Idea Details

Enhancement Request: Wildfly TrustStore - Remove Hard-coded Password to View TrustStore For Startup

Last activity 25 days ago
07-22-2019 12:17 PM

BACKGROUND:

1- The JDK JKS truststore requires a password to add / update the objects within.
2- The JDK JKS truststore does NOT require a password to view the objects.
- However, a password prompt will appear, but the API for the JKS will accept a NULL entry.


CHALLENGE:
CA Identity Manager r14.1 stores the JKS password in clear-text within ca-standalone-full-ha.xml

<keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>

Also impacts CA Identity Governance and CA Identity Portal


BUSINESS IMPACT:
-  Audit, security, and compliance risk.



REQUEST:

- Update the CA Identity Suite solution - CA Identity Manager, CA Identity Governance, CA Identity Portal - to start up the solutions without the "hard-coded" default password of "changeit" (or other password if changed by an administrator) from the Wildfly configuration file: ca-standalone-full-ha.xml

1) Recommendation - Use the API to send a NULL to the VIEW of the truststore.

Example to showcase that the truststore does NOT require a password to VIEW data.
keytool -v -list -storetype jks -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv < /dev/null



2) Alternative: Document process and/or add feature to use a local file to mask the password.

Example to use local file to mask the password.
echo changeit > /tmp/secure_filename
keytool -v -list -storetype jks -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv -storepass:file /tmp/secure_filename
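The two keytool invocations above are easier to reason about once the on-disk format is in view. The following Python reader is an added example, not code from the original post or from the CA Identity Suite; it builds a small JKS truststore in memory (the certificate bytes and aliases are constructed placeholders, and "changeit" mirrors the password from the XML above) and then lists it with and without a password. It shows why recommendation 1) works: the password never protects the entries themselves, it only keys the SHA-1 integrity digest at the end of the file (password as UTF-16BE, the fixed string "Mighty Aphrodite", then the file body). It also shows the trade-off a reviewer should keep in mind: a password-less view cannot detect a tampered store, which is what the -storepass:file variant of 2) preserves.

```python
"""Minimal JKS (JDK legacy keystore) reader and writer for trusted-certificate
entries. Added example; assumptions: certificate bytes are opaque constructed
placeholders, private-key entries (tag 1) are not handled."""
import hashlib
import io
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
TRUSTED_CERT_TAG = 2

# Constructed sample entries; the DER bytes are placeholders, not real certificates.
SAMPLE_CERTS = [
    ("caim-srv", b"\x30\x03\x02\x01\x01"),
    ("corp-root", b"\x30\x03\x02\x01\x02"),
]


def _write_utf(out, text):
    # Java DataOutput.writeUTF: 2-byte big-endian length, then the bytes
    data = text.encode("utf-8")
    out.write(struct.pack(">H", len(data)) + data)


def _read_utf(inp):
    (n,) = struct.unpack(">H", inp.read(2))
    return inp.read(n).decode("utf-8")


def _keyed_digest(password, body):
    # The only place the store password is used: SHA-1(pw UTF-16BE || "Mighty Aphrodite" || body)
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_truststore(certs, password):
    """Serialise (alias, der_bytes) pairs as a JKS v2 store with a keyed digest."""
    body = io.BytesIO()
    body.write(struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(certs)))
    for alias, der in certs:
        body.write(struct.pack(">i", TRUSTED_CERT_TAG))
        _write_utf(body, alias)
        body.write(struct.pack(">q", 0))  # creation time, ms since epoch (constructed)
        _write_utf(body, "X.509")
        body.write(struct.pack(">i", len(der)) + der)
    raw = body.getvalue()
    return raw + _keyed_digest(password, raw)


def list_truststore(blob, password=None):
    """Return (aliases, integrity).

    integrity is True/False when a password was supplied, and None when it was
    not: the entries are readable either way, exactly like `keytool -list` fed
    an empty password from /dev/null, but only a password can confirm that the
    file has not been modified."""
    body, digest = blob[:-20], blob[-20:]
    inp = io.BytesIO(body)
    magic, version, count = struct.unpack(">IIi", inp.read(12))
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 store")
    aliases = []
    for _ in range(count):
        (tag,) = struct.unpack(">i", inp.read(4))
        alias = _read_utf(inp)
        inp.read(8)  # creation timestamp, not needed for listing
        if tag != TRUSTED_CERT_TAG:
            raise ValueError("private-key entries are not handled in this example")
        _read_utf(inp)  # certificate type, "X.509"
        (n,) = struct.unpack(">i", inp.read(4))
        inp.read(n)  # certificate bytes are opaque here
        aliases.append(alias)
    integrity = None
    if password is not None:
        integrity = _keyed_digest(password, body) == digest
    return aliases, integrity


def tamper(blob):
    """Flip one bit in the last certificate byte, leaving the digest untouched."""
    return blob[:-21] + bytes([blob[-21] ^ 0x01]) + blob[-20:]


if __name__ == "__main__":
    store = build_truststore(SAMPLE_CERTS, "changeit")
    print("no password:     ", list_truststore(store))
    print("correct password:", list_truststore(store, "changeit"))
    print("tampered, no pw: ", list_truststore(tamper(store)))
    print("tampered, pw:    ", list_truststore(tamper(store), "changeit"))
```

Running the script prints the same alias list in all four cases; only the runs that receive the password report whether the digest still matches. That is the property to weigh when choosing between the two options in the request: option 1) removes the clear-text secret from ca-standalone-full-ha.xml but gives up tamper detection on the truststore, while option 2) keeps the check and moves the secret into a file whose permissions can be restricted.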
Comments

25 days ago

Hi Alan,

Do you think the following links are useful? To use a vault and masked password in standalone.xml:

https://docs.rapidminer.com/latest/server/configure/security/securing-passwords-in-jboss.html

https://developer.jboss.org/wiki/JBossAS7SecuringPasswords?_sscc=t

Thanks,
Sumeet

27 days ago

SUPPORTING DOCUMENTATION

REF #1. CA PIM (aka Access Control aka Control Minder) documentation.
Description of the process used to encrypt the keystore password.
ControlMinder used the CA IdentityMinder EAR to provide a new UI for this solution. CA IdentityMinder is the earlier version of CA IdentityManager, and now Layer7 Identity Management.



https://casupport.broadcom.com/cadocs/0/CA%20ControlMinder%2012%206%2001-ENU/Bookshelf_Files/PDF/AC_Impl_ENU.pdf

EXAMPLE:

14. Add the following mbean between the <server> and </server> tags:
<mbean code="org.jboss.security.plugins.JaasSecurityDomain" name="jboss.security:service=PBESecurityDomain">
  <constructor>
    <arg type="java.lang.String" value="encrypt-keystore-password"></arg>
  </constructor>
  <attribute name="KeyStoreURL">${jboss.server.home.dir}/deploy/IdentityMinder.ear/custom/ppm/truststore/ssl.keystore</attribute>
  <attribute name="KeyStorePass">{CLASS}org.jboss.security.plugins.FilePassword:${jboss.server.home.dir}/deploy/IdentityMinder.ear/custom/ppm/truststore/keystore.password</attribute>
  <attribute name="Salt">welcometojboss</attribute>
  <attribute name="IterationCount">13</attribute>
</mbean>



REF #2: Encrypting the keystore password in Tomcat (similar to reference #1)
https://access.redhat.com/documentation/en-us/jboss_enterprise_application_platform/5/html/security_guide/encrypting_the_keystore_password_in_tomcat
