Idea ID 2706486
When configuring MF Connect 4.2 to enable HTTPS, the instructions require that the Java keystore password be the same as the password for the certificate it holds.
Then the password is put into the Tomcat server.xml file in plain text.
There are two problems with this:
- The Certificate password is now stored in plain text in the system using the certificate
- The Keystore password is stored in plain text, enabling the exportation of the above Certificate
If MF Connect functioned with a separate password for the certificate, then the exposure would be limited to the keystore on the machine. With the keystore using the certificate's password, the exposure is extended to include our certificate, which is signed by our Certificate Authority.
Our security section does not like any password to be stored in any plain text file. It needs to be encrypted or at a minimum obfuscated.
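To make the two concerns above concrete for someone reviewing a Tomcat deployment, here is an added example (not MF Connect's or Tomcat's own code) that audits a server.xml for the pattern described: a `keystorePass` with no separate `keyPass`, which in Tomcat's JSSE connector means the keystore password also unlocks the private key. It also counts how many password attributes sit in the file in clear text and checks whether the file is readable by anyone other than its owner. The two server.xml fragments and all password values are constructed placeholders; the attribute names (`keystoreFile`, `keystorePass`, `keyPass`, `truststorePass`, `certificateKeystorePassword`, `certificateKeyPassword`) are Tomcat's real connector attributes, but the connector fragments here are not taken from any product documentation.

```shell
#!/bin/sh
# Added example: audit a Tomcat server.xml for plaintext keystore/key passwords
# and for a shared keystore/key secret. Constructed input; placeholder values.

WORK=$(mktemp -d)

# Constructed sample 1: the weak configuration. keystorePass is set, keyPass is
# not, so the same secret opens the keystore and unlocks the private key.
cat > "$WORK/server-weak.xml" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/connect.jks"
           keystorePass="PLACEHOLDER_STORE_PASS"
           clientAuth="false" sslProtocol="TLS"/>
EOF
chmod 644 "$WORK/server-weak.xml"   # readable by every local user

# Constructed sample 2: distinct keyPass, so the keystore password alone no
# longer unlocks the private key. Both values are still plain text, which is
# the second problem the request raises; file permissions are the minimum control.
cat > "$WORK/server-separate.xml" <<'EOF'
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/connect.jks"
           keystorePass="PLACEHOLDER_STORE_PASS"
           keyPass="PLACEHOLDER_KEY_PASS"
           clientAuth="false" sslProtocol="TLS"/>
EOF
chmod 600 "$WORK/server-separate.xml"

# Value of attribute $2 in file $1 (first occurrence), empty if absent.
attr_value() {
    sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Number of password attributes stored in clear text in the file.
plaintext_password_count() {
    grep -oE '(keystorePass|keyPass|truststorePass|certificateKeystorePassword|certificateKeyPassword)="[^"]*"' "$1" \
        | wc -l | tr -d ' '
}

# Key-protection posture of the connector:
#   NONE     no keystorePass found
#   SHARED   keystorePass only; Tomcat defaults keyPass to the keystore password
#   SAME     keyPass set but equal to keystorePass (no separation gained)
#   SEPARATE keyPass set and different from keystorePass
key_protection() {
    ks=$(attr_value "$1" keystorePass)
    kp=$(attr_value "$1" keyPass)
    if [ -z "$ks" ]; then echo NONE
    elif [ -z "$kp" ]; then echo SHARED
    elif [ "$ks" = "$kp" ]; then echo SAME
    else echo SEPARATE
    fi
}

# "yes" if group or others can read the file, "no" if only the owner can.
# Tries GNU stat first, then BSD stat.
world_or_group_readable() {
    perms=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")
    case "$perms" in
        ?00) echo no ;;
        *)   echo yes ;;
    esac
}

# Report both constructed files.
for f in "$WORK/server-weak.xml" "$WORK/server-separate.xml"; do
    printf '%s: plaintext password attrs=%s, key protection=%s, readable by others=%s\n' \
        "$(basename "$f")" "$(plaintext_password_count "$f")" \
        "$(key_protection "$f")" "$(world_or_group_readable "$f")"
done
```

Run against a real `conf/server.xml` by pointing the functions at that path. `SHARED` is the situation the request describes; moving to `SEPARATE` requires the private key in the keystore to carry its own password (Java's `keytool -keypasswd -alias <alias> -keystore <file>` changes it) and the application to accept a distinct `keyPass`. Neither state removes the cleartext secret from the file, so a `yes` from the permission check is a finding on its own.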