Develop plan for securing application passwords in the CN stack
There are many components that use passwords in configuration files. While we do restrict who can access our servers and what they can view when on the server, it's still not entirely secure to have property files with cleartext passwords.
Here are the components that are known to be configured with cleartext passwords:
* d1_identity_manager (LDAP)
* d1_noderegistry (LDAP)
* d1_replication (postgres)
* d1_portal_servlet (postgres)
* Metacat (postgres)
* all hazelcast connections
#2 Updated by Dave Vieglais about 7 years ago
One option is to replace our current password "manager" gpg files with the "pass" tool. http://www.passwordstore.org/
Initial evaluation suggests it seems to work fairly well for our needs as it still uses gpg (can keep using all our keys), provides for hierarchical arrangement of entries, has integrated support for git, and can be used in scripts.
This at least helps with the password management and enables easy distribution to the servers (pass can be installed from apt).
Minor hassle is that it requires gnu-getopt on OS-X which needs to be installed through brew, which most of us probably use anyway.
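One way to use `pass` from a deployment script, as an added example that is not code from the DataONE project or from this issue: a POSIX sh script that renders a Java-style `.properties` file from a template in which each secret is written as a `${pass:entry/path}` placeholder, resolved at deploy time with `pass show`, plus an audit function that flags password-like keys in an existing properties file whose value is still a literal. The placeholder syntax, the store layout (`cn/metacat/postgres`, `cn/ldap/admin`) and the `resolve_with_pass`/`render_properties`/`audit_properties` names are assumptions made for the example, not the project's conventions.

```shell
#!/bin/sh
# Added example, not the project's own code. Renders a .properties file from
# a template whose secrets are written as ${pass:entry/path}; each placeholder
# is looked up with `pass show`, so neither the template in git nor the server
# holds a cleartext password until the file is rendered at deploy time.
# The store layout (cn/metacat/postgres, cn/ldap/admin) is an assumed
# convention for illustration only.
set -eu

OPEN='${pass:'   # placeholder opener and closer, kept in variables so the
CLOSE='}'        # pattern matching below needs no awkward quoting

# Default resolver: the first line of a pass entry is the password.
# pass exits non-zero when the entry is missing or gpg cannot decrypt it.
resolve_with_pass() {
    pass show "$1" | head -n 1
}

# render_line LINE RESOLVER: substitute every ${pass:NAME} in LINE with the
# output of "RESOLVER NAME". Resolved secrets are appended verbatim and never
# re-scanned, so a password that itself contains "${pass:" cannot trigger a
# second lookup.
render_line() {
    rest=$1
    resolver=$2
    out=''
    while :; do
        case $rest in
            *"$OPEN"*"$CLOSE"*) ;;
            *) break ;;
        esac
        prefix=${rest%%"$OPEN"*}      # text before the first placeholder
        after=${rest#*"$OPEN"}        # text after "${pass:"
        name=${after%%"$CLOSE"*}      # entry path up to the closing brace
        rest=${after#*"$CLOSE"}       # everything after the placeholder
        # Only accept plain relative store paths: no empty names, no leading
        # dash (would be parsed as a pass option), no ".." components.
        case $name in
            ''|-*|*..*|*[!A-Za-z0-9_./-]*)
                printf 'bad entry name: %s\n' "$name" >&2; return 1 ;;
        esac
        secret=$("$resolver" "$name") || {
            printf 'cannot resolve %s\n' "$name" >&2; return 1; }
        out="$out$prefix$secret"
    done
    printf '%s\n' "$out$rest"
}

# render_properties TEMPLATE [RESOLVER]: write the rendered file to stdout.
# Any unresolvable placeholder aborts the whole render rather than silently
# emitting an empty password.
render_properties() {
    tmpl=$1
    res=${2:-resolve_with_pass}
    while IFS= read -r line || [ -n "$line" ]; do
        render_line "$line" "$res" || return 1
    done < "$tmpl"
}

# audit_properties FILE: print password-like keys whose value is still a
# literal (neither empty nor a ${pass:...} placeholder); returns 1 if any are
# found. Covers key=value / key:value files only; hazelcast XML configs need a
# separate check.
audit_properties() {
    findings=$(grep -Ei '^[[:space:]]*[^#!=:]*(password|passwd|secret)[^=:]*[=:]' "$1" \
        | grep -Ev '[=:][[:space:]]*(\$[{]pass:[^}]+[}])?[[:space:]]*$' || true)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Usage (requires pass and gpg on the host):
#   ./render-properties.sh metacat.properties.tmpl > metacat.properties
#   ./render-properties.sh --audit metacat.properties
if [ $# -gt 0 ]; then
    if [ "$1" = --audit ]; then audit_properties "$2"; else render_properties "$1"; fi
fi
```

The render step is meant to run on the server as the service account after `pass` and the server's gpg key have been installed from apt and distributed, so the rendered file inherits the same filesystem restrictions as before while the template in git carries only placeholders. The audit function is the quick check to run against the property files of the components listed above to confirm nothing was missed.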