OpenAM issue OPENAM-14125

Support the ability to not have the contents of .storepass and .keypass stored as cleartext

Details

Description

There is an increased risk of internal fraud if someone happens to get access to this file and obtains the password. If we keep the password encrypted, and the decryption key for it is stored in a secret store that only the application (in our case OpenAM) can access, this control makes it harder for internal staff to get the password and hence lowers the risk of fraud.

The customer has suggested one possible approach based on a third-party container plugin: use the tomcat-vault project to store passwords and build a custom "expressions plugin" that retrieves the password from the vault at runtime.

https://github.com/darkedges/tomcat-vault

Expected behaviour: .storepass and .keystore files contain cleartext passwords.

Current behaviour: .storepass and .keystore files don't exist or contain hashed/encrypted passwords.
      

Workaround

Ensure that the filesystem permissions on these files are read-only for the owner (0400).
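The filesystem workaround above, as an added shell example that is not from the OpenAM project or this ticket: it audits the two password files named in the ticket and, when asked, tightens them to 0400. The OpenAM configuration directory is an assumption passed as the first argument.

```shell
#!/bin/sh
# Added example, not from the OpenAM project or this ticket: audit the
# keystore password files named in the ticket and, on request, tighten
# them to owner-read-only (0400), the workaround the ticket recommends.
# The OpenAM configuration directory is an assumption passed as $1.

# Octal permission bits of a file: GNU stat first, BSD/macOS stat as fallback.
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# True only when the file is exactly 0400: no group/world bits, not writable.
is_locked_down() {
    [ "$(file_mode "$1")" = "400" ]
}

# Audit .storepass and .keypass under $1. Returns the number of files that
# were too permissive (0 means nothing to fix). With $2 set to 1, each
# offending file is chmod'ed to 0400 after being reported.
audit_storepass_dir() {
    dir=$1
    fix=${2:-0}
    bad=0
    for f in "$dir/.storepass" "$dir/.keypass"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"
            continue
        fi
        if is_locked_down "$f"; then
            echo "OK      $f (mode $(file_mode "$f"))"
        else
            echo "WEAK    $f (mode $(file_mode "$f")): more than owner-read"
            bad=$((bad + 1))
            if [ "$fix" = 1 ]; then
                chmod 0400 "$f" && echo "FIXED   $f -> 0400"
            fi
        fi
    done
    return "$bad"
}

# Usage: sh audit.sh /path/to/openam/config [1]
# (placeholder path; the real location depends on the deployment).
if [ $# -gt 0 ]; then
    audit_storepass_dir "$1" "${2:-0}"
fi
```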

People

Assignee: Unassigned
Reporter: andrew.latham (Andrew Latham, inactive)
Votes: 0
Watchers: 5