7 Replies Latest reply on Apr 6, 2015 11:20 AM by Justin Bertram

    How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled

    John Guo Newbie

      We are setting up a core bridge over WAN on SSL transport protocol. We are using stand-alone brokers without clustering connected by the bridge. In our hornetq-configuration.xml files, we didn't specify anything related to clustering such as <cluster-connections>, <broadcast-groups>, <discovery-groups>, <cluster-user>, and <cluster-password>. However, once we started the standalone brokers, there is a warning as the following:

       

      HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password. Please see the HornetQ user guide, cluster chapter, for instructions on how to change this.

       

      My questions is: since we are not using clustering at all on both ends, does the above warning has any potential security implication? Can potential intruder access the message queues by using the default cluster admin user name/password?

       

      I know one way to fix the warning is to add <cluster-user> and <cluster-password> in hornetq-configuration.xml files. But we verified that once those two fields are being added, our SSL bridge cannot pass messages any more.  Any solution for the SSL bridge if indeed we need those two fields? Not sure whether we can use the admin user defined in hornetq-users.xml as the cluster admin user and then the SSL bridge will work.

       

      Thanks a lot,

      John

        • 1. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
          Justin Bertram Master

          My questions is: since we are not using clustering at all on both ends, does the above warning has any potential security implication?

          Yes.

           

          Can potential intruder access the message queues by using the default cluster admin user name/password?

          Yes.

           

          I know one way to fix the warning is to add <cluster-user> and <cluster-password> in hornetq-configuration.xml files. But we verified that once those two fields are being added, our SSL bridge cannot pass messages any more.  Any solution for the SSL bridge if indeed we need those two fields? Not sure whether we can use the admin user defined in hornetq-users.xml as the cluster admin user and then the SSL bridge will work.

          I'd need to reproduce that issue to give you more insight on it.  Do you have a test-case that I could use to reproduce it on my machine?

          • 2. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
            John Guo Newbie

            The following are my working WAN SSL bridge without <cluster-user> and <cluster-password>. Once I add those two fields into the two hortnetq-configuration.xml files, I don't see messages are being sent to the SSL bridge receiver side. BTW, I have two more LAN/Non SSL bridges defined in SSL bridge receiver side for further forwarding, you can delete them if you think that is not relevant.


            Thanks,

            John


            ----------------------------------------------------------------------------------------------

            Hornetq-config.xml on SSL bridge sender side:

            ----------------------------------------------------------------------------------------------

            <configuration xmlns="urn:hornetq"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="urn:hornetq /schema/hornetq-configuration.xsd">

             

               <paging-directory>data/paging</paging-directory>

               <bindings-directory>data/bindings</bindings-directory>

               <journal-directory>${journals.dir:data/journal}</journal-directory>

               <journal-min-files>${journals.num:10}</journal-min-files>

               <journal-file-size>10485760</journal-file-size>

               <journal-compact-percentage>75</journal-compact-percentage>

               <large-messages-directory>data/large-messages</large-messages-directory>

             

               <jmx-management-enabled>true</jmx-management-enabled>

               <message-counter-enabled>true</message-counter-enabled>

             

               <connectors>  

               <connector name="netty">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host"  value="${local.ip}"/>

               <param key="port"  value="${local.port}"/>

               </connector>

             

               <!-- Connector to the other node for bridge connection -->
               <connector name="ssl-bridge-connector">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host"  value="${wan-bridge-to.ip}"/>

               <param key="port" value="${wan-bridge-to.port}"/>

               <param key="ssl-enabled" value="true"/>

               <param key="key-store-path" value="hornetq.keystore"/>

               <param key="key-store-password" value="hornetqexample"/>

               <param key="trust-store-path" value="hornetq.truststore"/>

               <param key="trust-store-password" value="hornetqexample"/>

               </connector>


               </connectors>

             

               <acceptors>

               <acceptor name="netty">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

               <param key="host"  value="${local.ip}"/>

               <param key="port"  value="${local.port}"/>

               </acceptor>

               </acceptors>

              

