<div class="docbook"><div class="navheader"><table summary="Navigation header" width="100%"><tr><th align="center" colspan="3">8.4. Configuration Encryption</th></tr><tr><td align="left" width="20%"><a accesskey="p" href="Java-Broker-Security-AccessControlProviders.html">Prev</a> </td><th align="center" width="60%">Chapter 8. Security</th><td align="right" width="20%"> <a accesskey="n" href="Java-Broker-Runtime.html">Next</a></td></tr></table><hr /></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a id="Java-Broker-Security-Configuration-Encryption"></a>8.4. Configuration Encryption</h2></div></div></div><p> The Broker is capable of encrypting passwords and other security items stored in the
Broker's configuration. This means that items such as keystore/truststore passwords, JDBC
passwords, and LDAP passwords can be stored in the configuration in a form that is difficult to
read.</p><p>The Broker ships with an encryptor implementation called <code class="literal">AESKeyFile</code>. This
uses a securely generated random 256-bit key<a class="footnote" href="#ftn.d0e5510" id="d0e5510"><sup class="footnote">[9]</sup></a>, held in a key file, to encrypt the
secrets. Of course, the key itself must be guarded carefully, otherwise the passwords encrypted
with it may be compromised. For this reason, the Broker ensures that the file's permissions
allow the file to be read exclusively by the user account used for running the Broker.</p><div class="important" style="margin-left: 0.5in; margin-right: 0.5in;"><h3 class="title">Important</h3><p>If the keyfile is lost or corrupted, the secrets will be irrecoverable.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Configuration"></a>8.4.1. Configuration</h3></div></div></div><p>The <code class="literal">AESKeyFile</code> encryptor provider is enabled/disabled via the <a class="link" href="Java-Broker-Management-Managing-Broker.html" title="7.2. Broker">Broker attributes</a> within the
Web Management Console. On enabling the provider, any existing passwords within the
configuration will be automatically rewritten in the encrypted form.</p><p>Note that passwords stored by the Authentication Providers <a class="link" href="Java-Broker-Security.html#Java-Broker-Security-PlainPasswordFile-Provider" title="8.1.8. Plain Password File (Deprecated)">PlainPasswordFile</a> and
<a class="link" href="Java-Broker-Security.html#Java-Broker-Security-Base64MD5PasswordFile-Provider" title="8.1.10. Base64MD5 Password File (Deprecated)">Base64MD5PasswordFile</a>
with the external password files are <span class="emphasis"><em>not</em></span> encrypted by the key. Use the
Scram Authentication Managers instead; these make use of the Configuration Encryption when
storing the users' passwords.</p></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a id="Java-Broker-Security-Configuration-Encryption-Alternate-Implementations"></a>8.4.2. Alternate Implementations</h3></div></div></div><p>If the <code class="literal">AESKeyFile</code> encryptor implementation does not meet the needs of
the user, perhaps owing to the security standards of their institution, the
<code class="literal">ConfigurationSecretEncrypter</code> interface is designed as an extension point.
Users may provide their own implementation of <code class="literal">ConfigurationSecretEncrypter</code>, perhaps to employ
stronger encryption or to delegate the storage of the key to an Enterprise Password
Safe.</p></div><div class="footnotes"><br /><hr style="width:100; text-align:left;margin-left: 0" /><div class="footnote" id="ftn.d0e5510"><p><a class="para" href="#d0e5510"><sup class="para">[9] </sup></a>Java Cryptography Extension (JCE)
Unlimited Strength required</p></div></div></div></div>
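<p>The following is an added illustration of the key-file approach described in 8.4 and of the shape an alternate encryptor from 8.4.2 might take. It is not the Broker's own <code class="literal">AESKeyFile</code> code, and the class name <code class="literal">KeyFileSecretEncrypter</code> and its <code class="literal">encrypt</code>/<code class="literal">decrypt</code> string methods are assumptions; the real <code class="literal">ConfigurationSecretEncrypter</code> interface in the Broker's source should be consulted before wiring such a class in. The example generates a random 256-bit key on first use, writes it to a file readable only by the owning account, refuses to use a key file that is readable by anyone else, and uses AES-GCM (the mode is this example's choice; the page does not state which mode <code class="literal">AESKeyFile</code> uses) with a fresh nonce per secret so that identical passwords do not produce identical stored values.</p>

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.EnumSet;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/**
 * Hypothetical key-file backed secret encryptor (added example, not Broker code).
 * Secrets are stored as base64(nonce || ciphertext || GCM tag).
 */
public final class KeyFileSecretEncrypter {
    private static final int KEY_BYTES = 32;   // 256-bit AES key (needs unlimited-strength JCE on old JDKs)
    private static final int IV_BYTES = 12;    // recommended GCM nonce length
    private static final int TAG_BITS = 128;   // GCM authentication tag length
    // Owner read/write only: the same restriction the Broker applies to its key file.
    private static final Set<PosixFilePermission> OWNER_ONLY =
            EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    private final SecretKeySpec key;
    private final SecureRandom random = new SecureRandom();

    public KeyFileSecretEncrypter(Path keyFile) throws IOException {
        this.key = new SecretKeySpec(loadOrCreateKey(keyFile), "AES");
    }

    /** Loads the raw key, or creates it with owner-only permissions if absent (POSIX file systems only). */
    static byte[] loadOrCreateKey(Path keyFile) throws IOException {
        if (Files.exists(keyFile)) {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(keyFile);
            if (!OWNER_ONLY.containsAll(perms)) {
                // A key readable by other accounts means every encrypted secret is exposed.
                throw new IOException("key file " + keyFile + " is not owner-only: "
                        + PosixFilePermissions.toString(perms));
            }
            byte[] raw = Files.readAllBytes(keyFile);
            if (raw.length != KEY_BYTES) {
                throw new IOException("key file " + keyFile + " is corrupt: expected " + KEY_BYTES + " bytes");
            }
            return raw;
        }
        byte[] raw = new byte[KEY_BYTES];
        new SecureRandom().nextBytes(raw);
        // Create the file with restrictive permissions before any key material is written to it.
        Files.createFile(keyFile, PosixFilePermissions.asFileAttribute(OWNER_ONLY));
        Files.write(keyFile, raw);
        return raw;
    }

    public String encrypt(String plaintext) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        random.nextBytes(iv);                      // never reuse a nonce under the same key
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    public String decrypt(String encoded) throws GeneralSecurityException {
        byte[] in = Base64.getDecoder().decode(encoded);
        if (in.length < IV_BYTES + TAG_BITS / 8) {
            throw new GeneralSecurityException("stored value too short to be a valid ciphertext");
        }
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, in, 0, IV_BYTES));
        // doFinal verifies the GCM tag; a tampered or wrong-key value throws AEADBadTagException.
        byte[] pt = cipher.doFinal(in, IV_BYTES, in.length - IV_BYTES);
        return new String(pt, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        Path keyFile = Files.createTempDirectory("keyfile-demo").resolve("broker.key");
        KeyFileSecretEncrypter enc = new KeyFileSecretEncrypter(keyFile);
        String secret = "truststore-password-example";           // constructed sample secret
        String stored = enc.encrypt(secret);
        System.out.println("stored form : " + stored);
        System.out.println("round trip  : " + secret.equals(enc.decrypt(stored)));
        System.out.println("key perms   : " + PosixFilePermissions.toString(Files.getPosixFilePermissions(keyFile)));
    }
}
```

<p>Two design points carry over to any implementation plugged in at this extension point: the permission check on load is what turns a mis-copied or mis-chowned key file into a startup failure rather than a silent disclosure, and an authenticated mode such as GCM means a configuration file edited to contain a tampered value is rejected at decrypt time instead of yielding garbage that gets used as a password. The second point in 8.4.2, delegating key storage to an enterprise password safe, would replace <code class="literal">loadOrCreateKey</code> with a fetch from that safe while leaving <code class="literal">encrypt</code> and <code class="literal">decrypt</code> unchanged.</p>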