JOC - JobScheduler Operations Center
JOC-690

JOC Cockpit should support hashed passwords for keyStorePassword, keyManagerPassword, and trustStorePassword

    Details

    • Type: Feature
    • Status: Dismissed
    • Priority: Major
    • Resolution: Works as designed
    • Affects Version/s: None
    • Fix Version/s: 1.12.9
    • Component/s: None
    • Labels: None

      Description

      Current Situation

      • The JOC Cockpit HTTPS authentication requires the keystore and truststore passwords to be added to the JETTY_BASE/start.ini file in order to access the keystore or private keys. These passwords are stored in the configuration files as plain text. To make the passwords secure, it should accept hashed passwords.
      • Hashed passwords are accepted and can be used in the /Scheduler_DATA/config/private/private.conf file when we set up authentication for the JobScheduler Master web service, like:
        jobscheduler.master.auth.users {
          JOBSCHEDULER_ID = "HASH_SCHEME:HASHED_PASSWORD"
        }

      • Hashed passwords are also accepted and can be used in <agent_data>/config/private when we set up authentication between Master and Agent:
        jobscheduler.agent.auth.users {
          JOBSCHEDULER_ID = "HASH_SCHEME:HASHED_PASSWORD"
        }

      • Hashed passwords are not accepted by JOC Cockpit when used while configuring Jetty, although the Jetty documentation confirms that Jetty can be configured with hashed passwords via the parameters
        jetty.sslContext.keyStorePassword, jetty.sslContext.keyManagerPassword, and jetty.sslContext.trustStorePassword.
      • When Jetty is configured with hashed passwords, JOC Cockpit throws the exception "java.security.PrivilegedActionException: java.io.IOException: Keystore was tampered with, or password was incorrect". Refer to the attached 2019_03_07.stderrout.log file for more details.

      Desired Behavior

      • JOC Cockpit should also support hashed passwords when configuring Jetty, as they are accepted by JobScheduler Master, Agent and even by JOC Cockpit itself when used in JETTY_BASE/resources/joc/shiro.ini.

        Activity

        Armin Noll added a comment -

        Dear SOS team,

        we are also concerned about the clear text password in factory.ini when specifying the keystore password:

        -Djavax.net.ssl.keyStorePassword="password"

        Can you please consider allowing here a hashed password as well?

        Regards
        Armin Noll

        Oliver Haufe added a comment -

        There's been a big misunderstanding here.
        TrustStore, KeyStore and KeyStoreManager passwords cannot be hashed!

        Also in Jetty's start.ini these passwords are not hashed.
        They are only obfuscated (e.g. jetty.sslContext.keyStorePassword= OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4) with Jetty's own algorithm.

        It is easy to determine the password:

        java -cp lib/jetty-util-9.4.12.v20180830.jar org.eclipse.jetty.util.security.password "OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"
        

        And you get storepwd as result.

        Obfuscated passwords only pretend security, so I would do without them altogether.

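To make the point in the comment above concrete (that an OBF: value is an encoding anyone can reverse, not a hash), here is an added Python example. It is not code from the JOC project or from Jetty; it is a re-implementation of the OBF: scheme used by Jetty's org.eclipse.jetty.util.security.Password class, written from that class's published algorithm. The function names, the audit helper and the sample start.ini text are this example's own constructions; the only value taken from the page is the OBF: string quoted in the comment, which decodes to storepwd. The example goes slightly beyond the page by also covering non-ASCII passwords and by scanning a start.ini-style text for password settings.

```python
# Added example (not code from the JOC project or from Jetty): a Python
# re-implementation of the OBF: scheme used by Jetty's
# org.eclipse.jetty.util.security.Password, to show that OBF: values are a
# reversible encoding and therefore not a substitute for hashing.
import string

OBF_PREFIX = "OBF:"
_BASE36_DIGITS = string.digits + string.ascii_lowercase


def _to_base36(n: int) -> str:
    """Lower-case base-36 rendering, matching Java's Integer.toString(n, 36)."""
    digits = []
    while True:
        n, r = divmod(n, 36)
        digits.append(_BASE36_DIGITS[r])
        if n == 0:
            return "".join(reversed(digits))


def obfuscate(password: str) -> str:
    """Produce the OBF: form: chunk i combines byte i with its mirror byte."""
    data = password.encode("utf-8")
    n = len(data)
    out = [OBF_PREFIX]
    for i in range(n):
        b1, b2 = data[i], data[n - 1 - i]
        if b1 >= 128 or b2 >= 128:
            # Non-ASCII bytes (negative in Java's signed byte) get a 5-char
            # "U" chunk holding both raw bytes.
            x = _to_base36(b1 * 256 + b2)
            out.append("U0000"[: 5 - len(x)] + x)
        else:
            # Sum and difference of the pair, offset by 127 so both fit a byte.
            # No key or salt is involved anywhere in this transformation.
            i1 = 127 + b1 + b2
            i2 = 127 + b1 - b2
            x = _to_base36(i1 * 256 + i2)
            out.append("000"[: 4 - len(x)] + x)
    return "".join(out)


def deobfuscate(obf: str) -> str:
    """Invert obfuscate(); needs no secret, which is why OBF: is not a hash."""
    if obf.startswith(OBF_PREFIX):
        obf = obf[len(OBF_PREFIX):]
    raw = bytearray()
    i = 0
    while i < len(obf):
        if obf[i] == "U":
            raw.append(int(obf[i + 1:i + 5], 36) >> 8)
            i += 5
        else:
            i1, i2 = divmod(int(obf[i:i + 4], 36), 256)
            raw.append((i1 + i2 - 254) // 2)  # (sum + diff - 254) / 2 == b1
            i += 4
    return raw.decode("utf-8")


def audit_password_settings(config_text: str) -> dict:
    """Classify *Password settings in a start.ini-style text as 'plain' or
    'obfuscated (reversible)'. Neither form protects the secret at rest."""
    report = {}
    for line in config_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if not key.endswith("Password"):
            continue
        report[key] = "obfuscated (reversible)" if value.startswith(OBF_PREFIX) else "plain"
    return report


# Constructed sample in the style of JETTY_BASE/start.ini; the OBF: value is
# the one quoted in the comment above and decodes to "storepwd".
SAMPLE_START_INI = """\
jetty.sslContext.keyStorePassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.sslContext.keyManagerPassword=OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4
jetty.sslContext.trustStorePassword=storepwd
"""

if __name__ == "__main__":
    for key, kind in audit_password_settings(SAMPLE_START_INI).items():
        print(f"{key}: {kind}")
    print(deobfuscate("OBF:1vny1zlo1x8e1vnw1vn61x8g1zlu1vn4"))
    assert deobfuscate(obfuscate("pässwörd!")) == "pässwörd!"
```

The audit helper is the defender's use of this: when reviewing a start.ini, treat an OBF: value exactly like a plain-text one when deciding who may read the file, because the transformation has no key to protect it. The reason a keystore password cannot be hashed at all is visible in the exception quoted in the description: the JVM has to feed the real password into the keystore's key-derivation step to decrypt the private keys, so a one-way digest would be useless to it. Restrictive file permissions on the configuration file, or an external secret store, are the controls that actually apply here.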

          People

          • Assignee: Oliver Haufe
          • Reporter: Kanika Agrawal
          • Votes: 0
          • Watchers: 3
