Story #7559
Develop plan for securing application passwords in the CN stack
Description
There are many components that use passwords in configuration files. While we do restrict who can access our servers and what they can view when on the server, it's still not entirely secure to have property files with cleartext passwords.
Here are components that are known to be configured with cleartext passwords:
* d1_identity_manager (LDAP)
* d1_noderegistry (LDAP)
* d1_replication (postgres)
* d1_portal_servlet (postgres)
* Metacat (postgres)
* all hazelcast connections
Related issues
History
#1 Updated by Ben Leinfelder almost 9 years ago
- Related to Task #7545: Secure test service passwords in LDAP configuration added
#2 Updated by Dave Vieglais almost 9 years ago
One option is to replace our current password "manager" gpg files with the "pass" tool. http://www.passwordstore.org/
Initial evaluation suggests it seems to work fairly well for our needs as it still uses gpg (can keep using all our keys), provides for hierarchical arrangement of entries, has integrated support for git, and can be used in scripts.
This at least helps with the password management and enables easy distribution to the servers (pass can be installed from apt).
Minor hassle is that it requires gnu-getopt on OS-X which needs to be installed through brew, which most of us probably use anyway.
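The scripted use of pass mentioned in update #2 could look like the following at deploy time. This is an added example, not part of the ticket or the project's own code: the `@pass:ENTRY@` placeholder syntax, the function names and the entry names are assumptions; only `pass show` is the tool's real interface.

```shell
#!/bin/sh
# Added example (not the project's code). The "@pass:ENTRY@" placeholder
# syntax, function names and entry names are assumptions for illustration.

# Print the password of one store entry: by pass convention, its first line.
fetch_secret() {
    entry_text=$(pass show "$1") || return 1
    printf '%s\n' "$entry_text" | head -n 1
}

# render_props TEMPLATE OUT
# Copy TEMPLATE to OUT, replacing every "key=@pass:ENTRY@" line with
# "key=<secret stored under ENTRY>". OUT is created with mode 0600 and is
# only moved into place if every placeholder could be resolved.
render_props() (
    tmp=$(mktemp "$2.XXXXXX") || exit 1      # mktemp creates the file 0600
    fail() { echo "render_props: $1" >&2; rm -f "$tmp"; exit 1; }
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            \#*) ;;                          # comments pass through untouched
            *=@pass:*@)
                key=${line%%=@pass:*}
                entry=${line#*=@pass:}; entry=${entry%@}
                # Refuse names that look like options or leave the store.
                case $entry in
                    ''|-*|*..*|*[!A-Za-z0-9_./-]*) fail "bad entry name '$entry'" ;;
                esac
                secret=$(fetch_secret "$entry") && [ -n "$secret" ] ||
                    fail "cannot read '$entry' from the password store"
                line="$key=$secret"
                ;;
        esac
        printf '%s\n' "$line"
    done < "$1" > "$tmp" || fail "cannot read template '$1'"
    mv "$tmp" "$2"
)

# Usage (hypothetical file names):
#   render_props metacat.properties.tmpl metacat.properties
```

The template with placeholders can be kept in version control; the rendered file still holds the cleartext value on the server, so this addresses management and distribution of the passwords rather than their storage at rest.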
#3 Updated by Dave Vieglais almost 7 years ago
- Assignee changed from Matthew Jones to Dave Vieglais
#4 Updated by Dave Vieglais almost 7 years ago
- Sprint set to Infrastructure backlog