MNT-15494 (project: Service Packs and Hot Fixes)

Encrypted passwords showing as clear text in JMX console settings

    Details

      Description

      When using encrypted settings, I've been able to find in MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes, the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted.

      Also, the 'cryptodoc.jce.keystore.password' entry shows the keystore password in the clear as well while the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

      A partner believes this to be a security hole, as anyone with controlRole or monitorRole access will be able to see the passwords for the keystore.

      I was able to reproduce on 5.0.2.5.

      Steps to reproduce:

      1. Install 5.0.2.5
      2. In alfresco-encrypted.properties add these properties:

      cryptodoc.jce.keystore.path=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.keystore.password=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.key.aliases=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.key.passwords=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)

      3. In alfresco-global.properties add these properties:

      cryptodoc.jce.keystore.path=${cryptodoc.jce.keystore.path.enc}
      cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
      cryptodoc.jce.key.aliases=${cryptodoc.jce.key.aliases.enc}
      cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}

      4. Start Alfresco.

      5. Attach to the JMX console using jconsole.

      6. Have a look at MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes -> 'cryptodoc.jce.key.passwords' entry

      7. Have a look at MBeans under Alfresco -> Global Properties -> Attributes -> cryptodoc.jce.keystore.password

      Observed:

      In Step #6 the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted even though they are encrypted in the properties file.

      In Step #7 the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

      Expected:

      In Step #6 the passwords should not be shown as clear text but rather the property as shown in Step #7.
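The issue above is a placeholder-resolution problem: alfresco-global.properties points at ${name.enc}, the encrypted file supplies ENC(...), and the management view exposes the resolved plaintext instead of the placeholder. The following added example (not Alfresco code; the file contents, ciphertexts and the FAKE_DECRYPT stand-in are constructed, and the ${name.enc} to encrypted-file key mapping is assumed from the naming convention in the steps) models the two files, shows what a management view should expose, and checks attributes read back from a console for leaked plaintext:

```python
import re

ENC_RE = re.compile(r"^ENC\((.+)\)$")            # value form in alfresco-encrypted.properties
PLACEHOLDER_RE = re.compile(r"^\$\{(.+)\.enc\}$")  # reference form in alfresco-global.properties

# Constructed sample files; the ENC() payloads are placeholders, not real ciphertext.
ENCRYPTED_FILE = """
cryptodoc.jce.keystore.password=ENC(ct-keystore)
cryptodoc.jce.key.passwords=ENC(ct-keypw)
"""
GLOBAL_FILE = """
cryptodoc.jce.keystore.path=/opt/alfresco/keystore
cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}
"""
# Stand-in for the real decryption routine: maps constructed ciphertexts to plaintexts.
FAKE_DECRYPT = {"ct-keystore": "ks-secret", "ct-keypw": "alias1=kp1,alias2=kp2"}

def parse_properties(text):
    """Minimal Java .properties parser: key=value lines, '#' comments ignored."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def resolve(global_props, encrypted_props, decrypt=FAKE_DECRYPT.get):
    """Map each global key to (effective value, sourced_from_encrypted_file)."""
    resolved = {}
    for key, value in global_props.items():
        ref = PLACEHOLDER_RE.match(value)
        enc = ENC_RE.match(encrypted_props.get(ref.group(1), "")) if ref else None
        if enc:  # ${x.enc} -> encrypted file key x -> ENC(...) -> plaintext
            resolved[key] = (decrypt(enc.group(1)), True)
        else:
            resolved[key] = (value, False)
    return resolved

def management_view(global_props, resolved):
    """What a JMX attribute view should expose: the ${...enc} placeholder, never the plaintext."""
    return {k: (global_props[k] if from_enc else v) for k, (v, from_enc) in resolved.items()}

def find_cleartext_leaks(observed_attrs, resolved):
    """Return keys whose plaintext is visible in attributes read back over JMX."""
    return sorted(k for k, (plain, from_enc) in resolved.items()
                  if from_enc and observed_attrs.get(k) == plain)
```

Feeding the raw resolved values to find_cleartext_leaks reproduces what Step #6 observed; feeding management_view output returns no leaks.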

      People

        Assignee: Closed Bugs (closedbugs)
        Reporter: Harlin Seritt (hseritt) [X] (Inactive)
        Votes: 0
        Watchers: 9

      Time Tracking

        Estimated: Not Specified
        Remaining: 0m
        Logged: 1d 2h 42m