| |
| <!DOCTYPE HTML> |
| <html lang="" > |
| <head> |
| <title>Masking Passwords ยท ActiveMQ Artemis Documentation</title> |
| <meta charset="UTF-8"> |
| <meta http-equiv="X-UA-Compatible" content="IE=edge" /> |
| <meta content="text/html; charset=utf-8" http-equiv="Content-Type"> |
| <meta name="description" content=""> |
| <meta name="generator" content="GitBook 3.1.1"> |
| |
| |
| |
| |
| <link rel="stylesheet" href="gitbook/style.css"> |
| |
| |
| |
| |
| <link rel="stylesheet" href="gitbook/gitbook-plugin-highlight/website.css"> |
| |
| |
| |
| <link rel="stylesheet" href="gitbook/gitbook-plugin-search/search.css"> |
| |
| |
| |
| <link rel="stylesheet" href="gitbook/gitbook-plugin-fontsettings/website.css"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <meta name="HandheldFriendly" content="true"/> |
| <meta name="viewport" content="width=device-width, initial-scale=1, user-scalable=no"> |
| <meta name="apple-mobile-web-app-capable" content="yes"> |
| <meta name="apple-mobile-web-app-status-bar-style" content="black"> |
| <link rel="apple-touch-icon-precomposed" sizes="152x152" href="gitbook/images/apple-touch-icon-precomposed-152.png"> |
| <link rel="shortcut icon" href="gitbook/images/favicon.ico" type="image/x-icon"> |
| |
| |
| <link rel="next" href="broker-plugins.html" /> |
| |
| |
| <link rel="prev" href="security.html" /> |
| |
| |
| </head> |
| <body> |
| |
| <div class="book"> |
| <div class="book-summary"> |
| |
| |
| <div id="book-search-input" role="search"> |
| <input type="text" placeholder="Type to search" /> |
| </div> |
| |
| |
| <nav role="navigation"> |
| |
| |
| |
| <ul class="summary"> |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| <li class="chapter " data-level="1.1" data-path="./"> |
| |
| <a href="./"> |
| |
| |
| Introduction |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.2" data-path="notice.html"> |
| |
| <a href="notice.html"> |
| |
| |
| Legal Notice |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.3" data-path="preface.html"> |
| |
| <a href="preface.html"> |
| |
| |
| Preface |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.4" data-path="project-info.html"> |
| |
| <a href="project-info.html"> |
| |
| |
| Project Info |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.5" data-path="versions.html"> |
| |
| <a href="versions.html"> |
| |
| |
| Versions |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.6" data-path="messaging-concepts.html"> |
| |
| <a href="messaging-concepts.html"> |
| |
| |
| Messaging Concepts |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.7" data-path="architecture.html"> |
| |
| <a href="architecture.html"> |
| |
| |
| Architecture |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.8" data-path="using-server.html"> |
| |
| <a href="using-server.html"> |
| |
| |
| Using the Server |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.9" data-path="upgrading.html"> |
| |
| <a href="upgrading.html"> |
| |
| |
| Upgrading |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.10" data-path="address-model.html"> |
| |
| <a href="address-model.html"> |
| |
| |
| Address Model |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.11" data-path="protocols-interoperability.html"> |
| |
| <a href="protocols-interoperability.html"> |
| |
| |
| Protocols and Interoperability |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.12" data-path="amqp.html"> |
| |
| <a href="amqp.html"> |
| |
| |
| AMQP |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.13" data-path="mqtt.html"> |
| |
| <a href="mqtt.html"> |
| |
| |
| MQTT |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.14" data-path="stomp.html"> |
| |
| <a href="stomp.html"> |
| |
| |
| STOMP |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.15" data-path="openwire.html"> |
| |
| <a href="openwire.html"> |
| |
| |
| OpenWire |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.16" data-path="core.html"> |
| |
| <a href="core.html"> |
| |
| |
| Core |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.17" data-path="jms-core-mapping.html"> |
| |
| <a href="jms-core-mapping.html"> |
| |
| |
| Mapping JMS Concepts to the Core API |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.18" data-path="using-jms.html"> |
| |
| <a href="using-jms.html"> |
| |
| |
| Using JMS |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.19" data-path="client-classpath.html"> |
| |
| <a href="client-classpath.html"> |
| |
| |
| The Client Classpath |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.20" data-path="examples.html"> |
| |
| <a href="examples.html"> |
| |
| |
| Examples |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.21" data-path="wildcard-routing.html"> |
| |
| <a href="wildcard-routing.html"> |
| |
| |
| Routing Messages With Wild Cards |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.22" data-path="wildcard-syntax.html"> |
| |
| <a href="wildcard-syntax.html"> |
| |
| |
| Wildcard Syntax |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.23" data-path="filter-expressions.html"> |
| |
| <a href="filter-expressions.html"> |
| |
| |
| Filter Expressions |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.24" data-path="persistence.html"> |
