Idea Details

IM DA security enhancement request

Last activity 07-30-2018 11:44 AM
Anon Anon
11-20-2013 10:21 PM

We found the account name and clear-text password in the file /opt/IMDataAggregator/apache-karaf-2.3.0/etc/dbconnection.cfg used by Data Aggregator to connect with Data Repository. This will expose the DR connection account and password to other users with read authority on that file (dbconnection.cfg).
We suggest encrypting the password in this file in the next IM2 version. Thanks.
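
An added example, not part of the original post or of the product: a host-side check an administrator could run against a properties-style file such as the dbconnection.cfg named above, reporting whether group or other users can read it and which keys carry a stored secret. The key-name pattern and the sample contents are assumptions constructed for illustration, not taken from the product.

```python
import os
import re
import stat
import tempfile

# Assumption: keys that hold secrets have names containing one of these words.
SECRET_KEY = re.compile(r"passw(or)?d|secret", re.IGNORECASE)

def audit_cfg(path):
    """Return a list of findings for a Java-properties-style .cfg file."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"mode {mode:04o}: readable by group or other users")
    with open(path, encoding="utf-8", errors="replace") as fh:
        for lineno, raw in enumerate(fh, 1):
            line = raw.strip()
            if not line or line[0] in "#!":
                continue  # blank line or properties comment
            key, sep, value = line.partition("=")
            if sep and SECRET_KEY.search(key) and value.strip():
                # Report the key only; never echo the stored value.
                findings.append(f"line {lineno}: '{key.strip()}' has a value stored on disk")
    return findings

def demo():
    # Constructed sample; the key names are hypothetical.
    sample = ("# constructed sample\n"
              "dbHost=dr.example.internal\n"
              "dbUserName=dauser\n"
              "dbPassword=Example123\n")
    with tempfile.NamedTemporaryFile("w", suffix=".cfg", delete=False) as tmp:
        tmp.write(sample)
    try:
        os.chmod(tmp.name, 0o644)
        before = audit_cfg(tmp.name)   # world-readable file with a stored secret
        os.chmod(tmp.name, 0o600)      # owner-only: the host-side mitigation
        after = audit_cfg(tmp.name)    # the stored secret is still reported
    finally:
        os.unlink(tmp.name)
    return before, after

if __name__ == "__main__":
    for finding in demo()[0]:
        print(finding)
```

Tightening the mode to owner-only removes the exposure to other local users, but the check still reports the stored value, which is the part the request asks the vendor to address.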


Comments

02-05-2018 03:56 AM

dbUser and dbAdmin (database) passwords are stored encrypted with v3.5. There is also an encryption tool in case the passwords need to be updated.

07-14-2017 09:49 AM

Thank you for raising this issue. Host security goes a long way, but there's really no excuse for storing plain text passwords on disk. I'll review with the engineering team.

07-13-2017 02:37 PM

This is a big problem. It should be relatively simple to apply a basic hash to the password values. This is still in clear text in 3.1.