1017212 – Ensure all Overlord passwords are properly vaulted

Bug 1017212 - Ensure all Overlord passwords are properly vaulted

Summary: Ensure all Overlord passwords are properly vaulted

Keywords:
Status:	CLOSED CURRENTRELEASE
Alias:	None
Product:	JBoss Fuse Service Works 6
Classification:	JBoss
Component:	Installer
Sub Component:
Version:	6.0.0 GA
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	high
Target Milestone:	CR1
Target Release:	6.0.0
Assignee:	Thomas Hauser
QA Contact:	Andrej Vano
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-10-09 12:51 UTC by Eric Wittmann
Modified:	2014-02-06 15:29 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Doc Type:	Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type:	Bug

Attachments	(Terms of Use)
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	DTGOV-83	0	Major	Closed	Add support for vaulted passwords	2014-01-17 13:57:53 UTC

Description Eric Wittmann 2013-10-09 12:51:24 UTC

Description of problem:
Currently there are a number of user credentials stored in various overlord configuration files.  This includes:

overlord-idp-users.properties
gadget-server.properties
rtgov.properties
dtgov.properties

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Observe passwords in cleartext in config files

Expected Result:

Instead, all of these passwords should be stored in the EAP password vault and instead of a cleartext password in the configs, we should store the vault key.

Comment 2 Eric Wittmann 2013-10-29 13:30:50 UTC

The overlord apps now support vaulted passwords in their configuration files (e.g. sramp-ui.properties, dtgov.properties, etc).  It is up to the installer now to store passwords in the vault and then put the resulting password keys into the overlord configuration files as appropriate.

This has been documented elsewhere (mojo) for reference by interested/relevant parties.

Assigning to thauser to complete the prod installer changes.

Comment 3 Thomas Hauser 2013-11-07 21:33:34 UTC

Finalizing changes made to facilitate this in the installer.

If the user does not elect to create a Password Vault of their own definition, the installer will generate keystores and create a vault according to the parameters here: https://mojo.redhat.com/docs/DOC-28828

All passwords present in the installer will be put into the vault. This includes:
- Database Passwords
- If chosen, LDAP passwords
- If chosen, SSL Cert password for securing management interfaces


If the user does choose to create their own, the installer will change appropriate paths in the S-RAMP config files, and use this user-defined vault to mask all of the aforementioned passwords.

These changes will be present in ER7 builds.

Comment 4 Thomas Hauser 2013-11-14 15:26:37 UTC

Changes are complete for ER7. Need the full build to confirm.

Comment 5 Andrej Vano 2013-12-13 08:29:27 UTC

Hello,

all passwords are vaulted on ER7-2

Comment 6 Andrej Podhradsky 2013-12-18 15:19:19 UTC

When you try to install without RTGov server (just client) you are asked for a password to RTGov server. And this password is stored in overlord-rtgov.properties in plain text (RESTActivityServer.serverPassword).

Comment 7 Thomas Hauser 2013-12-19 16:26:53 UTC

Reproduced. Fixed in a7fb82ff54b532a3e59e65c2740b9351c3c9e940 and a9c2146a5725412881e34d3431a6002146c24620

Comment 8 Jiri Pechanec 2014-01-16 10:22:25 UTC

Verified in CR1

Note You need to log in before you can comment on or make changes to this bug.