How to encrypt passwords for JConsole password file

I use JConsole to access my MBeans applications, and I use the password.properties file. But according to the Sun specification, this file contains passwords in plain text format only.

com.sun.management.jmxremote.password.file=<someLocation>/password.properties

Now I would like to encrypt the password and use it to authenticate JMX users with JConsole (the username and password fields in the Remote section). I could use any predefined encryption logic or my own encryption algorithms.

Does anyone know how to intercept this in order to change the plaintext password to an encrypted one, so that the JMX framework also knows about the encrypted password?

My current password file is:

guest  guest
admin  admin

With encryption, it should look like this:

guest  ENC(RjqpRYbAOwbAfAEDBdHJ7Q4l/GO5IoJidZctNT5oG64=)
admin  ENC(psg3EnDei6fVRuqHeLwOqNTgIWkwQTjI2+u2O7MXXWc=)
+3
1

com.sun.management.jmxremote.login.config management.properties(.% JAVA_HOME%/lib/management/management.properties), , Authenticator LoginModule .

:

JMXPluggableAuthenticator {
    com.sun.jmx.remote.security.FileLoginModule required;
};

jmxremote.password. com.sun.jmx.remote.security.JMXPluggableAuthenticator LoginModule, LoginModule, .

FileLoginModule, attemptAuthentication(boolean), , , . javax.security.auth.spi.LoginModule CallbackHandler ( init()), . / , . :

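import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Map;
import javax.management.remote.JMXPrincipal;
import javax.security.auth.Subject;
import javax.security.auth.callback.*;
import javax.security.auth.login.LoginException;
import javax.security.auth.spi.LoginModule;

public class EncryptedFileLoginModule implements LoginModule {
    private Subject subject;
    private CallbackHandler callbackHandler;
    private String username;
    private char[] password;
    private JMXPrincipal user;
    private boolean authenticated;

    @Override
    public void initialize(Subject subject, CallbackHandler callbackHandler,
            Map<String, ?> sharedState, Map<String, ?> options) {
        this.subject = subject;
        this.callbackHandler = callbackHandler;
    }

    @Override
    public boolean login() throws LoginException {
        attemptLogin();
        if (username == null || password == null) {
            throw new LoginException("Either no username or no password specified");
        }
        try {
            MessageDigest instance = MessageDigest.getInstance("SHA-1");
            byte[] raw = new String(password).getBytes(StandardCharsets.UTF_8);
            byte[] crypted = instance.digest(raw);
            // TODO: Compare to the one stored locally and set authenticated on a match
        } catch (NoSuchAlgorithmException e) {
            throw new LoginException(e.getMessage());
        }
        if (!authenticated) throw new LoginException();
        return true;
    }

    // Asks the JMX connector for the credentials the client supplied
    private void attemptLogin() throws LoginException {
        Callback[] callbacks = { new NameCallback("username"), new PasswordCallback("password", false) };
        try {
            callbackHandler.handle(callbacks);
        } catch (IOException | UnsupportedCallbackException e) {
            throw new LoginException(e.getMessage());
        }
        username = ((NameCallback) callbacks[0]).getName();
        user = (username == null) ? null : new JMXPrincipal(username);
        char[] tmpPassword = ((PasswordCallback) callbacks[1]).getPassword();
        password = (tmpPassword == null) ? null : tmpPassword.clone();
        ((PasswordCallback) callbacks[1]).clearPassword();
    }

    @Override public boolean commit() {
        if (authenticated) subject.getPrincipals().add(user);
        return authenticated;
    }
    @Override public boolean abort() { return logout(); }
    @Override public boolean logout() {
        if (user != null) subject.getPrincipals().remove(user);
        return true;
    }
}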

, , - , JMX SSL. , SSL, , .

, , , JAAS. , , Windows, NTLoginModule . .

c:/temp/mysecurity.cfg:

MyLoginModule {
 com.sun.security.auth.module.NTLoginModule REQUIRED  debug=true debugNative=true;
};

jmxremote.access, , JMX:

monitorRole readonly
controlRole readwrite ...
mhaller readonly

( , . , ) JVM :

-Dcom.sun.management.jmxremote
-Dcom.sun.management.jmxremote.port=8686
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Djava.net.preferIPv4Stack=true
-Djava.security.auth.login.config=c:/temp/mysecurity.cfg
-Dcom.sun.management.jmxremote.login.config=MyLoginModule

JConsole VisualVM.

, JConsole, , . . , jconsole , . VisualVM , , .

, NTLoginModule , , , Sun :

  • com.sun.security.auth.module.Krb5LoginModule: Kerberos
  • com.sun.security.auth.module.LdapLoginModule: ( Java 6): LDAP
  • com.sun.security.auth.module.JndiLoginModule: LDAP, JNDI.
  • com.sun.security.auth.module.KeyStoreLoginModule: Java Keystore. PIN- -.

LdapLoginModule

+7

Source: https://habr.com/ru/post/1721927/

