ID Security
Posted: Wed Jul 16, 2014 6:51 pm
by rajasegar
XI 2014R1.2
There is a security concern on all the ID and password stored in clear text in the CCM.
Can you please advise how to get around this issue?
Thanks
Re: ID Security
Posted: Thu Jul 17, 2014 9:25 am
by tmcdonald
I can certainly put in a feature request for salted+hashed passwords in the database, but where specifically were you referring to? If you mean in the host/service definitions as arguments, the way to keep them from being displayed is to place them in the resource.cfg file and reference them as $USERX$ macros.
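The resource.cfg approach from the reply above, shown as an added before/after configuration (constructed for illustration, not taken from the thread or from Nagios XI's shipped files). It assumes a command that passes a credential to a plugin; check_http's real -a user:password option is used as the stand-in, and the host name, macro number and secret value are made up.

```cfg
# --- Before: the credential sits in the service definition and is visible
# --- wherever that object is displayed (CCM, web UI, *.cfg exports).
define service {
    use                  generic-service
    host_name            web-server-01          ; constructed host name
    service_description  HTTP basic-auth check
    check_command        check_http_auth!monitor:S3cretPass
}

define command {
    command_name  check_http_auth
    command_line  $USER1$/check_http -H $HOSTADDRESS$ -a $ARG1$
}

# --- After: the credential lives only in resource.cfg, which the web UI
# --- does not display; keep that file readable by the nagios user only.
# resource.cfg (assumed path: /usr/local/nagios/etc/resource.cfg)
$USER1$=/usr/local/nagios/libexec
$USER5$=monitor:S3cretPass    ; constructed value; $USER5$ chosen arbitrarily

# commands.cfg: reference the macro instead of taking the secret as $ARG1$
define command {
    command_name  check_http_auth
    command_line  $USER1$/check_http -H $HOSTADDRESS$ -a $USER5$
}

# services.cfg: the service no longer carries the credential at all
define service {
    use                  generic-service
    host_name            web-server-01
    service_description  HTTP basic-auth check
    check_command        check_http_auth
}
```

Nagios still expands $USER5$ into the plugin's command line at check time, so the value is readable by anyone who can open resource.cfg or list the running process; the macro hides it from the configuration views, it does not encrypt it.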
Re: ID Security
Posted: Thu Jul 17, 2014 6:17 pm
by rajasegar
tmcdonald wrote:
I can certainly put in a feature request for salted+hashed passwords in the database, but where specifically were you referring to? If you mean in the host/service definitions as arguments the way to keep them from being displayed is to place them in the resource.cfg file and reference them as $USERX$ macros.
Security team requirements.
Password cannot be displayed anywhere in clear text and must be stored in encrypted state.
This includes in the definition files *.cfg, resource.cfg & DB.
Re: ID Security
Posted: Fri Jul 18, 2014 9:17 am
by tmcdonald
The database is possible, we just need to salt+hash passwords and do a compare when authenticating.
However, since the passwords in *.cfg and resource.cfg need to be sent/used (as opposed to compared against), there is no way they can be encrypted. You can't send an FTP password to test file upload capabilities if that password is not known (i.e. it is encrypted).