1- The JDK JKS truststore requires a password to add / update the objects within.
2- The JDK JKS truststore does NOT require a password to view the objects.
- A password prompt still appears, but the JKS API accepts a NULL (empty) entry.
CA Identity Manager r14.1 stores the JKS password in clear text within ca-standalone-full-ha.xml:
<keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>
This also impacts CA Identity Governance and CA Identity Portal.
- Audit, security, and compliance risk.
- Update the CA Identity Suite solution (CA Identity Manager, CA Identity Governance, CA Identity Portal) so that the solutions start up without the hard-coded default password "changeit" (or whatever password an administrator has set) in the WildFly configuration file ca-standalone-full-ha.xml.
1) Recommendation: use the API to pass a NULL password when viewing the truststore.
Example showing that the truststore does NOT require a password to VIEW data (the empty stdin answers the password prompt):
keytool -v -list -storetype jks -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv < /dev/null
2) Alternative: document a process and/or add a feature that reads the password from a local file so it is not kept in the configuration file.
Example using a local file to supply the password (keytool's -storepass:file option):
echo changeit > /tmp/secure_filename
keytool -v -list -storetype jks -keystore /opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv -storepass:file /tmp/secure_filename
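An added audit helper (shell, written for this article; not part of CA Identity Suite or WildFly) that covers both points above: it flags <keystore> elements in a WildFly standalone XML whose keystore-password is a literal rather than a ${...} expression, and it checks that a file fed to -storepass:file is readable only by its owner. The XML sample is constructed from the line shown on the page; the ${VAULT::...} reference in it is an assumed example of a non-literal value.

```shell
#!/bin/sh
# Constructed sample: one literal password (as on the page) and one assumed vault/expression reference.
SAMPLE_XML='<server>
  <keystore path="/opt/CA/VirtualAppliance/custom/wildfly-ssl-certificates/caim-srv" keystore-password="changeit"/>
  <keystore path="/opt/example/other.jks" keystore-password="${VAULT::ks::password::1}"/>
</server>'

# Print the path of every <keystore> whose keystore-password is a literal value (not a ${...} reference).
# $1: path to the standalone XML file
find_cleartext_keystore_passwords() {
    grep -o '<keystore [^>]*keystore-password="[^"]*"' "$1" \
        | grep -v 'keystore-password="\${' \
        | sed 's/.*path="\([^"]*\)".*/\1/'
}

# Return 0 only if the password file is a regular file with mode 0600 (owner read/write, nothing else).
# $1: path to the file that will be passed to keytool -storepass:file
storepass_file_is_private() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Write the password file with a restrictive umask so it is never created world-readable.
# $1: destination path, $2: password
write_storepass_file() {
    ( umask 077 && printf '%s\n' "$2" > "$1" )
}

# Demo run on the constructed sample.
WORK="$(mktemp -d)"
printf '%s\n' "$SAMPLE_XML" > "$WORK/ca-standalone-full-ha.xml"
echo "Keystores with clear-text passwords:"
find_cleartext_keystore_passwords "$WORK/ca-standalone-full-ha.xml"
write_storepass_file "$WORK/storepass" "changeit"
if storepass_file_is_private "$WORK/storepass"; then
    echo "$WORK/storepass is private; suitable for keytool -storepass:file"
fi
rm -rf "$WORK"
```

Run the first function against the real ca-standalone-full-ha.xml to confirm the finding, and keep the -storepass:file file outside a shared /tmp so the check passes on a directory other users cannot list.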