July 2014 - overlord-issues - Jboss List Archives

[JBoss JIRA] (SRAMP-380) Passwords in clear text when running in Fuse 6.1

by Brett Meyer (JIRA)

[ https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin.... ] Brett Meyer updated SRAMP-380: ------------------------------ Fix Version/s: 0.6.0 (was: 0.5.0) > Passwords in clear text when running in Fuse 6.1 > ------------------------------------------------ > > Key: SRAMP-380 > URL: https://issues.jboss.org/browse/SRAMP-380 > Project: S-RAMP > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Eric Wittmann > Assignee: David virgil naranjo > Fix For: 0.6.0 > > > When we install into JBoss EAP we make sure that we don't have any clear text passwords in any configuration files. This is made possible by using the Vault, which allows us to store passwords in the vault and then refer to those vault locations from our config files. > I don't know if there is something similar to be done in Fuse 6.1 > In addition, the login credentials for supported users in EAP are not stored in clear text (the EAP Application Realm config files store an encrypted version of the passwords). > In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear text. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (SRAMP-380) Passwords in clear text when running in Fuse 6.1

by David virgil naranjo (JIRA)

[ https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin.... ] David virgil naranjo updated SRAMP-380: --------------------------------------- Git Pull Request: https://github.com/Governance/overlord-commons/pull/94 > Passwords in clear text when running in Fuse 6.1 > ------------------------------------------------ > > Key: SRAMP-380 > URL: https://issues.jboss.org/browse/SRAMP-380 > Project: S-RAMP > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Eric Wittmann > Assignee: David virgil naranjo > Fix For: 0.5.0 > > > When we install into JBoss EAP we make sure that we don't have any clear text passwords in any configuration files. This is made possible by using the Vault, which allows us to store passwords in the vault and then refer to those vault locations from our config files. > I don't know if there is something similar to be done in Fuse 6.1 > In addition, the login credentials for supported users in EAP are not stored in clear text (the EAP Application Realm config files store an encrypted version of the passwords). > In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear text. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (SRAMP-511) Create a Fuse console command for creating the SAML keystore

by Brett Meyer (JIRA)

[ https://issues.jboss.org/browse/SRAMP-511?page=com.atlassian.jira.plugin.... ] Brett Meyer updated SRAMP-511: ------------------------------ Git Pull Request: https://github.com/Governance/overlord-commons/pull/88 > Create a Fuse console command for creating the SAML keystore > ------------------------------------------------------------ > > Key: SRAMP-511 > URL: https://issues.jboss.org/browse/SRAMP-511 > Project: S-RAMP > Issue Type: Feature Request > Security Level: Public(Everyone can see) > Reporter: Eric Wittmann > Assignee: David virgil naranjo > Fix For: 0.5.0 > > > The console command should create a keystore and populate it with a new KeyPair. It should prompt the user for the password(s) and store the result in the correct place for Fuse/Fabric8. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (SRAMP-380) Passwords in clear text when running in Fuse 6.1

by Brett Meyer (JIRA)

[ https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin.... ] Brett Meyer commented on SRAMP-380: ----------------------------------- Pasting some comments from [~eric.wittmann]: {quote} I'm skeptical that users.properties will be useful, although I hope I'm wrong. The reason is that users.properties is the file used by fuse/jetty to set up the default realm users and their roles. The format is: username=password,csv,list,of,roles I do not know if it can be used as a general place to stash encrypted values. While it is great if they auto-encrypt the passwords in that file on startup that only solves 1/2 of the problem. The other .5 is that we store passwords to other systems (e.g. dtgov stores an s-ramp user/password combo) that our code needs to access to work properly. RTGov client does the same thing (needs to store credentials of a potentially remote rtgov server). Again - hopefully I'm wrong but wanted you guys to understand the full scope. In EAP what we do is store the passwords in the EAP Vault, which results in a vault-string that we store in our .properties files as: ${vault:VAULT_STRING_HERE} We have a property resolver that knows how to resolve ${vault:} style properties from our .properties files (custom property resolvers is a commons-config feature). {quote} > Passwords in clear text when running in Fuse 6.1 > ------------------------------------------------ > > Key: SRAMP-380 > URL: https://issues.jboss.org/browse/SRAMP-380 > Project: S-RAMP > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Eric Wittmann > Assignee: David virgil naranjo > Fix For: 0.5.0 > > > When we install into JBoss EAP we make sure that we don't have any clear text passwords in any configuration files. This is made possible by using the Vault, which allows us to store passwords in the vault and then refer to those vault locations from our config files. > I don't know if there is something similar to be done in Fuse 6.1 > In addition, the login credentials for supported users in EAP are not stored in clear text (the EAP Application Realm config files store an encrypted version of the passwords). > In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear text. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (SRAMP-380) Passwords in clear text when running in Fuse 6.1

by Brett Meyer (JIRA)

