| <!DOCTYPE html> |
| <html lang="en"> |
| <head> |
| <meta charset="UTF-8"> |
| <meta name="viewport" content="width=device-width, initial-scale=1.0"> |
| <meta http-equiv="X-UA-Compatible" content="ie=edge"> |
| <title>ActiveMQ</title> |
| <link rel="icon" type="image/png" href="/assets/img/favicon.png"> |
| |
| <link rel="stylesheet" href="/css/main.css"> |
| <script defer src="/js/fontawesome-all.min.js" integrity="sha384-rOA1PnstxnOBLzCLMcre8ybwbTmemjzdNlILg8O7z1lUkLXozs4DHonlDtnE7fpc"></script> |
| <script src="/js/jquery.slim.min.js" integrity="sha384-5AkRS45j4ukf+JbWAfHL8P4onPA9p0KwwP7pUdjSQA3ss9edbJUJc/XcYAiheSSz"></script> |
| <script src="/js/popper.min.js" integrity="sha384-ApNbgh9B+Y1QKtv3Rn7W3mgPxhU9K/ScQsAP7hUibX39j7fakFPskvXusvfa0b4Q"></script> |
| <script src="/js/bootstrap.min.js" integrity="sha384-JZR6Spejh4U02d8jOt6vLEHfe/JQGiRRSQQxSfFWpi1MquVdAyjUar5+76PVCmYl"></script> |
| </head> |
| |
| <body> |
| <div class="content"> |
| <div class="page-title-classic"> |
| <div class="container"> |
| <h1>Encrypted passwords</h1> |
| </div> |
| </div> |
| <div class="container" > |
| <div class="row" style="margin-top: 30px"> |
| <div class="col-12 classic"> |
| <p>As of ActiveMQ Classic 5.4.1 you can encrypt your passwords and safely store them in configuration files. To encrypt a password, use the newly added <code class="language-plaintext highlighter-rouge">encrypt</code> command, for example:</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ bin/activemq encrypt --password activemq --input mypassword |
| ... |
| Encrypted text: eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp |
| </code></pre></div></div> |
| <p>Here the password you want to encrypt is passed with the <code class="language-plaintext highlighter-rouge">input</code> argument, while the <code class="language-plaintext highlighter-rouge">password</code> argument is a secret used by the encryptor. In a similar fashion you can test your encrypted passwords with the <code class="language-plaintext highlighter-rouge">decrypt</code> command:</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ bin/activemq decrypt --password activemq --input eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp |
| ... |
| Decrypted text: mypassword |
| </code></pre></div></div> |
| <p><strong>Note:</strong> It is recommended that you use only alphanumeric characters for the password. Special characters, such as <code class="language-plaintext highlighter-rouge">$/^&</code>, are not supported.</p> |
| |
| <p>As of the 5.16.0 release, support has been added to specify an algorithm |
| parameter to the “encrypt” and “decrypt” commands. By default, the algorithm |
| that is used is “PBEWithMD5AndDES”. To use a more modern encryption algorithm |
| you can specify:</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ bin/activemq encrypt --password activemq --input mypassword --algorithm PBEWITHHMACSHA256ANDAES_256 |
| ... |
| Encrypted text: h/cWj/ZZelMt3Y7NSzUG2vHYSnfWK561qjNg9Ywyr9yT72ru7pR4IEUnHLIdLSOb |
| </code></pre></div></div> |
| |
| <p>The next step is to add the password to the appropriate configuration file, <code class="language-plaintext highlighter-rouge">$ACTIVEMQ_HOME/conf/credentials-enc.properties</code> by default.</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>activemq.username=system |
| activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==) |
| guest.password=ENC(Cf3Jf3tM+UrSOoaKU50od5CuBa8rxjoL) |
| ... |
| jdbc.password=ENC(eeWjNyX6FY8Fjp3E+F6qTytV11bZItDp) |
| </code></pre></div></div> |
| <p>Note that we used <code class="language-plaintext highlighter-rouge">ENC()</code> to wrap our encrypted passwords. You can mix plain and encrypted passwords in your properties files, so encrypted ones must be wrapped this way.</p> |
| |
| <p>Next, you need to instruct your property loader to decrypt the encrypted values when it loads the properties into memory. Instead of the standard property loader we’ll use a special one (see <code class="language-plaintext highlighter-rouge">$ACTIVEMQ_HOME/conf/activemq-security.xml</code>) to achieve this.</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><bean id="environmentVariablesConfiguration" class="org.jasypt.encryption.pbe.config.EnvironmentStringPBEConfig"> |
| <property name="algorithm" value="PBEWithMD5AndDES" /> |
| <property name="passwordEnvName" value="ACTIVEMQ_ENCRYPTION_PASSWORD" /> |
| </bean> |
| |
| <bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"> |
| <property name="config" ref="environmentVariablesConfiguration" /> |
| </bean> |
| |
| <bean id="propertyConfigurer" class="org.jasypt.spring31.properties.EncryptablePropertyPlaceholderConfigurer"> |
| <constructor-arg ref="configurationEncryptor" /> |
| <property name="location" value="file:${activemq.base}/conf/credentials-enc.properties"/> |
| </bean> |
| </code></pre></div></div> |
| <p>With this configuration ActiveMQ Classic will try to load your encryptor password from the <code class="language-plaintext highlighter-rouge">ACTIVEMQ_ENCRYPTION_PASSWORD</code> environment variable and then use it to decrypt the passwords in the <code class="language-plaintext highlighter-rouge">credentials-enc.properties</code> file.</p> |
| |
| <p>An alternative is to use a simpler variant and store the encryptor password in the XML file, like this:</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><bean id="configurationEncryptor" class="org.jasypt.encryption.pbe.StandardPBEStringEncryptor"> |
| <property name="algorithm" value="PBEWithMD5AndDES"/> |
| <property name="password" value="activemq"/> |
| </bean> |
| </code></pre></div></div> |
| <p>but with that you’ll lose the secrecy of the encryptor’s secret. You may also consult <a href="http://www.jasypt.org/advancedCommunity/FAQ/configuration">http://www.jasypt.org/advancedCommunity/FAQ/configuration.md</a> for more ideas on how to configure Jasypt.</p> |
| |
| <p>Finally, we can use the properties as we normally would:</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><simpleAuthenticationPlugin> |
| <users> |
| <authenticationUser username="system" password="${activemq.password}" |
| groups="users,admins"/> |
| <authenticationUser username="user" password="${guest.password}" |
| groups="users"/> |
| <authenticationUser username="guest" password="${guest.password}" groups="guests"/> |
| </users> |
| </simpleAuthenticationPlugin> |
| </code></pre></div></div> |
| <p>or</p> |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code><bean id="mysql-ds" class="org.apache.commons.dbcp.BasicDataSource" destroy-method="close"> |
| <property name="driverClassName" value="com.mysql.jdbc.Driver"/> |
| <property name="url" value="jdbc:mysql://localhost/activemq?relaxAutoCommit=true"/> |
| <property name="username" value="activemq"/> |
| <property name="password" value="${jdbc.password}"/> |
| <property name="maxActive" value="200"/> |
| <property name="poolPreparedStatements" value="true"/> |
| </bean> |
| </code></pre></div></div> |
| <p>If you want to run the broker with this configuration, you need to do the following:</p> |
| |
| <ul> |
| <li>Set environment variable: |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ export ACTIVEMQ_ENCRYPTION_PASSWORD=activemq |
| </code></pre></div> </div> |
| </li> |
| <li>Start the broker: |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ bin/activemq start xbean:conf/activemq-security.xml |
| </code></pre></div> </div> |
| </li> |
| <li>Unset the environment variable: |
| <div class="language-plaintext highlighter-rouge"><div class="highlight"><pre class="highlight"><code>$ unset ACTIVEMQ_ENCRYPTION_PASSWORD |
| </code></pre></div> </div> |
| </li> |
| </ul> |
| |
| <p>In this way your encryptor secret is never saved on your system and your encrypted passwords are safely stored in the configuration files.</p> |
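| <p>The shell script below is an added example, not part of the original page or of ActiveMQ's own tooling. It checks a broker configuration for three gaps the steps above leave open: password properties left outside <code class="language-plaintext highlighter-rouge">ENC()</code>, a literal password or the default algorithm in the Spring XML, and the <code class="language-plaintext highlighter-rouge">export</code> line being recorded in a shell history file. The function names, finding labels and sample files are assumptions made for illustration.</p> |

```shell
#!/bin/sh
# Added example (not ActiveMQ project code): audit a broker conf directory for
# the credential-handling gaps discussed on this page.

# Print each *password key in a properties file whose value is not ENC(...).
plaintext_passwords() {   # $1 = e.g. conf/credentials-enc.properties
    awk '
        /^[ \t]*[#!]/ || !/=/ { next }             # comments, lines without "="
        {
            key = substr($0, 1, index($0, "=") - 1)
            val = substr($0, index($0, "=") + 1)   # value may itself contain "="
            gsub(/^[ \t]+|[ \t]+$/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", val)
            if (tolower(key) ~ /password$/ && val !~ /^ENC\(.+\)$/) print key
        }' "$1"
}

# Print findings for the Spring XML that wires Jasypt into the broker.
# Line-based: an attribute split across lines is not seen.
xml_findings() {          # $1 = e.g. conf/activemq-security.xml
    # Literal (non-${...}) password: the encryptor secret of the "simple
    # variant", or a user/datasource password left in clear text.
    if grep -Eq '(name="password"[[:space:]]+value|[[:space:]]password)="[^$"]' "$1"; then
        echo "literal-password-in-xml"
    fi
    # The default algorithm: MD5-based key derivation with single DES.
    if grep -Eiq 'name="algorithm"[[:space:]]+value="PBEWithMD5AndDES"' "$1"; then
        echo "default-PBEWithMD5AndDES"
    fi
}

# Succeed if the encryptor secret was assigned on a line of a history file.
secret_in_history() {     # $1 = e.g. ~/.bash_history
    grep -Eq '(^|[[:space:];])ACTIVEMQ_ENCRYPTION_PASSWORD=.' "$1"
}

# Constructed sample files; point the functions at a real conf/ instead.
demo() {
    d=$(mktemp -d)
    printf '%s\n' 'activemq.username=system' \
        'activemq.password=ENC(mYRkg+4Q4hua1kvpCCI2hg==)' \
        'guest.password=password' > "$d/credentials-enc.properties"
    printf '%s\n' '<property name="algorithm" value="PBEWithMD5AndDES"/>' \
        '<property name="password" value="activemq"/>' > "$d/activemq-security.xml"
    printf '%s\n' 'export ACTIVEMQ_ENCRYPTION_PASSWORD=activemq' > "$d/history"
    plaintext_passwords "$d/credentials-enc.properties"
    xml_findings "$d/activemq-security.xml"
    if secret_in_history "$d/history"; then echo "secret-in-shell-history"; fi
    rm -rf "$d"
}
demo
```

| <p>On the constructed sample files the script reports <code class="language-plaintext highlighter-rouge">guest.password</code>, both XML findings and the history finding; a clean configuration produces no output.</p> |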
| |
| </div> |
| </div> |
| </div> |
| </div> |
| <div class="row sitemap"> |
| <div class="col-sm-12"> |
| <div class="container"> |
| <div class="row"> |
| <div class="col-sm-12"> |
| <div class="row"> |
| <div class="col-sm-3"> |
| <div > |
| <img class="float-left" style="max-height: 100px" src="/assets/img/activemq_logo_white_vertical_small.png"/> |
| </div> |
| </div> |
| <div style="text-align: center; margin-bottom: 0px; margin-top: 30px; font-size: 65%" class="col-sm-6"> |
| <p><a href="https://www.apache.org/foundation/marks/list/">Apache, ActiveMQ, Apache ActiveMQ</a>, the Apache feather logo, and the Apache ActiveMQ project logo are trademarks of The Apache Software Foundation. Copyright © 2024, The Apache Software Foundation. Licensed under <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache License 2.0</a>.</p> |
| </div> |
| <div class="col-sm-3"> |
| <div > |
| <a href="https://www.apache.org"><img class="float-right" style="margin-top: 10px; max-height: 80px" src="/assets/img/apache-logo-small.png"/></a> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| </div> |
| |
| </body> |
| </html> |