| |
| <a href="persistence.html"> |
| |
| |
| Persistence |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.25" data-path="configuring-transports.html"> |
| |
| <a href="configuring-transports.html"> |
| |
| |
| Configuring Transports |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.26" data-path="config-reload.html"> |
| |
| <a href="config-reload.html"> |
| |
| |
| Configuration Reload |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.27" data-path="connection-ttl.html"> |
| |
| <a href="connection-ttl.html"> |
| |
| |
| Detecting Dead Connections |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.28" data-path="slow-consumers.html"> |
| |
| <a href="slow-consumers.html"> |
| |
| |
| Detecting Slow Consumers |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.29" data-path="network-isolation.html"> |
| |
| <a href="network-isolation.html"> |
| |
| |
| Avoiding Network Isolation |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.30" data-path="critical-analysis.html"> |
| |
| <a href="critical-analysis.html"> |
| |
| |
| Detecting Broker Issues (Critical Analysis) |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.31" data-path="transaction-config.html"> |
| |
| <a href="transaction-config.html"> |
| |
| |
| Resource Manager Configuration |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.32" data-path="flow-control.html"> |
| |
| <a href="flow-control.html"> |
| |
| |
| Flow Control |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.33" data-path="send-guarantees.html"> |
| |
| <a href="send-guarantees.html"> |
| |
| |
| Guarantees of sends and commits |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.34" data-path="undelivered-messages.html"> |
| |
| <a href="undelivered-messages.html"> |
| |
| |
| Message Redelivery and Undelivered Messages |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.35" data-path="message-expiry.html"> |
| |
| <a href="message-expiry.html"> |
| |
| |
| Message Expiry |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.36" data-path="large-messages.html"> |
| |
| <a href="large-messages.html"> |
| |
| |
| Large Messages |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.37" data-path="paging.html"> |
| |
| <a href="paging.html"> |
| |
| |
| Paging |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.38" data-path="scheduled-messages.html"> |
| |
| <a href="scheduled-messages.html"> |
| |
| |
| Scheduled Messages |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.39" data-path="last-value-queues.html"> |
| |
| <a href="last-value-queues.html"> |
| |
| |
| Last-Value Queues |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.40" data-path="ring-queues.html"> |
| |
| <a href="ring-queues.html"> |
| |
| |
| Ring Queues |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.41" data-path="retroactive-addresses.html"> |
| |
| <a href="retroactive-addresses.html"> |
| |
| |
| Retroactive Addresses |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.42" data-path="exclusive-queues.html"> |
| |
| <a href="exclusive-queues.html"> |
| |
| |
| Exclusive Queues |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.43" data-path="message-grouping.html"> |
| |
| <a href="message-grouping.html"> |
| |
| |
| Message Grouping |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.44" data-path="consumer-priority.html"> |
| |
| <a href="consumer-priority.html"> |
| |
| |
| Consumer Priority |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.45" data-path="pre-acknowledge.html"> |
| |
| <a href="pre-acknowledge.html"> |
| |
| |
| Extra Acknowledge Modes |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.46" data-path="management.html"> |
| |
| <a href="management.html"> |
| |
| |
| Management |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.47" data-path="management-console.html"> |
| |
| <a href="management-console.html"> |
| |
| |
| Management Console |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.48" data-path="metrics.html"> |
| |
| <a href="metrics.html"> |
| |
| |
| Metrics |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.49" data-path="security.html"> |
| |
| <a href="security.html"> |
| |
| |
| Security |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter active" data-level="1.50" data-path="masking-passwords.html"> |
| |
| <a href="masking-passwords.html"> |
| |
| |
| Masking Passwords |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.51" data-path="broker-plugins.html"> |
| |
| <a href="broker-plugins.html"> |
| |
| |
| Broker Plugins |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.52" data-path="resource-limits.html"> |
| |
| <a href="resource-limits.html"> |
| |
| |
| Resource Limits |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.53" data-path="jms-bridge.html"> |
| |
| <a href="jms-bridge.html"> |
| |
| |
| The JMS Bridge |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.54" data-path="client-reconnection.html"> |
| |
| <a href="client-reconnection.html"> |
| |
| |
| Client Reconnection and Session Reattachment |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.55" data-path="diverts.html"> |
| |
