[overlord-issues] [JBoss JIRA] (SRAMP-380) Passwords in clear text when running in Fuse 6.1
David virgil naranjo (JIRA)
issues at jboss.org
Mon Jul 28 05:59:32 EDT 2014
[ https://issues.jboss.org/browse/SRAMP-380?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12988218#comment-12988218 ]
David virgil naranjo commented on SRAMP-380:
--------------------------------------------
As they commented in the forum post, the encryption can be enabled modifying one configuration file located in the etc folder.
The encryption is done when the user is added throw the karaf console, using the jaas commands.
When a user is added, appended to the etc/users.properties, the new user line is not getting encrypted.
Possibilities:
Add the user/password information encrypted. By default the fuse 6.1 encryption is the MD5/Hexadecimal. The format would be something like:
admin = {CRYPT}73550311dcde010200eadb8a42ef1a96{CRYPT}
But if the users are added encrypted in the users.properties is MANDATORY that the encryption is enabled in the {fuse_home}/etc/org.apache.karaf.jaas.cfg
> Passwords in clear text when running in Fuse 6.1
> ------------------------------------------------
>
> Key: SRAMP-380
> URL: https://issues.jboss.org/browse/SRAMP-380
> Project: S-RAMP
> Issue Type: Bug
> Security Level: Public(Everyone can see)
> Reporter: Eric Wittmann
> Assignee: David virgil naranjo
> Fix For: 0.5.0
>
>
> When we install into JBoss EAP we make sure that we don't have any clear text passwords in any configuration files. This is made possible by using the Vault, which allows us to store passwords in the vault and then refer to those vault locations from our config files.
> I don't know if there is something similar to be done in Fuse 6.1
> In addition, the login credentials for supported users in EAP are not stored in clear text (the EAP Application Realm config files store an encrypted version of the passwords).
> In Fuse 6.1 we are storing the login user credentials in a users.properties file in clear text.
--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
More information about the overlord-issues
mailing list