[teiid-issues] [JBoss JIRA] Created: (TEIID-729) Default keystore may lead to confusion or provide false sense of security in encrypting passwords
Ramesh Reddy (JIRA)
jira-events at lists.jboss.org
Mon Jul 20 11:34:29 EDT 2009
Default keystore may lead to confusion or provide false sense of security in encrypting passwords
-------------------------------------------------------------------------------------------------
Key: TEIID-729
URL: https://jira.jboss.org/jira/browse/TEIID-729
Project: Teiid
Issue Type: Bug
Components: Common
Affects Versions: 6.1.0
Reporter: Ramesh Reddy
Assignee: Ramesh Reddy
Fix For: 6.2.0
Currently the Teiid source code contains a default "teiid.keystore", which is then used by any component (connector binding) in encrypting passwords. Designer does use this to encrypt the password, as it does not have its own private keystore. This poses:
1) A false sense of security, as this is mere obfuscation, since the "keystore" is available to anybody.
2) If the Designer provides a keystore of its own, it now becomes a burden on the user to share this same keystore with the runtime environment to enable decrypting the password. Currently this is a major issue with connector bindings not starting, or when somebody imports a previous configuration where the passwords are encrypted with a different keystore.
The simple solution is to not provide a "default" keystore. If Designer does not provide a private keystore, then passwords are in plain text in the connector binding properties. That will run seamlessly in the Teiid runtime, if the user does not care about having clear text passwords. That may be the situation in DEV environments. In production environments during runtime (if required) Teiid will provide tools and instructions as to how to encrypt passwords.
If the user does provide a keystore in the Designer, then it is the user's responsibility to share this keystore with the runtime environment, so that they work in sync in encrypting and decrypting the password.
Users will be provided with scripts in the Teiid kit to generate a keystore, which they can use to encrypt the passwords. So, this will make encryption an option rather than a requirement in the Teiid system.
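An added example, not part of the original report and not Teiid code: a deployment audit that flags the two conditions listed above, a keystore identical to the one shipped with the product and a Designer/runtime keystore mismatch. The file names and finding labels are hypothetical, and the comparison is on file bytes, which assumes the keystore is shared by copying the file.

```python
import hashlib
import tempfile
from pathlib import Path


def fingerprint(path):
    """SHA-256 of the keystore file's bytes, or None if there is no such file."""
    p = Path(path)
    return hashlib.sha256(p.read_bytes()).hexdigest() if p.is_file() else None


def audit_keystores(designer_ks, runtime_ks, shipped_default_ks):
    """Compare the keystores in play and report the conditions from the issue.

    Byte-level comparison: assumes the keystore is shared by copying the file.
    """
    designer, runtime, default = (
        fingerprint(p) for p in (designer_ks, runtime_ks, shipped_default_ks)
    )
    findings = []
    if default is not None and default in (designer, runtime):
        # Point 1: the key ships with the product, so this is obfuscation.
        findings.append("default-keystore-in-use")
    if designer is None:
        # Proposed behaviour: no Designer keystore, passwords stay in clear text.
        findings.append("designer-clear-text-passwords")
    elif runtime is None:
        # Point 2: the runtime has nothing to decrypt Designer's output with.
        findings.append("runtime-keystore-missing")
    elif designer != runtime:
        # Point 2: passwords were encrypted with a different keystore.
        findings.append("keystore-mismatch")
    return findings


if __name__ == "__main__":
    # Constructed stand-ins for keystore files; the contents are arbitrary bytes.
    with tempfile.TemporaryDirectory() as d:
        d = Path(d)
        (d / "shipped.keystore").write_bytes(b"constructed-default-keystore")
        (d / "designer.keystore").write_bytes(b"constructed-default-keystore")
        (d / "runtime.keystore").write_bytes(b"constructed-private-keystore")
        print(audit_keystores(d / "designer.keystore", d / "runtime.keystore",
                              d / "shipped.keystore"))
        # ['default-keystore-in-use', 'keystore-mismatch']
```

An empty result means Designer and the runtime hold the same keystore and it is not the shipped default.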