Bug 1018714 - Passwords for BPEL Console and DTGov are stored in plain text in installation information (re-opened)
Status: CLOSED CURRENTRELEASE
Product: JBoss Fuse Service Works 6
Classification: JBoss
Component: Installer
6.0.0 GA
Unspecified Unspecified
unspecified Severity urgent
: CR2
: 6.0.0
Assigned To: Miles Tjandrawidjaja
Stefan Bunciak
: Reopened
Duplicates: 1043380 1044556
Reported: 2013-10-14 05:18 EDT by Stefan Bunciak
Modified: 2014-02-06 10:25 EST
Doc Type: Bug Fix
Last Closed: 2014-02-06 10:25:11 EST
Type: Bug

Description Stefan Bunciak 2013-10-14 05:18:20 EDT
Description of problem:


Version-Release number of selected component (if applicable):


How reproducible:
* 6.0.0.ER4

Steps to Reproduce:
1. Install FSW & generate installation script
2. Inspect InstallSummary.html, generated installation script & .installationinformation

Actual results:
* All of the 3 files contain passwords for BPEL Console & DTGov in plain text.

Expected results:


Additional info:
Comment 1 Thomas Hauser 2013-10-21 13:46:01 EDT
Post beta builds will not display this information.
Comment 2 Pavol Srna 2013-12-16 07:27:06 EST
Looking at the generated XML file, this issue is still not fixed. The password for the admin user is hashed, which is good, but the FSW admin password is still stored in plaintext. Reopening.
Comment 6 kconner 2013-12-17 14:34:38 EST
*** Bug 1043380 has been marked as a duplicate of this bug. ***
Comment 7 kconner 2013-12-18 09:48:43 EST
*** Bug 1044556 has been marked as a duplicate of this bug. ***
Comment 11 Pavol Srna 2014-01-15 04:53:23 EST
Verified in CR1.
Comment 12 Tomáš Sedmík 2014-01-20 01:15:55 EST
The vault password is still stored in InstallationLog.txt (vault.keystorepwd) in plain text.

Tested in CR1.

Steps to Reproduce:
1. Installation with additional configuration
2. Check Install password vault
3. All others are default
Comment 13 Thomas Hauser 2014-01-20 09:03:42 EST
My mistake, good catch Tomas. Fixed for CR2.
Comment 14 Miles Tjandrawidjaja 2014-01-20 09:19:48 EST
Keystore passwords should no longer be stored in the log.

http://git.app.eng.bos.redhat.com/installer-commons.git/commit/?h=6.1.1.ip&id=a4e8bceb9cec42a0e07b299cff769826806eb03d
Comment 17 Jiri Pechanec 2014-01-24 05:04:16 EST
Verified in CR2
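
A regression check for the leak tracked in this bug, as an added example (not part of the bug report or the installer's code): it scans the installer artifacts named above for password-like keys that hold a clear-text value. The key patterns, the "acceptable value" heuristics and the sample text are assumptions, since the real file formats are not shown on this page.

```python
import re
from pathlib import Path

# Files named in this bug; pass the generated script's name in as well.
ARTIFACTS = ("InstallSummary.html", ".installationinformation", "InstallationLog.txt")
# Key names that suggest a credential (assumption: the installer's real keys
# may differ; vault.keystorepwd is the one named in comment 12).
SECRET_KEY = re.compile(r"(?i)[\w.\-]*(?:password|passwd|pwd|passphrase)[\w.\-]*")
# key=value / key: value pairs, and <key>value</key> XML elements.
PAIR = re.compile(r"(?P<key>[\w.\-]+)\s*[=:]\s*(?P<val>[^\s<>\"']+)")
ELEM = re.compile(r"<(?P<key>[\w.\-]+)[^>]*>(?P<val>[^<\s][^<]*)</(?P=key)>")
# Values acceptable on disk (heuristic): masked, vault reference, or hex digest.
SAFE_VALUE = re.compile(r"^(?:\*+|\$\{VAULT::.*\}|[0-9a-fA-F]{32,})$")


def find_plaintext_secrets(text):
    """Return [(line_number, key)] for password-like keys holding a clear value."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in list(PAIR.finditer(line)) + list(ELEM.finditer(line)):
            key, val = m.group("key"), m.group("val").strip()
            if SECRET_KEY.fullmatch(key) and not SAFE_VALUE.match(val):
                hits.append((lineno, key))
    return hits


def scan_install_dir(root, names=ARTIFACTS):
    """Scan the named artifacts anywhere under root; return {path: hits}."""
    report = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.name in names:
            hits = find_plaintext_secrets(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report


# Constructed sample, not real installer output.
SAMPLE_LOG = """\
installpath=/opt/fsw
vault.keystorepwd=Sup3rS3cret!
adminPassword=5f4dcc3b5aa765d61d8327deb882cf99
<fswPassword>changeme1!</fswPassword>
db.password=${VAULT::ds::password::1}
"""

if __name__ == "__main__":
    for lineno, key in find_plaintext_secrets(SAMPLE_LOG):
        print(f"line {lineno}: {key} holds a clear-text value")
```

Run `scan_install_dir` against a fresh installation directory after each build; an empty result is the pass condition, and only key names and line numbers are reported so the check itself does not copy secrets into CI logs.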