               <!-- We need to create a core queue for the JMS queue explicitly because the bridge will be deployed
              before the JMS queue is deployed, so the first time, it otherwise won't find the queue -->
               <queues>  

               <queue name="jms.queue.QueueA">

               <address>jms.queue.QueueA</address>

               </queue>

               <queue name="jms.queue.QueueB">

               <address>jms.queue.QueueB</address>

               </queue>

              </queues>

             

               <bridges>

               <bridge name="QueueA-bridge">

               <queue-name>jms.queue.QueueA</queue-name>

               <forwarding-address>jms.queue.QueueA-to</forwarding-address>

               <reconnect-attempts>-1</reconnect-attempts>

               <static-connectors>

               <connector-ref>ssl-bridge-connector</connector-ref>

               </static-connectors>

               </bridge>

               <bridge name="QueueB-bridge">

               <queue-name>jms.queue.QueueB</queue-name>

               <forwarding-address>jms.queue.QueueB-to</forwarding-address>

               <reconnect-attempts>-1</reconnect-attempts>

               <static-connectors>

               <connector-ref>ssl-bridge-connector</connector-ref>

               </static-connectors>

               </bridge>
               </bridges>

              

               <security-settings>

               <security-setting match="#">

               <permission type="createDurableQueue" roles="admin"/>

               <permission type="deleteDurableQueue" roles="admin"/>

               <permission type="createNonDurableQueue" roles="admin"/>

               <permission type="deleteNonDurableQueue" roles="admin"/>

               <permission type="send" roles="user, admin"/>

               <permission type="consume" roles="user, admin"/>

               </security-setting>

               </security-settings>

             

               <address-settings>

             

               <address-setting match="jms.queue.QueueA">

               <max-delivery-attempts>-1</max-delivery-attempts>

               <redistribution-delay>0</redistribution-delay>

               <max-size-bytes>${message.memory.max:10485760}</max-size-bytes>

               <page-size-bytes>5242880</page-size-bytes>

               <address-full-policy>PAGE</address-full-policy>

               </address-setting>

             

               <address-setting match="jms.queue.QueueB">

               <max-delivery-attempts>-1</max-delivery-attempts>

               <redistribution-delay>0</redistribution-delay>

               <max-size-bytes>${message.memory.max:10485760}</max-size-bytes>

               <page-size-bytes>5242880</page-size-bytes>

               <address-full-policy>PAGE</address-full-policy>

               </address-setting>

             

               <!-- Matches all JMS queues and topics -->
               <address-setting match="jms.#">

               <redistribution-delay>0</redistribution-delay>

               <max-size-bytes>${message.memory.max:10485760}</max-size-bytes>

               <page-size-bytes>5242880</page-size-bytes>

               <address-full-policy>PAGE</address-full-policy>

               </address-setting>

              

               <!--default for catch all-->
               <address-setting match="#">

               <dead-letter-address>jms.queue.DLQ</dead-letter-address>

               <expiry-address>jms.queue.ExpiryQueue</expiry-address>

               <redelivery-delay>0</redelivery-delay>

               <max-size-bytes>10485760</max-size-bytes>  

               <message-counter-history-day-limit>10</message-counter-history-day-limit>

               <address-full-policy>BLOCK</address-full-policy>

               </address-setting>

               </address-settings>

             

            </configuration>

             

            --------------------------------------------------------------------------------

            hornetq-jms.xml on SSL bridge sender side:

            --------------------------------------------------------------------------------

            <configuration xmlns="urn:hornetq"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:hornetq /schema/hornetq-jms.xsd">

             

              <connection-factory name="NettyConnectionFactory">

               <xa>false</xa>

               <connectors>

               <connector-ref connector-name="netty" />

               </connectors>

               <entries>

               <entry name="/ConnectionFactory" />

               </entries>

              </connection-factory>

             

              <queue name="HealthCheckQueue">

               <entry name="/queue/HealthCheckQueue" />

              </queue>

             

