Bug 1017212 - Ensure all Overlord passwords are properly vaulted
Summary: Ensure all Overlord passwords are properly vaulted
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: CR1
Target Release: 6.0.0
Assignee: Thomas Hauser
QA Contact: Andrej Vano
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-10-09 12:51 UTC by Eric Wittmann
Modified: 2014-02-06 15:29 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed:
Type: Bug




Links
Red Hat Issue Tracker DTGOV-83 (Private: 0, Priority: Major, Status: Closed): "Add support for vaulted passwords", last updated 2014-01-17 13:57:53 UTC

Description Eric Wittmann 2013-10-09 12:51:24 UTC
Description of problem:
Currently there are a number of user credentials stored in various overlord configuration files.  This includes:

overlord-idp-users.properties
gadget-server.properties
rtgov.properties
dtgov.properties

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install dtgov/s-ramp/rtgov
2. Observe passwords in cleartext in config files

Expected Result:

Instead, all of these passwords should be stored in the EAP password vault and instead of a cleartext password in the configs, we should store the vault key.

Comment 2 Eric Wittmann 2013-10-29 13:30:50 UTC
The overlord apps now support vaulted passwords in their configuration files (e.g. sramp-ui.properties, dtgov.properties, etc).  It is up to the installer now to store passwords in the vault and then put the resulting password keys into the overlord configuration files as appropriate.

This has been documented elsewhere (mojo) for reference by interested/relevant parties.

Assigning to thauser to complete the prod installer changes.

Comment 3 Thomas Hauser 2013-11-07 21:33:34 UTC
Finalizing changes made to facilitate this in the installer.

If the user does not elect to create a Password Vault of their own definition, the installer will generate keystores and create a vault according to the parameters here: https://mojo.redhat.com/docs/DOC-28828

All passwords present in the installer will be put into the vault. This includes:
- Database Passwords
- If chosen, LDAP passwords
- If chosen, SSL Cert password for securing management interfaces


If the user does choose to create their own, the installer will change appropriate paths in the S-RAMP config files, and use this user-defined vault to mask all of the aforementioned passwords.

These changes will be present in ER7 builds.

Comment 4 Thomas Hauser 2013-11-14 15:26:37 UTC
Changes are complete for ER7. Need the full build to confirm.

Comment 5 Andrej Vano 2013-12-13 08:29:27 UTC
Hello,

all passwords are vaulted on ER7-2

Comment 6 Andrej Podhradsky 2013-12-18 15:19:19 UTC
When you try to install without RTGov server (just client) you are asked for a password to RTGov server. And this password is stored in overlord-rtgov.properties in plain text (RESTActivityServer.serverPassword).
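
As an added check that is not part of this bug or of the product installer: a small Python script that parses Java-style properties files and flags credential keys whose value is not an EAP vault reference of the form ${VAULT::block::attribute::key}, which is the shape the description asks for and the case comment 6 found missed (RESTActivityServer.serverPassword in overlord-rtgov.properties). The sample file contents, and every property name other than RESTActivityServer.serverPassword, are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample content in the style of the Overlord config files (not the
# real shipped files): one credential masked with an EAP vault reference, one
# left in cleartext, matching the case reported in comment 6.
SAMPLE_RTGOV_PROPERTIES = """\
# overlord-rtgov.properties (constructed sample)
RESTActivityServer.serverURL=http://localhost:8080/overlord-rtgov
RESTActivityServer.serverUsername=admin
RESTActivityServer.serverPassword=admin123
"""

SAMPLE_DTGOV_PROPERTIES = """\
# dtgov.properties (constructed sample; property names are hypothetical)
sramp.repo.user=dtgovworkflow
sramp.repo.password=${VAULT::overlord::sramp.repo.password::1}
"""

# EAP vault reference syntax: ${VAULT::<vault block>::<attribute>::<shared key>}
VAULT_REF = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^:}]+\}$")
# Property names that carry a credential (case-insensitive match on the key).
CREDENTIAL_KEY = re.compile(r"(password|passwd|secret)", re.IGNORECASE)


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal java.util.Properties parser: key=value or key:value, '#'/'!' comments."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def find_cleartext_credentials(text: str) -> List[str]:
    """Return credential keys whose (non-empty) value is not an EAP vault reference."""
    return [k for k, v in parse_properties(text).items()
            if CREDENTIAL_KEY.search(k) and v and not VAULT_REF.match(v)]


if __name__ == "__main__":
    for name, content in [("overlord-rtgov.properties", SAMPLE_RTGOV_PROPERTIES),
                          ("dtgov.properties", SAMPLE_DTGOV_PROPERTIES)]:
        leaks = find_cleartext_credentials(content)
        print(f"{name}: {'OK' if not leaks else 'CLEARTEXT ' + ', '.join(leaks)}")
```

Run it against the real config directory by reading each *.properties file and passing its text to find_cleartext_credentials; an empty value is treated as an unset credential, not a leak.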

Comment 7 Thomas Hauser 2013-12-19 16:26:53 UTC
Reproduced. Fixed in a7fb82ff54b532a3e59e65c2740b9351c3c9e940 and a9c2146a5725412881e34d3431a6002146c24620

Comment 8 Jiri Pechanec 2014-01-16 10:22:25 UTC
Verified in CR1

