
Encrypted passwords showing as clear text in JMX console settings

    Details

      Description

      When using encrypted settings, I've been able to find in MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes, the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted.

      Also, the 'cryptodoc.jce.keystore.password' entry shows the keystore password in the clear as well while the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

      A partner believes this to be a security hole, as anyone with controlRole or monitorRole access will be able to see the passwords for the keystore.

      I was able to reproduce on 5.0.2.5.

      Steps to reproduce:

      1. Install 5.0.2.5
      2. In alfresco-encrypted.properties add these properties:

      cryptodoc.jce.keystore.path=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.keystore.password=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.key.aliases=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)
      cryptodoc.jce.key.passwords=ENC(aJdetaTwyge7xyKgQxRwrr1zgVKwCps9UgYvgYIps779puYTtzGfin18E2XXTwqzdC6hX6NKmJU7eT136Mkb2w==)

      3. In alfresco-global.properties add these properties:

      cryptodoc.jce.keystore.path=${cryptodoc.jce.keystore.path.enc}
      cryptodoc.jce.keystore.password=${cryptodoc.jce.keystore.password.enc}
      cryptodoc.jce.key.aliases=${cryptodoc.jce.key.aliases.enc}
      cryptodoc.jce.key.passwords=${cryptodoc.jce.key.passwords.enc}

      4. Start Alfresco.

      5. Attach to the JMX console using jconsole.

      6. Have a look at MBeans, under Alfresco -> Configuration -> ContentStore -> managed -> encrypted -> attributes -> 'cryptodoc.jce.key.passwords' entry

      7. Have a look at MBeans under Alfresco -> Global Properties -> Attributes -> cryptodoc.jce.keystore.password

      Observed:

      In Step #6 the 'cryptodoc.jce.key.passwords' entry shows the passwords decrypted even though they are encrypted in the properties file.

      In Step #7 the 'cryptodoc.jce.key.passwords' entry under 'GlobalProperties -> Attributes' shows it pointing to ${cryptodoc.jce.key.passwords.enc}.

      Expected:

      In Step #6 the passwords should not be shown as clear text but rather the property as shown in Step #7.
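The report boils down to one check a defender can automate: any JMX attribute whose name suggests a credential and whose value is neither an ENC(...) ciphertext nor an unresolved ${...enc} reference is a clear-text exposure. The following is an added audit example, not Alfresco code and not part of the issue; it runs over a constructed snapshot of the two MBean attribute sets described in steps 6 and 7 (the tree paths, attribute values and the secret-name heuristic are assumptions, not real deployment values).

```python
import re

# Heuristic for attribute names that carry credentials (assumed, not an Alfresco list).
SECRET_NAME = re.compile(r"(password|secret|credential)s?$", re.IGNORECASE)
# Ciphertext as stored in alfresco-encrypted.properties.
ENC_WRAPPED = re.compile(r"^ENC\(.+\)$")
# Unresolved ${name.enc} indirection as stored in alfresco-global.properties.
PLACEHOLDER = re.compile(r"^\$\{[A-Za-z0-9_.\-]+\}$")


def classify_value(value):
    """Return 'encrypted', 'reference' or 'cleartext' for one attribute value."""
    if not isinstance(value, str):
        return "cleartext"
    if ENC_WRAPPED.match(value):
        return "encrypted"
    if PLACEHOLDER.match(value):
        return "reference"
    return "cleartext"


def audit_mbean_snapshot(snapshot):
    """snapshot maps an MBean tree path to its {attribute: value} dict.
    Returns sorted (path, attribute) pairs where a secret-looking attribute
    is exposed in the clear, i.e. what steps 6 and 7 of the report look for."""
    findings = []
    for path, attributes in snapshot.items():
        for attr, value in attributes.items():
            if SECRET_NAME.search(attr) and classify_value(value) == "cleartext":
                findings.append((path, attr))
    return sorted(findings)


# Constructed snapshot mirroring the two MBeans in the report; values are made up.
SAMPLE_SNAPSHOT = {
    "Alfresco/Configuration/ContentStore/managed/encrypted": {
        "cryptodoc.jce.keystore.password": "example-keystore-pass",
        "cryptodoc.jce.key.passwords": "alias1=example-key-pass",
        "cryptodoc.jce.keystore.path": "/opt/alfresco/keystore.jks",
    },
    "Alfresco/GlobalProperties": {
        "cryptodoc.jce.keystore.password": "${cryptodoc.jce.keystore.password.enc}",
        "cryptodoc.jce.key.passwords": "${cryptodoc.jce.key.passwords.enc}",
        "cryptodoc.jce.key.passwords.enc": "ENC(constructed-ciphertext)",
    },
}

if __name__ == "__main__":
    for path, attr in audit_mbean_snapshot(SAMPLE_SNAPSHOT):
        print(f"clear-text secret exposed via JMX: {path} -> {attr}")
```

Only the ContentStore MBean is flagged; the GlobalProperties view passes because it exposes references and ciphertext rather than resolved values.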

People

Assignee: Closed Bugs (closedbugs)
Reporter: Harlin Seritt (hseritt) [X] (Inactive)