Bug 1339881 - [GSS](6.4.z) HornetQ still logs truststore and keystore passwords in plain text.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: JBoss Enterprise Application Platform 6
Classification: JBoss
Component: HornetQ
Version: 6.4.7
Hardware: All
OS: Linux
unspecified
high
Target Milestone: CR1
: EAP 6.4.9
Assignee: Miroslav Sochurek
QA Contact: Peter Mackay
URL:
Whiteboard:
Depends On:
Blocks: eap649-payload 1325387
Reported: 2016-05-26 04:46 UTC by Tyronne Wickramarathne
Modified: 2019-11-14 08:10 UTC (History)

Type: Bug




Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker JBEAP-4852 0 Major Verified (7.0.z) ARTEMIS-551 - ActiveMQ logs truststore password in plain text 2017-06-22 02:10:04 UTC

Description Tyronne Wickramarathne 2016-05-26 04:46:13 UTC
Description of problem:

It appears HORNETQ-1281[1] is incomplete. HornetQ still logs truststore and keystore passwords in plain text. 

Version-Release number of selected component (if applicable):
JBoss-EAP-6.4.7
HornetQ-2.3.25_SP8

[1] https://issues.jboss.org/browse/HORNETQ-1281

How reproducible:
Always

Steps to Reproduce:
1. Please configure HornetQ data replication over netty-ssl as instructed in this article: https://access.redhat.com/solutions/761453
2. Please start both server instances and observe the server log.

Actual results:


Expected results:


Additional info:

I believe the following code is at fault:

// HORNETQ-1281 - don't log passwords
String val;
if (key.equals(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME) || key.equals(TransportConstants.DEFAULT_TRUSTSTORE_PASSWORD))
{
   val = "****";
}
else

That needs to be corrected as:

if (key.equals(TransportConstants.KEYSTORE_PASSWORD_PROP_NAME) || key.equals(TransportConstants.TRUSTSTORE_PASSWORD_PROP_NAME))
{
   val = "****";
}
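
The comparison bug described in the report above, reproduced as an added example (not HornetQ's code and not part of the original report): the reported check compares the parameter key against a default password value, so the trust store key is never masked. The class and method names, the constant values and the sample passwords are assumptions made for this illustration.

```java
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.Set;

public class MaskTransportParams {
    // Stand-ins for the TransportConstants fields named in the report; values are assumed.
    static final String KEYSTORE_PASSWORD_PROP_NAME = "key-store-password";
    static final String TRUSTSTORE_PASSWORD_PROP_NAME = "trust-store-password";
    static final String DEFAULT_TRUSTSTORE_PASSWORD = "changeit"; // a default *value*, not a key

    // Check as quoted in the report: the second operand is a default value, so the
    // trust store key never matches and its password is rendered verbatim.
    static String renderAsReported(Map<String, Object> params) {
        return render(params, Set.of(KEYSTORE_PASSWORD_PROP_NAME, DEFAULT_TRUSTSTORE_PASSWORD));
    }

    // Check as proposed in the report: both operands are property names.
    static String renderAsProposed(Map<String, Object> params) {
        return render(params, Set.of(KEYSTORE_PASSWORD_PROP_NAME, TRUSTSTORE_PASSWORD_PROP_NAME));
    }

    // Builds the loggable form of the parameters, masking any key in maskedKeys.
    static String render(Map<String, Object> params, Set<String> maskedKeys) {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, Object> e : params.entrySet()) {
            if (sb.length() > 0) sb.append('&');
            String val = maskedKeys.contains(e.getKey()) ? "****" : String.valueOf(e.getValue());
            sb.append(e.getKey()).append('=').append(val);
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample parameters; the passwords are made up.
        Map<String, Object> params = new LinkedHashMap<>();
        params.put("ssl-enabled", "true");
        params.put(KEYSTORE_PASSWORD_PROP_NAME, "ks-secret");
        params.put(TRUSTSTORE_PASSWORD_PROP_NAME, "ts-secret");

        String reported = renderAsReported(params);
        String proposed = renderAsProposed(params);
        System.out.println("as reported: " + reported);
        System.out.println("as proposed: " + proposed);

        // Regression check: no configured secret may survive in the rendered line.
        if (!reported.contains("ts-secret")) throw new AssertionError("expected leak not reproduced");
        if (proposed.contains("ks-secret") || proposed.contains("ts-secret"))
            throw new AssertionError("password leaked after fix");
    }
}
```

Asserting on the rendered string rather than on the key comparison is what catches this class of mistake: a test that only checks the key store password passes against both versions.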

Comment 5 Peter Mackay 2016-06-28 08:56:01 UTC
Verified with EAP 6.4.9.CP.CR2.

Comment 7 Petr Penicka 2017-01-17 12:58:51 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 8 Petr Penicka 2017-01-17 12:58:53 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

Comment 9 Petr Penicka 2017-01-17 13:00:49 UTC
Retroactively bulk-closing issues from released EAP 6.4 cumulative patches.

