Petals ESB Container

The JMX API PetalsAdminServiceMBean.retrieveTopology returns JMX credentials without dedicated security

Details

  • Type: Improvement Request
  • Status: Resolved
  • Priority: Major
  • Resolution: Fixed
  • Affects Version/s: 4.1.0
  • Fix Version/s: 4.2.0
  • Component/s: Administration
  • Security Level: Public
  • Description:

    The JMX API PetalsAdminServiceMBean.retrieveTopology returns JMX credentials without dedicated security. So if the credentials of a Petals node are known, it's easy to connect to the other nodes of the topology.
    This sensitive information MUST be more strongly protected.
  • Environment:
    -

Issue Links

Activity

Christophe DENEUX added a comment - Tue, 30 Oct 2012 - 17:29:15 +0100 - edited

The security can be increased by introducing a passphrase at container level. To get the JMX credentials of other containers of the topology through the JMX API, the passphrase is required and MUST match the one of the container to which the client is connected. Otherwise, only the other information is returned.

The passphrase is configured in the file 'server.properties' using the property 'petals.topology.passphrase'. If the property is not set or is empty, we consider that no passphrase is set, and the critical information cannot be returned.

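As an added illustration of the passphrase gate described in the comment above (this is not Petals' own code; the class and record names are hypothetical and it assumes Java 16+ for records), a minimal guard that returns JMX credentials only when the supplied passphrase matches the local container's, and treats a missing or empty `petals.topology.passphrase` as "never return credentials":

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.List;
import java.util.Properties;

/** One container of the topology: endpoint plus its JMX user/password (hypothetical shape). */
record ContainerEntry(String name, String host, int jmxPort, String jmxUser, String jmxPassword) {
    /** Same entry with the credential fields stripped. */
    ContainerEntry redacted() {
        return new ContainerEntry(name, host, jmxPort, null, null);
    }
}

class TopologyGuard {
    /** Passphrase bytes of the local container, or null when none is configured. */
    private final byte[] localPassphrase;

    /** A missing or blank 'petals.topology.passphrase' means "no passphrase": credentials are never returned. */
    TopologyGuard(Properties serverProps) {
        String value = serverProps.getProperty("petals.topology.passphrase", "").trim();
        this.localPassphrase = value.isEmpty() ? null : value.getBytes(StandardCharsets.UTF_8);
    }

    boolean credentialsAllowed(String supplied) {
        if (localPassphrase == null || supplied == null) return false;
        // constant-time comparison so a mismatch does not leak how many bytes matched
        return MessageDigest.isEqual(localPassphrase, supplied.getBytes(StandardCharsets.UTF_8));
    }

    /** Full topology if the passphrase matches, otherwise the same topology with credentials redacted. */
    List<ContainerEntry> retrieveTopology(List<ContainerEntry> all, String supplied) {
        if (credentialsAllowed(supplied)) return all;
        return all.stream().map(ContainerEntry::redacted).toList();
    }

    public static void main(String[] args) {
        // constructed sample: two containers, passphrase configured on this node
        Properties props = new Properties();
        props.setProperty("petals.topology.passphrase", "example-passphrase");
        List<ContainerEntry> topology = List.of(
            new ContainerEntry("node-0", "10.0.0.1", 7700, "petals", "secret0"),
            new ContainerEntry("node-1", "10.0.0.2", 7700, "petals", "secret1"));
        TopologyGuard guard = new TopologyGuard(props);
        System.out.println(guard.retrieveTopology(topology, "wrong"));               // passwords null
        System.out.println(guard.retrieveTopology(topology, "example-passphrase"));  // passwords present
        System.out.println(new TopologyGuard(new Properties()).credentialsAllowed("")); // false: no passphrase set
    }
}
```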
Vincent Zurczak added a comment - Tue, 30 Oct 2012 - 17:31:56 +0100

I agree with this solution.

Christophe DENEUX added a comment - Wed, 31 Oct 2012 - 12:40:09 +0100

Fixed in trunk

Dates

  • Created: Tue, 30 Oct 2012 - 17:20:19 +0100
  • Updated: Wed, 31 Oct 2012 - 12:40:09 +0100
  • Resolved: Wed, 31 Oct 2012 - 12:40:09 +0100