geronimo-user mailing list archives

From Aman Nanner/MxI Technologies <aman.nan...@mxi.com>
Subject Re: Plaintext passwords in Geronimo plans and config files
Date Sun, 25 Feb 2007 18:01:26 GMT
Actually, the "keystorePassword" for the Tomcat SSL Web Connector is indeed
getting encrypted by the server in the config.xml, so it seems that the
encryption for passwords in config.xml is built-in by default.

ammulder@gmail.com wrote on 02-22-2007 01:24:24 PM:

> On 2/22/07, David Jencks <david_jencks@yahoo.com> wrote:
> > I haven't found the code that does this, but I think that it encrypts
> > config.xml rather than any plans.  I could be very wrong although
> > since plans aren't needed at runtime I can't see how encryption could
> > be applied to them.
>
> I think it's in "util" or one of the alphabetically late modules in
> the list.  :)  I'm pretty sure we could find it by looking at the code
> that saves config.xml property values.
>
> Anyway, I assume that encryption in config.xml is what we're talking
> about here -- that is, encryption in the server config files after the
> application is deployed, not encryption in the deployment plan that's
> used only once.  But it should be possible to hook in the encryption
> to saved plans or any other places where we have data that should be
> concealed.  As you pointed out it's not really safe against a skilled
> attacker with access to the server configuration, but it could provide
> the level of "no plain text passwords in server configuration"
> assurance.
>
> Thanks,
>        Aaron
>
> > > On 2/22/07, Aman Nanner/MxI Technologies <aman.nanner@mxi.com> wrote:
> > >>
> > >> Hi,
> > >>
> > >> I have noticed that passwords in plans and configuration files in
> > >> Geronimo
> > >> (1.2-beta) are not encrypted by the server, and remain in
> > >> plaintext.  For
> > >> example, passwords in:
> > >>
> > >> 1) Datasource connector plans
> > >> 2) ActiveMQ connector plans
> > >> 3) TomcatWebSSL Keystore passwords
> > >> 4) Geronimo properties realm passwords
> > >>
> > >> Having these plaintext passwords in these configuration files poses an
> > >> inherent security risk that would prevent us from deploying
> > >> Geronimo out to
> > >> customer sites.  Are there any plans to have all these passwords
> > >> encrypted?
> > >>
> > >> Thanks,
> > >> Aman



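The thread turns on which credential values the server stores encrypted in config.xml and which remain plaintext in plans and other files. As an added example (not code from this thread or from the Geronimo project), the Python audit below scans Geronimo-style XML for credential-like `attribute` and `config-property-setting` elements and reports those not carrying an encrypted marker; the `{Simple}` prefix, the name pattern and the sample document are assumptions constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Setting names that usually carry a credential (assumed pattern; extend as needed).
SECRET_NAME_RE = re.compile(r"pass(word|wd)", re.I)
# Assumed marker the server prepends to a value it has already encrypted.
ENCRYPTED_PREFIX = "{Simple}"

# Constructed sample resembling config.xml: one value encrypted, two still plaintext.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<attributes>
  <module name="geronimo/tomcat/1.2/car">
    <gbean name="TomcatWebSSLConnector">
      <attribute name="keystorePassword">{Simple}Y29uc3RydWN0ZWQ=</attribute>
    </gbean>
  </module>
  <module name="geronimo/system-database/1.2/car">
    <gbean name="SystemDatasource">
      <config-property-setting name="Password">manager</config-property-setting>
    </gbean>
  </module>
  <module name="geronimo/activemq-ra/1.2/car">
    <gbean name="ActiveMQ RA">
      <config-property-setting name="Password">activemq</config-property-setting>
    </gbean>
  </module>
</attributes>
"""

def _local(tag):
    """Strip an XML namespace prefix such as '{uri}attribute'."""
    return tag.rsplit("}", 1)[-1]

def find_secret_settings(xml_text):
    """Yield (owner, setting name, value) for every credential-like setting."""
    for parent in ET.fromstring(xml_text).iter():
        for child in parent:
            name = child.attrib.get("name", "")
            if (_local(child.tag) in ("attribute", "config-property-setting")
                    and SECRET_NAME_RE.search(name)):
                owner = parent.attrib.get("name", _local(parent.tag))
                yield owner, name, (child.text or "").strip()

def audit(xml_text):
    """Return (owner, name) pairs whose value is not marked as encrypted.

    Only the 'no plaintext in server configuration' assurance is checked:
    a marked value is still recoverable by anyone holding the server's key.
    """
    return [(owner, name) for owner, name, value in find_secret_settings(xml_text)
            if not value.startswith(ENCRYPTED_PREFIX)]
```

Running `audit` over a real config.xml or a deployment plan lists the settings that still need attention; as Aaron notes above, a marked value only satisfies the no-plaintext requirement and does not protect against someone who can read the server's key.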