              <queue name="QueueA">

               <entry name="/queue/QueueA" />

              </queue>

             

              <queue name="QueueB">

               <entry name="/queue/QueueB" />

              </queue>

            </configuration>


            --------------------------------------------------------------------------

            Hornetq-config.xml on SSL bridge receiver side:

            --------------------------------------------------------------------------

            <configuration xmlns="urn:hornetq"
               xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
               xsi:schemaLocation="urn:hornetq /schema/hornetq-configuration.xsd">

             

               <paging-directory>data/paging</paging-directory>

               <bindings-directory>data/bindings</bindings-directory>

               <journal-directory>${journals.dir:data/journal}</journal-directory>

               <journal-min-files>${journals.num:10}</journal-min-files>

               <journal-file-size>10485760</journal-file-size>

               <journal-compact-percentage>75</journal-compact-percentage>

               <large-messages-directory>data/large-messages</large-messages-directory>

             

               <jmx-management-enabled>true</jmx-management-enabled>

               <message-counter-enabled>true</message-counter-enabled>

             

               <connectors>  

               <connector name="netty">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host"  value="${local.ip}"/>

               <param key="port"  value="${local.port}"/>

               </connector>

             

               <!-- Connector to the other node for non-ssl bridge connection -->
               <connector name="NonSSL-bridge-connector1">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host"  value="${connector-remote1.ip}"/>

               <param key="port" value="${connector-remote1.port}"/>

               <param key="ssl-enabled" value="false"/>

               </connector>

             

               <connector name="NonSSL-bridge-connector2">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyConnectorFactory</factory-class>

               <param key="host"  value="${connector-remote2.ip}"/>

               <param key="port" value="${connector-remote2.port}"/>

               <param key="ssl-enabled" value="false"/>

               </connector>

             

               </connectors>

             

               <acceptors>

               <acceptor name="ssl-bridge-netty">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

               <param key="host"  value="${local.ip}"/>

               <param key="port"  value="${ssl-bridge.port}"/>

               <param key="ssl-enabled" value="true"/>

               <param key="key-store-path" value="hornetq.keystore"/>

               <param key="key-store-password" value="hornetqexample"/>

               <param key="trust-store-path" value="hornetq.truststore"/>

               <param key="trust-store-password" value="hornetqexample"/>

               </acceptor>


               <acceptor name="netty">

               <factory-class>org.hornetq.core.remoting.impl.netty.NettyAcceptorFactory</factory-class>

               <param key="host"  value="${local.ip}"/>

               <param key="port"  value="${local.port}"/>

               </acceptor>

               </acceptors>

             

               <queues>  

               <queue name="jms.queue.QueueA-to">

               <address>jms.queue.QueueA-to</address>

               </queue>

               <queue name="jms.queue.QueueB-to">

               <address>jms.queue.QueueB-to</address>

               </queue>

               </queues>

             

               <bridges>

               <bridge name="lan-QueueA-bridge">

               <queue-name>jms.queue.QueueA-to</queue-name>

               <forwarding-address>jms.queue.QueueA-dest</forwarding-address>

               <reconnect-attempts>-1</reconnect-attempts>

               <static-connectors>

               <connector-ref>NonSSL-bridge-connector1</connector-ref>

               </static-connectors>

               </bridge>

               <bridge name="lan-QueueB-bridge">

               <queue-name>jms.queue.QueueB-to</queue-name>

               <forwarding-address>jms.queue.QueueB-dest</forwarding-address>

               <reconnect-attempts>-1</reconnect-attempts>

               <static-connectors>

               <connector-ref>NonSSL-bridge-connector2</connector-ref>

               </static-connectors>

               </bridge>

               </bridges>

             

               <security-settings>

               <security-setting match="#">

               <permission type="createDurableQueue" roles="admin"/>

               <permission type="deleteDurableQueue" roles="admin"/>

               <permission type="createNonDurableQueue" roles="admin"/>

               <permission type="deleteNonDurableQueue" roles="admin"/>

               <permission type="send" roles="user, admin"/>

               <permission type="consume" roles="user, admin"/>

               </security-setting>

               </security-settings>

             

