4 Replies Latest reply: May 28, 2010 11:16 AM by 807581

    Password file for MQ - Encrypted

    807581
      Hi,

      I wish to use a password file for my implementation of Java MQ, but do not want to have it stored in plain text. I use imqcmd as part of my deployment process and do not want to be prompted for passwords as it is automated.

      Is there any way in which to encrypt the password file for imqcmd commands?

      Thanks,

      Anthonie
        • 1. Re: Password file for MQ - Encrypted
          805009
          You need to create a password file and set its permissions to protect it from unauthorized access.
          http://docs.sun.com/app/docs/doc/820-6740/aeogq?a=view

          Note that even if the file were encrypted this wouldn't avoid the need to set its permissions to protect it from unauthorized access (since somebody could copy the file).

          Nigel
          • 2. Re: Password file for MQ - Encrypted
            807581
            Thank you. I understand the need for user permissions, but would also like the file to be encrypted. For now, I will use the permissions approach.
            • 3. Re: Password file for MQ - Encrypted
              807581
              The source code for IMQ and J233 is available to download.
              You can then customize the code to do whatever you want (i.e. read in a password in some encrypted format using an algorithm of your choice and then unencrypting it before passing it on).

              You can easily do this for the KEYSTORE / TRUSTSTORE password files by writing your own Java security provider.

              Here are the steps for that:

              *1. Write a custom java security provider.*
              public class YOUR_PROVIDER_Provider extends java.security.Provider
              {
                  public YOUR_PROVIDER_Provider()
                  {
                      super("YOUR_PROVIDER_Provider", 1.0, "A Custom Security provider");

                      // The value registered for "KeyStore.JKS" must be the fully qualified
                      // name of your KeyStoreSpi subclass from step 3, not the provider itself.
                      String className = "YOUR_PACKAGE.JavaKeyStore";
                      put("KeyStore.JKS", className);
                      ...
                  }
              }
              *2. Add an entry to the java.security file like this:*
              security.provider.1=YOUR_PROVIDER_Provider

              The above order MUST be 1 in order to override the Sun default security provider.
              The java.security file is located in: {$JRE_HOME}\lib\security\

              *3. write your own JavaKeyStore* (you can download Sun's java source code to use as a baseline).
              I would recommend using this one:

              sun.security.provider.JavaKeyStore

              If you change the package name to a custom one, you will also need this class (due to the package-protected accessor of this class):
              sun.security.provider.KeyProtector

              In this class:
              sun.security.provider.JavaKeyStore

              Modify these methods:
              public Key engineGetKey(String alias, char[] password)
                  throws NoSuchAlgorithmException, UnrecoverableKeyException
              {
                  // ... your code
              }

              public void engineSetKeyEntry(String alias, Key key, char[] password,
                                            Certificate[] chain)
                  throws KeyStoreException
              {
                  // ... your code
              }

              public void engineStore(OutputStream stream, char[] password)
                  throws IOException, NoSuchAlgorithmException, CertificateException
              {
                  // ... your code
              }

              public void engineLoad(InputStream stream, char[] password)
                  throws IOException, NoSuchAlgorithmException, CertificateException
              {
                  // ... your code
              }
              *4. put your custom files inside a .jar file and put this in the java classpath AHEAD of the standard java ones:*
              e.g.
              java -Xbootclasspath/p:YOUR_JAR.jar

              you will have to do this inside the IMQ startup script

              alternatively you can simply edit the imqbrokerd.conf file to something like this:
              ARGS=-vmargs -Xbootclasspath/p:YOUR_JAR.jar:

              this file is in: IMQ_HOME/etc/mq/
              • 4. Re: Password file for MQ - Encrypted
                807581
                The source code for IMQ is available to download.
                You can then customize the code to do whatever you want (i.e. read in a password in some encrypted format using an algorithm of your choice and then unencrypting it before passing it on).

                You can easily do this for the password files by writing your own TLS class & DBManager class (to encrypt the JDBC database password also).

                Here are the steps for that:

                *1. Write a custom java TLSProtocol class.*

                In this class:
                com.sun.messaging.jmq.jmsserver.net.tls.TLSProtocol

                Modify this method:
                public static ServerSocketFactory getServerSocketFactory()
                    throws IOException
                {
                    // ... your code here
                }

                *2. Modify this class:*
                com.sun.messaging.jmq.jmsserver.persist.jdbc.DBManager

                /*
                 * When instantiated, the object configures itself by reading the
                 * properties specified in BrokerConfig.
                 */
                private DBManager() throws BrokerException {
                    // ... put code to set the "password" variable by unencrypting the encrypted password that you have saved in the settings/config file
                }


                *3. put your custom files inside a .jar file and put this in the java classpath AHEAD of the standard java ones:*
                e.g.
                java -Xbootclasspath/p:YOUR_JAR.jar

                you will have to do this inside the IMQ startup script

                alternatively you can simply edit the imqbrokerd.conf file to something like this:
                ARGS=-vmargs -Xbootclasspath/p:YOUR_JAR.jar:

                this file is in: IMQ_HOME/etc/mq/
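Both reply 3 (the custom JavaKeyStore) and reply 4 (the modified DBManager constructor) leave the actual "read an encrypted password and decrypt it" step as "your code". The following class is an added example, not code from the thread or from Open MQ; it assumes Java 8 or later and that the broker code hands it the line read from the password file. The class name EncryptedPasswordFile, the "base64(iv):base64(ciphertext)" line format and the sample password are all constructed for this example.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical helper (not part of Open MQ): the modified engineLoad() or DBManager()
// constructor would call open() on the line read from the password file.
public final class EncryptedPasswordFile {
    private static final int IV_BYTES = 12;   // 96-bit nonce, the recommended size for GCM
    private static final int TAG_BITS = 128;  // full-length authentication tag

    private EncryptedPasswordFile() {}

    // Encrypts a password; returns the "base64(iv):base64(ciphertext+tag)" line to store.
    public static String seal(char[] password, byte[] key) throws GeneralSecurityException {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);     // fresh nonce per encryption, never reused
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(new String(password).getBytes(StandardCharsets.UTF_8));
        return Base64.getEncoder().encodeToString(iv) + ":" + Base64.getEncoder().encodeToString(ct);
    }

    // Decrypts one stored line. A tampered or truncated entry fails the GCM tag check and
    // throws AEADBadTagException rather than handing the broker a garbage password.
    public static char[] open(String line, byte[] key) throws GeneralSecurityException {
        String[] parts = line.trim().split(":", 2);
        if (parts.length != 2) throw new IllegalArgumentException("malformed password file entry");
        byte[] iv = Base64.getDecoder().decode(parts[0]);
        byte[] ct = Base64.getDecoder().decode(parts[1]);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8).toCharArray();
    }

    // Round trip with a constructed 16-byte key and password so the class runs stand-alone.
    // In a deployment the key would be read from its own file, which still needs the
    // restrictive permissions Nigel describes: anyone who can read it can decrypt the password.
    public static void main(String[] args) throws Exception {
        byte[] key = new byte[16];
        new SecureRandom().nextBytes(key);
        String stored = seal("imq-admin-secret".toCharArray(), key);
        boolean ok = new String(open(stored, key)).equals("imq-admin-secret");
        System.out.println(ok ? "round trip OK" : "MISMATCH");
    }
}
```

The encryption moves the secret from the password file to the key file rather than removing it, which is why the file-permission step from reply 1 still applies to whichever file holds the key.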