How to encrypt password in broker-config.xml and ra.xml

classic Classic list List threaded Threaded
10 messages Options
Reply | Threaded
Open this post in threaded view
|

How to encrypt password in broker-config.xml and ra.xml

deepak_a

Hi,

I am using simpleAuthenticationPlugin in my broker-config.xml as shown

<simpleAuthenticationPlugin>
   <users>
         <authenticationUser groups="admins,producers,consumers"
password="password" username="admin"/>              
   </users>
</simpleAuthenticationPlugin>



I also set password in ra.xml as shown below

        <config-property>
            <description>The default password that will be used to log the
default user into the ActiveMQ server.</description>
            <config-property-name>Password</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
            <config-property-value>password</config-property-value>
        </config-property>



Can I know if its possible to store an encrypted password in
broker-config.xml and ra.xml ?


regards,
D



--
View this message in context: http://activemq.2283324.n4.nabble.com/How-to-encrypt-password-in-broker-config-xml-and-ra-xml-tp4681448.html
Sent from the ActiveMQ - User mailing list archive at Nabble.com.
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

ceposta
Take a look here: http://activemq.apache.org/encrypted-passwords.html


On Tue, May 27, 2014 at 8:53 AM, deepak_a <[hidden email]> wrote:

> Hi,I am using simpleAuthenticationPlugin in my broker-config.xml as shown
> I also set password in ra.xml as shown below                    The default
> password that will be used to log the default user into the ActiveMQ
> server.
> Password            java.lang.String            password        Can I know
> if its possible to store an encrypted password in broker-config.xml and
> ra.xml ?regards,D
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/How-to-encrypt-password-in-broker-config-xml-and-ra-xml-tp4681447.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.




--
*Christian Posta*
http://www.christianposta.com/blog
twitter: @christianposta
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

deepak_a
Hi,

Thanks for the link.
I am using ActiveMQ+Jboss (Active MQ integrated with Jboss 5.1.0)

I don't even find activemq-security.xml.
Am I missing something or should I store the algorithm & password in a different file?

regards
D
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

ceposta
The relevant parts from activemq-security.xml (which you can find if you
d/l a stand-alone version of activemq) would go in your broker-config.xml


On Tue, May 27, 2014 at 9:32 AM, deepak_a <[hidden email]> wrote:

> Hi,
>
> Thanks for the link.
> I am using ActiveMQ+Jboss (Active MQ integrated with Jboss 5.1.0)
>
> I don't even find activemq-security.xml.
> Am I missing something or should I store the algorithm & password in a
> different file?
>
> regards
> D
>
>
>
> --
> View this message in context:
> http://activemq.2283324.n4.nabble.com/How-to-encrypt-password-in-broker-config-xml-and-ra-xml-tp4681449p4681457.html
> Sent from the ActiveMQ - User mailing list archive at Nabble.com.
>



--
*Christian Posta*
http://www.christianposta.com/blog
twitter: @christianposta
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

Noel OConnor
I haven't tried this but maybe you can encrypt the password in the
datasource definition file that loads the ActiveMQ RAR.

In the Configuring JBoss section of
http://activemq.apache.org/integrating-apache-activemq-with-jboss.html try
adding a security-domain element.

The following link describes the security-domain and how to create it,
https://community.jboss.org/wiki/EncryptingDataSourcePasswords

As I said I haven't tried it so it may not work at all but its what I'd try
first.