| <a href="diverts.html"> |
| |
| |
| Diverting and Splitting Message Flows |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.56" data-path="core-bridges.html"> |
| |
| <a href="core-bridges.html"> |
| |
| |
| Core Bridges |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.57" data-path="transformers.html"> |
| |
| <a href="transformers.html"> |
| |
| |
| Transformers |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.58" data-path="duplicate-detection.html"> |
| |
| <a href="duplicate-detection.html"> |
| |
| |
| Duplicate Message Detection |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.59" data-path="clusters.html"> |
| |
| <a href="clusters.html"> |
| |
| |
| Clusters |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.60" data-path="federation.html"> |
| |
| <a href="federation.html"> |
| |
| |
| Federation |
| |
| </a> |
| |
| |
| |
| <ul class="articles"> |
| |
| |
| <li class="chapter " data-level="1.60.1" data-path="federation-address.html"> |
| |
| <a href="federation-address.html"> |
| |
| |
| Address Federation |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.60.2" data-path="federation-queue.html"> |
| |
| <a href="federation-queue.html"> |
| |
| |
| Queue Federation |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| |
| </ul> |
| |
| </li> |
| |
| <li class="chapter " data-level="1.61" data-path="ha.html"> |
| |
| <a href="ha.html"> |
| |
| |
| High Availability and Failover |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.62" data-path="graceful-shutdown.html"> |
| |
| <a href="graceful-shutdown.html"> |
| |
| |
| Graceful Server Shutdown |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.63" data-path="libaio.html"> |
| |
| <a href="libaio.html"> |
| |
| |
| Libaio Native Libraries |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.64" data-path="thread-pooling.html"> |
| |
| <a href="thread-pooling.html"> |
| |
| |
| Thread management |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.65" data-path="web-server.html"> |
| |
| <a href="web-server.html"> |
| |
| |
| Embedded Web Server |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.66" data-path="logging.html"> |
| |
| <a href="logging.html"> |
| |
| |
| Logging |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.67" data-path="rest.html"> |
| |
| <a href="rest.html"> |
| |
| |
| REST Interface |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.68" data-path="embedding-activemq.html"> |
| |
| <a href="embedding-activemq.html"> |
| |
| |
| Embedding the Broker |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.69" data-path="karaf.html"> |
| |
| <a href="karaf.html"> |
| |
| |
| Apache Karaf |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.70" data-path="tomcat.html"> |
| |
| <a href="tomcat.html"> |
| |
| |
| Apache Tomcat |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.71" data-path="spring-integration.html"> |
| |
| <a href="spring-integration.html"> |
| |
| |
| Spring Integration |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.72" data-path="cdi-integration.html"> |
| |
| <a href="cdi-integration.html"> |
| |
| |
| CDI Integration |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.73" data-path="intercepting-operations.html"> |
| |
| <a href="intercepting-operations.html"> |
| |
| |
| Intercepting Operations |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.74" data-path="data-tools.html"> |
| |
| <a href="data-tools.html"> |
| |
| |
| Data Tools |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.75" data-path="maven-plugin.html"> |
| |
| <a href="maven-plugin.html"> |
| |
| |
| Maven Plugin |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.76" data-path="unit-testing.html"> |
| |
| <a href="unit-testing.html"> |
| |
| |
| Unit Testing |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.77" data-path="perf-tuning.html"> |
| |
| <a href="perf-tuning.html"> |
| |
| |
| Troubleshooting and Performance Tuning |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| <li class="chapter " data-level="1.78" data-path="configuration-index.html"> |
| |
| <a href="configuration-index.html"> |
| |
| |
| Configuration Reference |
| |
| </a> |
| |
| |
| |
| </li> |
| |
| |
| |
| |
| <li class="divider"></li> |
| |
| <li> |
| <a href="https://www.gitbook.com" target="blank" class="gitbook-link"> |
| Published with GitBook |
| </a> |
| </li> |
| </ul> |
| |
| |
| </nav> |
| |
| |
| </div> |
| |
| <div class="book-body"> |
| |
| <div class="body-inner"> |
| |
| |
| |
| <div class="book-header" role="navigation"> |
| |
| |
| <!-- Title --> |
| <h1> |
| <i class="fa fa-circle-o-notch fa-spin"></i> |
| <a href="." >Masking Passwords</a> |
| </h1> |
| </div> |
| |
| |
| |
| |
| <div class="page-wrapper" tabindex="-1" role="main"> |
| <div class="page-inner"> |
| |
| <div id="book-search-results"> |
| <div class="search-noresults"> |
| |
| <section class="normal markdown-section"> |
| |
| <h1 id="masking-passwords">Masking Passwords</h1> |
| <p>By default all passwords in Apache ActiveMQ Artemis server's configuration |
| files are in plain text form. This usually poses no security issues as those |
| files should be well protected from unauthorized accessing. However, in some |
