Bug 724616 (BRMS-522)

Summary: Encrypted passwords in the change-set.xml
Product: [JBoss] JBoss Enterprise BRMS Platform 5
Reporter: Alessandro Lazarotti <alazarot>
Component: BRE (Expert, Fusion)
Assignee: Nobody <nobody>
Status: CLOSED UPSTREAM
QA Contact:
Severity: unspecified
Docs Contact:
Priority: medium
Version: 5.1.0 GA
CC: jpviragine, mhussain, mproctor
Target Milestone: ---   
Target Release: future   
Hardware: Unspecified   
OS: Unspecified   
URL: http://jira.jboss.org/jira/browse/BRMS-522
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
The drools client API accesses JBoss Enterprise BRMS with credentials declared as plain-text in a change-set.xml file or property files. A request has been made to develop a mechanism to obfuscate the password.
Story Points: ---
Clone Of:
Environment: fedora12, jdk 1.6, brms 5.1
Last Closed: 2025-02-10 03:13:54 UTC
Type: Feature Request

Description Alessandro Lazarotti 2010-12-29 19:51:50 UTC
Help Desk Ticket Reference: https://c.na7.visual.force.com/apex/Case_View?id=500A0000005fqbn&sfdc.override=1
securitylevel_name: Public

Currently the drools client API accesses Guvnor by credentials declared as plain-text in change-set.xml or property files. This is a security problem for many companies. It is very important to develop a mechanism to obfuscate the password.

Comment 1 Alessandro Lazarotti 2010-12-29 19:56:16 UTC
Link: Added: This issue related JBRULES-2856


Comment 2 Rick Wagner 2011-08-25 18:47:59 UTC
GSS prioritizes 'medium'.  Customer is watching issue, but there is not an urgent need.

Comment 3 Prakash Aradhya 2011-09-13 14:07:12 UTC
It is important to get this addressed soon.  However not mandatory for BRMS 5.2 release.

Comment 4 Edson Tirelli 2012-03-28 18:07:06 UTC
As we discussed by e-mail, the only solution for this is to use a keystore to store the crypto key so that it is managed by the JVM. We can do that, but my feeling is that customers will simply not use it, as keystores are annoying for the users to configure (see what happened with kbase signing feature).

If this was requested by a customer, we will do it. Otherwise, if it is an internal request, I don't think it will be worth the time spent on it.
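
An illustration of the keystore approach mentioned in Comment 4, added here as an example and not code from Drools, Guvnor or any participant on this bug: an AES key is held in a JCEKS keystore and the configuration file carries only the sealed password. The class name, alias and sample passwords are assumptions, and the code needs Java 8 or later (AES-GCM and `java.util.Base64`), not the jdk 1.6 listed in the environment.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
import javax.crypto.*;
import javax.crypto.spec.GCMParameterSpec;

public class KeystoreSealedPassword {
    static final String ALIAS = "guvnor-client-key"; // hypothetical alias, not from the page
    // Admin step: create a JCEKS keystore holding a fresh AES key (returned as bytes to stay offline).
    static byte[] createKeystore(char[] storePass) throws Exception {
        KeyGenerator kg = KeyGenerator.getInstance("AES");
        kg.init(128);
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(null, storePass);
        ks.setKeyEntry(ALIAS, kg.generateKey(), storePass, null); // secret keys take no cert chain
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass);
        return out.toByteArray();
    }
    // Client step: the JVM keystore API hands back the key; it never appears in a config file.
    static SecretKey loadKey(byte[] store, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JCEKS");
        ks.load(new ByteArrayInputStream(store), storePass);
        return (SecretKey) ks.getKey(ALIAS, storePass);
    }
    // seal() returns base64(iv || ciphertext+tag) for the config file; open() reverses it at start-up.
    static String seal(SecretKey key, String password) throws Exception {
        byte[] iv = new byte[12];
        new SecureRandom().nextBytes(iv); // fresh 96-bit nonce for every sealing
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(128, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] out = Arrays.copyOf(iv, iv.length + ct.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }
    static String open(SecretKey key, String sealed) throws Exception {
        byte[] in = Base64.getDecoder().decode(sealed);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(128, in, 0, 12));
        return new String(c.doFinal(in, 12, in.length - 12), StandardCharsets.UTF_8); // throws if tampered
    }
    public static void main(String[] args) throws Exception {
        char[] storePass = "constructed-store-pass".toCharArray(); // constructed sample value
        byte[] store = createKeystore(storePass);
        String sealed = seal(loadKey(store, storePass), "constructed-guvnor-password");
        System.out.println(sealed + " -> " + open(loadKey(store, storePass), sealed));
    }
}
```

The keystore password is the one secret still supplied to the client at start-up, so the keystore file and that password need restrictive file permissions or an external secret source.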

Comment 6 lcarlon 2012-06-08 03:51:25 UTC
    Technical note added. If any revisions are required, please edit the "Technical Notes" field
    accordingly. All revisions will be proofread by the Engineering Content Services team.
    
    New Contents:
The drools client API accesses JBoss BRMS by credentials declared as plain-text in change-set.xml or property files. A request has been made to develop a mechanism to obfuscate the password.

Comment 14 Red Hat Bugzilla 2025-02-10 03:13:54 UTC
This product has been discontinued or is no longer tracked in Red Hat Bugzilla.