On Wed, May 28, 2014 at 6:21 AM, Christian Posta
<[hidden email]>wrote:

> The relevant parts from activemq-security.xml (which you can find if you
> d/l a stand-alone version of activemq) would go in your broker-config.xml
>
>
> On Tue, May 27, 2014 at 9:32 AM, deepak_a <[hidden email]> wrote:
>
> > Hi,
> >
> > Thanks for the link.
> > I am using ActiveMQ+Jboss (Active MQ integrated with Jboss 5.1.0)
> >
> > I don't even find activemq-security.xml.
> > Am I missing something or should I store the algorithm & password in a
> > different file?
> >
> > regards
> > D
> >
> >
> >
> > --
> > View this message in context:
> >
> http://activemq.2283324.n4.nabble.com/How-to-encrypt-password-in-broker-config-xml-and-ra-xml-tp4681449p4681457.html
> > Sent from the ActiveMQ - User mailing list archive at Nabble.com.
> >
>
>
>
> --
> *Christian Posta*
> http://www.christianposta.com/blog
> twitter: @christianposta
>
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

deepak_a
This post was updated on .
Hi,

Thanks - I am already using security-domain for encrypting my database connection password (in Jboss datasource).

This datasource is referred in broker-config.xml as a JNDI - so activeMQ uses this encrypted password when it connects to the database.

My concern is the cleartext password I am using in <simpleAuthenticationPlugin> in broker-config.xml and <config-property>  in ra.xml

After adding the 3 beans : environmentVariablesConfiguration, configurationEncryptor and propertyConfigurer - I notice that activeMQ doesn't start properly.


2014-05-28 11:49:57,601 INFO  [org.jasypt.spring.properties.EncryptablePropertyPlaceholderConfigurer] (Starting ActiveMQ Broker) Loading properties file from URL [file:C:/Downloads/REFORM_HOME/jboss-5.1.0.GA/server/default/deploy/activemq-ra.rar/credentials-enc.properties]
2014-05-28 11:49:57,603 WARN  [org.apache.activemq.ra.ActiveMQResourceAdapter] (Starting ActiveMQ Broker) Could not start up embeded ActiveMQ Broker 'xbean:broker-config.xml': null

As per link: http://activemq.apache.org/encrypted-passwords.html

It looks like I also need to set/unset environment variable.
Can some one point out how to do this when integrating ActivemQ + JBoss.


regards
#D
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

deepak_a
Hi,

I am now able to use encrypt password as per: http://activemq.apache.org/encrypted-passwords.html

As described earlier I run ActiveMQ integrated with Jboss.

My ejbs pick up the ActiveMQ connection from ra.xml - where the password is specified under a config-property

        <config-property>
            <description>The default password that will be used to log the default user into the ActiveMQ server.</description>
            <config-property-name>Password</config-property-name>
            <config-property-type>java.lang.String</config-property-type>
                       
                       <config-property-value>${activemq.password}</config-property-value>


How can I ensure that the password gets decrypted when an attempt is made to get the JMS connection to broker? I assumed that the decryption will be done automatically - but apparently not!

Any any idea on how to achieve that?

regards
D
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

deepak_a
If I look more closely at the ra.xml
- the following section handles the password credentials

            <authentication-mechanism>
                <authentication-mechanism-type>BasicPassword</authentication-mechanism-type>
                <credential-interface>javax.resource.spi.security.PasswordCredential</credential-interface>
            </authentication-mechanism>


As per the connection_1_6.xsd (used by ra.xml)

        The credential-interfaceType specifies the interface that the resource adapter implementation
        supports for the representation of the credentials. This element(s) that use this type,
        i.e. credential-interface,  should be used by application server to find out the Credential
        interface it should use as part of the security contract.
       
        The possible values are:
       
        javax.resource.spi.security.PasswordCredential
        org.ietf.jgss.GSSCredential
        javax.resource.spi.security.GenericCredential

So I can use only the above 3 interfaces - and none of them actually takes in a encrypted password along with an algorithm - so that it can be decrypted.

Does this mean - since my MDB (message driven beans) use ra.xml to connect to the messageBroker - I have to write my own implementation to connect to JMS Broker (that takes in algorithm name and encrypted password?)


regards
D
       
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

deepak_a
Hi,

Does any one have suggestions for my above query?


regards
D
Reply | Threaded
Open this post in threaded view
|

Re: How to encrypt password in broker-config.xml and ra.xml

deepak_a
Hi,

Can some clarify the query I had raised in this post. This is becoming a show stopper for us.
Would appreciate if some one can share their experience.

regards,
D