Story #7559

Develop plan for securing application passwords in the CN stack

Added by Ben Leinfelder about 9 years ago. Updated almost 7 years ago.

Status: New
Priority: Normal
Assignee:
Category: Architecture Design
Target version: -
Start date: 2015-12-15
Due date:
% Done: 0%
Story Points:

Description

There are many components that use passwords in configuration files. While we do restrict who can access our servers and what they can view when on the server, it's still not entirely secure to have property files with cleartext passwords.

Here are components that are known to be configured with cleartext passwords:
* d1_identity_manager (LDAP)
* d1_noderegistry (LDAP)
* d1_replication (postgres)
* d1_portal_servlet (postgres)
* Metacat (postgres)
* all hazelcast connections


Related issues

Related to CN REST - Task #7545: Secure test service passwords in LDAP configuration Closed 2015-12-15

History

#1 Updated by Ben Leinfelder about 9 years ago

  • Related to Task #7545: Secure test service passwords in LDAP configuration added

#2 Updated by Dave Vieglais about 9 years ago

One option is to replace our current password "manager" gpg files with the "pass" tool. http://www.passwordstore.org/

Initial evaluation suggests it seems to work fairly well for our needs as it still uses gpg (can keep using all our keys), provides for hierarchical arrangement of entries, has integrated support for git, and can be used in scripts.

This at least helps with the password management and enables easy distribution to the servers (pass can be installed from apt).

Minor hassle is that it requires gnu-getopt on OS-X which needs to be installed through brew, which most of us probably use anyway.
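As an added illustration of the "can be used in scripts" point in comment #2 (not part of that comment and not DataONE code): a deploy-time helper that fills a properties template from `pass`, so the template can be kept in version control without the secret. The `@pass:ENTRY@` placeholder syntax, the property keys and the entry paths are assumptions, and the rendered file still holds the password in cleartext on the server, so this covers management and distribution only.

```shell
#!/bin/sh
# Added example, not DataONE code. Placeholder syntax (@pass:ENTRY@), key
# names and entry paths are assumptions made for this illustration.

PASS_CMD="${PASS_CMD:-pass}"   # overridable, e.g. with a stub for testing

# render_properties TEMPLATE OUTPUT
# Copies TEMPLATE to OUTPUT, replacing each line of the form
#   key=@pass:some/entry@
# with key=<first line of `pass show some/entry`>.
# OUTPUT is written mode 0600 and only appears if every lookup succeeded.
render_properties() {
    template=$1
    output=$2
    tmp=$(mktemp "${output}.XXXXXX") || return 1   # mktemp creates it 0600
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            *=@pass:*@)
                key=${line%%=*}
                entry=${line#*=@pass:}
                entry=${entry%@}
                # By pass convention the password is the entry's first line.
                secret=$("$PASS_CMD" show "$entry" < /dev/null | head -n 1)
                if [ -z "$secret" ]; then
                    echo "render_properties: no secret for '$entry'" >&2
                    rm -f "$tmp"
                    return 1
                fi
                # Written verbatim; a secret containing backslashes would
                # need Java .properties escaping first.
                printf '%s=%s\n' "$key" "$secret"
                ;;
            *)
                printf '%s\n' "$line"
                ;;
        esac
    done < "$template" > "$tmp"
    chmod 600 "$tmp" && mv "$tmp" "$output"
}
```

A failed lookup removes the temporary file and returns non-zero, so a service is never started against a half-rendered configuration.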

#3 Updated by Dave Vieglais almost 7 years ago

  • Assignee changed from Matthew Jones to Dave Vieglais

#4 Updated by Dave Vieglais almost 7 years ago

  • Sprint set to Infrastructure backlog
