Bug 1532759

Summary: pkispawn seems to be leaving our passwords in several different files after installation completes
Product: Red Hat Enterprise Linux 7 Reporter: Amy Farley <afarley>
Component: pki-coreAssignee: Ade Lee <alee>
Status: CLOSED ERRATA QA Contact: Asha Akkiangady <aakkiang>
Severity: medium Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: medium    
Version: 7.4CC: alee, lmiksik, mharmsen, msauton, nkinder, pebarbos, rpattath
Target Milestone: rc   
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: pki-core-10.5.1-6.el7 Doc Type: Bug Fix
Doc Text:
The Certificate System deployment archive file no longer contains passwords in plain text Previously, when you created a new Certificate System instance by passing a configuration file with a password in the *[DEFAULT]* section to the *pkispawn* utility, the password was visible in the archived deployment file. Although this file has world readable permissions, it is contained within a directory that is only accessible by the Certificate Server instance user, which is *pkiuser*, by default. With this update, permissions on this file have been restricted to the Certificate Server instance user, and *pkispawn* now masks the password in the archived deployment file. To restrict access to the password on an existing installation, manually remove the password from the `/etc/sysconfig/pki/tomcat/<instance_name>/<subsystem>/deployment.cfg` file, and set the file's permissions to "600".
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-10 17:02:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Comment 6 Ade Lee 2018-01-19 19:14:40 UTC

commit 26bc698847b5348033ce3abb225ed24ebce4386d (origin/master, origin/HEAD, gerrit/master, master)
Author: Ade Lee <alee>
Date:   Tue Jan 9 12:14:23 2018 -0500

    Fix masking in the archived deployment.cfg
    Resolves rhbz#1532759
    Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4


commit 70ef976dfabe2c34ed69ac00c8868b3c7f6d825b (HEAD -> masking_fix_10.5)
Author: Ade Lee <alee>
Date:   Tue Jan 9 12:14:23 2018 -0500

    Fix masking in the archived deployment.cfg
    Cherry-picked from 26bc698847b5348033ce3abb225ed24ebce4386d
    Resolves rhbz#1532759
    Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4

Comment 8 Ade Lee 2018-01-26 16:42:16 UTC
QE Verification:

1. Create instance using a pkispawn deployment file.  Make sure to place the passwords in the DEFAULT section.

2. Check the archived deployment file under /etc/sysconfig/pki/tomcat/<instance_name>/<subsystem>/deployment.cfg.  Passwords should be masked - and the file should have pkiuser ownership, and not be world readable.

Comment 9 Roshni 2018-01-31 14:02:00 UTC
[root@nocp1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 6.el7
Architecture: noarch
Install Date: Fri 26 Jan 2018 02:35:32 PM EST
Group       : System Environment/Daemons
Size        : 2360651
License     : GPLv2
Signature   : RSA/SHA256, Tue 23 Jan 2018 10:44:40 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.1-6.el7.src.rpm
Build Date  : Tue 23 Jan 2018 10:14:38 PM EST
Build Host  : ppc-016.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verifiation steps explained in comment 8

Comment 13 errata-xmlrpc 2018-04-10 17:02:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.