While configuring ActiveMQ for a production use, you usually need to store passwords in your configuration files. Passwords are usually needed for:
- Simple authentication plugin
- JDBC/LDAP passwords
- Accessing secured brokers by Web Console, Camel, etc
Naturally, people don’t want to keep plain passwords in the configuration files. ActiveMQ 5.4.1 comes with a solution for that. Thanks to the
integration with Jasypt library, your passwords can be now stored encrypted.
For a full description of this new feature see http://activemq.apache.org/encrypted-passwords.html.
Here, I’ll briefly describe how to use it and what implications does it have for your deployment. First of all, for your convenience we provided new commands that you can use to encrypt/decrypt passwords from the command line.
Encrypted passwords should replace plain ones in the properties files and with just a little XML config (replacing standard property configurer with one provided by Jasypt) you should be ready to go.
But there’s one tricky part to all this. You need to provide secret to the encryptor somehow. The most secure way to do this is by using the environment variable. You should set the it before you start the broker and unset it just after.
Of course, there are other methods you can use to achieve this. But the only one currently provided by Jasypt assumes that you need to put that password in your xml configuration file. It’s needless to say that compromising the security of this password affects all other encrypted passwords. There’s always a room for improvement, so probably we can make it easier for you to enter this password while starting the broker in the future.
If you want (need) extra security, there’s usually a price to be payed in complexity of your deployment procedures. Setting/unsetting environment variables every time you start the broker (for now) is a small one if you want your passwords to be safe.