[ https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin.... ] Brett Meyer edited comment on SRAMP-380 at 7/28/14 8:54 AM: ------------------------------------------------------------ Pasting some comments from [~eric.wittmann]: {quote} I'm skeptical that users.properties will be useful, although I hope I'm wrong. The reason is that users.properties is the file used by fuse/jetty to set up the default realm users and their roles. The format is: username=password,csv,list,of,roles I do not know if it can be used as a general place to stash encrypted values. While it is great if they auto-encrypt the passwords in that file on startup that only solves 1/2 of the problem. The other .5 is that we store passwords to other systems (e.g. dtgov stores an s-ramp user/password combo) that our code needs to access to work properly. RTGov client does the same thing (needs to store credentials of a potentially remote rtgov server). Again - hopefully I'm wrong but wanted you guys to understand the full scope. In EAP what we do is store the passwords in the EAP Vault, which results in a vault-string that we store in our .properties files as: $\{vault:VAULT_STRING_HERE\} We have a property resolver that knows how to resolve $\{vault:\} style properties from our .properties files (custom property resolvers is a commons-config feature). {quote} was (Author: brmeyer): Pasting some comments from [~eric.wittmann]: {quote} I'm skeptical that users.properties will be useful, although I hope I'm wrong. The reason is that users.properties is the file used by fuse/jetty to set up the default realm users and their roles. The format is: username=password,csv,list,of,roles I do not know if it can be used as a general place to stash encrypted values. While it is great if they auto-encrypt the passwords in that file on startup that only solves 1/2 of the problem. The other .5 is that we store passwords to other systems (e.g. dtgov stores an s-ramp user/password combo) that our code needs to access to work properly. RTGov client does the same thing (needs to store credentials of a potentially remote rtgov server). Again - hopefully I'm wrong but wanted you guys to understand the full scope. In EAP what we do is store the passwords in the EAP Vault, which results in a vault-string that we store in our .properties files as: ${vault:VAULT_STRING_HERE} We have a property resolver that knows how to resolve ${vault:} style properties from our .properties files (custom property resolvers is a commons-config feature). {quote} > Passwords in clear text when running in Fuse 6.1 > ------------------------------------------------ > > Key: SRAMP-380 > URL: https://issues.jboss.org/browse/SRAMP-380 > Project: S-RAMP > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Eric Wittmann > Assignee: David virgil naranjo > Fix For: 0.5.0 > > > When we install into JBoss EAP we make sure that we don't have any clear text passwords in any configuration files. This is made possible by using the Vault, which allows us to store passwords in the vault and then refer to those vault locations from our config files. > I don't know if there is something similar to be done in Fuse 6.1 > In addition, the login credentials for supported users in EAP are not stored in clear text (the EAP Application Realm config files store an encrypted version of the passwords). > In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear text. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (SRAMP-380) Passwords in clear text when running in Fuse 6.1

by David virgil naranjo (JIRA)

[ https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin.... ] David virgil naranjo commented on SRAMP-380: -------------------------------------------- As they commented in the forum post, the encryption can be enabled modifying one configuration file located in the etc folder. The encryption is done when the user is added throw the karaf console, using the jaas commands. When a user is added, appended to the etc/users.properties, the new user line is not getting encrypted. Possibilities: Add the user/password information encrypted. By default the fuse 6.1 encryption is the MD5/Hexadecimal. The format would be something like: admin = {CRYPT}73550311dcde010200eadb8a42ef1a96{CRYPT} But if the users are added encrypted in the users.properties is MANDATORY that the encryption is enabled in the {fuse_home}/etc/org.apache.karaf.jaas.cfg > Passwords in clear text when running in Fuse 6.1 > ------------------------------------------------ > > Key: SRAMP-380 > URL: https://issues.jboss.org/browse/SRAMP-380 > Project: S-RAMP > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Eric Wittmann > Assignee: David virgil naranjo > Fix For: 0.5.0 > > > When we install into JBoss EAP we make sure that we don't have any clear text passwords in any configuration files. This is made possible by using the Vault, which allows us to store passwords in the vault and then refer to those vault locations from our config files. > I don't know if there is something similar to be done in Fuse 6.1 > In addition, the login credentials for supported users in EAP are not stored in clear text (the EAP Application Realm config files store an encrypted version of the passwords). > In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear text. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (RTGOV-542) Fix integration tests to use coniguration in standalone-full.xml

