0

We are introducing SASL security to Jgroups, but we do not want to expose the password directly in the jgroups config xml. What is the best way to secure the password client_password="password123" ?

<TCP bind_addr="172.25.90.xxx" bind_port="7750"
    enable_diagnostics="false" thread_naming_pattern="pl"
    send_buf_size="640k" sock_conn_timeout="300"
    bundler_type="sender-sends-with-timer"
    oob_thread_pool.queue_enabled="false" />
<MPING bind_addr="172.25.90.xxx"
    mcast_addr="${jgroups.mping.mcast_addr:228.2.4.6}"
    mcast_port="${jgroups.mping.mcast_port:43366}"
    ip_ttl="${jgroups.udp.ip_ttl:2}" />
<MERGE3 min_interval="10000" max_interval="30000" />
<FD_SOCK />
<FD_ALL timeout="60000" interval="15000"
    timeout_check_interval="5000" />
<VERIFY_SUSPECT timeout="5000" />
<pbcast.NAKACK2 use_mcast_xmit="false"
    max_msg_batch_size="100" resend_last_seqno="true" />
<UNICAST3 xmit_interval="500" xmit_table_num_rows="50"
    max_msg_batch_size="100" conn_expiry_timeout="0" />
<pbcast.STABLE stability_delay="500"
    desired_avg_gossip="5000" max_bytes="1M" />
<SASL mech="DIGEST-MD5" client_name="SANADMA"
    client_password="password123" server_callback_handler_class="org.jgroups.auth.sasl.SimpleAuthorizingCallbackHandler"client_callback_handler_class="org.jgroups.auth.sasl.SimpleAuthorizingCallbackHandler"sasl_props="com.sun.security.sasl.digest.realm=test_realm" /><pbcast.GMS print_local_addr="false" join_timeout="${jgroups.join_timeout:5000}" /><MFC max_credits="2m" min_threshold="0.40" /><FRAG2 /></config>
rockycres
  • 71
  • 8

1 Answers1

0

You change the configuration to point to a property:

<SASL client_password="${jgroups.sasl.password}" .../>

Then, when running JGroups, set the property's value in the command line using -Djgroups.sasl.password=password123. If you have an environment variable in the machine with the password, you can also use -Djgroups.sasl.password=${MY_SECRET}.

pruivo
  • 1,214
  • 7
  • 7