Bug 1532759 - pkispawn seems to be leaving our passwords in several different files after installation completes
Summary: pkispawn seems to be leaving our passwords in several different files after i...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
: ---
Assignee: Ade Lee
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On:
TreeView+ depends on / blocked
Reported: 2018-01-09 18:33 UTC by Amy Farley
Modified: 2021-06-10 14:08 UTC (History)
7 users (show)

Fixed In Version: pki-core-10.5.1-6.el7
Doc Type: Bug Fix
Doc Text:
The Certificate System deployment archive file no longer contains passwords in plain text Previously, when you created a new Certificate System instance by passing a configuration file with a password in the *[DEFAULT]* section to the *pkispawn* utility, the password was visible in the archived deployment file. Although this file has world readable permissions, it is contained within a directory that is only accessible by the Certificate Server instance user, which is *pkiuser*, by default. With this update, permissions on this file have been restricted to the Certificate Server instance user, and *pkispawn* now masks the password in the archived deployment file. To restrict access to the password on an existing installation, manually remove the password from the `/etc/sysconfig/pki/tomcat/<instance_name>/<subsystem>/deployment.cfg` file, and set the file's permissions to "600".
Clone Of:
Last Closed: 2018-04-10 17:02:54 UTC
Target Upstream Version:

Attachments (Terms of Use)

System ID Private Priority Status Summary Last Updated
Github dogtagpki pki issues 3028 0 None None None 2020-10-04 21:40:07 UTC
Red Hat Product Errata RHBA-2018:0925 0 None None None 2018-04-10 17:03:37 UTC

Comment 6 Ade Lee 2018-01-19 19:14:40 UTC

commit 26bc698847b5348033ce3abb225ed24ebce4386d (origin/master, origin/HEAD, gerrit/master, master)
Author: Ade Lee <alee>
Date:   Tue Jan 9 12:14:23 2018 -0500

    Fix masking in the archived deployment.cfg
    Resolves rhbz#1532759
    Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4


commit 70ef976dfabe2c34ed69ac00c8868b3c7f6d825b (HEAD -> masking_fix_10.5)
Author: Ade Lee <alee>
Date:   Tue Jan 9 12:14:23 2018 -0500

    Fix masking in the archived deployment.cfg
    Cherry-picked from 26bc698847b5348033ce3abb225ed24ebce4386d
    Resolves rhbz#1532759
    Change-Id: Ia464852bab792b1629436ddbb963be1479579bc4

Comment 8 Ade Lee 2018-01-26 16:42:16 UTC
QE Verification:

1. Create instance using a pkispawn deployment file.  Make sure to place the passwords in the DEFAULT section.

2. Check the archived deployment file under /etc/sysconfig/pki/tomcat/<instance_name>/<subsystem>/deployment.cfg.  Passwords should be masked - and the file should have pkiuser ownership, and not be world readable.

Comment 9 Roshni 2018-01-31 14:02:00 UTC
[root@nocp1 ~]# rpm -qi pki-ca
Name        : pki-ca
Version     : 10.5.1
Release     : 6.el7
Architecture: noarch
Install Date: Fri 26 Jan 2018 02:35:32 PM EST
Group       : System Environment/Daemons
Size        : 2360651
License     : GPLv2
Signature   : RSA/SHA256, Tue 23 Jan 2018 10:44:40 PM EST, Key ID 199e2f91fd431d51
Source RPM  : pki-core-10.5.1-6.el7.src.rpm
Build Date  : Tue 23 Jan 2018 10:14:38 PM EST
Build Host  : ppc-016.build.eng.bos.redhat.com
Relocations : (not relocatable)
Packager    : Red Hat, Inc. <http://bugzilla.redhat.com/bugzilla>
Vendor      : Red Hat, Inc.
URL         : http://pki.fedoraproject.org/
Summary     : Certificate System - Certificate Authority

Verifiation steps explained in comment 8

Comment 13 errata-xmlrpc 2018-04-10 17:02:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.


Note You need to log in before you can comment on or make changes to this bug.