| circumstances a user doesn't want to expose its passwords to more eyes than |
| necessary.</p> |
| <p>Apache ActiveMQ Artemis can be configured to use 'masked' passwords in its |
| configuration files. A masked password is an obscure string representation of a |
| real password. To mask a password a user will use an 'codec'. The codec |
| takes in the real password and outputs the masked version. A user can then |
| replace the real password in the configuration files with the new masked |
| password. When Apache ActiveMQ Artemis loads a masked password it uses the |
| codec to decode it back into the real password.</p> |
| <p>Apache ActiveMQ Artemis provides a default codec. Optionally users can use |
| or implement their own codec for masking the passwords.</p> |
| <p>In general, a masked password can be identified using one of two ways. The |
| first one is the <code>ENC()</code> syntax, i.e. any string value wrapped in <code>ENC()</code> is to |
| be treated as a masked password. For example</p> |
| <p><code>ENC(xyz)</code></p> |
| <p>The above indicates that the password is masked and the masked value is <code>xyz</code>.</p> |
| <p>The <code>ENC()</code> syntax is the <strong>preferred way</strong> of masking a password and is |
| universally supported in every password configuration in Artemis.</p> |
| <p>The other, legacy way is to use a <code>mask-password</code> attribute to tell that a |
| password in a configuration file should be treated as 'masked'. For example:</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">mask-password</span>></span>true<span class="hljs-tag"></<span class="hljs-name">mask-password</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">cluster-password</span>></span>xyz<span class="hljs-tag"></<span class="hljs-name">cluster-password</span>></span> |
| </code></pre> |
| <p>This method is now <strong>deprecated</strong> and exists only to maintain |
| backward-compatibility. Newer configurations may not support it.</p> |
| <h2 id="generating-a-masked-password">Generating a Masked Password</h2> |
| <p>To get a mask for a password using the broker's default codec run the |
| <code>mask</code> command from your Artemis <em>instance</em>. This command will not work |
| from the Artemis home:</p> |
| <pre><code class="lang-sh">./artemis mask <plaintextPassword> |
| </code></pre> |
| <p>You'll get something like</p> |
| <pre><code>result: 32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360 |
| </code></pre><p>Just copy <code>32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360</code> and replace your |
| plaintext password with it using the <code>ENC()</code> syntax, e.g. |
| <code>ENC(32c6f67dae6cd61b0a7ad1702033aa81e6b2a760123f4360)</code>.</p> |
| <p>This process works for passwords in:</p> |
| <ul> |
| <li><code>broker.xml</code></li> |
| <li><code>login.config</code></li> |
| <li><code>bootstrap.xml</code></li> |
| <li><code>management.xml</code></li> |
| </ul> |
| <p>This process does <strong>not</strong> work for passwords in:</p> |
| <ul> |
| <li><code>artemis-users.properties</code></li> |
| </ul> |
| <p>Maksed passwords for <code>artemis-users.properties</code> <em>can</em> be generated using the |
| <code>mask</code> command using the <code>--hash</code> command-line option. However, we recommend |
| using the set of tools provided by the <code>user</code> command described below.</p> |
| <h2 id="masking-configuration">Masking Configuration</h2> |
| <p>Besides supporting the <code>ENC()</code> syntax, the server configuration file (i.e. |
| broker.xml) has a property that defines the default masking behaviors over the |
| entire file scope.</p> |
| <p><code>mask-password</code>: this boolean type property indicates if a password should be |
| masked or not. Set it to "true" if you want your passwords masked. The default |
| value is "false". As noted above, this configuration parameter is deprecated.</p> |
| <p><code>password-codec</code>: this string type property identifies the name of the class |
| which will be used to decode the masked password within the broker. If not |
| specified then the default |
| <code>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec</code> will be used.</p> |
| <h3 id="artemis-usersproperties">artemis-users.properties</h3> |
| <p>Apache ActiveMQ Artemis's built-in security manager uses plain properties files |
| where the user passwords are specified in a hashed form by default. Note, the |
| passwords are technically <em>hashed</em> rather than masked in this context. The |
| default <code>PropertiesLoginModule</code> will not decode the passwords in |
| <code>artemis-users.properties</code> but will instead hash the input and compare the two |
| hashed values for password verification.</p> |
| <p>Use the following command from the CLI of the Aremtis <em>instance</em> you wish to |
| add the user/password to. This command will not work from the Artemis home |
| used to create the instance. For example:</p> |
| <pre><code class="lang-sh">./artemis user add --user guest --password guest --role admin |
| </code></pre> |
| <p>This will use the default codec to perform a "one-way" hash of the password |
