geronimo-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Malgeri (JIRA)" <>
Subject [jira] Commented: (GERONIMO-2925) Key used for encryption same for all server instances
Date Fri, 02 Mar 2007 23:06:51 GMT


Michael Malgeri commented on GERONIMO-2925:

It refers to WAS CE because it comes from a customer using WAS CE not Geronimo. I assumed
the fix would be applied in Geronimo and WAS CE would pick it up. The customer is "we" in
the message and I did a cut and paste.  We'll get more info from the customer and post when

> Key used for encryption same for all server instances
> -----------------------------------------------------
>                 Key: GERONIMO-2925
>                 URL:
>             Project: Geronimo
>          Issue Type: Bug
>      Security Level: public(Regular issues) 
>          Components: security
>    Affects Versions: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0
>            Reporter: Michael Malgeri
>            Priority: Critical
> We understand that WASCE use AES to encrypt the password.  You do 
> javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
> This key is same for all the WASCE server instances.  Anyone getting access to a downloaded
version of the software can have the algorithm and decrypt the password.  So we need your
urgent help on the following:
> 1. provide a solution with key management that we can control
> 2. provide a pluggable encryption solution so that we can use our internal algorithms
and key management
> At least,
> 3. the key should be dynamically generated in each of the installations that would reduce
the ability to decrypt to someone who has access to the server.

This message is automatically generated by JIRA.
You can reply to this email to add a comment to the issue online.

View raw message