[teiid-issues] [JBoss JIRA] Commented: (TEIID-729) Default keystore may lead to confusion or provide false sense of security in encrypting passwords

Ramesh Reddy (JIRA) jira-events at lists.jboss.org
Thu Jul 23 14:58:40 EDT 2009


    [ https://jira.jboss.org/jira/browse/TEIID-729?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12477326#action_12477326 ] 

Ramesh Reddy commented on TEIID-729:
------------------------------------

keystore.sh & keystore.bat script files are added to the kit.

keystore.sh -create  ---> will create a "teiid.keystore" in the "deploy" directory of the kit

keystore.sh -encrypt <password> --> will encrypt the password using the "teiid.keystore" and spit out the encrypted version.

The automatic creation of the "teiid.keystore" is removed from the run.sh and run.bat, so that the creation of the keystore is consistent with "server" and "embedded" modes.

> Default keystore may lead to confusion or provide false sense of security in encrypting passwords
> -------------------------------------------------------------------------------------------------
>
>                 Key: TEIID-729
>                 URL: https://jira.jboss.org/jira/browse/TEIID-729
>             Project: Teiid
>          Issue Type: Bug
>          Components: Common
>    Affects Versions: 6.1.0
>            Reporter: Ramesh Reddy
>            Assignee: Ramesh Reddy
>             Fix For: 6.2.0
>
>
> Currently the Teiid source code contains a default "teiid.keystore", which is then used by any component (connector binding) in encrypting passwords. Designer does use this to encrypt the password, as it does not have its own private keystore. This poses:
> 1) A false sense of security, as this is mere obfuscation, as the "keystore" is available to anybody.
> 2) If the Designer provides a keystore of its own, it now becomes a burden on the user to share this same keystore with the runtime environment to enable decrypting the password. Currently this is a major issue in connector bindings not starting, or when somebody imports a previous configuration where the passwords are encrypted with a different keystore.
> The simple solution is to not provide a "default" keystore. If Designer does not provide a private keystore, then passwords are in plain text in the connector binding properties. That will seamlessly run in the Teiid runtime, if the user does not care about having clear text passwords. That may be the situation in DEV environments. In production environments during runtime (if required) Teiid will provide tools and instructions as to how to encrypt passwords.
> If the user does provide a keystore in the Designer, then it is the user's responsibility to share this keystore with the runtime environment, so that they work in sync in encrypting and decrypting the password.
> Users will be provided with scripts to generate a keystore with the Teiid kit, which they can use to encrypt the passwords. So, this will make encryption an option rather than a requirement in the Teiid system.
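
An added example, not part of the original message or the Teiid kit: a Python audit that flags any `teiid.keystore` whose bytes match a publicly shipped keystore, or that is world-readable, since in both cases the encrypted passwords are only obfuscated. The known-public digest set, the directory layout and the sample bytes are constructed assumptions for the demo.

```python
import hashlib
import os
import stat
import tempfile
from pathlib import Path

KEYSTORE_NAME = "teiid.keystore"  # file name from the message above


def sha256_file(path):
    """Hash a file in chunks so large keystores are not read whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_keystores(root, public_digests):
    """Map each teiid.keystore under root to the list of problems found."""
    report = {}
    for path in sorted(Path(root).rglob(KEYSTORE_NAME)):
        problems = []
        # Same bytes as a keystore anyone can download: obfuscation only.
        if sha256_file(path) in public_digests:
            problems.append("default-keystore")
        # Any local account can copy the key and decrypt the passwords.
        if path.stat().st_mode & stat.S_IROTH:
            problems.append("world-readable")
        report[path.relative_to(root).as_posix()] = problems
    return report


def demo():
    """Run the audit over a constructed layout (sample data, not real kits)."""
    shipped = b"constructed stand-in for the keystore shipped in the source"
    public = {hashlib.sha256(shipped).hexdigest()}  # assumed known-public set
    layout = {"dev/deploy": (shipped, 0o644), "prod/deploy": (os.urandom(64), 0o600)}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, (data, mode) in layout.items():
            keystore = Path(tmp, rel, KEYSTORE_NAME)
            keystore.parent.mkdir(parents=True)
            keystore.write_bytes(data)
            keystore.chmod(mode)
        return audit_keystores(tmp, public)


if __name__ == "__main__":
    print(demo())
```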
