Bug 1014456

Summary: RTGov authentication config uses open-text passwords
Product: [JBoss] JBoss Fuse Service Works 6 Reporter: Jiri Pechanec <jpechane>
Component: ConfigurationAssignee: Julian Coleman <jcoleman>
Status: CLOSED CURRENTRELEASE QA Contact: Jiri Pechanec <jpechane>
Severity: high Docs Contact:
Priority: unspecified    
Version: 6.0.0 GACC: atangrin, dlesage, kconner, ldimaggi, soa-p-jira
Target Milestone: ER7Keywords: Reopened
Target Release: 6.0.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
The RTGov authentication stores passwords in clear text. The passwords should be encrypted or hashed. The defaults present a security risk to users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2014-02-06 15:25:39 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jiri Pechanec 2013-10-02 05:53:18 UTC 
The RTGov authentication based on property files stores passwords in open-text. The passwords should be encrypted/hashed.

overlord-idp-users.properties
#eric=eric
admin=JBoss.123

overlord-rtgov.properties for rtgc-only
RESTActivityServer.serverUsername=admin
RESTActivityServer.serverPassword=JBoss.123
Comment 1 Jiri Pechanec 2013-12-13 05:50:07 UTC 
overlord-idp-users.properties - remove ok
overlord-rtgov.properties - still contains opentext credentials
Comment 2 Len DiMaggio 2014-01-22 02:20:01 UTC 
Seeing this in CR1 - with an RTGov client only install:

grep -i password ./standalone/configuration/overlord-rtgov.properties

RESTActivityServer.serverPassword=${vault:VAULT::rtgov::serverPassword::1}