1. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
jbertram Apr 2, 2015 10:02 AM (in response to guoxh16)
My question is: since we are not using clustering at all on both ends, does the above warning have any potential security implication?
Yes.
Can potential intruder access the message queues by using the default cluster admin user name/password?
Yes.
I know one way to fix the warning is to add <cluster-user> and <cluster-password> in hornetq-configuration.xml files. But we verified that once those two fields are being added, our SSL bridge cannot pass messages any more. Any solution for the SSL bridge if indeed we need those two fields? Not sure whether we can use the admin user defined in hornetq-users.xml as the cluster admin user and then the SSL bridge will work.
I'd need to reproduce that issue to give you more insight on it. Do you have a test-case that I could use to reproduce it on my machine?
2. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
guoxh16 Apr 2, 2015 3:30 PM (in response to jbertram)
The following are my working WAN SSL bridge settings without <cluster-user> and <cluster-password>. Once I add those two fields into the two hornetq-configuration.xml files, I don't see messages being sent to the SSL bridge receiver side. BTW, I have two more LAN/non-SSL bridges defined on the SSL bridge receiver side for further forwarding; you can delete them if you think they are not relevant.
Thanks,
John
----------------------------------------------------------------------------------------------
Hornetq-config.xml on SSL bridge sender side:
----------------------------------------------------------------------------------------------
<configuration xmlns="urn:hornetq"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:hornetq /schema/hornetq-configuration.xsd">
<paging-directory>data/paging</paging-directory>
<bindings-directory>data/bindings</bindings-directory>
<journal-directory>${journals.dir:data/journal}</journal-directory>
<journal-min-files>${journals.num:10}</journal-min-files>
<journal-file-size>10485760</journal-file-size>
<journal-compact-percentage>75</journal-compact-percentage>
<large-messages-directory>data/large-messages</large-messages-directory>
<jmx-management-enabled>true</jmx-management-enabled>
<message-counter-enabled>true</message-counter-enabled>
<connectors>
<connector name="netty">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
<param key="host" value="${local.ip}"/>
<param key="port" value="${local.port}"/>
</connector>
<!-- Connector to the other node for bridge connection -->
<connector name="ssl-bridge-connector">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
<param key="host" value="${wan-bridge-to.ip}"/>
<param key="port" value="${wan-bridge-to.port}"/>
<param key="ssl-enabled" value="true"/>
<param key="key-store-path" value="hornetq.keystore"/>
<param key="key-store-password" value="hornetqexample"/>
<param key="trust-store-path" value="hornetq.truststore"/>
<param key="trust-store-password" value="hornetqexample"/>
</connector>
</connectors>
<acceptors>
<acceptor name="netty">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>
<param key="host" value="${local.ip}"/>
<param key="port" value="${local.port}"/>
</acceptor>
</acceptors>
<!-- We need to create a core queue for the JMS queue explicitly because the bridge will be deployed
before the JMS queue is deployed, so the first time, it otherwise won't find the queue -->
<queues>
<queue name="jms.queue.QueueA">
<address>jms.queue.QueueA</address>
</queue>
<queue name="jms.queue.QueueB">
<address>jms.queue.QueueB</address>
</queue>
</queues>
<bridges>
<bridge name="QueueA-bridge">
<queue-name>jms.queue.QueueA</queue-name>
<forwarding-address>jms.queue.QueueA-to</forwarding-address>
<reconnect-attempts>-1</reconnect-attempts>
<static-connectors>
<connector-ref>ssl-bridge-connector</connector-ref>
</static-connectors>
</bridge>
<bridge name="QueueB-bridge">
<queue-name>jms.queue.QueueB</queue-name>
<forwarding-address>jms.queue.QueueB-to</forwarding-address>
<reconnect-attempts>-1</reconnect-attempts>
<static-connectors>
<connector-ref>ssl-bridge-connector</connector-ref>
</static-connectors>
</bridge>
</bridges>
<security-settings>
<security-setting match="#">
<permission type="createDurableQueue" roles="admin"/>
<permission type="deleteDurableQueue" roles="admin"/>
<permission type="createNonDurableQueue" roles="admin"/>
<permission type="deleteNonDurableQueue" roles="admin"/>
<permission type="send" roles="user, admin"/>
<permission type="consume" roles="user, admin"/>
</security-setting>
</security-settings>
<address-settings>
<address-setting match="jms.queue.QueueA">
<max-delivery-attempts>-1</max-delivery-attempts>
<redistribution-delay>0</redistribution-delay>
<max-size-bytes>${message.memory.max:10485760}</max-size-bytes>
<page-size-bytes>5242880</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
<address-setting match="jms.queue.QueueB">
<max-delivery-attempts>-1</max-delivery-attempts>
<redistribution-delay>0</redistribution-delay>
<max-size-bytes>${message.memory.max:10485760}</max-size-bytes>
<page-size-bytes>5242880</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
<!-- Matches all JMS queues and topics -->
<address-setting match="jms.#">
<redistribution-delay>0</redistribution-delay>
<max-size-bytes>${message.memory.max:10485760}</max-size-bytes>
<page-size-bytes>5242880</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
<!--default for catch all-->
<address-setting match="#">
<dead-letter-address>jms.queue.DLQ</dead-letter-address>
<expiry-address>jms.queue.ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<max-size-bytes>10485760</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>BLOCK</address-full-policy>
</address-setting>
</address-settings>
</configuration>
--------------------------------------------------------------------------------
hornetq-jms.xml on SSL bridge sender side:
--------------------------------------------------------------------------------
<configuration xmlns="urn:hornetq"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:hornetq /schema/hornetq-jms.xsd">
<connection-factory name="NettyConnectionFactory">
<xa>false</xa>
<connectors>
<connector-ref connector-name="netty" />
</connectors>
<entries>
<entry name="/ConnectionFactory" />
</entries>
</connection-factory>
<queue name="HealthCheckQueue">
<entry name="/queue/HealthCheckQueue" />
</queue>
<queue name="QueueA">
<entry name="/queue/QueueA" />
</queue>
<queue name="QueueB">
<entry name="/queue/QueueB" />
</queue>
</configuration>
--------------------------------------------------------------------------
Hornetq-config.xml on SSL bridge receiver side:
--------------------------------------------------------------------------
<configuration xmlns="urn:hornetq"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:hornetq /schema/hornetq-configuration.xsd">
<paging-directory>data/paging</paging-directory>
<bindings-directory>data/bindings</bindings-directory>
<journal-directory>${journals.dir:data/journal}</journal-directory>
<journal-min-files>${journals.num:10}</journal-min-files>
<journal-file-size>10485760</journal-file-size>
<journal-compact-percentage>75</journal-compact-percentage>
<large-messages-directory>data/large-messages</large-messages-directory>
<jmx-management-enabled>true</jmx-management-enabled>
<message-counter-enabled>true</message-counter-enabled>
<connectors>
<connector name="netty">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
<param key="host" value="${local.ip}"/>
<param key="port" value="${local.port}"/>
</connector>
<!-- Connector to the other node for non-ssl bridge connection -->
<connector name="NonSSL-bridge-connector1">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
<param key="host" value="${connector-remote1.ip}"/>
<param key="port" value="${connector-remote1.port}"/>
<param key="ssl-enabled" value="false"/>
</connector>
<connector name="NonSSL-bridge-connector2">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>
<param key="host" value="${connector-remote2.ip}"/>
<param key="port" value="${connector-remote2.port}"/>
<param key="ssl-enabled" value="false"/>
</connector>
</connectors>
<acceptors>
<acceptor name="ssl-bridge-netty">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>
<param key="host" value="${local.ip}"/>
<param key="port" value="${ssl-bridge.port}"/>
<param key="ssl-enabled" value="true"/>
<param key="key-store-path" value="hornetq.keystore"/>
<param key="key-store-password" value="hornetqexample"/>
<param key="trust-store-path" value="hornetq.truststore"/>
<param key="trust-store-password" value="hornetqexample"/>
</acceptor>
<acceptor name="netty">
<factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>
<param key="host" value="${local.ip}"/>
<param key="port" value="${local.port}"/>
</acceptor>
</acceptors>
<queues>
<queue name="jms.queue.QueueA-to">
<address>jms.queue.QueueA-to</address>
</queue>
<queue name="jms.queue.QueueB-to">
<address>jms.queue.QueueB-to</address>
</queue>
</queues>
<bridges>
<bridge name="lan-QueueA-bridge">
<queue-name>jms.queue.QueueA-to</queue-name>
<forwarding-address>jms.queue.QueueA-dest</forwarding-address>
<reconnect-attempts>-1</reconnect-attempts>
<static-connectors>
<connector-ref>NonSSL-bridge-connector1</connector-ref>
</static-connectors>
</bridge>
<bridge name="lan-QueueB-bridge">
<queue-name>jms.queue.QueueB-to</queue-name>
<forwarding-address>jms.queue.QueueB-dest</forwarding-address>
<reconnect-attempts>-1</reconnect-attempts>
<static-connectors>
<connector-ref>NonSSL-bridge-connector2</connector-ref>
</static-connectors>
</bridge>
</bridges>
<security-settings>
<security-setting match="#">
<permission type="createDurableQueue" roles="admin"/>
<permission type="deleteDurableQueue" roles="admin"/>
<permission type="createNonDurableQueue" roles="admin"/>
<permission type="deleteNonDurableQueue" roles="admin"/>
<permission type="send" roles="user, admin"/>
<permission type="consume" roles="user, admin"/>
</security-setting>
</security-settings>
<address-settings>
<address-setting match="jms.queue.QueueA-to">
<max-delivery-attempts>-1</max-delivery-attempts>
<redistribution-delay>0</redistribution-delay>
<max-size-bytes>${message.memory.max:10485760}</max-size-bytes>
<page-size-bytes>5242880</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
<address-setting match="jms.queue.QueueB-to">
<max-delivery-attempts>-1</max-delivery-attempts>
<redistribution-delay>0</redistribution-delay>
<max-size-bytes>${message.memory.max:10485760}</max-size-bytes>
<page-size-bytes>5242880</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
<!-- Matches all JMS queues and topics -->
<address-setting match="jms.#">
<redistribution-delay>0</redistribution-delay>
<max-size-bytes>${message.memory.max:10485760}</max-size-bytes>
<page-size-bytes>5242880</page-size-bytes>
<address-full-policy>PAGE</address-full-policy>
</address-setting>
<!--default for catch all-->
<address-setting match="#">
<dead-letter-address>jms.queue.DLQ</dead-letter-address>
<expiry-address>jms.queue.ExpiryQueue</expiry-address>
<redelivery-delay>0</redelivery-delay>
<max-size-bytes>10485760</max-size-bytes>
<message-counter-history-day-limit>10</message-counter-history-day-limit>
<address-full-policy>BLOCK</address-full-policy>
</address-setting>
</address-settings>
</configuration>
-----------------------------------------------------------------------------------
hornetq-jms.xml on SSL bridge receiver side:
-----------------------------------------------------------------------------------
<configuration xmlns="urn:hornetq"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="urn:hornetq /schema/hornetq-jms.xsd">
<connection-factory name="NettyConnectionFactory">
<xa>false</xa>
<connectors>
<connector-ref connector-name="netty" />
</connectors>
<entries>
<entry name="/ConnectionFactory" />
</entries>
</connection-factory>
<queue name="HealthCheckQueue">
<entry name="/queue/HealthCheckQueue" />
</queue>
<queue name="QueueA-to">
<entry name="/queue/QueueA-to" />
</queue>
<queue name="QueueB-to">
<entry name="/queue/QueueB-to" />
</queue>
</configuration>
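The two risks visible in the configuration above are the missing <cluster-user>/<cluster-password> pair that triggers HQ222007 and the SSL connector/acceptor still using the password of the keystore and truststore shipped with the HornetQ SSL example. The audit below is an added example, not code from this thread or from the HornetQ project; it parses a hornetq-configuration.xml with the standard library and reports both conditions. The built-in default cluster credentials it compares against are HornetQ's own defaults and are not quoted in the thread; the sample documents are constructed to mirror the sender-side file posted above.

```python
import xml.etree.ElementTree as ET

NS = {"hq": "urn:hornetq"}

# HornetQ falls back to these when cluster-user/cluster-password are absent; they are the
# values HQ222007 warns about (HornetQ's defaults, assumed here, not taken from the thread).
DEFAULT_CLUSTER_USER = "HORNETQ.CLUSTER.ADMIN.USER"
DEFAULT_CLUSTER_PASSWORD = "CHANGE ME!!"
# Password of the sample hornetq.example.keystore/truststore from the HornetQ SSL example.
EXAMPLE_STORE_PASSWORD = "hornetqexample"


def audit_hornetq_config(xml_text):
    """Return a list of findings for one hornetq-configuration.xml document."""
    root = ET.fromstring(xml_text)
    findings = []

    # 1. Cluster credentials: absent or left at the built-in default.
    user = root.findtext("hq:cluster-user", namespaces=NS)
    password = root.findtext("hq:cluster-password", namespaces=NS)
    if user is None or user == DEFAULT_CLUSTER_USER:
        findings.append("cluster-user missing or default (HQ222007)")
    if password is None or password == DEFAULT_CLUSTER_PASSWORD:
        findings.append("cluster-password missing or default (HQ222007)")

    # 2. Any SSL-enabled connector/acceptor still protected by the example store password.
    for kind in ("connector", "acceptor"):
        for node in root.iter("{urn:hornetq}" + kind):
            params = {p.get("key"): p.get("value") for p in node.findall("hq:param", namespaces=NS)}
            if params.get("ssl-enabled") != "true":
                continue
            for key in ("key-store-password", "trust-store-password"):
                if params.get(key) == EXAMPLE_STORE_PASSWORD:
                    findings.append(f"{kind} '{node.get('name')}' uses the example {key}")
    return findings


# Constructed sample, modelled on the sender-side config posted in the thread.
SENDER_CONFIG = """<configuration xmlns="urn:hornetq">
<connectors>
<connector name="ssl-bridge-connector">
<param key="host" value="10.0.0.2"/>
<param key="ssl-enabled" value="true"/>
<param key="key-store-password" value="hornetqexample"/>
<param key="trust-store-password" value="hornetqexample"/>
</connector>
</connectors>
</configuration>"""
# Same file with explicit cluster credentials and a site-specific store password (constructed).
HARDENED_CONFIG = SENDER_CONFIG.replace("hornetqexample", "site-store-pw-2015").replace(
    "<connectors>", "<cluster-user>bridge-admin</cluster-user>"
    "<cluster-password>Rotate-Me-Please</cluster-password><connectors>")
```

Run over the two sample documents, the first yields four findings and the hardened one none; point it at real hornetq-configuration.xml files on both bridge ends to confirm the warning is gone for the right reason.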
3. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
jbertram Apr 2, 2015 5:23 PM (in response to guoxh16)
Is SSL required? I'm trying to get the simplest configuration possible to reproduce the error.
4. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
guoxh16 Apr 2, 2015 5:30 PM (in response to jbertram)
Yes. We need SSL since the core bridge is over a WAN between two data centers. We want to make sure that encrypted data is being passed over the public network.
5. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
jbertram Apr 2, 2015 9:59 PM (in response to guoxh16)
Sorry for the confusion. I meant: is SSL required to reproduce the problem? I'm trying to get the simplest configuration required to reproduce the problem, and if SSL isn't strictly required to reproduce it then I don't want to have to go through the work of creating a keystore and truststore and configuring them.
6. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
guoxh16 Apr 3, 2015 1:14 PM (in response to jbertram)
Yes, SSL is required to reproduce the problem. My non-SSL bridge has no problem passing data. To quickly set up SSL, you can just reuse the hornetq.example.keystore and hornetq.example.truststore files included in the SSL example of the HornetQ 2.3.2.Final or HornetQ 2.4.0.Final documentation, as I did in my sample settings.
7. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
jbertram Apr 6, 2015 11:20 AM (in response to guoxh16)
I set up 2 instances of HornetQ 2.4.1.Final with the configuration you pasted previously (although a bit simplified to eliminate unnecessary artifacts for the test). The SSL bridge worked without issue whether or not the cluster-password and cluster-user were set.