Bug 1018714 - Passwords for BPEL Console and DTGov are stored in plain text in installation information (re-opened)
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer
Version: 6.0.0 GA
Hardware: Unspecified
OS: Unspecified
unspecified
urgent
Target Milestone: CR2
: 6.0.0
Assignee: Miles Tjandrawidjaja
QA Contact: Stefan Bunciak
URL:
Whiteboard:
Duplicates: 1043380 1044556
Depends On:
Blocks:
Reported: 2013-10-14 09:18 UTC by Stefan Bunciak
Modified: 2014-02-06 15:25 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-06 15:25:11 UTC
Type: Bug
Embargoed:



Description Stefan Bunciak 2013-10-14 09:18:20 UTC
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
* 6.0.0.ER4

Steps to Reproduce:
1. Install FSW & generate installation script
2. Inspect InstallSummary.html, generated installation script & .installationinformation

Actual results:
* All of the 3 files contain passwords for BPEL Console & DTGov in plain text.

Expected results:


Additional info:

Comment 1 Thomas Hauser 2013-10-21 17:46:01 UTC
Post beta builds will not display this information.

Comment 2 Pavol Srna 2013-12-16 12:27:06 UTC
Looking at the generated xml file. This issue is still not fixed. Password for admin user is hashed - that is good, but FSW admin password is still stored in plaintext. Reopening.

Comment 6 kconner 2013-12-17 19:34:38 UTC
*** Bug 1043380 has been marked as a duplicate of this bug. ***

Comment 7 kconner 2013-12-18 14:48:43 UTC
*** Bug 1044556 has been marked as a duplicate of this bug. ***

Comment 11 Pavol Srna 2014-01-15 09:53:23 UTC
Verified in CR1.

Comment 12 Tomáš Sedmík 2014-01-20 06:15:55 UTC
The vault password is still stored in InstallationLog.txt (vault.keystorepwd) in plain text.

Tested in CR1.

Steps to Reproduce:
1. Installation with additional configuration
2. Check Install password vault
3. All others are default

Comment 13 Thomas Hauser 2014-01-20 14:03:42 UTC
My mistake, good catch Tomas. Fixed for CR2.

Comment 14 Miles Tjandrawidjaja 2014-01-20 14:19:48 UTC
Keystore passwords should no longer be stored in the log.

http://git.app.eng.bos.redhat.com/installer-commons.git/commit/?h=6.1.1.ip&id=a4e8bceb9cec42a0e07b299cff769826806eb03d

Comment 17 Jiri Pechanec 2014-01-24 10:04:16 UTC
Verified in CR2
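
A check that would catch the leaks reported in this thread (the summary, the generated script, the log), as an added example that is not part of the bug report or the installer's code: install with a canary password, then search every generated file for it in plaintext and in common encodings. The sample file contents, the `install-script.xml` name, the `admin.password.hash` key and the canary value are constructed for illustration; real installer output formats differ.

```python
import base64
import binascii
import os
import tempfile
import urllib.parse

CANARY = "C4nary!fsw#2014"  # constructed test password, entered during install

def encodings(secret):
    """Map each byte form the secret might be written in to a label."""
    raw = secret.encode("utf-8")
    return {
        urllib.parse.quote(secret, safe="").encode("ascii"): "url-encoded",
        binascii.hexlify(raw): "hex",
        base64.b64encode(raw): "base64",
        raw: "plaintext",  # last, so it wins if an encoding equals the raw bytes
    }

def scan_tree(root, secret):
    """Return sorted (relative path, line number, form) for every occurrence."""
    forms = encodings(secret)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:  # bytes: logs may not be valid UTF-8
                for lineno, line in enumerate(fh, 1):
                    for needle, label in forms.items():
                        if needle in line:
                            hits.append((os.path.relpath(path, root), lineno, label))
    return sorted(hits)

def demo():
    """Scan constructed stand-ins for the installer artifacts named in this bug."""
    samples = {
        "InstallSummary.html": "<td>DTGov password</td><td>%s</td>\n" % CANARY,
        "InstallationLog.txt": "step ok\nvault.keystorepwd=%s\n" % CANARY,
        ".installationinformation": "admin.password.hash=HASHED-PLACEHOLDER\n",
        "install-script.xml": "<pw>%s</pw>\n" % base64.b64encode(CANARY.encode()).decode(),
    }
    with tempfile.TemporaryDirectory() as root:
        for name, text in samples.items():
            with open(os.path.join(root, name), "w", encoding="utf-8") as fh:
                fh.write(text)
        return scan_tree(root, CANARY)

if __name__ == "__main__":
    print(*demo(), sep="\n")
```

Scanning the whole output directory rather than a fixed list of files is the point: a file nobody thought to inspect is still covered.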
