Google Git
Sign in
apache / qpid-site / f9abb2ff3d4c69ea77648025917cf9fd15af75c3 / . / content / releases / qpid-broker-j-7.1.9 / book / Java-Broker-Security-Configuration-Encryption.html
blob: 91c97c810651b759478a6f3fdabec72ad9e1e4ea [file] [log] [blame]
<!DOCTYPE html>
<!--
-
- Licensed to the Apache Software Foundation (ASF) under one
- or more contributor license agreements. See the NOTICE file
- distributed with this work for additional information
- regarding copyright ownership. The ASF licenses this file
- to you under the Apache License, Version 2.0 (the
- "License"); you may not use this file except in compliance
- with the License. You may obtain a copy of the License at
-
- http://www.apache.org/licenses/LICENSE-2.0
-
- Unless required by applicable law or agreed to in writing,
- software distributed under the License is distributed on an
- "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
- KIND, either express or implied. See the License for the
- specific language governing permissions and limitations
- under the License.
-
-->
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
<head>
<title>8.4.&#160;Configuration Encryption - Apache Qpid&#8482;</title>
<meta http-equiv="X-UA-Compatible" content="IE=edge"/>
<meta name="viewport" content="width=device-width, initial-scale=1.0"/>
<link rel="stylesheet" href="/site.css" type="text/css" async="async"/>
<link rel="stylesheet" href="/deferred.css" type="text/css" defer="defer"/>
<script type="text/javascript">var _deferredFunctions = [];</script>
<script type="text/javascript" src="/deferred.js" defer="defer"></script>
<!--[if lte IE 8]>
<link rel="stylesheet" href="/ie.css" type="text/css"/>
<script type="text/javascript" src="/html5shiv.js"></script>
<![endif]-->
<!-- Redirects for `go get` and godoc.org -->
<meta name="go-import"
content="qpid.apache.org git https://gitbox.apache.org/repos/asf/qpid-proton.git"/>
<meta name="go-source"
content="qpid.apache.org
https://github.com/apache/qpid-proton/blob/go1/README.md
https://github.com/apache/qpid-proton/tree/go1{/dir}
https://github.com/apache/qpid-proton/blob/go1{/dir}/{file}#L{line}"/>
</head>
<body>
<div id="-content">
<div id="-top" class="panel">
<a id="-menu-link"><img width="16" height="16" src="" alt="Menu"/></a>
<a id="-search-link"><img width="22" height="16" src="" alt="Search"/></a>
<ul id="-global-navigation">
<li><a id="-logotype" href="/index.html">Apache Qpid<sup>&#8482;</sup></a></li>
<li><a href="/documentation.html">Documentation</a></li>
<li><a href="/download.html">Download</a></li>
<li><a href="/discussion.html">Discussion</a></li>
</ul>
</div>
<div id="-menu" class="panel" style="display: none;">
<div class="flex">
<section>
<h3>Project</h3>
<ul>
<li><a href="/overview.html">Overview</a></li>
<li><a href="/components/index.html">Components</a></li>
<li><a href="/releases/index.html">Releases</a></li>
</ul>
</section>
<section>
<h3>Messaging APIs</h3>
<ul>
<li><a href="/proton/index.html">Qpid Proton</a></li>
<li><a href="/components/jms/index.html">Qpid JMS</a></li>
<li><a href="/components/messaging-api/index.html">Qpid Messaging API</a></li>
</ul>
</section>
<section>
<h3>Servers and tools</h3>
<ul>
<li><a href="/components/broker-j/index.html">Broker-J</a></li>
<li><a href="/components/cpp-broker/index.html">C++ broker</a></li>
<li><a href="/components/dispatch-router/index.html">Dispatch router</a></li>
</ul>
</section>
<section>
<h3>Resources</h3>
<ul>
<li><a href="/dashboard.html">Dashboard</a></li>
<li><a href="https://cwiki.apache.org/confluence/display/qpid/Index">Wiki</a></li>
<li><a href="/resources.html">More resources</a></li>
</ul>
</section>
</div>
</div>
<div id="-search" class="panel" style="display: none;">
<form action="http://www.google.com/search" method="get">
<input type="hidden" name="sitesearch" value="qpid.apache.org"/>
<input type="text" name="q" maxlength="255" autofocus="autofocus" tabindex="1"/>
<button type="submit">Search</button>
<a href="/search.html">More ways to search</a>
</form>
</div>
<div id="-middle" class="panel">
<ul id="-path-navigation"><li><a href="/index.html">Home</a></li><li><a href="/releases/index.html">Releases</a></li><li><a href="/releases/qpid-broker-j-7.1.9/index.html">Qpid Broker-J 7.1.9</a></li><li><a href="/releases/qpid-broker-j-7.1.9/book/index.html">Apache Qpid Broker-J</a></li><li>8.4.&#160;Configuration Encryption</li></ul>
<div id="-middle-content">
