Bug 1065339 - Passwords are not masked when a password vault is used
Summary: Passwords are not masked when a password vault is used
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: JBoss BRMS Platform 6
Classification: Retired
Component: Installer
Version: 6.0.0
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: 6.0.1
Assignee: Thomas Hauser
QA Contact: Lukáš Petrovický
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2014-02-14 12:04 UTC by Ivo Bek
Modified: 2014-02-17 09:51 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-02-17 09:51:37 UTC
Type: Bug



Description Ivo Bek 2014-02-14 12:04:17 UTC
Description of problem:

When I install a password vault, the vault element is added to standalone.xml, but no password is masked.

For example, for a new installation with EAP there is a datasource ExampleDS which uses the password "sa". I believe this password and the others should be masked when the password vault is used.

Version-Release number of selected component (if applicable):


How reproducible:

First, generate your password vault you will use during installation, for example:

keytool -genkey -alias vault -keystore vault.keystore -keyalg RSA -keysize 1024 -storepass vault22 -keypass vault22 -dname "CN=Picketbox vault,OU=picketbox,O=JBoss,L=chicago,ST=il,C=us"

Steps to Reproduce:
1. Install BRMS with a password vault.
2. Look into standalone configuration.
3. See the datasource ExampleDS which contains a password in plain text.

Actual results:


Expected results:


Additional info:

Comment 1 Thomas Hauser 2014-02-14 16:11:59 UTC
Hello Ivo,

The ExampleDS datasource is hardcoded right in the standalone*.xml; this is the reason its password is not masked. The password vault added during the BRMS installation will only mask passwords created during the installation process (if you configure LDAP or SSL, you will see this effect).

If it's the case that the LDAP / SSL / Security Domain passwords are not being vaulted, I would consider that a bug. Otherwise, this is working as intended.

Thanks,
Tom

Comment 2 Thomas Hauser 2014-02-14 17:52:50 UTC
Additionally, improvements have been made to this functionality. A keystore is now generated as part of the process, so manually creating a key is no longer necessary.

Comment 3 Thomas Hauser 2014-02-14 18:24:07 UTC
Correction to above: ... so manually creating a *keystore* is no longer necessary.

Comment 4 Thomas Hauser 2014-02-14 18:35:10 UTC
After installing the vault and SSL in the most recent build, I see the following:
<ssl>
   <keystore path="/home/thauser/keys/ssl/ssl.keystore" keystore-password="${VAULT::ssl::password::1}"/>
</ssl>

This means that the vault is substituting the values it should be. I think that this BZ can be either CLOSED or MODIFIED.

Comment 5 Ivo Bek 2014-02-17 09:51:37 UTC
Hi Thomas,

thank you for the explanation. I thought it would also "encrypt" the existing passwords in standalone.xml, because ExampleDS is not the only thing that can be there: BRMS/BPMS can be installed on an existing EAP installation where there might be other passwords. So, the administrator has to run ./vault manually to encrypt them after the installation.

With SSL it works as expected, so since this is intended behavior I change the status to not a bug.


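The outcome of this report is that the installer only vaults the passwords it writes itself, and anything already present in standalone.xml (ExampleDS, or other datasources and connections on an existing EAP) stays in plain text until the administrator masks it by hand. The following script is an added example, not part of this bug or of the BRMS installer: it walks a standalone.xml and reports every password-like attribute or element whose value is not a vault expression of the ${VAULT::...} form shown in Comment 4, so an administrator can see what still needs to be run through the vault. The XML fragment (SAMPLE_STANDALONE_XML) is constructed for the example; the ldap outbound connection in it is hypothetical, and the function name find_unmasked_secrets and the name-matching heuristic ("password" or "credential" in the name) are the example's own choices.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Constructed standalone.xml fragment (not the real file from the report).
# ExampleDS keeps its plain-text password, the SSL keystore uses a vault
# expression as in Comment 4, and a hypothetical LDAP outbound connection
# carries an unmasked credential.
SAMPLE_STANDALONE_XML = """<server xmlns="urn:jboss:domain:1.5">
  <subsystem xmlns="urn:jboss:domain:datasources:1.1">
    <datasources>
      <datasource jndi-name="java:jboss/datasources/ExampleDS" pool-name="ExampleDS">
        <connection-url>jdbc:h2:mem:test</connection-url>
        <security>
          <user-name>sa</user-name>
          <password>sa</password>
        </security>
      </datasource>
    </datasources>
  </subsystem>
  <subsystem xmlns="urn:jboss:domain:web:1.5">
    <connector name="https" protocol="HTTP/1.1" scheme="https" socket-binding="https" secure="true">
      <ssl>
        <keystore path="/home/thauser/keys/ssl/ssl.keystore" keystore-password="${VAULT::ssl::password::1}"/>
      </ssl>
    </connector>
  </subsystem>
  <management>
    <outbound-connections>
      <ldap name="ldap-connection" url="ldap://ldap.example.com" search-dn="cn=admin" search-credential="secret"/>
    </outbound-connections>
  </management>
</server>
"""

# A masked value looks like ${VAULT::<block>::<attribute>::<key>}; anything else
# is treated as plain text.
VAULT_EXPR = re.compile(r"^\$\{VAULT::[^:}]+::[^:}]+::[^}]+\}$")


def is_vault_expression(value):
    """True if the whole value is a vault reference rather than a literal secret."""
    return bool(VAULT_EXPR.match(value.strip()))


def _local(tag):
    """Strip the {namespace} prefix ElementTree puts on tag names."""
    return tag.split("}", 1)[1] if "}" in tag else tag


def _looks_secret(name):
    """Heuristic (example's own choice): attribute/element names that hold secrets."""
    n = name.lower()
    return "password" in n or "credential" in n


def find_unmasked_secrets(xml_text):
    """Return a list of {path, name, kind} for every secret not behind a vault expression.

    The secret value itself is deliberately not recorded in the finding, so the
    report can be shared without leaking the plain-text password.
    """
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        here = path + "/" + _local(elem.tag)
        label = elem.get("name") or elem.get("pool-name")
        if label:
            here += "[" + label + "]"
        # Secrets carried as attributes, e.g. keystore-password="..."
        for attr, value in elem.attrib.items():
            if _looks_secret(attr) and not is_vault_expression(value):
                findings.append({"path": here, "name": attr, "kind": "attribute"})
        # Secrets carried as element text, e.g. <password>sa</password>
        text = (elem.text or "").strip()
        if _looks_secret(_local(elem.tag)) and text and not is_vault_expression(text):
            findings.append({"path": here, "name": _local(elem.tag), "kind": "element"})
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    # Usage: python check_vault.py [path/to/standalone.xml]; with no argument the
    # constructed sample is scanned.
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_STANDALONE_XML
    results = find_unmasked_secrets(source)
    for f in results:
        print("unmasked %s %s at %s" % (f["kind"], f["name"], f["path"]))
    sys.exit(1 if results else 0)
```

Run against the sample, the script flags the ExampleDS password element and the LDAP search-credential attribute and leaves the vaulted keystore-password alone, which is exactly the split Comment 1 describes: installer-written secrets are masked, pre-existing ones are not. A non-zero exit code when anything is flagged makes the check usable as a post-installation gate.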