src/jdk.management.agent/share/conf/jmxremote.password.template
*** 1,15 ****
# ----------------------------------------------------------------------
# Template for jmxremote.password
#
# o Copy this template to jmxremote.password
# o Set the user/password entries in jmxremote.password
! # o Change the permission of jmxremote.password to read-only
! # by the owner.
#
- # See below for the location of jmxremote.password file.
- # ----------------------------------------------------------------------
##############################################################
# Password File for Remote JMX Monitoring
##############################################################
#
--- 1,16 ----
# ----------------------------------------------------------------------
# Template for jmxremote.password
#
# o Copy this template to jmxremote.password
# o Set the user/password entries in jmxremote.password
! # o Change the permission of jmxremote.password to be accessible
! # only by the owner.
! # o The jmxremote.passwords file will be re-written by the server
! to replace all plain text passwords with hashed passwords when
! the file is read by the server.
#
##############################################################
# Password File for Remote JMX Monitoring
##############################################################
#
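Review bot: In the new header, the two continuation lines of the third bullet (`to replace all plain text passwords with hashed passwords when` and `the file is read by the server.`) are shown without a leading `#`, unlike every other line of the block. If that is how the file reads and not an artifact of this view, a password file copied from the template would contain two non-comment lines with `to` and `the` in the role-name position; each should begin with `#`, like the `# only by the owner.` continuation above. The same bullet names the file `jmxremote.passwords`, while the rest of the template uses `jmxremote.password`. It also says the rewrite happens when the file is read by the server, whereas the format section in the second hunk ties it to a login attempt and to three preconditions, so the bullet would read better as `# o Clear text passwords may be re-written as hashes by the server; see the file format section below.`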
*** 22,64 ****
# Default location of this file is $JRE/conf/management/jmxremote.password
# You can specify an alternate location by specifying a property in
# the management config file $JRE/conf/management/management.properties
# or by specifying a system property (See that file for details).
-
##############################################################
! # File permissions of the jmxremote.password file
##############################################################
- # Since there are cleartext passwords stored in this file,
- # this file must be readable by ONLY the owner,
- # otherwise the program will exit with an error.
#
! # The file format for password and access files is syntactically the same
! # as the Properties file format. The syntax is described in the Javadoc
! # for java.util.Properties.load.
! # Typical password file has multiple lines, where each line is blank,
# a comment (like this one), or a password entry.
#
#
! # A password entry consists of a role name and an associated
! # password. The role name is any string that does not itself contain
! # spaces or tabs. The password is again any string that does not
! # contain spaces or tabs. Note that passwords appear in the clear in
! # this file, so it is a good idea not to use valuable passwords.
#
# A given role should have at most one entry in this file. If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last one
# is used.
#
! # In a typical installation, this file can be read by anybody on the
# local machine, and possibly by people on other machines.
! # For # security, you should either restrict the access to this file,
# or specify another, less accessible file in the management config file
# as described above.
#
! # Following are two commented-out entries. The "measureRole" role has
! # password "QED". The "controlRole" role has password "R&D".
#
# monitorRole QED
# controlRole R&D
--- 23,104 ----
# Default location of this file is $JRE/conf/management/jmxremote.password
# You can specify an alternate location by specifying a property in
# the management config file $JRE/conf/management/management.properties
# or by specifying a system property (See that file for details).
##############################################################
! # File format of the jmxremote.password file
##############################################################
#
! # The file contains multiple lines where each line is blank,
# a comment (like this one), or a password entry.
#
+ # password entry follows below syntax
+ # role_name W [clearPassword|hashedPassword]
+ #
+ # role_name is any string that does not itself contain spaces or tabs.
+ # W = spaces or tabs
#
! # Passwords can be specified using clear text or via a hash. Clear text password
! # is any string that does not contain spaces or tabs. Hashed passwords must
! # follow the below format.
! # hashedPassword = base64_encoded_salt W base64_encoded_hash W hash_algorithm
! # where,
! # base64_encoded_hash = Hash_algorithm(password + salt)
! # W = spaces or tabs
! # hash_algorithm = Algorithm string specified using format below
! # https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
! # MD5, SHA-1 and SHA-256 are supported algorithms.
! # This is an optional field. If not specified SHA-256 will be assumed.
! #
! # If passwords are in clear, they will be over-written by their hash if all of
! # the below criteria are met.
! # * com.sun.management.jmxremote.password.hashpasswords property is set to true in
! # management.properties file
! # * the password file is writable
! # * the system security policy allows writing into the password file, if a
! # security manager is configured
! #
! # In order to change password for a role, replace the hashed password entry
! # with the clear text password or the new hashed password. If the new password
! # is in clear, it will be replaced with its hash when a new login attempt is made.
#
# A given role should have at most one entry in this file. If a role
# has no entry, it has no access.
# If multiple entries are found for the same role name, then the last one
# is used.
#
! # A user generated hashed password file can also be used instead of clear-text
! # password file. If generated by user, hashed passwords must follow
! # format specified above.
!
! ##############################################################
! # File permissions of the jmxremote.password file
! ##############################################################
! # This file must be made accessible by ONLY the owner,
! # otherwise the program will exit with an error.
! #
! # In a typical installation, this file can be accessed by anybody on the
# local machine, and possibly by people on other machines.
! # For security, you should either restrict the access to this file except for owner,
# or specify another, less accessible file in the management config file
# as described above.
#
!
! ##############################################################
! # Sample of the jmxremote.password file
! ##############################################################
! # Following are two commented-out entries. The "monitorRole" role has
! # password "QED". The "controlRole" role has password "R&D". This is example
! # of specifying passwords in clear
#
# monitorRole QED
# controlRole R&D
+ #
+ # Once a login attempt is made, passwords will be hashed and the file will have
+ # below entries with clear passwords overwritten by their respective
+ # SHA-256 hash
+ #
+ # monitorRole 818kn2GKCT1IqMKnJhwtmow8v/9cv++8bJbhjO+ugX0= WqoaqEAVub/PenLY2wxLMLCdPRa+rFCWCWM0Zh/wR38= SHA-256
+ # controlRole ALO98BOPW9rqvvtzzn7Lx7Q2uNWZdUf9PtY0g9aQ5lk= yobRA/4ygyJQTE2gEe4xQdYu7IexBHl0SSP9mEHFFhA= SHA-256
+ #
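Review bot: The rewritten "File permissions" section keeps the owner-only requirement but drops the reason for it, and nothing in the new text says that a hashed file is still sensitive. As documented here an entry is a single salted digest, `Hash_algorithm(password + salt)`, with MD5 and SHA-1 accepted, so anyone who can read the file can test password guesses offline; clear text also stays in the file until all three rewrite conditions are met. I would add under the permissions banner `# Hashed passwords do not remove the need for owner-only permissions on this file.` and steer user-generated entries to SHA-256. For those user-generated entries the format block should also state the character encoding of the password and the byte order of the concatenation, since neither can be inferred from `password + salt`. The StandardNames link points at the Java 7 documentation and should probably reference the release this file ships with.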