<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.4.&#160;Configuration Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-AccessControlProviders.html">Prev</a>&#160;</td><th align="center" width="60%">Chapter&#160;8.&#160;Security</th><td align="right" width="20%">&#160;<a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Configuration-Encryption"></a>8.4.&#160;Configuration Encryption</h2></div></div></div><p> The Broker is capable of encrypting passwords and other security items stored in the
Broker's configuration. This is means that items such as keystore/truststore passwords, JDBC
passwords, and LDAP passwords can be stored in the configure in a form that is difficult to
read.</p><p>The Broker ships with an encryptor implementation called <code class="literal">AESKeyFile</code>. This
uses a securely generated random key of 256bit<a class="footnote" href="#ftn.d0e5510" id="d0e5510"><sup class="footnote">[9]</sup></a> to encrypt the secrets stored within a key
file. Of course, the key itself must be guarded carefully, otherwise the passwords encrypted
with it may be compromised. For this reason, the Broker ensures that the file's permissions
allow the file to be read exclusively by the user account used for running the Broker.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>If the keyfile is lost or corrupted, the secrets will be irrecoverable.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Configuration"></a>8.4.1.&#160;Configuration</h3></div></div></div><p>The <code class="literal">AESKeyFile</code> encyptor provider is enabled/disabled via the <a class="link" href="Java-Broker-Management-Managing-Broker.html" title="7.2.&#160;Broker">Broker attributes</a> within the
Web Management Console. On enabling the provider, any existing passwords within the
configuration will be automatically rewritten in the encrypted form.</p><p>Note that passwords stored by the Authentication Providers <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.8.&#160;Plain Password File (Deprecated)">PlainPasswordFile</a> and.
<a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.10.&#160;Base64MD5 Password File (Deprecated)">PlainPasswordFile</a>
with the external password files are <span class="emphasis"><em>not</em></span> encrypted by the key. Use the
Scram Authentication Managers instead; these make use of the Configuration Encryption when
storing the users' passwords. </p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Alternate-Implementations"></a>8.4.2.&#160;Alternate Implementations</h3></div></div></div><p>If the <code class="literal">AESKeyFile</code> encryptor implementation does not meet the needs of
the user, perhaps owing to the security standards of their institution, the
<code class="literal">ConfigurationSecretEncrypter</code> interface is designed as an extension point.
Users may implement their own implementation of ConfigurationSecretEncrypter perhaps to employ
stronger encryption or delegating the storage of the key to an Enterprise Password
Safe.</p></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e5510"><p><a class="para" href="#d0e5510"><sup class="para">[9] </sup></a>Java Cryptography Extension (JCE)
Unlimited Strength required</p></div></div></div><div class="navfooter"><hr /><table summary="Navigation footer" width="100%"><tr><td align="left" width="40%"><a accesskey="p" href="Java-Broker-Security-AccessControlProviders.html">Prev</a>&#160;</td><td align="center" width="20%"><a accesskey="u" href="Java-Broker-Security.html">Up</a></td><td align="right" width="40%">&#160;<a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr><tr><td align="left" valign="top" width="40%">8.3.&#160;Access Control Providers&#160;</td><td align="center" width="20%"><a accesskey="h" href="Apache-Qpid-Broker-J-Book.html">Home</a></td><td align="right" valign="top" width="40%">&#160;Chapter&#160;9.&#160;Runtime</td></tr></table></div></div>
<hr/>
<ul id="-apache-navigation">
<li><a href="http://www.apache.org/">Apache</a></li>
<li><a href="http://www.apache.org/licenses/">License</a></li>
<li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
<li><a href="http://www.apache.org/foundation/thanks.html">Thanks!</a></li>
<li><a href="/security.html">Security</a></li>
<li><a href="http://www.apache.org/"><img id="-apache-feather" width="48" height="14" src="" alt="Apache"/></a></li>
</ul>
<p id="-legal">
Apache Qpid, Messaging built on AMQP; Copyright &#169; 2015
The Apache Software Foundation; Licensed under
the <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache
License, Version 2.0</a>; Apache Qpid, Qpid, Qpid Proton,
Proton, Apache, the Apache feather logo, and the Apache Qpid
project logo are trademarks of The Apache Software
Foundation; All other marks mentioned may be trademarks or
registered trademarks of their respective owners
</p>
</div>
</div>
</div>
</body>
</html>