-
1. Re: Masking passwords in jboss-esb.xml
massios Nov 20, 2010 12:33 PM (in response to massios)
Dear ESBers,
I just realised something a little bit more serious than the original question. The esb is publishing the password information in the juddi registry...
For example the jms listener in the original question gets inserted like this in the juddi registry....
<wsa:From xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing">
<wsa:Address>jms:MACHINE_NAME:1199#queue/jms_queue</wsa:Address>
<wsa:ReferenceProperties>
<jbossesb:java.naming.factory.initial xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">org.jnp.interfaces.NamingContextFactory</jbossesb:java.naming.factory.initial>
<jbossesb:java.naming.provider.url xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">MACHINE_NAME:1199</jbossesb:java.naming.provider.url>
<jbossesb:java.naming.factory.url.pkgs xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">org.jnp.interfaces</jbossesb:java.naming.factory.url.pkgs>
<jbossesb:destination-type xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">queue</jbossesb:destination-type>
<jbossesb:destination-name xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">queue/jms_queue</jbossesb:destination-name>
<jbossesb:specification-version xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">1.1</jbossesb:specification-version>
<jbossesb:connection-factory xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">ConnectionFactory</jbossesb:connection-factory>
<jbossesb:persistent xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">true</jbossesb:persistent>
<jbossesb:acknowledge-mode xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">AUTO_ACKNOWLEDGE</jbossesb:acknowledge-mode>
<jbossesb:jms-security-principal xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">myUser</jbossesb:jms-security-principal>
<jbossesb:jms-security-credential xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">JustAPassword</jbossesb:jms-security-credential>
<jbossesb:transacted xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">true</jbossesb:transacted>
<jbossesb:type xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb">urn:jboss/esb/epr/type/jms</jbossesb:type>
</wsa:ReferenceProperties>
</wsa:From>
-
2. Re: Masking passwords in jboss-esb.xml
massios Nov 20, 2010 1:30 PM (in response to massios)
I think something could be done here to make sure that an encrypted credential gets decrypted.
package org.jboss.soa.esb.addressing.eprs;
public class JMSEpr extends EPR
public final String getJMSSecurityCredential()
-
3. Re: Masking passwords in jboss-esb.xml
rickjwagner Nov 22, 2010 9:31 PM (in response to massios)
Check out section 8.7 of the Services Guide. (Here's a link: http://docs.redhat.com/docs/en-US/JBoss_Enterprise_SOA_Platform/5/html-single/ESB_Services_Guide/index.html#id3063598)
Rick
-
4. Re: Masking passwords in jboss-esb.xml
joe_boy12 Mar 29, 2011 12:34 PM (in response to rickjwagner)
Hello Nikos,
Did you find the way to mask it in jboss-esb.xml?
Joe
-
5. Re: Masking passwords in jboss-esb.xml
massios Mar 29, 2011 5:34 PM (in response to joe_boy12)
We probably still have this as an open issue.
I am sure that we haven't tried what is described in section 8.7 of the Services Guide.
I was reading the post from Rick again today, along with the section he mentions, and it seems promising.
Nikos
-
6. Masking passwords in jboss-esb.xml
joe_boy12 Mar 29, 2011 5:49 PM (in response to massios)
I think I figured out something, not exactly masking.
Create the encrypted file (read 8.7.1. Creating an Encrypted Password File):
-- FilePassword [salt] [count] [password] [password-file]
java -cp ../../../lib/jbosssx.jar org.jboss.security.plugins.FilePassword TEST1234 12 esbpassword esb.password
and in jboss-esb.xml
<jms-message-filter dest-type="QUEUE" dest-name="queue/MyGatewayQueue" jms-security-principal="esbuser" jms-security-credential="/jboss-soa-p-5/jboss-as/server/testesb/conf/esb.password" />
Worked just fine.
Didn't have luck with the annotation, as the jboss-esb.xml XSD didn't support the annotation element to inject a masked password into jms-bus.
Do you have any better idea?
-
7. Re: Masking passwords in jboss-esb.xml
massios Mar 29, 2011 6:22 PM (in response to joe_boy12)
Are you using the SOA platform or the GA version of the esb?
We are using the GA version.
Nikos
-
8. Re: Masking passwords in jboss-esb.xml
massios Mar 29, 2011 6:25 PM (in response to joe_boy12)
When you set this
<jms-message-filter dest-type="QUEUE" dest-name="queue/MyGatewayQueue" jms-security-principal="esbuser" jms-security-credential="/jboss-soa-p-5/jboss-as/server/testesb/conf/esb.password" />
Have you seen what gets published in the registry?
-
9. Masking passwords in jboss-esb.xml
joe_boy12 Mar 29, 2011 8:04 PM (in response to massios)
Can you educate me on how to get that information from the juddi registry? I am using the SOA version and can see only the service registered in juddi, which doesn't list the Gateway queue, just the ESB channel. Are you using any other registry browser?
Here is how you set it in jboss-esb.xml, from your original config:
<providers>
<jms-provider ....>
<jms-bus busid="jmsChannel">
<jms-message-filter dest-name="queue/jms_queue"
dest-type="QUEUE"
persistent="true"
transacted="true"
jms-security-principal="myUser"
jms-security-credential="<<put a file path here which has encrypted password>>"/>
</jms-bus>
</jms-provider>
</providers>
-
10. Masking passwords in jboss-esb.xml
massios Mar 30, 2011 2:55 AM (in response to joe_boy12)
Hello Joe,
We are using the ub uddi registry browser.
You have to connect to the juddi registry that comes along with the esb using ub and then select "show all businesses" or something similar from the ub menu. This will display the list of services that are installed in your esb.
-
11. Masking passwords in jboss-esb.xml
tcunning Mar 30, 2011 7:31 AM (in response to massios)
Alternatively, if you are using MySQL/Oracle/Postgres as the backing store for the juddi db (or anything other than in-memory hsqldb), you can just query the database.
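
An added example, not part of the thread and not JBoss ESB code: a Python check for the exposure described in reply 1, meant to be run over EPR XML taken from the jUDDI registry (through a registry browser or a database query, as replies 10 and 11 suggest). The function names, the constructed sample EPRs and the rule that an absolute path means an encrypted password file (the approach in reply 6) are assumptions.

```python
import re
import xml.etree.ElementTree as ET

WSA = "{http://schemas.xmlsoap.org/ws/2004/08/addressing}"
ESB = "{http://schemas.jboss.com/ws/2007/01/jbossesb}"
NS_DECL = ('xmlns:wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" '
           'xmlns:jbossesb="http://schemas.jboss.com/ws/2007/01/jbossesb"')
# Assumption: an absolute path points at an encrypted password file (reply 6);
# any other non-empty value is treated as a literal password.
PATH_RE = re.compile(r"^(/|[A-Za-z]:[\\/])\S+$")


def make_epr(credential):
    """Constructed sample: a shortened copy of the EPR quoted in reply 1."""
    return (f"<wsa:From {NS_DECL}>"
            "<wsa:Address>jms:MACHINE_NAME:1199#queue/jms_queue</wsa:Address>"
            "<wsa:ReferenceProperties>"
            "<jbossesb:jms-security-principal>myUser</jbossesb:jms-security-principal>"
            f"<jbossesb:jms-security-credential>{credential}</jbossesb:jms-security-credential>"
            "</wsa:ReferenceProperties></wsa:From>")


def audit_epr(xml_text):
    """Return one finding per credential element; the secret is never echoed."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return [{"address": None, "principal": None, "kind": "unparseable"}]
    address = root.findtext(f"{WSA}Address")
    findings = []
    for props in root.iter(f"{WSA}ReferenceProperties"):
        principal = props.findtext(f"{ESB}jms-security-principal")
        for cred in props.iter(f"{ESB}jms-security-credential"):
            value = (cred.text or "").strip()
            if not value:
                continue  # empty element: nothing is exposed
            kind = "file-reference" if PATH_RE.match(value) else "literal"
            findings.append({"address": address, "principal": principal, "kind": kind})
    return findings


if __name__ == "__main__":
    samples = [make_epr("JustAPassword"),  # value shown in reply 1
               # Assumes the registry publishes the attribute value from reply 6 unchanged.
               make_epr("/jboss-soa-p-5/jboss-as/server/testesb/conf/esb.password")]
    for text in samples:
        for f in audit_epr(text):
            flag = "EXPOSED" if f["kind"] == "literal" else "ok"
            print(f'{flag:8} {f["kind"]:15} {f["principal"]} @ {f["address"]}')
```

A `literal` finding means the password itself is readable by anyone who can browse the registry or query its backing database; a `file-reference` finding still discloses the principal and the server-side path of the password file.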