Petals ESB Container

The JMX API PetalsAdminServiceMBean.retrieveTopology returns JMX credentials without dedicated security

Details

  • Type: Improvement Request Improvement Request
  • Status: Resolved Resolved
  • Priority: Major Major
  • Resolution: Fixed
  • Affects Version/s: 4.1.0
  • Fix Version/s: 4.2.0
  • Component/s: Administration
  • Security Level: Public
  • Description:
    Hide

    The JMX API PetalsAdminServiceMBean.retrieveTopology returns JMX credentials without dedicated security. So if credentials of a Petals node is known, it's easy to be connected to other nodes of the topology.
    These sensible information MUST be more strongly protected.

    Show
    The JMX API PetalsAdminServiceMBean.retrieveTopology returns JMX credentials without dedicated security. So if credentials of a Petals node is known, it's easy to be connected to other nodes of the topology. These sensible information MUST be more strongly protected.
  • Environment:
    -

Issue Links

Depends
 

Activity

Ascending order - Click to sort in descending order
Hide
Permalink
Christophe DENEUX added a comment - Tue, 30 Oct 2012 - 17:29:15 +0100 - edited

The security can be increased introducing a passphrase at container level. To get the JMX credentials of other containers of the topology through the JMX API, the passphrase is required and MUST match the one of the container on which the client is connected. Otherwise, only other information are returned.

The passphrase is configured in the file 'server.properties' using the property 'petals.topology.passphrase'. If the property is not set or is empty, we consider that no passphrase is set, and the critical information could not be returned.

Show
Christophe DENEUX added a comment - Tue, 30 Oct 2012 - 17:29:15 +0100 - edited The security can be increased introducing a passphrase at container level. To get the JMX credentials of other containers of the topology through the JMX API, the passphrase is required and MUST match the one of the container on which the client is connected. Otherwise, only other information are returned. The passphrase is configured in the file 'server.properties' using the property 'petals.topology.passphrase'. If the property is not set or is empty, we consider that no passphrase is set, and the critical information could not be returned.
Christophe DENEUX made changes - Tue, 30 Oct 2012 - 17:29:15 +0100
Field Original Value New Value
Status New [ 10000 ] Open [ 10002 ]
Priority Major [ 3 ]
Hide
Permalink
Vincent Zurczak added a comment - Tue, 30 Oct 2012 - 17:31:56 +0100

I agree with this solution.

Show
Vincent Zurczak added a comment - Tue, 30 Oct 2012 - 17:31:56 +0100 I agree with this solution.
Christophe DENEUX made changes - Tue, 30 Oct 2012 - 19:14:23 +0100
Link This issue blocks PETALSESBCLI-64 [ PETALSESBCLI-64 ]
Christophe DENEUX made changes - Wed, 31 Oct 2012 - 12:39:51 +0100
Status Open [ 10002 ] In Progress [ 10003 ]
Hide
Permalink
Christophe DENEUX added a comment - Wed, 31 Oct 2012 - 12:40:09 +0100

Fixed in trunk

Show
Christophe DENEUX added a comment - Wed, 31 Oct 2012 - 12:40:09 +0100 Fixed in trunk
Christophe DENEUX made changes - Wed, 31 Oct 2012 - 12:40:09 +0100
Status In Progress [ 10003 ] Resolved [ 10004 ]
Fix Version/s 4.2.0 [ 10356 ]
Resolution Fixed [ 1 ]
Transition Status Change Time Execution Times Last Executer Last Execution Date
New New Open Open
8m 56s
1
Christophe DENEUX
Tue, 30 Oct 2012 - 17:29:15 +0100
Open Open In Progress In Progress
19h 10m
1
Christophe DENEUX
Wed, 31 Oct 2012 - 12:39:51 +0100
In Progress In Progress Resolved Resolved
18s
1
Christophe DENEUX
Wed, 31 Oct 2012 - 12:40:09 +0100



People

Dates

  • Created:
    Tue, 30 Oct 2012 - 17:20:19 +0100
    Updated:
    Wed, 31 Oct 2012 - 12:40:09 +0100
    Resolved:
    Wed, 31 Oct 2012 - 12:40:09 +0100
Atlassian JIRA (v4.1.2#531) | Report a problem | Request a feature | Contact administrators
Powered by a free Atlassian JIRA open source license for Petals ESB. Try JIRA - bug tracking software for your team.