| and alter both the <code>artemis-users.properties</code> and <code>artemis-roles.properties</code> |
| files with the specified values.</p> |
| <p>Passwords in <code>artemis-users.properties</code> are automatically detected as hashed or |
| not by looking for the syntax <code>ENC(<hash>)</code>. The <code>mask-password</code> parameter does |
| not need to be <code>true</code> to use hashed passwords here.</p> |
| <h3 id="cluster-password">cluster-password</h3> |
| <p>If it is specified in <code>ENC()</code> syntax it will be treated as masked, or |
| if <code>mask-password</code> is <code>true</code> the <code>cluster-password</code> will be treated as masked.</p> |
| <h3 id="connectors--acceptors">Connectors & Acceptors</h3> |
| <p>In broker.xml <code>connector</code> and <code>acceptor</code> configurations sometimes needs to |
| specify passwords. For example, if a user wants to use an <code>acceptor</code> with |
| <code>sslEnabled=true</code> it can specify <code>keyStorePassword</code> and <code>trustStorePassword</code>. |
| Because Acceptors and Connectors are pluggable implementations, each transport |
| will have different password masking needs.</p> |
| <p>The preferred way is simply to use the <code>ENC()</code> syntax.</p> |
| <p>If using the legacy <code>mask-password</code> and <code>password-codec</code> values then when a |
| <code>connector</code> or <code>acceptor</code> is initialised, Apache ActiveMQ Artemis will add |
| these values to the parameters using the keys <code>activemq.usemaskedpassword</code> |
| and <code>activemq.passwordcodec</code> respectively. The Netty and InVM implementations |
| will use these as needed and any other implementations will have access to |
| these to use if they so wish.</p> |
| <h3 id="core-bridges">Core Bridges</h3> |
| <p>Core Bridges are configured in the server configuration file and so the masking |
| of its <code>password</code> properties follows the same rules as that of |
| <code>cluster-password</code>. It supports <code>ENC()</code> syntax.</p> |
| <p>For using <code>mask-password</code> property, the following table summarizes the |
| relations among the above-mentioned properties</p> |
| <table> |
| <thead> |
| <tr> |
| <th>mask-password</th> |
| <th>cluster-password</th> |
| <th>acceptor/connector passwords</th> |
| <th>bridge password</th> |
| </tr> |
| </thead> |
| <tbody> |
| <tr> |
| <td>absent</td> |
| <td>plain text</td> |
| <td>plain text</td> |
| <td>plain text</td> |
| </tr> |
| <tr> |
| <td>false</td> |
| <td>plain text</td> |
| <td>plain text</td> |
| <td>plain text</td> |
| </tr> |
| <tr> |
| <td>true</td> |
| <td>masked</td> |
| <td>masked</td> |
| <td>masked</td> |
| </tr> |
| </tbody> |
| </table> |
| <p>It is recommended that you use the <code>ENC()</code> syntax for new applications/deployments.</p> |
| <h4 id="examples">Examples</h4> |
| <p><strong>Note:</strong> In the following examples if related attributed or properties are |
| absent, it means they are not specified in the configure file.</p> |
| <ul> |
| <li><p>Unmasked</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">cluster-password</span>></span>bbc<span class="hljs-tag"></<span class="hljs-name">cluster-password</span>></span> |
| </code></pre> |
| <p>This indicates the cluster password is a plain text value <code>bbc</code>.</p> |
| </li> |
| <li><p>Masked 1</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">cluster-password</span>></span>ENC(80cf731af62c290)<span class="hljs-tag"></<span class="hljs-name">cluster-password</span>></span> |
| </code></pre> |
| <p>This indicates the cluster password is a masked value <code>80cf731af62c290</code>.</p> |
| </li> |
| <li><p>Masked 2</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">mask-password</span>></span>true<span class="hljs-tag"></<span class="hljs-name">mask-password</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">cluster-password</span>></span>80cf731af62c290<span class="hljs-tag"></<span class="hljs-name">cluster-password</span>></span> |
| </code></pre> |
| <p>This indicates the cluster password is a masked value and Apache ActiveMQ |
| Artemis will use its built-in codec to decode it. All other passwords in the |
| configuration file, Connectors, Acceptors and Bridges, will also use masked |
| passwords.</p> |
| </li> |
| </ul> |
| <h3 id="bootstrapxml">bootstrap.xml</h3> |
| <p>The broker embeds a web-server for hosting some web applications such as a |
| management console. It is configured in <code>bootstrap.xml</code> as a web component. The |
| web server can be secured using the <code>https</code> protocol, and it can be configured |
| with a keystore password and/or truststore password which by default are |
| specified in plain text forms.</p> |
| <p>To mask these passwords you need to use <code>ENC()</code> syntax. The <code>mask-password</code> |
| boolean is not supported here.</p> |
| <p>You can also set the <code>passwordCodec</code> attribute if you want to use a password |
