[
https://issues.apache.org/jira/browse/GERONIMO-2925?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12477541
]
Michael Malgeri commented on GERONIMO-2925:
-------------------------------------------
It refers to WAS CE because it comes from a customer using WAS CE not Geronimo.
I assumed the fix would be applied in Geronimo and WAS CE would pick it up. The
customer is "we" in the message and I did a cut and paste. We'll get more info
from the customer and post when available.
> Key used for encryption same for all server instances
> -----------------------------------------------------
>
> Key: GERONIMO-2925
> URL: https://issues.apache.org/jira/browse/GERONIMO-2925
> Project: Geronimo
> Issue Type: Bug
> Security Level: public(Regular issues)
> Components: security
> Affects Versions: 1.1.1, 1.1.2, 1.1.x, 1.2, 2.0
> Reporter: Michael Malgeri
> Priority: Critical
>
> We understand that WASCE use AES to encrypt the password. You do
> javax.crypto.Cipher.getInstance("AES") and init() with a hard-coded key.
> This key is same for all the WASCE server instances. Anyone getting access
> to a downloaded version of the software can have the algorithm and decrypt
> the password. So we need your urgent help on the following:
> 1. provide a solution with key management that we can control
> 2. provide a pluggable encryption solution so that we can use our internal
> algorithms and key management
> At least,
> 3. the key should be dynamically generated in each of the installations that
> would reduce the ability to decrypt to someone who has access to the server.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