by Gary Brown (JIRA)

[ https://issues.jboss.org/browse/RTGOV-542?page=com.atlassian.jira.plugin.... ] Gary Brown resolved RTGOV-542. ------------------------------ Fix Version/s: (was: 2.0.0.Final) Resolution: Duplicate Issue Combined issue with other integration test problem RTGOV-535. > Fix integration tests to use coniguration in standalone-full.xml > ---------------------------------------------------------------- > > Key: RTGOV-542 > URL: https://issues.jboss.org/browse/RTGOV-542 > Project: RTGov (Run Time Governance) > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Gary Brown > Assignee: Gary Brown > > Tests no longer work due to missing configuration information. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (RTGOV-535) Update integration tests to use config in xml and fix SLA monitor test

by Gary Brown (JIRA)

[ https://issues.jboss.org/browse/RTGOV-535?page=com.atlassian.jira.plugin.... ] Gary Brown commented on RTGOV-535: ---------------------------------- Integration test framework needs to be updated to make use of the config in xml - or see whether old property based files will still work, as otherwise deployments need to be placed in the module structure. > Update integration tests to use config in xml and fix SLA monitor test > ---------------------------------------------------------------------- > > Key: RTGOV-535 > URL: https://issues.jboss.org/browse/RTGOV-535 > Project: RTGov (Run Time Governance) > Issue Type: Bug > Security Level: Public(Everyone can see) > Reporter: Gary Brown > Assignee: Gary Brown > Fix For: 2.0.0.Final > > > Test indicates that it receives 6 situations but expecting 3. > {noformat} > org.overlord.rtgov.tests.platforms.jbossas.slamonitor.JBossASSLAMonitorTest.testActivityEventsProcessed: java.lang.AssertionError: Expecting 3 (sla situations) processed events, but got: 6 > {noformat} -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (RTGOV-541) Set the JMSEPNManager password (in Fuse) based on the user input

by Gary Brown (JIRA)

[ https://issues.jboss.org/browse/RTGOV-541?page=com.atlassian.jira.plugin.... ] Gary Brown resolved RTGOV-541. ------------------------------ Resolution: Done > Set the JMSEPNManager password (in Fuse) based on the user input > ---------------------------------------------------------------- > > Key: RTGOV-541 > URL: https://issues.jboss.org/browse/RTGOV-541 > Project: RTGov (Run Time Governance) > Issue Type: Task > Security Level: Public(Everyone can see) > Reporter: Gary Brown > Assignee: Gary Brown > Fix For: 2.0.0.Final > > > Currently the JMSEPNManager password is not set to the password entered by the user in the RTGov installer. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

[JBoss JIRA] (RTGOV-541) Set the JMSEPNManager password (in Fuse) based on the user input

by Gary Brown (JIRA)

[ https://issues.jboss.org/browse/RTGOV-541?page=com.atlassian.jira.plugin.... ] Gary Brown updated RTGOV-541: ----------------------------- Git Pull Request: https://github.com/Governance/rtgov/pull/170 > Set the JMSEPNManager password (in Fuse) based on the user input > ---------------------------------------------------------------- > > Key: RTGOV-541 > URL: https://issues.jboss.org/browse/RTGOV-541 > Project: RTGov (Run Time Governance) > Issue Type: Task > Security Level: Public(Everyone can see) > Reporter: Gary Brown > Assignee: Gary Brown > Fix For: 2.0.0.Final > > > Currently the JMSEPNManager password is not set to the password entered by the user in the RTGov installer. -- This message was sent by Atlassian JIRA (v6.2.6#6264)

9 years, 11 months

1
0
0 / 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

overlord-issues July 2014