
Certificate password stored in plain text in the Tomcat server.xml file - insecure

Idea ID 2706486


When configuring MF Connect 4.2 to enable HTTPS, the instructions require that the Java keystore password be the same as the password for the certificate it holds.

Then the password is put into the Tomcat server.xml file in plain text.

There are two problems with this:
- The Certificate password is now stored in plain text in the system using the certificate
- The Keystore password is stored in plain text, enabling the exportation of the above Certificate

If MF Connect functioned with a separate password for the certificate, then the exposure would be limited to the keystore on the machine. With the keystore using the certificate's password, the exposure is extended to include our certificate, which is signed by our Certificate Authority.

Our security section does not like any password to be stored in any plain text file. It needs to be encrypted or at a minimum obfuscated.
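The two weaknesses described in this idea (a literal keystore password in server.xml, and a private key that is unlocked by that same password because no separate key password is set) can be checked for mechanically. The script below is an added example, not code from the original post or from Micro Focus; it audits a Tomcat server.xml for TLS connector entries whose password attributes are literal values rather than `${...}` placeholders, and reports when the key password is absent or equal to the keystore password. The attribute names (`keystorePass`/`keyPass` on a JSSE `<Connector>` in Tomcat 7 and 8, `certificateKeystorePassword`/`certificateKeyPassword` on `<Certificate>` in Tomcat 8.5 and later) are Tomcat's own; Tomcat documents that the key password defaults to the keystore password when it is not specified, and that `${name}` in server.xml is replaced from system properties at startup (a custom property source can supply the value from elsewhere). Both server.xml fragments are constructed samples.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple, Dict

# Constructed sample of the situation the post describes: a Tomcat 7/8 style
# JSSE connector with the keystore password written literally in server.xml
# and no separate key password, so the same secret also unlocks the private key.
WEAK_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>
"""

# Constructed sample of the hardened shape (Tomcat 8.5+ syntax): a distinct key
# password, and both secrets referenced as ${...} placeholders that Tomcat
# resolves at startup, so no literal secret is stored in the file itself.
HARDENED_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/keystore.jks"
                     certificateKeystorePassword="${keystore.pass}"
                     certificateKeyPassword="${key.pass}"
                     type="RSA"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Element tag -> (keystore password attribute, private key password attribute),
# as named in Tomcat's connector configuration reference.
PASSWORD_ATTRS: Dict[str, Tuple[str, str]] = {
    "Connector": ("keystorePass", "keyPass"),
    "Certificate": ("certificateKeystorePassword", "certificateKeyPassword"),
}


def is_placeholder(value: str) -> bool:
    """True when the attribute value is a ${...} reference rather than a literal."""
    return value.startswith("${") and value.endswith("}")


def audit_server_xml(xml_text: str) -> List[str]:
    """Return one finding per weakness found in the TLS password attributes."""
    findings: List[str] = []
    root = ET.fromstring(xml_text)
    for tag, (ks_attr, key_attr) in PASSWORD_ATTRS.items():
        for elem in root.iter(tag):
            ks_pass = elem.get(ks_attr)
            key_pass = elem.get(key_attr)
            if ks_pass is None and key_pass is None:
                continue  # not a TLS entry, or passwords configured elsewhere
            where = f"<{tag}>"
            if ks_pass is not None and not is_placeholder(ks_pass):
                findings.append(f"{where}: {ks_attr} is a literal secret in server.xml")
            if key_pass is not None and not is_placeholder(key_pass):
                findings.append(f"{where}: {key_attr} is a literal secret in server.xml")
            if key_pass is None and ks_pass is not None:
                # Tomcat falls back to the keystore password for the private key,
                # which is exactly the coupling the post objects to.
                findings.append(
                    f"{where}: no {key_attr}; the keystore password also unlocks the private key"
                )
            elif ks_pass is not None and key_pass is not None and ks_pass == key_pass:
                findings.append(f"{where}: {ks_attr} and {key_attr} are identical")
    return findings


if __name__ == "__main__":
    for label, sample in (("weak", WEAK_SERVER_XML), ("hardened", HARDENED_SERVER_XML)):
        result = audit_server_xml(sample)
        print(f"{label}: {len(result)} finding(s)")
        for line in result:
            print("  -", line)
```

Run against a real deployment, the script would read `conf/server.xml` instead of the embedded samples; a clean result means every keystore and key password is a placeholder and the private key has its own password, which is the separation the idea asks for. Note that a placeholder only moves the secret out of the file: the property source that resolves it (system properties on the command line, an environment variable, a credential store) still needs its own access controls.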


2 Comments
Micro Focus Contributor
Status changed to: Accepted

Planned to deliver documentation on the password-securing option in the 4.2 Hot Fix.

Alex_J, Valued Contributor

Thanks for the update.

Looking forward to seeing the results.

Alex
