AMQ Broker / ENTMQBR-4634

[Docs] Encrypting AMQ broker pod credentials from env variables


    • Type: Task
    • Resolution: Won't Do
    • Priority: Major
    • AMQ 7.8.0.GA
    • documentation

      A customer is looking to encrypt AMQ credentials.
      Actually, AMQ credentials are base64 encoded in secrets.

      But the AMQ broker pod env variables are in plain text; the customer is citing this as a security concern and looking for a way to encrypt them,

      the same way amqbroker/etc/user.properties is encrypted:

      2OBDUFjj = ENC(1024:1CB1F77E32E248B12CCB10F8991AD2EB93DD45E021105BA0DD777E5DD6AE1CE3:AAAEB451CDFE163C7FD96AA4A70CF7D35185BF41A8A3A6846283FA998299326035AE20A00CF10E326DF0C114EDE90FDCC21153944746CBABDA7BE161BE0E2C3E)
      

      But when connected to the broker pod, the printenv command prints the credentials in plain text, not in ENC form as in the users.properties file:
       

      sh-4.2$ printenv
      AMQ_ANYCAST_PREFIX=
      POD_NAMESPACE=
      HOSTNAME=ex-aao-ss-0
      AMQ_BROKER_OPERATOR_PORT_8383_TCP_PORT=8383
      AB_JOLOKIA_AUTH_OPENSHIFT=true
      KUBERNETES_PORT=tcp://172.30.0.1:443
      KUBERNETES_PORT_443_TCP_PORT=443
      TERM=xterm-256color
      JBOSS_IMAGE_NAME=amq-broker-7/amq-broker-78-openshift
      AMQ_BROKER_OPERATOR_PORT=tcp://172.30.128.248:8383
      KUBERNETES_SERVICE_PORT=443
      OLDPWD=/home/jboss/amq-broker
      AMQ_GLOBAL_MAX_SIZE=100 mb
      KUBERNETES_SERVICE_HOST=172.30.0.1
      AMQ_ROLE=admin
      AMQ_QUEUES=
      AMQ_BROKER_OPERATOR_PORT_8383_TCP_PROTO=tcp
      JBOSS_IMAGE_VERSION=7.8
      AMQ_CLUSTERED=true
      AMQ_BROKER_OPERATOR_SERVICE_HOST=172.30.128.248
      AMQ_CLUSTER_USER=whxUE67e
      JOLOKIA_VERSION=1.6.2
      JBOSS_AMQ_VERSION=7.8.0
      AMQ_ACCEPTORS=<acceptor name="scaleDown">tcp:\/\/ACCEPTOR_IP:61616?protocols=CORE;tcpSendBufferSize=1048576;tcpReceiveBufferSize=1048576;useEpoll=true;amqpCredits=1000;amqpMinCredits=300<\/acceptor>
      PRODUCT_VERSION=7.8.0
      JBOSS_CONTAINER_AMQ_S2I_MODULE=/opt/jboss/container/amq/s2i
      AB_JOLOKIA_HTTPS=true
      JBOSS_PRODUCT=AMQ
      AMQ_MULTICAST_PREFIX=
      AMQ_HOME=/opt/amq
      AMQ_REQUIRE_LOGIN=false
      JAVA_VENDOR=openjdk
      AMQ_CLUSTER_PASSWORD=SU6M0sCN
      PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
      AMQ_PASSWORD=mSqv6coX
      JBOSS_CONTAINER_S2I_CORE_MODULE=/opt/jboss/container/s2i/core/
      AMQ_USER=2OBDUFjj
      PWD=/home/jboss/amq-broker/etc
      JAVA_HOME=/usr/lib/jvm/java-1.8.0
      TRIGGERED_ROLL_COUNT=2
      AMQ_EXTRA_ARGS=--no-autotune
      JAVA_VERSION=1.8.0
      AMQ_CONNECTORS=
      JBOSS_CONTAINER_OPENJDK_JDK_MODULE=/opt/jboss/container/openjdk/jdk
      AB_JOLOKIA_PASSWORD_RANDOM=true
      JBOSS_CONTAINER_JOLOKIA_MODULE=/opt/jboss/container/jolokia
      AMQ_NAME=amq-broker
      AMQ_TRANSPORTS=
      JBOSS_CONTAINER_JAVA_PROXY_MODULE=/opt/jboss/container/java/proxy
      HOME=/home/jboss
      SHLVL=2
      S2I_SOURCE_DEPLOYMENTS_FILTER=*
      KUBERNETES_PORT_443_TCP_PROTO=tcp
      AMQ_BROKER_OPERATOR_SERVICE_PORT_METRICS=8383
      KUBERNETES_SERVICE_PORT_HTTPS=443
      AMQ_RESET_CONFIG=false
      AMQ_BROKER_OPERATOR_PORT_8383_TCP=tcp://172.30.128.248:8383
      JBOSS_CONTAINER_UTIL_LOGGING_MODULE=/opt/jboss/container/util/logging/
      AMQ_JOURNAL_TYPE=nio
      NSS_SDB_USE_CACHE=no
      JBOSS_CONTAINER_JAVA_JVM_MODULE=/opt/jboss/container/java/jvm
      AMQ_ADDRESSES=
      AMQ_ENABLE_MANAGEMENT_RBAC=false
      PING_SVC_NAME=ex-aao-ping-svc
      KUBERNETES_PORT_443_TCP_ADDR=172.30.0.1
      AMQ_ENABLE_JOLOKIA_AGENT=false
      KUBERNETES_PORT_443_TCP=tcp://172.30.0.1:443
      AMQ_BROKER_OPERATOR_PORT_8383_TCP_ADDR=172.30.128.248
      container=oci
      AMQ_BROKER_OPERATOR_SERVICE_PORT=8383
      _=/usr/bin/printenv
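
A name-based check for the exposure described in this ticket, as an added example that is not part of the original issue or of AMQ Broker: it lists credential-like variables in a printenv dump whose values are not ENC(...)-wrapped, and redacts them so the dump can be shared. The name pattern, the function names and the sample values are assumptions constructed for illustration.

```shell
# Added example (not from the ticket): audit a printenv dump for plaintext credentials.
# Assumption: credentials are recognised by variable name only.
CRED_RE='(PASSWORD|PASSWD|SECRET|TOKEN|_USER)$'

# audit_env: read NAME=VALUE lines on stdin and print the names of credential-like
# variables whose value is non-empty and not wrapped in ENC(...).
audit_env() {
    awk -v re="$CRED_RE" '
        {
            eq = index($0, "=")
            if (eq < 2) next                  # not a NAME=VALUE line
            name = substr($0, 1, eq - 1)
            value = substr($0, eq + 1)
            if (name !~ re) next              # name is not credential-like
            if (value == "") next             # empty value, nothing exposed
            if (value ~ /^ENC\(.*\)$/) next   # masked, as in the properties file
            print name
        }'
}

# redact_env: echo the dump with every non-empty credential value replaced,
# so it can be attached to a ticket without carrying the values.
redact_env() {
    awk -v re="$CRED_RE" '
        {
            eq = index($0, "=")
            if (eq >= 2) {
                name = substr($0, 1, eq - 1)
                if (name ~ re && length($0) > eq) { print name "=<redacted>"; next }
            }
            print
        }'
}

# Constructed sample input: placeholder values, not the ones shown in the ticket.
sample_env() {
    cat <<'EOF'
AMQ_ROLE=admin
AMQ_USER=example-user
AMQ_PASSWORD=example-password
AMQ_CLUSTER_USER=example-cluster-user
AMQ_CLUSTER_PASSWORD=ENC(1024:SALT:HASH)
AB_JOLOKIA_PASSWORD_RANDOM=true
AMQ_QUEUES=
EOF
}

sample_env | audit_env
```

Inside a pod the same functions can be fed live data with `printenv | audit_env` or `printenv | redact_env`.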
      

            jcliffor@redhat.com John Clifford
            jbyrne@redhat.com John Byrne (Inactive)