Thanks Nirmal - I'll probably have a few more security questions to follow...
Should I post my questions to priv...@stratos.apache.org? Or should we set up a security@ email address?

On Mon, May 19, 2014 at 2:26 PM, Nirmal Fernando <nirmal070...@gmail.com> wrote:
>
> On Mon, May 19, 2014 at 4:20 PM, chris snow <chsnow...@gmail.com> wrote:
>>
>> hi Devs,
>>
>> Does an agent authenticate itself to Stratos?
>
> Yes, Chris.
>
>> If not, is it possible
>> that an agent could write spoofed events to the MB?
>>
>> It also looks like the agent has access to the bam admin user name and
>> password [1]:
>>
>> -Dmonitoring.server.port=<%= @bam_port %>
>> -Dmonitoring.server.secure.port=<%= @bam_secure_port %>
>> -Dmonitoring.server.admin.username=<%= @bam_username %>
>> -Dmonitoring.server.admin.password=<%= @bam_password %>
>>
>> What damage could someone (e.g. a tenant) do with possession of those
>> credentials?
>
> We might need to encrypt them and store in agent's side?!
>
>> Many thanks,
>>
>> Chris
>>
>> ---
>> [1]
>> https://github.com/apache/incubator-stratos/blob/master/tools/puppet3/modules/agent/templates/bin/stratos.sh.erb
>
> --
> Best Regards,
> Nirmal
>
> Nirmal Fernando.
> PPMC Member & Committer of Apache Stratos,
> Senior Software Engineer, WSO2 Inc.
>
> Blog: http://nirmalfdo.blogspot.com/

--
Check out my professional profile and connect with me on LinkedIn. http://lnkd.in/cw5k69