From commits-return-53340-apmail-activemq-commits-archive=activemq.apache.org@activemq.apache.org Fri Sep 21 15:51:28 2018 Return-Path: X-Original-To: apmail-activemq-commits-archive@www.apache.org Delivered-To: apmail-activemq-commits-archive@www.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id 231AF206D2 for ; Fri, 21 Sep 2018 15:51:28 +0000 (UTC) Received: (qmail 61324 invoked by uid 500); 21 Sep 2018 15:51:28 -0000 Delivered-To: apmail-activemq-commits-archive@activemq.apache.org Received: (qmail 61282 invoked by uid 500); 21 Sep 2018 15:51:28 -0000 Mailing-List: contact commits-help@activemq.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@activemq.apache.org Delivered-To: mailing list commits@activemq.apache.org Received: (qmail 61273 invoked by uid 99); 21 Sep 2018 15:51:28 -0000 Received: from git1-us-west.apache.org (HELO git1-us-west.apache.org) (140.211.11.23) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 21 Sep 2018 15:51:28 +0000 Received: by git1-us-west.apache.org (ASF Mail Server at git1-us-west.apache.org, from userid 33) id E0934E012E; Fri, 21 Sep 2018 15:51:27 +0000 (UTC) Content-Type: text/plain; charset="us-ascii" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit 
From: clebertsuconic@apache.org To: commits@activemq.apache.org Message-Id: <5c3d5e7381ca4862a8e30795103f9ce3@git.apache.org> X-Mailer: ASF-Git Admin Mailer Subject: activemq-artemis git commit: ARTEMIS-2087 support masked passwords in management.xml Date: Fri, 21 Sep 2018 15:51:27 +0000 (UTC) Repository: activemq-artemis Updated Branches: refs/heads/2.6.x f90afad1b -> 1fd1c798b ARTEMIS-2087 support masked passwords in management.xml (cherry picked from commit 07e14c1582c44409ed778805ff5c0018f8671544) Project: http://git-wip-us.apache.org/repos/asf/activemq-artemis/repo Commit: http://git-wip-us.apache.org/repos/asf/activemq-artemis/commit/1fd1c798 Tree: http://git-wip-us.apache.org/repos/asf/activemq-artemis/tree/1fd1c798 Diff: http://git-wip-us.apache.org/repos/asf/activemq-artemis/diff/1fd1c798 Branch: refs/heads/2.6.x Commit: 1fd1c798bd8347878358838bea3fc3adc5f3286e Parents: f90afad Author: Justin Bertram Authored: Thu Sep 13 16:50:07 2018 -0500 Committer: Clebert Suconic Committed: Fri Sep 21 11:51:00 2018 -0400 ---------------------------------------------------------------------- .../cli/factory/jmx/ManagementFactory.java | 2 +- .../activemq/artemis/dto/JMXConnectorDTO.java | 17 +++++++++++---- docs/user-manual/en/management.md | 10 +++++++-- docs/user-manual/en/masking-passwords.md | 23 ++++++++++++++++++++ 4 files changed, 45 insertions(+), 7 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java ---------------------------------------------------------------------- diff --git a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java index 235cdf6..79e241e 100644 
--- a/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java +++ b/artemis-cli/src/main/java/org/apache/activemq/artemis/cli/factory/jmx/ManagementFactory.java @@ -60,7 +60,7 @@ public class ManagementFactory { return createJmxAclConfiguration(new URI(configuration), artemisHome, artemisInstance, artemisURIInstance); } - public static ManagementContext create(ManagementContextDTO config) { + public static ManagementContext create(ManagementContextDTO config) throws Exception { ManagementContext context = new ManagementContext(); if (config.getAuthorisation() != null) { http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java ---------------------------------------------------------------------- diff --git a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java index 617a570..bd78481 100644 --- a/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java +++ b/artemis-dto/src/main/java/org/apache/activemq/artemis/dto/JMXConnectorDTO.java @@ -22,6 +22,8 @@ import javax.xml.bind.annotation.XmlAccessorType; import javax.xml.bind.annotation.XmlAttribute; import javax.xml.bind.annotation.XmlRootElement; +import org.apache.activemq.artemis.utils.PasswordMaskingUtil; + @XmlRootElement(name = "connector") @XmlAccessorType(XmlAccessType.FIELD) public class JMXConnectorDTO { @@ -62,6 +64,9 @@ public class JMXConnectorDTO { @XmlAttribute (name = "trust-store-password") String trustStorePassword; + @XmlAttribute (name = "password-codec") + String passwordCodec; + public String getConnectorHost() { return connectorHost; } 
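Review bot: `create` now declares `throws Exception`, so callers cannot tell an undecodable `ENC(...)` value or an unloadable `password-codec` class apart from any other start-up failure. The source is presumably the password getters changed in JMXConnectorDTO, but the calls are outside this hunk and the body of `create` continues past it. Consider catching where the passwords are read and rethrowing with the attribute name only, e.g. `throw new IllegalArgumentException("cannot decode key-store-password in management.xml", e);`, so the message identifies the setting without carrying its value.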
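Review bot: The new `passwordCodec` field has no comment saying that its value is a class name read from management.xml and handed to `PasswordMaskingUtil.resolveMask`, which presumably instantiates that class. If it does, whoever can edit management.xml chooses code that runs in the broker, so the file needs the same write protection as the key stores themselves. I would put `// Fully qualified codec class name from management.xml; used only to decode ENC(...) store passwords` above the field and state the file-permission expectation in the class Javadoc. The hunk shows no getter for the field, unlike `connectorHost` just below it; if the accessor was left out on purpose, say so in the comment.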
@@ -94,8 +99,8 @@ public class JMXConnectorDTO { return keyStorePath; } - public String getKeyStorePassword() { - return keyStorePassword; + public String getKeyStorePassword() throws Exception { + return getPassword(keyStorePassword); } public String getTrustStoreProvider() { @@ -106,7 +111,11 @@ public class JMXConnectorDTO { return trustStorePath; } - public String getTrustStorePassword() { - return trustStorePassword; + public String getTrustStorePassword() throws Exception { + return getPassword(trustStorePassword); + } + + private String getPassword(String password) throws Exception { + return PasswordMaskingUtil.resolveMask(null, password, this.passwordCodec); } } http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/docs/user-manual/en/management.md ---------------------------------------------------------------------- diff --git a/docs/user-manual/en/management.md b/docs/user-manual/en/management.md index 071af6d..d415e98 100644 --- a/docs/user-manual/en/management.md +++ b/docs/user-manual/en/management.md @@ -444,7 +444,7 @@ You can also configure the connector using the following: - `key-store-password` - The keystore password. + The keystore password. This can be [masked](masking-passwords.md). - `key-store-provider` @@ -456,12 +456,18 @@ You can also configure the connector using the following: - `trust-store-password` - The trustore password. + The trustore password. This can be [masked](masking-passwords.md). - `trust-store-provider` The provider; `JKS` by default. +- `password-codec` + + The fully qualified class name of the password codec to use. See the + [password masking](masking-passwords.md) documentation for more details on + how this works. + > **Note:** > > It is important to note that the rmi registry will pick an ip address to bind http://git-wip-us.apache.org/repos/asf/activemq-artemis/blob/1fd1c798/docs/user-manual/en/masking-passwords.md ---------------------------------------------------------------------- 
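Review bot: `getKeyStorePassword()` keeps its accessor name but now returns decoded clear text, runs the codec on every call and throws a checked `Exception`, and nothing on the method says so. The same applies to `getTrustStorePassword()` in the next hunk. Add Javadoc to both stating that the return value is the clear-text password, that an `ENC(...)` value is decoded with the configured `password-codec`, and that the result must not be logged or put into exception messages. JAXB binding is unaffected because the class uses `XmlAccessType.FIELD`, but any other caller now has to handle the exception. Whether such callers exist beyond `ManagementFactory.create` cannot be seen from this diff.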
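Review bot: `getPassword` passes `password` straight to `resolveMask`, yet the added documentation describes SSL on the connector as optional, so either store password can be null here. `resolveMask` is not shown in this commit; unless it is known to accept null, guard first with `if (password == null) return null;` so a connector without SSL behaves as it did before. The literal `null` first argument also needs a comment, e.g. `// no mask-password flag in management.xml: only ENC(...) values are decoded`, which matches the statement in masking-passwords.md that `mask-password` is not supported here.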
diff --git a/docs/user-manual/en/masking-passwords.md b/docs/user-manual/en/masking-passwords.md index c7332c7..7824b11 100644 --- a/docs/user-manual/en/masking-passwords.md +++ b/docs/user-manual/en/masking-passwords.md @@ -155,6 +155,29 @@ codec other than the default one. For example ``` +#### Passwords in management.xml + +The broker embeds a JMX connector which is used for management. The connector can +be secured using SSL and it can be configured with a keystore password and/or +truststore password which by default are specified in plain text forms. + +To mask these passwords you need to use `ENC()` syntax. The `mask-password` +boolean is not supported here. + +You can also set the `password-codec` attribute if you want to use a password +codec other than the default one. For example + +```xml + +``` + ### Passwords for the JCA Resource Adapter Both ra.xml and MDB activation configuration have a `password` property that