Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1018714

Summary:	Passwords for BPEL Console and DTGov are stored in plain text in installation information (re-opened)
Product:	[JBoss] JBoss Fuse Service Works 6	Reporter:	Stefan Bunciak <sbunciak>
Component:	Installer	Assignee:	Miles Tjandrawidjaja <mtjandra>
Status:	CLOSED CURRENTRELEASE	QA Contact:	Stefan Bunciak <sbunciak>
Severity:	urgent	Docs Contact:
Priority:	unspecified
Version:	6.0.0 GA	CC:	aneelica, apodhrad, djorm, dlesage, jpechane, jsedlace, kconner, ldimaggi, mtjandra, ncross, psrna, soa-p-jira, thauser, tsedmik
Target Milestone:	CR2	Keywords:	Reopened
Target Release:	6.0.0
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	Bug Fix
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2014-02-06 15:25:11 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Stefan Bunciak 2013-10-14 09:18:20 UTC

Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
* 6.0.0.ER4

Steps to Reproduce:
1. Install FSW & generate installation script
2. Inspect InstallSummary.html, generated installation script & .installationinformation

Actual results:
* All of the 3 files contain passwords for BPEL Console & DTGov in plain text.

Expected results:


Additional info:

Comment 1 Thomas Hauser 2013-10-21 17:46:01 UTC

Post beta builds will not display this information.

Comment 2 Pavol Srna 2013-12-16 12:27:06 UTC

Looking at the generated xml file. This issue is still not fixed. Password for admin user is hashed - that is good, but FSW admin password is still stored in plaintext. Reopening.

Comment 6 kconner 2013-12-17 19:34:38 UTC

*** Bug 1043380 has been marked as a duplicate of this bug. ***

Comment 7 kconner 2013-12-18 14:48:43 UTC

*** Bug 1044556 has been marked as a duplicate of this bug. ***

Comment 11 Pavol Srna 2014-01-15 09:53:23 UTC

Verified in CR1.

Comment 12 Tomáš Sedmík 2014-01-20 06:15:55 UTC

The vault password is still stored in InstallationLog.txt (vault.keystorepwd) in plain text.

Tested in CR1.

Steps to Reproduce:
1. Installation with additional configuration
2. Check Install password vault
3. All others is default

Comment 13 Thomas Hauser 2014-01-20 14:03:42 UTC

My mistake, good catch Tomas. Fixed for CR2.

Comment 14 Miles Tjandrawidjaja 2014-01-20 14:19:48 UTC

Keystore passwords should no longer be stored in the log.

http://git.app.eng.bos.redhat.com/installer-commons.git/commit/?h=6.1.1.ip&id=a4e8bceb9cec42a0e07b299cff769826806eb03d

Comment 17 Jiri Pechanec 2014-01-24 10:04:16 UTC

Verified in CR2