Bug 1017212

Summary: Ensure all Overlord passwords are properly vaulted
Product: JBoss Fuse Service Works 6
Component: Installer
Reporter: Eric Wittmann <eric.wittmann>
Assignee: Thomas Hauser <thauser>
QA Contact: Andrej Vano <avano>
Status: CLOSED CURRENTRELEASE
Severity: high
Priority: unspecified
Version: 6.0.0 GA
CC: apodhrad, atangrin, jpechane, jsedlace, ldimaggi, soa-p-jira
Target Milestone: CR1
Target Release: 6.0.0
Keywords: Reopened
Hardware: Unspecified
OS: Unspecified
Type: Bug
Doc Type: Bug Fix

Description Eric Wittmann 2013-10-09 12:51:24 UTC
Description of problem:
Currently there are a number of user credentials stored in various overlord configuration files.  This includes:

overlord-idp-users.properties
gadget-server.properties
rtgov.properties
dtgov.properties

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Observe passwords in cleartext in config files

Expected Result:

Instead, all of these passwords should be stored in the EAP password vault and instead of a cleartext password in the configs, we should store the vault key.

Comment 2 Eric Wittmann 2013-10-29 13:30:50 UTC
The overlord apps now support vaulted passwords in their configuration files (e.g. sramp-ui.properties, dtgov.properties, etc).  It is up to the installer now to store passwords in the vault and then put the resulting password keys into the overlord configuration files as appropriate.

This has been documented elsewhere (mojo) for reference by interested/relevant parties.

Assigning to thauser to complete the prod installer changes.

Comment 3 Thomas Hauser 2013-11-07 21:33:34 UTC
Finalizing changes made to facilitate this in the installer.

If the user does not elect to create a Password Vault of their own definition, the installer will generate keystores and create a vault according to the parameters here: https://mojo.redhat.com/docs/DOC-28828

All passwords present in the installer will be put into the vault. This includes:
- Database Passwords
- If chosen, LDAP passwords
- If chosen, SSL Cert password for securing management interfaces


If the user does choose to create their own, the installer will change appropriate paths in the S-RAMP config files, and use this user-defined vault to mask all of the aforementioned passwords.

These changes will be present in ER7 builds.

Comment 4 Thomas Hauser 2013-11-14 15:26:37 UTC
Changes are complete for ER7. Need the full build to confirm.

Comment 5 Andrej Vano 2013-12-13 08:29:27 UTC
Hello,

all passwords are vaulted on ER7-2

Comment 6 Andrej Podhradsky 2013-12-18 15:19:19 UTC
When you try to install without RTGov server (just client) you are asked for a password to RTGov server. And this password is stored in overlord-rtgov.properties in plain text (RESTActivityServer.serverPassword).
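The check that Comments 5 and 6 describe doing by hand (confirming that every credential in the Overlord configuration files is a vault key rather than cleartext), as an added example that is not part of this bug report or of the Overlord installer: a small Python scanner that parses Java `.properties` files and flags credential-looking keys (containing password, passwd, secret or credential) whose value is not an EAP password-vault reference of the form `${VAULT::block::attribute::sharedkey}`. The sample properties text, the vault block name `overlord` and every key other than `RESTActivityServer.serverPassword` are constructed for the example; the only real identifier taken from the page is that property name.

```python
"""Added example, not code from the Bugzilla report or the Overlord installer:
find credential-like properties that are still stored in cleartext instead of
as an EAP password-vault reference.

Assumption: once vaulted, a property value has the EAP 6 vault reference form
${VAULT::<vaultblock>::<attributename>::<sharedkey>}.
"""
import re
from typing import Dict, List

# EAP password-vault reference: ${VAULT::vaultblock::attributename::sharedkey}
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]*\}$")

# Key fragments that mark a property as holding a credential.
SECRET_MARKERS = ("password", "passwd", "secret", "credential")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: key=value, key:value or key value,
    '#' / '!' comment lines, and backslash line continuations."""
    props: Dict[str, str] = {}
    pending = ""  # accumulated text of a continued logical line
    for raw in text.splitlines():
        line = raw.lstrip()
        if pending:
            line = pending + line
            pending = ""
        if not line or line[0] in "#!":
            continue
        # A single trailing backslash continues the logical line.
        if line.endswith("\\") and not line.endswith("\\\\"):
            pending = line[:-1]
            continue
        m = re.match(r"^([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if not m:
            continue  # bare key with no value: nothing to check
        props[m.group(1)] = m.group(2).strip()
    return props


def find_unvaulted_secrets(text: str) -> List[str]:
    """Return credential-like keys whose (non-empty) value is not a vault
    reference, in file order. Empty values are treated as 'not configured'."""
    findings: List[str] = []
    for key, value in parse_properties(text).items():
        if not any(marker in key.lower() for marker in SECRET_MARKERS):
            continue
        if not value or VAULT_REF.match(value):
            continue
        findings.append(key)
    return findings


# Constructed sample in the shape of an overlord-rtgov.properties file after
# Comment 6: two credentials already vaulted, one still in cleartext.
SAMPLE_RTGOV_PROPERTIES = """\
# constructed sample, not a real Overlord configuration file
RESTActivityServer.serverURL=http://localhost:8080/overlord-rtgov
RESTActivityServer.serverUsername=admin
RESTActivityServer.serverPassword=changeit
db.password=${VAULT::overlord::db.password::1}
ldap.bindCredential=${VAULT::overlord::ldap.bindCredential::1}
"""

if __name__ == "__main__":
    for key in find_unvaulted_secrets(SAMPLE_RTGOV_PROPERTIES):
        print(f"cleartext credential: {key}")
```

Run against the real installer output by reading each Overlord properties file and passing its text to `find_unvaulted_secrets`; a non-empty result is the condition Comment 6 reported. The parser deliberately accepts the colon and whitespace separators as well as `=`, since Java properties allow all three and a scanner that only understood `=` would silently skip keys written the other way.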

Comment 7 Thomas Hauser 2013-12-19 16:26:53 UTC
Reproduced. Fixed in a7fb82ff54b532a3e59e65c2740b9351c3c9e940 and a9c2146a5725412881e34d3431a6002146c24620

Comment 8 Jiri Pechanec 2014-01-16 10:22:25 UTC
Verified in CR1