| codec other than the default one. For example</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">web</span> <span class="hljs-attr">bind</span>=<span class="hljs-string">"https://localhost:8443"</span> <span class="hljs-attr">path</span>=<span class="hljs-string">"web"</span> |
| <span class="hljs-attr">keyStorePassword</span>=<span class="hljs-string">"ENC(-5a2376c61c668aaf)"</span> |
| <span class="hljs-attr">trustStorePassword</span>=<span class="hljs-string">"ENC(3d617352d12839eb71208edf41d66b34)"</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">app</span> <span class="hljs-attr">url</span>=<span class="hljs-string">"activemq-branding"</span> <span class="hljs-attr">war</span>=<span class="hljs-string">"activemq-branding.war"</span>/></span> |
| <span class="hljs-tag"></<span class="hljs-name">web</span>></span> |
| </code></pre> |
| <h3 id="managementxml">management.xml</h3> |
| <p>The broker embeds a JMX connector which is used for management. The connector can |
| be secured using SSL and it can be configured with a keystore password and/or |
| truststore password which by default are specified in plain text forms.</p> |
| <p>To mask these passwords you need to use <code>ENC()</code> syntax. The <code>mask-password</code> |
| boolean is not supported here.</p> |
| <p>You can also set the <code>password-codec</code> attribute if you want to use a password |
| codec other than the default one. For example</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">connector</span> |
| <span class="hljs-attr">connector-port</span>=<span class="hljs-string">"1099"</span> |
| <span class="hljs-attr">connector-host</span>=<span class="hljs-string">"localhost"</span> |
| <span class="hljs-attr">secured</span>=<span class="hljs-string">"true"</span> |
| <span class="hljs-attr">key-store-path</span>=<span class="hljs-string">"myKeystore.jks"</span> |
| <span class="hljs-attr">key-store-password</span>=<span class="hljs-string">"ENC(3a34fd21b82bf2a822fa49a8d8fa115d"</span> |
| <span class="hljs-attr">trust-store-path</span>=<span class="hljs-string">"myTruststore.jks"</span> |
| <span class="hljs-attr">trust-store-password</span>=<span class="hljs-string">"ENC(3a34fd21b82bf2a822fa49a8d8fa115d)"</span>/></span> |
| </code></pre> |
| <p>With this configuration, both passwords in ra.xml and all of its MDBs will have |
| to be in masked form.</p> |
| <h3 id="loginconfig">login.config</h3> |
| <p>Artemis supports LDAP login modules to be configured in JAAS configuration file |
| (default name is <code>login.config</code>). When connecting to a LDAP server usually you |
| need to supply a connection password in the config file. By default this |
| password is in plain text form.</p> |
| <p>To mask it you need to configure the passwords in your login module using |
| <code>ENC()</code> syntax. To specify a codec using the following property:</p> |
| <p><code>passwordCodec</code> - the password codec class name. (the default codec will be |
| used if it is absent)</p> |
| <p>For example:</p> |
| <pre><code>LDAPLoginExternalPasswordCodec { |
| org.apache.activemq.artemis.spi.core.security.jaas.LDAPLoginModule required |
| debug=true |
| initialContextFactory=com.sun.jndi.ldap.LdapCtxFactory |
| connectionURL="ldap://localhost:1024" |
| connectionUsername="uid=admin,ou=system" |
| connectionPassword="ENC(-170b9ef34d79ed12)" |
| passwordCodec="org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec;key=helloworld" |
| connectionProtocol=s |
| authentication=simple |
| userBase="ou=system" |
| userSearchMatching="(uid={0})" |
| userSearchSubtree=false |
| roleBase="ou=system" |
| roleName=dummyRoleName |
| roleSearchMatching="(uid={1})" |
| roleSearchSubtree=false |
| ; |
| }; |
| </code></pre><h3 id="jca-resource-adapter">JCA Resource Adapter</h3> |
| <p>Both ra.xml and MDB activation configuration have a <code>password</code> property that |
| can be masked preferably using <code>ENC()</code> syntax.</p> |
| <p>Alternatively it can use an optional attribute in ra.xml to indicate that a |
| password is masked:</p> |
| <p><code>UseMaskedPassword</code> -- If setting to "true" the passwords are masked. Default |
| is false.</p> |
| <p>There is another property in ra.xml that can specify a codec:</p> |
| <p><code>PasswordCodec</code> -- Class name and its parameters for the codec used to decode |
| the masked password. Ignored if UseMaskedPassword is false. The format of this |
| property is a full qualified class name optionally followed by key/value pairs. |
| It is the same format as that for JMS Bridges. Example:</p> |
| <p>Example 1 Using the <code>ENC()</code> syntax:</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-name</span>></span>password<span class="hljs-tag"></<span class="hljs-name">config-property-name</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-type</span>></span>String<span class="hljs-tag"></<span class="hljs-name">config-property-type</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-value</span>></span>ENC(80cf731af62c290)<span class="hljs-tag"></<span class="hljs-name">config-property-value</span>></span> |
