- Bug
- Resolution: Won't Do
- Major
- None
- AMQ 7.7.0.GA, AMQ 7.6.0.GA
When deploying the amq-broker-77-persistence-clustered-ssl template with a custom password for the keystore/truststore, we get:
2020-07-09 06:10:05,566 INFO [io.hawt.system.ProxyWhitelist] Initial proxy whitelist: [localhost, 127.0.0.1, 172.17.0.10, broker-amq-0.broker-amq-headless.broker.svc.cluster.local] java.io.IOException: Keystore was tampered with, or password was incorrect
It seems that the custom password is still encoded as base64 in the generated broker.xml, unlike when using the default "password":
Namespace with custom password (not working):
fvaleri-mac:02695768 fvaleri$ oc exec broker-amq-0 -- cat broker/etc/broker.xml | grep keyStorePassword
<acceptor name="artemis-ssl">tcp://broker-amq-0.broker-amq-headless.broker.svc.cluster.local:61617?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=cGFzc3dvcmQ=</acceptor>
<acceptor name="amqp-ssl">tcp://broker-amq-0.broker-amq-headless.broker.svc.cluster.local:5671?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=cGFzc3dvcmQ=</acceptor>
<acceptor name="stomp-ssl">tcp://broker-amq-0.broker-amq-headless.broker.svc.cluster.local:61612?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=STOMP;useEpoll=true;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=cGFzc3dvcmQ=</acceptor>
<acceptor name="mqtt-ssl">tcp://broker-amq-0.broker-amq-headless.broker.svc.cluster.local:8883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=cGFzc3dvcmQ=</acceptor>
Namespace with default password (working):
fvaleri-mac:02695768 fvaleri$ oc exec broker1-amq-0 -- cat broker/etc/broker.xml | grep keyStorePassword
<acceptor name="artemis-ssl">tcp://broker1-amq-0.broker-amq-headless.broker1.svc.cluster.local:61617?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=CORE,AMQP,STOMP,HORNETQ,MQTT,OPENWIRE;useEpoll=true;amqpCredits=1000;amqpLowCredits=300;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=password</acceptor>
<acceptor name="amqp-ssl">tcp://broker1-amq-0.broker-amq-headless.broker1.svc.cluster.local:5671?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=AMQP;useEpoll=true;amqpCredits=1000;amqpMinCredits=300;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=password</acceptor>
<acceptor name="stomp-ssl">tcp://broker1-amq-0.broker-amq-headless.broker1.svc.cluster.local:61612?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=STOMP;useEpoll=true;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=password</acceptor>
<acceptor name="mqtt-ssl">tcp://broker1-amq-0.broker-amq-headless.broker1.svc.cluster.local:8883?tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;protocols=MQTT;useEpoll=true;connectionsAllowed=1000;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=password</acceptor>
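A quick way to confirm the symptom above on any broker pod, added here as an example and not part of this report or of the AMQ templates: parse the acceptor URIs in broker.xml, pull out every keyStorePassword, and flag those that are the base64 form of the password you handed to the template rather than the password itself (a Kubernetes Secret's `data` field holds base64, so a value copied from it without decoding would look exactly like this). The sample XML is constructed from the two acceptor shapes shown in the grep output; the expected password "password" is an assumption standing in for whatever was passed to the template.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample, shaped like the two grep results in the report: one acceptor
# carries the base64 form of the secret, the other carries the secret itself.
SAMPLE_BROKER_XML = """<acceptors>
  <acceptor name="artemis-ssl">tcp://broker-amq-0.broker-amq-headless.broker.svc.cluster.local:61617?protocols=CORE,AMQP;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=cGFzc3dvcmQ=</acceptor>
  <acceptor name="amqp-ssl">tcp://broker1-amq-0.broker-amq-headless.broker1.svc.cluster.local:5671?protocols=AMQP;sslEnabled=true;keyStorePath=/etc/amq-secret-volume/server-ks.jks;keyStorePassword=password</acceptor>
</acceptors>"""


def acceptor_params(uri):
    """Parse the ';'-separated key=value parameters of an Artemis acceptor URI.

    Values are split on the first '=' only: a base64 password such as
    'cGFzc3dvcmQ=' ends in '=' and a naive split would truncate it.
    """
    params = {}
    _, _, query = uri.partition("?")
    for part in query.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            params[key] = value
    return params


def decode_if_base64_text(value):
    """Return the decoded text if value is canonical base64 of printable UTF-8, else None."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return None
    # Require an exact round trip so unpadded or sloppy input is not accepted.
    if base64.b64encode(raw).decode("ascii") != value:
        return None
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() else None


def audit_keystore_passwords(xml_text):
    """Map each acceptor name to (keyStorePassword as written, base64-decoded text or None)."""
    root = ET.fromstring(xml_text)
    found = {}
    for acceptor in root.iter("acceptor"):
        params = acceptor_params((acceptor.text or "").strip())
        if "keyStorePassword" in params:
            value = params["keyStorePassword"]
            found[acceptor.get("name")] = (value, decode_if_base64_text(value))
    return found


def acceptors_with_encoded_secret(xml_text, expected_password):
    """Names of acceptors whose keyStorePassword is the base64 form of the expected secret.

    Comparing against the password actually given to the template avoids false
    positives on plain passwords that merely happen to be valid base64.
    """
    return [
        name
        for name, (value, decoded) in audit_keystore_passwords(xml_text).items()
        if value != expected_password and decoded == expected_password
    ]


if __name__ == "__main__":
    import sys

    xml_text = SAMPLE_BROKER_XML if sys.stdin.isatty() else sys.stdin.read()
    expected = sys.argv[1] if len(sys.argv) > 1 else "password"  # assumption: the template's password
    for name, (value, decoded) in audit_keystore_passwords(xml_text).items():
        bad = value != expected and decoded == expected
        print(f"{name}: {'BASE64 OF EXPECTED SECRET' if bad else 'ok'}")
```

Against a live pod, pipe the same command used in the report into the script: `oc exec broker-amq-0 -- cat broker/etc/broker.xml | python3 audit_keystore.py '<password given to the template>'`. An acceptor reported as "BASE64 OF EXPECTED SECRET" is one the broker will fail to start with the "Keystore was tampered with, or password was incorrect" error, because the JKS file was created with the decoded password.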
- is caused by: ENTMQBR-2629 Ensure sensitive credentials are stored in kubernetes secrets (Closed)
- is documented by: AMQDOC-3166 Provide more detailed explanation for ENTMQBR-3262 (Closed)
- links to