From b15e32a943ae269c1c7dae4b2084e2ad87f3940d Mon Sep 17 00:00:00 2001
From: Alex Rudyy
Date: Wed, 15 Apr 2015 10:00:55 +0000
Subject: QPID-6481: Move java broker docbook into java source tree
git-svn-id: https://svn.apache.org/repos/asf/qpid/trunk@1673703 13f79535-47bb-0310-9956-ffa450edef68
---
...va-Broker-Security-Configuration-Encryption.xml | 74 ----------------------
1 file changed, 74 deletions(-)
delete mode 100644 qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml
(limited to 'qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml')
diff --git a/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml b/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml
deleted file mode 100644
index 2924f2859c..0000000000
--- a/qpid/doc/book/src/java-broker/security/Java-Broker-Security-Configuration-Encryption.xml
+++ /dev/null
@@ -1,74 +0,0 @@
- - - - -
- Configuration Encryption - The Broker is capable of encrypting passwords and other security items stored in the - Broker's configuration. This is means that items such as keystore/truststore passwords, JDBC - passwords, and LDAP passwords can be stored in the configure in a form that is difficult to - read. - The Broker ships with an encryptor implementation called AESKeyFile. This - uses a securely generated random key of 256bitJava Cryptography Extension (JCE) - Unlimited Strength required to encrypt the secrets stored within a key - file. Of course, the key itself must be guarded carefully, otherwise the passwords encrypted - with it may be compromised. For this reason, the Broker that the file's permissions allow the - file to be read exclusively by the user account used for running the Broker. - - If the keyfile is lost or corrupted, the secrets will be irrecoverable. - -
- Configuration - To use AESKeyFile, first stop the Broker, then edit the Broker's - configuration file ${QPID_WORK}/config.json. Insert a Broker attribute called - confidentialConfigurationEncryptionProvider with value - AESKeyFile. On restarting the Broker, it will generate a keyfile in - location ${QPID_WORK}/.keys/. Any existing passwords contained with the - configuration will be automatically encrypted, as will any new or changed ones in - future. - - Enanbling password encryption - - { - "id" : "3f183a59-abc3-40ad-8e14-0cac9de2cac4", - "name" : "${broker.name}", - "confidentialConfigurationEncryptionProvider" : "AESKeyFile", - .... - } - - - Note that passwords stored by the Authentication Providers PlainPasswordFile and. - PlainPasswordFile - with the external password files are not encrypted by the key. Use the - Scram Authentication Managers instead; these make use of the Configuration Encryption when - storing the users' passwords. -
-
- Alternate Implementations - If the AESKeyFile encryptor implementation does not meet the needs of - the user, perhaps owing to the security standards of their institution, the - ConfigurationSecretEncrypter interface is designed as an extension point. - Users may implement their own implementation of ConfigurationSecretEncrypter perhaps to employ - stronger encryption or delegating the storage of the key to an Enterprise Password Safe. -
-
-- cgit v1.2.1