| <span class="hljs-tag"></<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-name</span>></span>PasswordCodec<span class="hljs-tag"></<span class="hljs-name">config-property-name</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-type</span>></span>java.lang.String<span class="hljs-tag"></<span class="hljs-name">config-property-type</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-value</span>></span>com.foo.ACodec;key=helloworld<span class="hljs-tag"></<span class="hljs-name">config-property-value</span>></span> |
| <span class="hljs-tag"></<span class="hljs-name">config-property</span>></span> |
| </code></pre> |
| <p>Example 2 Using the "UseMaskedPassword" property:</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-name</span>></span>UseMaskedPassword<span class="hljs-tag"></<span class="hljs-name">config-property-name</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-type</span>></span>boolean<span class="hljs-tag"></<span class="hljs-name">config-property-type</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-value</span>></span>true<span class="hljs-tag"></<span class="hljs-name">config-property-value</span>></span> |
| <span class="hljs-tag"></<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-name</span>></span>password<span class="hljs-tag"></<span class="hljs-name">config-property-name</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-type</span>></span>String<span class="hljs-tag"></<span class="hljs-name">config-property-type</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-value</span>></span>80cf731af62c290<span class="hljs-tag"></<span class="hljs-name">config-property-value</span>></span> |
| <span class="hljs-tag"></<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-name</span>></span>PasswordCodec<span class="hljs-tag"></<span class="hljs-name">config-property-name</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-type</span>></span>java.lang.String<span class="hljs-tag"></<span class="hljs-name">config-property-type</span>></span> |
| <span class="hljs-tag"><<span class="hljs-name">config-property-value</span>></span>com.foo.ACodec;key=helloworld<span class="hljs-tag"></<span class="hljs-name">config-property-value</span>></span> |
| <span class="hljs-tag"></<span class="hljs-name">config-property</span>></span> |
| </code></pre> |
| <h2 id="choosing-a-codec-for-password-masking">Choosing a codec for password masking</h2> |
| <p>As described in the previous sections, all password masking requires a codec. |
| A codec uses an algorithm to convert a masked password into its original |
| clear text form in order to be used in various security operations. The |
| algorithm used for decoding must match that for encoding. Otherwise the |
| decoding may not be successful.</p> |
| <p>For user's convenience Apache ActiveMQ Artemis provides a default codec. |
| However a user can implement their own if they wish.</p> |
| <h3 id="the-default-codec">The Default Codec</h3> |
| <p>Whenever no codec is specified in the configuration, the default codec |
| is used. The class name for the default codec is |
| <code>org.apache.activemq.artemis.utils.DefaultSensitiveStringCodec</code>. It has |
| hashing, encoding, and decoding capabilities. It uses <code>java.crypto.Cipher</code> |
| utilities to hash or encode a plaintext password and also to decode a masked |
| string using the same algorithm and key.</p> |
| <h3 id="using-a-custom-codec">Using a custom codec</h3> |
| <p>It is possible to use a custom codec rather than the built-in one. Simply |
| make sure the codec is in Apache ActiveMQ Artemis's classpath. The custom |
| codec can also be service loaded rather than class loaded, if the codec's |
| service provider is installed in the classpath. Then configure the server to |
| use it as follows:</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">password-codec</span>></span>com.foo.SomeCodec;key1=value1;key2=value2<span class="hljs-tag"></<span class="hljs-name">password-codec</span>></span> |
| </code></pre> |
| <p>If your codec needs params passed to it you can do this via key/value pairs |
| when configuring. For instance if your codec needs say a "key-location" |
| parameter, you can define like so:</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">password-codec</span>></span>com.foo.NewCodec;key-location=/some/url/to/keyfile<span class="hljs-tag"></<span class="hljs-name">password-codec</span>></span> |
| </code></pre> |
| <p>Then configure your cluster-password like this:</p> |
| <pre><code class="lang-xml"><span class="hljs-tag"><<span class="hljs-name">cluster-password</span>></span>ENC(masked_password)<span class="hljs-tag"></<span class="hljs-name">cluster-password</span>></span> |
| </code></pre> |
| <p>When Apache ActiveMQ Artemis reads the cluster-password it will initialize the |
| <code>NewCodec</code> and use it to decode "mask_password". It also process all passwords |
| using the new defined codec.</p> |
| <h4 id="implementing-custom-codecs">Implementing Custom Codecs</h4> |
| <p>To use a different codec than the built-in one, you either pick one from |
| existing libraries or you implement it yourself. All codecs must implement |
| the <code>org.apache.activemq.artemis.utils.SensitiveDataCodec<T></code> interface:</p> |
