--- old/src/jdk.management.agent/share/conf/jmxremote.password.template	2017-02-24 18:57:22.787404561 +0530
+++ new/src/jdk.management.agent/share/conf/jmxremote.password.template	2017-02-24 18:57:22.635403895 +0530
@@ -3,11 +3,10 @@
 #
 # o Copy this template to jmxremote.password
 # o Set the user/password entries in jmxremote.password
-# o Change the permission of jmxremote.password to read-only
-#   by the owner.
+# o Change the permission of jmxremote.password to be accessible
+#   only by the owner.
+# o Passwords will be hashed by server if they are in clear.
 #
-# See below for the location of jmxremote.password file.
-# ----------------------------------------------------------------------
 
 ##############################################################
 #        Password File for Remote JMX Monitoring
@@ -24,41 +23,70 @@
 # the management config file $JRE/conf/management/management.properties
 # or by specifying a system property (See that file for details).
 
-
 ##############################################################
-#    File permissions of the jmxremote.password file
+#    File format of the jmxremote.password file
 ##############################################################
-#      Since there are cleartext passwords stored in this file,
-#      this file must be readable by ONLY the owner,
-#      otherwise the program will exit with an error.
-#
-# The file format for password and access files is syntactically the same
-# as the Properties file format.  The syntax is described in the Javadoc
-# for java.util.Properties.load.
-# Typical password file has multiple  lines, where each line is blank,
-# a comment (like this one), or a password entry.
 #
+# The file contains multiple lines where lines, where each line is blank,
+# a comment (like this one), or a password entry.
 #
 # A password entry consists of a role name and an associated
-# password.  The role name is any string that does not itself contain
-# spaces or tabs.  The password is again any string that does not
-# contain spaces or tabs.  Note that passwords appear in the clear in
-# this file, so it is a good idea not to use valuable passwords.
+# password. The role name is any string that does not itself contain
+# spaces or tabs. Passwords can be specified as clear text or Base64 encoded hash.
+#
+# Clear text password is any string that does not contain spaces or tabs.
+# Hashed passwords must follow below format.
+# hashedPassword = base64_encoded_salt W base64_encoded_hash W hash_algorithm
+# where,
+#   W = spaces
+#   base64_encoded_hash = Hash_algorithm(password + salt)
+#   hash_algorithm = Algorithm string specified using format below
+#       https://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#MessageDigest
+#       Every java platform supports MD5,SHA-1,SHA-256 algorithms. 
+#       This is an optional field. If not specified SHA-256 will be assumed.
+#
+# If passwords are in clear, they will be over-written by their hash if 
+# hashing is requested and if password file can be written into.
+# 
+# In order to change password for a role, replace hashed password entry 
+# with clear text password or new hashed password. If new password is in clear,
+# it will be replaced with its hash when new login attempt is made.
 #
 # A given role should have at most one entry in this file.  If a role
 # has no entry, it has no access.
 # If multiple entries are found for the same role name, then the last one
 # is used.
-#
-# In a typical installation, this file can be read by anybody on the
+# 
+# User generated hashed password file can also be used instead of clear-text
+# password file. If generated by user, hashed passwords must follow
+# format specified above.
+
+##############################################################
+#    File permissions of the jmxremote.password file
+##############################################################
+#      This file must be made accessible by ONLY the owner.
+# In a typical installation, this file can be accessed by anybody on the
 # local machine, and possibly by people on other machines.
-# For # security, you should either restrict the access to this file,
+# For security, you should either restrict the access to this file except for owner,
 # or specify another, less accessible file in the management config file
 # as described above.
 #
+
+##############################################################
+#    Sample of the jmxremote.password file
+##############################################################
 # Following are two commented-out entries.  The "measureRole" role has
-# password "QED".  The "controlRole" role has password "R&D".
+# password "QED".  The "controlRole" role has password "R&D". This is example
+# of specifying passwords in clear
 #
-# monitorRole  QED
-# controlRole   R&D
+#   monitorRole  QED
+#   controlRole  R&D
+# 
+# Once a login attempt is made, passwords will be hashed and the file will have 
+# below entries with clear passwords overwritten by their respective 
+# SHA-256 hash
+#
+#   monitorRole 818kn2GKCT1IqMKnJhwtmow8v/9cv++8bJbhjO+ugX0= WqoaqEAVub/PenLY2wxLMLCdPRa+rFCWCWM0Zh/wR38= SHA-256
+#   controlRole ALO98BOPW9rqvvtzzn7Lx7Q2uNWZdUf9PtY0g9aQ5lk= yobRA/4ygyJQTE2gEe4xQdYu7IexBHl0SSP9mEHFFhA= SHA-256
+#