with <code>&lt;password-codec&gt;</code>:<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">password-codec</span>&gt;</span>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=myKey<span class="hljs-tag">&lt;/<span class="hljs-name">password-codec</span>&gt;</span>
</code></pre>
Similar configurations are possible in any file that supports password
masking, e.g. <code>boostrap.xml</code>, <code>login.config</code>, <code>management.xml</code>, etc. The
main drawback with this method is that the key will be stored in plain-text
in the configuration file(s).</li>
<li>Set the environment property <code>ARTEMIS_DEFAULT_SENSITIVE_STRING_CODEC_KEY</code>.
This will be read by the startup script, set as a Java system property, and
ultimately read by the default codec. The benefit of using this method is
that the key is more obscure since it will not exist in any configuration
file. It can be set immediately <em>before</em> the broker starts and then cleared
from the environment immediately <em>after</em> the broker finishes starting.</li>
</ol>
<h3 id="using-a-custom-codec">Using a custom codec</h3>
<p>It is possible to use a custom codec rather than the built-in one. Simply
make sure the codec is in Apache ActiveMQ Artemis&apos;s classpath. The custom
codec can also be service loaded rather than class loaded, if the codec&apos;s
service provider is installed in the classpath. Then configure the server to
use it as follows:</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">password-codec</span>&gt;</span>com.foo.SomeCodec;key1=value1;key2=value2<span class="hljs-tag">&lt;/<span class="hljs-name">password-codec</span>&gt;</span>
</code></pre>
<p>If your codec needs params passed to it you can do this via key/value pairs
when configuring. For instance if your codec needs say a &quot;key-location&quot;
parameter, you can define like so:</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">password-codec</span>&gt;</span>com.foo.NewCodec;key-location=/some/url/to/keyfile<span class="hljs-tag">&lt;/<span class="hljs-name">password-codec</span>&gt;</span>
</code></pre>
<p>Then configure your cluster-password like this:</p>
<pre><code class="lang-xml"><span class="hljs-tag">&lt;<span class="hljs-name">cluster-password</span>&gt;</span>ENC(masked_password)<span class="hljs-tag">&lt;/<span class="hljs-name">cluster-password</span>&gt;</span>
</code></pre>
<p>When Apache ActiveMQ Artemis reads the cluster-password it will initialize the
<code>NewCodec</code> and use it to decode &quot;mask_password&quot;. It also process all passwords
using the new defined codec.</p>
<h4 id="implementing-custom-codecs">Implementing Custom Codecs</h4>
<p>To use a different codec than the built-in one, you either pick one from
existing libraries or you implement it yourself. All codecs must implement
the <code>org.apache.activemq.artemis.utils.SensitiveDataCodec&lt;String&gt;</code> interface.
So a new codec would be defined like</p>
<pre><code class="lang-java"><span class="hljs-keyword">public</span> <span class="hljs-class"><span class="hljs-keyword">class</span> <span class="hljs-title">MyCodec</span> <span class="hljs-keyword">implements</span> <span class="hljs-title">SensitiveDataCodec</span>&lt;<span class="hljs-title">String</span>&gt; </span>{
<span class="hljs-meta">@Override</span>
<span class="hljs-function"><span class="hljs-keyword">public</span> String <span class="hljs-title">decode</span><span class="hljs-params">(Object mask)</span> <span class="hljs-keyword">throws</span> Exception </span>{
<span class="hljs-comment">// Decode the mask into clear text password.</span>
<span class="hljs-keyword">return</span> <span class="hljs-string">&quot;the password&quot;</span>;
}
<span class="hljs-meta">@Override</span>
<span class="hljs-function"><span class="hljs-keyword">public</span> String <span class="hljs-title">encode</span><span class="hljs-params">(Object secret)</span> <span class="hljs-keyword">throws</span> Exception </span>{
<span class="hljs-comment">// Mask the clear text password.</span>
<span class="hljs-keyword">return</span> <span class="hljs-string">&quot;the masked password&quot;</span>;
}
<span class="hljs-meta">@Override</span>
<span class="hljs-function"><span class="hljs-keyword">public</span> <span class="hljs-keyword">void</span> <span class="hljs-title">init</span><span class="hljs-params">(Map&lt;String, String&gt; params)</span> </span>{
<span class="hljs-comment">// Initialization done here. It is called right after the codec has been created.</span>
}
<span class="hljs-meta">@Override</span>
<span class="hljs-function"><span class="hljs-keyword">public</span> <span class="hljs-keyword">boolean</span> <span class="hljs-title">verify</span><span class="hljs-params">(<span class="hljs-keyword">char</span>[] value, String encodedValue)</span> </span>{
<span class="hljs-comment">// Return true if the value matches the encodedValue.</span>
<span class="hljs-keyword">return</span> checkValueMatchesEncoding(value, encodedValue);
}
}
</code></pre>
<p>Last but not least, once you get your own codec please <a href="using-server.html#adding-runtime-dependencies">add it to the
classpath</a> otherwise the broker
will fail to load it!</p>
</section>
</div>
<div class="search-results">
<div class="has-results">
<h1 class="search-results-title"><span class='search-results-count'></span> results matching "<span class='search-query'></span>"</h1>
<ul class="search-results-list"></ul>
</div>
<div class="no-results">
<h1 class="search-results-title">No results matching "<span class='search-query'></span>"</h1>
</div>
</div>
</div>
</div>
</div>
</div>
<a href="security.html" class="navigation navigation-prev " aria-label="Previous page: Security">
<i class="fa fa-angle-left"></i>
</a>
<a href="broker-plugins.html" class="navigation navigation-next " aria-label="Next page: Broker Plugins">
<i class="fa fa-angle-right"></i>
</a>
</div>
<script>
var gitbook = gitbook || [];
gitbook.push(function() {
gitbook.page.hasChanged({"page":{"title":"Masking Passwords","level":"1.51","depth":1,"next":{"title":"Broker Plugins","level":"1.52","depth":1,"path":"broker-plugins.md","ref":"broker-plugins.md","articles":[]},"previous":{"title":"Security","level":"1.50","depth":1,"path":"security.md","ref":"security.md","articles":[]},"dir":"ltr"},"config":{"plugins":[],"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"pluginsConfig":{"highlight":{},"search":{},"lunr":{"maxIndexSize":1000000,"ignoreSpecialCharacters":false},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2},"theme-default":{"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"showLevel":false}},"github":"apache/activemq-artemis","theme":"default","githubHost":"https://github.com/","pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"variables":{},"version":"2.24.0","title":"ActiveMQ Artemis Documentation","links":{"home":"http://activemq.apache.org/artemis","issues":"https://issues.apache.org/jira/browse/ARTEMIS","contribute":"http://activemq.apache.org/contributing.html"},"gitbook":"3.x.x","description":"ActiveMQ Artemis User Guide and Reference Documentation"},"file":{"path":"masking-passwords.md","mtime":"2022-08-08T16:17:30.742Z","type":"markdown"},"gitbook":{"version":"3.2.3","time":"2022-08-08T16:18:17.607Z"},"basePath":".","book":{"language":""}});
});
</script>
</div>
<script src="gitbook/gitbook.js"></script>
<script src="gitbook/theme.js"></script>
<script src="gitbook/gitbook-plugin-search/search-engine.js"></script>
<script src="gitbook/gitbook-plugin-search/search.js"></script>
<script src="gitbook/gitbook-plugin-lunr/lunr.min.js"></script>
<script src="gitbook/gitbook-plugin-lunr/search-lunr.js"></script>
<script src="gitbook/gitbook-plugin-sharing/buttons.js"></script>
<script src="gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script>
</body>
</html>