               <address-settings>

             

               <address-setting match="jms.queue.QueueA-to">

               <max-delivery-attempts>-1</max-delivery-attempts>

               <redistribution-delay>0</redistribution-delay>

               <max-size-bytes>${message.memory.max:10485760}</max-size-bytes>

               <page-size-bytes>5242880</page-size-bytes>

               <address-full-policy>PAGE</address-full-policy>

               </address-setting>

             

               <address-setting match="jms.queue.QueueB-to">

               <max-delivery-attempts>-1</max-delivery-attempts>

               <redistribution-delay>0</redistribution-delay>

               <max-size-bytes>${message.memory.max:10485760}</max-size-bytes>

               <page-size-bytes>5242880</page-size-bytes>

               <address-full-policy>PAGE</address-full-policy>

               </address-setting>

              

               <!-- Matches all JMS queues and topics -->
               <address-setting match="jms.#">

               <redistribution-delay>0</redistribution-delay>

               <max-size-bytes>${message.memory.max:10485760}</max-size-bytes>

               <page-size-bytes>5242880</page-size-bytes>

               <address-full-policy>PAGE</address-full-policy>

               </address-setting>

             

               <!--default for catch all-->
               <address-setting match="#">

               <dead-letter-address>jms.queue.DLQ</dead-letter-address>

               <expiry-address>jms.queue.ExpiryQueue</expiry-address>

               <redelivery-delay>0</redelivery-delay>

               <max-size-bytes>10485760</max-size-bytes>

               <message-counter-history-day-limit>10</message-counter-history-day-limit>

               <address-full-policy>BLOCK</address-full-policy>

               </address-setting>

               </address-settings>

             

            </configuration>


            -----------------------------------------------------------------------------------

            hornetq-jms.xml on SSL bridge receiver side:

            -----------------------------------------------------------------------------------

            <configuration xmlns="urn:hornetq"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="urn:hornetq /schema/hornetq-jms.xsd">

             

              <connection-factory name="NettyConnectionFactory">

               <xa>false</xa>

               <connectors>

               <connector-ref connector-name="netty" />

               </connectors>

               <entries>

               <entry name="/ConnectionFactory" />

               </entries>

              </connection-factory>

             

              <queue name="HealthCheckQueue">

               <entry name="/queue/HealthCheckQueue" />

              </queue>

             

              <queue name="QueueA-to">

               <entry name="/queue/QueueA-to" />

              </queue>

             

              <queue name="QueueB-to">

               <entry name="/queue/QueueB-to" />

              </queue>

             

            </configuration>

            • 4. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
              John Guo Newbie

              Yes. We need SSL since the core bridge is over WAN between two data centers. We want to make sure that encrypted data are being passed over public network.

              • 5. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
                Justin Bertram Master

                Sorry for the confusion.  I meant is SSL required to reproduce the problem?  I'm trying to get the simplest configuration required to reproduce the problem, and if SSL isn't strictly required to reproduce it then I don't want to have to go through the work of creating a keystore and truststore and configuring them.

                • 6. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
                  John Guo Newbie

                  Yes, SSL is required to reproduce the problem. My non-ssl bridge has no problem passing data. To quickly set up SSL, you can just reuse the hornetq.example.keystore and hornetq.example.truststore files included in the SSL example of hornetq 2.3.2.Final or hornetq2.4.0.Final documentation as I did in my sample settings.



                   

                  • 7. Re: How to handle "HQ222007: Security risk! HornetQ is running with the default cluster admin user and default password" warning when cluster is disabled
                    Justin Bertram Master

                    I set up 2 instances of HornetQ 2.4.1.Final with the configuration you pasted previously (although a bit simplified to eliminate unnecessary artifacts for the test).  The SSL bridge worked without issue whether or not the cluster-password and cluster-user were set.