Bug 1018714

Summary: Passwords for BPEL Console and DTGov are stored in plain text in installation information (re-opened)
Product: [JBoss] JBoss Fuse Service Works 6
Reporter: Stefan Bunciak <sbunciak>
Component: Installer
Assignee: Miles Tjandrawidjaja <mtjandra>
Status: CLOSED CURRENTRELEASE
QA Contact: Stefan Bunciak <sbunciak>
Severity: urgent
Priority: unspecified
Version: 6.0.0 GA
CC: aneelica, apodhrad, djorm, dlesage, jpechane, jsedlace, kconner, ldimaggi, mtjandra, ncross, psrna, soa-p-jira, thauser, tsedmik
Target Milestone: CR2
Keywords: Reopened
Target Release: 6.0.0
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-02-06 15:25:11 UTC
Type: Bug

Description Stefan Bunciak 2013-10-14 09:18:20 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
* 6.0.0.ER4

Steps to Reproduce:
1. Install FSW & generate installation script
2. Inspect InstallSummary.html, generated installation script & .installationinformation

Actual results:
* All of the 3 files contain passwords for BPEL Console & DTGov in plain text.

Expected results:


Additional info:

Comment 1 Thomas Hauser 2013-10-21 17:46:01 UTC
Post beta builds will not display this information.

Comment 2 Pavol Srna 2013-12-16 12:27:06 UTC
Looking at the generated XML file, this issue is still not fixed. The password for the admin user is hashed - that is good, but the FSW admin password is still stored in plaintext. Reopening.

Comment 6 kconner 2013-12-17 19:34:38 UTC
*** Bug 1043380 has been marked as a duplicate of this bug. ***

Comment 7 kconner 2013-12-18 14:48:43 UTC
*** Bug 1044556 has been marked as a duplicate of this bug. ***

Comment 11 Pavol Srna 2014-01-15 09:53:23 UTC
Verified in CR1.

Comment 12 Tomáš Sedmík 2014-01-20 06:15:55 UTC
The vault password is still stored in InstallationLog.txt (vault.keystorepwd) in plain text.

Tested in CR1.

Steps to Reproduce:
1. Installation with additional configuration
2. Check Install password vault
3. All others are default

Comment 13 Thomas Hauser 2014-01-20 14:03:42 UTC
My mistake, good catch Tomas. Fixed for CR2.

Comment 14 Miles Tjandrawidjaja 2014-01-20 14:19:48 UTC
Keystore passwords should no longer be stored in the log.

http://git.app.eng.bos.redhat.com/installer-commons.git/commit/?h=6.1.1.ip&id=a4e8bceb9cec42a0e07b299cff769826806eb03d

Comment 17 Jiri Pechanec 2014-01-24 10:04:16 UTC
Verified in CR2