Mask Password in ActiveMQ connection URL

Question

I'm using JMS on a Spring boot client to connect to an ActiveMQ Artemis 2.19.0 broker over SSL.

In broker.xml I'm using mask passwords like ENC(32c6f67da12342b0a7ad1702033aa81e6b2a760123f4360) instead of plain text, and it works fine.

I tried to use the same mask password instead of plain text in my ActiveMQ connection URL like in code below, but it didn't work. I'm using this command to mask the password:

./artemis mask <plaintextPassword>

The plain text password is working.

Here's my code to configure the connection factory:

ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(
        "(tcp://amq:61616)?" +
                "sslEnabled=true" +
                "&trustStorePath=" + trustStorePath + "&trustStorePassword=ENC(397e3aeeddf27c9783a3ab920d83e24da5b7d710df3b405f)"
);

The error which I get:

2021-10-27 13:10:15.243  WARN 17748 --- [-netty-threads)] io.netty.channel.ChannelInitializer      : Failed to initialize a channel. Closing: [id: 0x07b0d96b]

java.io.IOException: keystore password was incorrect
        at java.base/sun.security.pkcs12.PKCS12KeyStore.engineLoad(PKCS12KeyStore.java:2116) ~[na:na]
        at java.base/sun.security.util.KeyStoreDelegator.engineLoad(KeyStoreDelegator.java:243) ~[na:na]
        at java.base/java.security.KeyStore.load(KeyStore.java:1479) ~[na:na]
        at org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.loadKeystore(SSLSupport.java:224) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.loadTrustManagerFactory(SSLSupport.java:166) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.loadTrustManager(SSLSupport.java:195) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at org.apache.activemq.artemis.core.remoting.impl.ssl.SSLSupport.createContext(SSLSupport.java:99) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnector.loadJdkSslEngine(NettyConnector.java:624) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnector.access$500(NettyConnector.java:124) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at org.apache.activemq.artemis.core.remoting.impl.netty.NettyConnector$1.initChannel(NettyConnector.java:532) ~[artemis-core-client-2.6.4.jar!/:2.6.4]
        at io.netty.channel.ChannelInitializer.initChannel(ChannelInitializer.java:129) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.ChannelInitializer.handlerAdded(ChannelInitializer.java:112) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.AbstractChannelHandlerContext.callHandlerAdded(AbstractChannelHandlerContext.java:964) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAdded0(DefaultChannelPipeline.java:610) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.DefaultChannelPipeline.access$100(DefaultChannelPipeline.java:46) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.DefaultChannelPipeline$PendingHandlerAddedTask.execute(DefaultChannelPipeline.java:1474) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.DefaultChannelPipeline.callHandlerAddedForAllHandlers(DefaultChannelPipeline.java:1126) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.DefaultChannelPipeline.invokeHandlerAddedIfNeeded(DefaultChannelPipeline.java:651) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.register0(AbstractChannel.java:503) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.AbstractChannel$AbstractUnsafe.access$200(AbstractChannel.java:416) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.AbstractChannel$AbstractUnsafe$1.run(AbstractChannel.java:475) ~[netty-transport-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.AbstractEventExecutor.safeExecute(AbstractEventExecutor.java:163) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor.runAllTasks(SingleThreadEventExecutor.java:416) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.channel.epoll.EpollEventLoop.run(EpollEventLoop.java:331) ~[netty-transport-native-epoll-4.1.39.Final-linux-x86_64.jar!/:4.1.39.Final]
        at io.netty.util.concurrent.SingleThreadEventExecutor$5.run(SingleThreadEventExecutor.java:918) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at io.netty.util.internal.ThreadExecutorMap$2.run(ThreadExecutorMap.java:74) ~[netty-common-4.1.39.Final.jar!/:4.1.39.Final]
        at org.apache.activemq.artemis.utils.ActiveMQThreadFactory$1.run(ActiveMQThreadFactory.java:118) ~[artemis-commons-2.6.4.jar!/:2.6.4]
Caused by: java.security.UnrecoverableKeyException: failed to decrypt safe contents entry: javax.crypto.BadPaddingException: Given final block not properly padded. Such issues can arise if a bad key is used during decryption.
        ... 27 common frames omitted

Is there may be other way to use mask password instead of plain text in the connection URL?

Answer 1

The ActiveMQ Artemis Client doesn't support encrypted passwords in composite urls as (tcp://amq:61616)?, see ARTEMIS-3543. The workaround is to avoid fragments, i.e.

ActiveMQConnectionFactory factory = new ActiveMQConnectionFactory(
    "tcp://amq:61616?" +
            "sslEnabled=true" +
            "&trustStorePath=" + trustStorePath + "&trustStorePassword=ENC(397e3aeeddf27c9783a3ab920d83e24da5b7d710df3b405f)"
);