[OPENAM-14125] Support the ability to not have the contents of .storepass and .keypass stored as cleartext - ForgeRock JIRA

Details

Type: Bug
Status: Open
Priority: Major
Resolution: Unresolved
Affects Version/s: 14.0.0, 5.5.1, 6.0.0, 6.5.0, 6.5.1, 6.5.2, 7.0.0, 6.5.3
Fix Version/s: None
Component/s: configurator, install
Labels:
- Password
- cleartext
- keystore
- storepass

Support Ticket IDs:

Description

Increased risk of internal fraud if someone happens to get access to this file and get the password. If we keep this encrypted and decryption key for that password is stored in the secret store which only Application (in our case openam) can access. This controls make it harder for the internal staff to get this password and hence lower the risk of fraud.

Customer has offered a 3rd party container plugin, as a suggestion to an approach, that could offer an idea.....

tomcatvault project to store passwords and build a custom “expressions plugin” to get the password for the vault at runtime.

https://github.com/darkedges/tomcat-vault

Expected behaviour

.storepass and .keystore files contain cleartext password files

Current behaviour

.storepass and .keystore files dont exist or contain hashed/encrypted passwords.

Work around

ensure that the filesystem permissions are readonly for owner (0400)

Code analysis

Attachments

Activity

People

Assignee:

Unassigned

Reporter:

Andrew Latham [X] (Inactive)

Votes:

0 Vote for this issue

Watchers:

5 Start watching this issue

Dates

Created:

14/Dec/18 4:24 AM

Updated:

12/Oct/20 5:29 AM