JDK-6740543 : Add support for encrypted passwords in the jmxremote.password file
  • Type: Enhancement
  • Component: core-svc
  • Sub-Component: java.lang.management
  • Affected Version: 5.0u15
  • Priority: P3
  • Status: Resolved
  • Resolution: Duplicate
  • OS: solaris_2.5.1
  • CPU: sparc
  • Submitted: 2008-08-22
  • Updated: 2017-02-12
  • Resolved: 2017-02-12
Related Reports
Duplicate :  
JDK-5016517 - Replace plaintext passwords by hashed passwords for out-of-the-box JMX Agent
Description
The jmxremote.password file does not have any mechanism for encrypted passwords. As per Oracle Secure Standards, none of the passwords in the implementation config files can be in cleartext. Currently, there is no way for a user to encrypt his passwords.

First, please provide a way for the user to encrypt his passwords and also make that option the default.

Second, even if the user provide the password as cleartext in input, the JVM should encrypt all cleartext passwords, thus making them unreadable in e.g. a crash dump.

The currently available solution with restricted file permissions does not provide a solution to this issue.

--- Sample jmxremote.password file ---
--- $JRE/lib/management/jmxremote.password.template ---
# ----------------------------------------------------------------------
#           Template for jmxremote.password
#
# o Copy this template to jmxremote.password
# o Set the user/password entries in jmxremote.password
# o Change the permission of jmxremote.password to read-only
#   by the owner.
#
# See below for the location of jmxremote.password file.
# ----------------------------------------------------------------------

##############################################################
#        Password File for Remote JMX Monitoring
##############################################################
#
# Password file for Remote JMX API access to monitoring.  This
# file defines the different roles and their passwords.  The access
# control file (jmxremote.access by default) defines the allowed
# access for each role.  To be functional, a role must have an entry
# in both the password and the access files.
#
# Default location of this file is $JRE/lib/management/jmxremote.password
# You can specify an alternate location by specifying a property in
# the management config file $JRE/lib/management/management.properties
# or by specifying a system property (See that file for details).


##############################################################
#    File permissions of the jmxremote.password file
##############################################################
#      Since there are cleartext passwords stored in this file,
#      this file must be readable by ONLY the owner,
#      otherwise the program will exit with an error.
#
# The file format for password and access files is syntactically the same
# as the Properties file format.  The syntax is described in the Javadoc
# for java.util.Properties.load.
# Typical password file has multiple  lines, where each line is blank,
# a comment (like this one), or a password entry.
#
#
# A password entry consists of a role name and an associated
# password.  The role name is any string that does not itself contain
# spaces or tabs.  The password is again any string that does not
# contain spaces or tabs.  Note that passwords appear in the clear in
# this file, so it is a good idea not to use valuable passwords.
#
# A given role should have at most one entry in this file.  If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last one
# is used.
#
# In a typical installation, this file can be read by anybody on the
# local machine, and possibly by people on other machines.
# For # security, you should either restrict the access to this file,
# or specify another, less accessible file in the management config file
# as described above.
#
# Following are two commented-out entries.  The "measureRole" role has
# password "QED".  The "controlRole" role has password "R&D".
#
# monitorRole  QED
# controlRole   R&D
Comments
Hashed passwords are adequate and easy to implement compared to Encryted passwords. Hence duplicating the issue
12-02-2017
I would suggest a way to add to the default, ie to still allow clear text passwords, but to also allow some hashed solution. I agree that we need to be backwards compatible. The syntax of the password file expects lines of "role password". Could one add support for three part lines, with some symbol in between? monitorRole QED adminRole * 7b46c291e7073c31d3ce0adae2f7554f If this was combined with a generator launcher or something, it could be pretty simple: > $JAVA_HOME/bin/jmxpasswd Enter Username: adminRole Enter Passwrod: ******* Add the following line to jmxremote.passwd: adminRole * 7b46c291e7073c31d3ce0adae2f7554f It would still allow unsecure behavior by default, but it also allows for a more secure way without a lot of work. Right now we have one easy, bad way, and a difficult good way. That is the exact opposite of secure by default. By having the hashed version be part of the example jmxremote file and adding instructions in the comments of that file, I would guess a lot of people setting it up would go for that route.
09-04-2013
EVALUATION The authentication mechanism in the JMX agent is pluggable so the customer can use alternative JAAS LoginModules if required. The simple password file mechanism is there to get developers up and running quickly. Here's a rather old blog that demonstrates how to use LDAP for authenication instead of the password file. http://blogs.sun.com/alanb/entry/one_password_to_rule_them Luis-Miguel has another blog that goes through various ways to configure the agent for authenication: http://blogs.sun.com/lmalventosa/entry/jmx_authentication_authorization
22-08-2008