| <pre><code class="lang-java"><span class="hljs-keyword">public</span> <span class="hljs-class"><span class="hljs-keyword">interface</span> <span class="hljs-title">SensitiveDataCodec</span><<span class="hljs-title">T</span>> </span>{ |
| |
| <span class="hljs-function">T <span class="hljs-title">decode</span><span class="hljs-params">(Object mask)</span> <span class="hljs-keyword">throws</span> Exception</span>; |
| |
| <span class="hljs-function">T <span class="hljs-title">encode</span><span class="hljs-params">(Object secret)</span> <span class="hljs-keyword">throws</span> Exception</span>; |
| |
| <span class="hljs-function"><span class="hljs-keyword">default</span> <span class="hljs-keyword">void</span> <span class="hljs-title">init</span><span class="hljs-params">(Map<String, String> params)</span> <span class="hljs-keyword">throws</span> Exception </span>{ |
| }; |
| } |
| </code></pre> |
| <p>This is a generic type interface but normally for a password you just need |
| String type. So a new codec would be defined like</p> |
| <pre><code class="lang-java">public class MyCodec implements SensitiveDataCodec<String> { |
| @Override |
| public String decode(Object mask) throws Exception { |
| // Decode the mask into clear text password. |
| return "the password"; |
| } |
| |
| @Override |
| public String encode(Object secret) throws Exception { |
| // Mask the clear text password. |
| return "the masked password""; |
| } |
| |
| @Override |
| public void init(Map<String, String> params) { |
| // Initialization done here. It is called right after the codec has been created. |
| } |
| } |
| </code></pre> |
| <p>Last but not least, once you get your own codec please <a href="using-server.html#adding-runtime-dependencies">add it to the |
| classpath</a> otherwise the broker |
| will fail to load it!</p> |
| |
| |
| </section> |
| |
| </div> |
| <div class="search-results"> |
| <div class="has-results"> |
| |
| <h1 class="search-results-title"><span class='search-results-count'></span> results matching "<span class='search-query'></span>"</h1> |
| <ul class="search-results-list"></ul> |
| |
| </div> |
| <div class="no-results"> |
| |
| <h1 class="search-results-title">No results matching "<span class='search-query'></span>"</h1> |
| |
| </div> |
| </div> |
| </div> |
| |
| </div> |
| </div> |
| |
| </div> |
| |
| |
| |
| <a href="security.html" class="navigation navigation-prev " aria-label="Previous page: Security"> |
| <i class="fa fa-angle-left"></i> |
| </a> |
| |
| |
| <a href="broker-plugins.html" class="navigation navigation-next " aria-label="Next page: Broker Plugins"> |
| <i class="fa fa-angle-right"></i> |
| </a> |
| |
| |
| |
| </div> |
| |
| <script> |
| var gitbook = gitbook || []; |
| gitbook.push(function() { |
| gitbook.page.hasChanged({"page":{"title":"Masking Passwords","level":"1.50","depth":1,"next":{"title":"Broker Plugins","level":"1.51","depth":1,"path":"broker-plugins.md","ref":"broker-plugins.md","articles":[]},"previous":{"title":"Security","level":"1.49","depth":1,"path":"security.md","ref":"security.md","articles":[]},"dir":"ltr"},"config":{"plugins":[],"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"pluginsConfig":{"highlight":{},"search":{},"lunr":{"maxIndexSize":1000000},"sharing":{"facebook":true,"twitter":true,"google":false,"weibo":false,"instapaper":false,"vk":false,"all":["facebook","google","twitter","weibo","instapaper"]},"fontsettings":{"theme":"white","family":"sans","size":2},"theme-default":{"styles":{"website":"styles/website.css","pdf":"styles/pdf.css","epub":"styles/epub.css","mobi":"styles/mobi.css","ebook":"styles/ebook.css","print":"styles/print.css"},"showLevel":false}},"github":"apache/activemq-artemis","theme":"default","githubHost":"https://github.com/","pdf":{"pageNumbers":true,"fontSize":12,"fontFamily":"Arial","paperSize":"a4","chapterMark":"pagebreak","pageBreaksBefore":"/","margin":{"right":62,"left":62,"top":56,"bottom":56}},"structure":{"langs":"LANGS.md","readme":"README.md","glossary":"GLOSSARY.md","summary":"SUMMARY.md"},"variables":{},"title":"ActiveMQ Artemis Documentation","links":{"home":"http://activemq.apache.org/artemis","issues":"https://issues.apache.org/jira/browse/ARTEMIS","contribute":"http://activemq.apache.org/contributing.html"},"gitbook":"3.x.x","description":"ActiveMQ Artemis User Guide and Reference Documentation"},"file":{"path":"masking-passwords.md","mtime":"2020-04-27T19:30:24.000Z","type":"markdown"},"gitbook":{"version":"3.1.1","time":"2020-04-29T20:47:49.444Z"},"basePath":".","book":{"language":""}}); |
| }); |
| </script> |
| </div> |
| |
| |
| <script src="gitbook/gitbook.js"></script> |
| <script src="gitbook/theme.js"></script> |
| |
| |
| <script src="gitbook/gitbook-plugin-search/search-engine.js"></script> |
| |
| |
| |
| <script src="gitbook/gitbook-plugin-search/search.js"></script> |
| |
| |
| |
| <script src="gitbook/gitbook-plugin-lunr/lunr.min.js"></script> |
| |
| |
| |
| <script src="gitbook/gitbook-plugin-lunr/search-lunr.js"></script> |
| |
| |
| |
| <script src="gitbook/gitbook-plugin-sharing/buttons.js"></script> |
| |
| |
| |
| <script src="gitbook/gitbook-plugin-fontsettings/fontsettings.js"></script> |
| |
| |
| |
| </body> |
| </html> |
| |