Kamailio kamctlrc password encode - passwords

I'm trying to encode the passwords that appear in the kamctlrc file. I don't know if it is possible.
Is there a way to do it?
Best wishes,
D.

kamctlrc is the configuration file for the kamctl and kamdbctl tools, which use it to get database info, the default domain and some daemon config options.
It's a text file with ATTRIBUTE=VALUE formatting.
The passwords are configured in plain text in the config file. If you edit kamctlrc with a text editor (if you've installed from the repos it'll probably be in /etc/kamailio/kamctlrc) you should see fields like DBRWPW=password and DBROOTPW=password for the database read/write password and the root database password respectively.
Here's an example kamctlrc file from the Kamailio team.
Here's some info on setting up kamctlrc to work with MySQL database backend.
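Since kamctlrc cannot hold anything but plaintext, the practical control is to make sure only the owner can read it. The following shell script is an added example, not part of Kamailio or of the answer above: it reads the ATTRIBUTE=VALUE file, reports which password attributes are set, and fails if the file is readable by group or others. The attribute names DBRWPW, DBROPW and DBROOTPW are the ones in the stock kamctlrc; the audit logic itself is my own.

```shell
#!/bin/sh
# Added example, not part of Kamailio: audit a kamctlrc for plaintext
# database passwords and check that only the owner can read the file.
# The ATTRIBUTE=VALUE layout and the names DBRWPW, DBROPW and DBROOTPW are
# those of the stock kamctlrc; the audit itself is mine.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# kamctlrc_get FILE ATTRIBUTE: print the value of the first uncommented
# ATTRIBUTE=VALUE line, with surrounding double quotes removed.
kamctlrc_get() {
    sed -n -e "s/^[[:space:]]*$2=//p" "$1" | head -n 1 | sed -e 's/^"\(.*\)"$/\1/'
}

# audit_kamctlrc FILE: 0 if no password is set or the file is owner-only,
# 1 if a plaintext password is set and group/others can read the file,
# 2 if the file does not exist.
audit_kamctlrc() {
    rc="$1"
    [ -f "$rc" ] || { echo "no such file: $rc" >&2; return 2; }
    found=0
    for attr in DBRWPW DBROPW DBROOTPW; do
        if [ -n "$(kamctlrc_get "$rc" "$attr")" ]; then
            echo "$attr is stored in plain text in $rc"
            found=1
        fi
    done
    mode=$(file_mode "$rc")
    # Keep only the group+other digits, e.g. "44" for 0644, "55" for 4755.
    go=$(printf '%s\n' "$mode" | sed 's/.*\(..\)$/\1/')
    if [ "$found" -eq 1 ] && [ "$go" != "00" ]; then
        echo "WARNING: $rc is mode $mode; run: chmod 600 $rc" >&2
        return 1
    fi
    return 0
}

# Usage: sh audit_kamctlrc.sh /etc/kamailio/kamctlrc
if [ "$#" -eq 1 ]; then
    audit_kamctlrc "$1"
fi
```

Run it as the user that owns kamctlrc (usually the one that runs kamctl); a non-zero exit means the credentials are exposed to every local account.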

Related

Hide or disable Tomcat command line arguments logging

Our application server (Apache Tomcat Plume), which uses a JTA-managed data source through the tomee.xml file, should access the database server only in secure (HTTPS) mode with two-way SSL or client authentication.
So we have to put the keystore and truststore plain passwords into setenv.sh or other places in raw format. (I'm not sure whether that is the first and last method to do that?) And what happens is that the Tomcat logging mechanism logs all this secret information in plain format into log files like catalina.out.
That (locating raw passwords in config files) is what we do not want. Actually we must encrypt the password and use it in environment variables (although it does not appear to be a big threat, a user who has access to the files could at least find the real password).
Central Question
In other words, how can we set JVM properties and environment variables in encrypted mode?
Re: Hide or disable Tomcat command line arguments logging (the title of this question)
This logging is done by VersionLoggerListener. It is possible to configure it, or just remove it from the configuration (server.xml).
Re: plaintext passwords handling
This is covered in Tomcat FAQ.
A Vault can be used to store secrets.
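As an added example (not Tomcat's code and not part of the answer above), here is a shell check for a server.xml that reports whether VersionLoggerListener will log the JVM command line at startup, plus a sed rewrite that switches that logging off. It assumes the Listener element sits on one line and uses the attribute names logArgs, logEnv and logProps as documented for Tomcat 8.5 and later (logArgs defaults to true, which is what puts -Djavax.net.ssl.keyStorePassword=... into catalina.out). It is a grep-level check, not an XML parser, so a commented-out element would also match.

```shell
#!/bin/sh
# Added example, not Tomcat's code: does this server.xml log JVM arguments?
# Assumes the <Listener .../> element is on one line; attribute names
# logArgs/logEnv/logProps are those documented for Tomcat 8.5+.

VLL='org.apache.catalina.startup.VersionLoggerListener'

# Print the Listener element for VersionLoggerListener, or fail if absent.
version_logger_element() {
    grep -m 1 "$VLL" "$1"
}

# Print one word describing argument logging:
#   absent - listener not configured, nothing is logged
#   off    - listener present with logArgs="false"
#   on     - listener present and logArgs is "true" or unset (the default)
version_logger_args() {
    el=$(version_logger_element "$1") || { echo absent; return 0; }
    case "$el" in
        *logArgs=\"false\"*|*logArgs=\'false\'*) echo off ;;
        *) echo on ;;
    esac
}

# Exit status 0 when startup will not log the command line, 1 otherwise.
check_server_xml() {
    if [ "$(version_logger_args "$1")" = on ]; then
        echo "WARNING: $1 logs the JVM command line (including -D passwords) at startup" >&2
        return 1
    fi
    return 0
}

# harden_version_logger IN OUT: copy IN to OUT with logArgs, logEnv and
# logProps forced to "false" on the VersionLoggerListener element
# (any existing values of those three attributes are dropped first).
harden_version_logger() {
    sed -e "/$VLL/s/ logArgs=\"[^\"]*\"//" \
        -e "/$VLL/s/ logEnv=\"[^\"]*\"//" \
        -e "/$VLL/s/ logProps=\"[^\"]*\"//" \
        -e "s|$VLL\"|$VLL\" logArgs=\"false\" logEnv=\"false\" logProps=\"false\"|" \
        "$1" > "$2"
}

# Usage: sh check_version_logger.sh /etc/tomcat9/server.xml
if [ "$#" -eq 1 ]; then
    check_server_xml "$1"
fi
```

Turning the listener off only stops the startup log line; the password is still in setenv.sh and in the process environment, which is why the FAQ and a vault are the answer to the second question.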

Is it safe to put the file containing the database password in var/www?

I don't want to save the file containing the database password in the webroot of apache so I moved it to var/www (the server root) and include it from there.
Is this creating new security issues which weren't there before or can I leave it there?
The security issue that it creates is that anyone who has access to the server can get your DB credentials. Also, depending on the file and folder, there is a possibility that the file can be downloaded (it really depends on the file and the security settings of your web app). The industry standard solution is to encrypt the credentials in that file.
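The download risk in the answer above is a question of where the file sits relative to the DocumentRoot. The following shell function is an added example, not part of the answer: it reports whether a file is inside the DocumentRoot, checking both the path as written (what Apache maps a URL to) and the physical path after resolving symlinks, because a symlinked directory under the DocumentRoot can pull an "outside" file into reach. The paths in the usage line are assumptions.

```shell
#!/bin/sh
# Added example, not from the answer above: is a file outside the web
# server's DocumentRoot? Both the logical path (symlinks kept) and the
# physical path (symlinks resolved) are compared against the DocumentRoot.

# Physical path of a directory, symlinks resolved.
physical_dir() { (cd "$1" 2>/dev/null && pwd -P); }

# Logical path of a directory, symlinks kept but ./ and ../ normalised.
logical_dir()  { (cd "$1" 2>/dev/null && pwd -L); }

# outside_docroot FILE DOCROOT
# 0 if FILE lives outside DOCROOT, 1 if it is inside (logically or
# physically), 2 if FILE or DOCROOT does not exist.
outside_docroot() {
    f="$1"; root="$2"
    [ -e "$f" ] || return 2
    rootl=$(logical_dir "$root") || return 2
    rootp=$(physical_dir "$root") || return 2
    dir=$(dirname "$f")
    for candidate in "$(logical_dir "$dir")" "$(physical_dir "$dir")"; do
        # The trailing slash stops /var/www/htmlx matching /var/www/html.
        case "$candidate/" in
            "$rootl"/*|"$rootp"/*) return 1 ;;
        esac
    done
    return 0
}

# Usage: sh webroot_check.sh /var/www/db_config.php /var/www/html
if [ "$#" -eq 2 ]; then
    if outside_docroot "$1" "$2"; then
        echo "$1 is outside $2 (ok)"
    else
        echo "$1 is inside $2: do not keep credentials there" >&2
        exit 1
    fi
fi
```

Being outside the DocumentRoot removes the download path; it does nothing about local users, for which the file still needs owner-only permissions with the web server's user as owner.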

How can I hide the password_persist.txt file in the ESB_HOME directory?

I put the password_persist.txt file on the client site, because the ESB works as a Windows service. But we are concerned about the security of this password, because everyone can have access to it.
They don't want to use the password-tmp file every time.
Is there any solution for hiding it or hashing it?
Thanks in advance
We run our ESB as a windows service with the Log On As set to a user we setup specifically to run our ESB and other wso2 products (ex. domain\wso2user). We then use a data security product, in our case Vormetric, to lock that file down so that only that user we have setup to run our windows service has access to that file. All other users are denied access to viewing that file.
We worked with our security team to arrive at this solution so I would recommend speaking to yours and seeing if they have a solution in place for this type of scenario. My only experience with this is using Vormetric but I am sure there are countless other products out there that will provide similar functionality.
Joe
Another solution would be to take the base64-encoded keystore password, decode it and generate the password-tmp file at server startup using the server startup script. In Linux you could include
echo d3NvMmNhcmJvbgo= | base64 -d > "$CARBON_HOME/password-tmp"   # '>' rather than tee, so the decoded password is not also printed to stdout
at the start of the elif [ "$CMD" = "start" ]; then block. You should be able to do something similar for Windows as well. It would be better to go with encryption though.
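A startup hook along the lines of the answer above, written as an added example rather than WSO2's own startup script: it decodes the value into $CARBON_HOME/password-tmp with the file owner-readable from the moment it is created, never prints the secret, and leaves an existing password-tmp untouched if the input does not decode. The encoded value is the one from the answer; it decodes to "wso2carbon", the well-known default WSO2 keystore password. base64 is an encoding, not encryption: anyone who can read the startup script can decode it, which is the caveat the answer ends on.

```shell
#!/bin/sh
# Added example, not WSO2's startup script: write $CARBON_HOME/password-tmp
# from a base64 value without exposing it on stdout or in a readable file.
# base64 is obfuscation only; the value below is the answer's and decodes
# to "wso2carbon", the default WSO2 keystore password.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# write_password_tmp CARBON_HOME BASE64_VALUE
# Creates CARBON_HOME/password-tmp with mode 0600 via an atomic rename;
# any existing password-tmp is kept if the input is not valid base64.
write_password_tmp() {
    target="$1/password-tmp"
    tmp="$target.$$"
    old_umask=$(umask)
    umask 077                        # new files are 0600 from the first byte
    rm -f "$tmp"
    if ! printf '%s\n' "$2" | base64 -d > "$tmp" 2>/dev/null; then
        rm -f "$tmp"; umask "$old_umask"
        echo "password-tmp: value is not valid base64" >&2
        return 1
    fi
    umask "$old_umask"
    if [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        echo "password-tmp: decoded value is empty" >&2
        return 1
    fi
    mv -f "$tmp" "$target"           # rename is atomic; readers never see a partial file
}

# Startup hook, e.g. inside the `elif [ "$CMD" = "start" ]; then` block:
#   write_password_tmp "$CARBON_HOME" d3NvMmNhcmJvbgo= || exit 1
```

Because the decoded value is piped straight into the file, nothing goes to stdout, so the startup log never receives it; the umask makes the chmod-after-write race of a plain redirect unnecessary.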

Is there a way to directly edit files on a server?

Is there any way to directly code on a server, meaning you open the file from the server and save it there?
Or is there any method faster than traditional ftp that automatically syncs to the server when you save locally?
Using SVN is a good option.
Read this: Combined SVN FTP system
If you're just talking about text files then some text editors support this, e.g. BBEdit, which can open and save directly to/from FTP/SFTP etc.

Best practice for securing sensitive data in plain text file?

Currently I am working on a C Linux daemon that takes user input for an SQL connection string, then stores the information into a local conf file (client side). The purpose of the daemon is to submit data to an SQL database at a set interval, in that every time the daemon is loaded it will look to the local conf for the SQL connection string. Also, by using the command line argument -c, the user can reconfigure the SQL connection string in the event that the information changes. Would anyone be willing to share a way of securing this conf file so that it is not plain text? Keep in mind that I still need to be able to access and read from the conf file as there are other conf settings present. Thanks in advance, guys.
Edit: I do eventually plan to use SSL to submit the data between the client side and the SQL server.
The (only?) way to secure the file is to change its permissions to make it readable only to the user that runs the daemon.
E.g. if you are running the daemon as user 'foo' and group 'foo', you should:
chown foo:foo my-conf-file
chmod 600 my-conf-file
(Or even chmod it to 400 to prevent accidental modification, but I guess in this case you'll lose the -c option functionality).
NOTE: Also remember that it is quite dangerous to pass connection strings on the command line since they will be visible from the process listing!
You could also use some GPG stuff to encrypt the file, but I don't see the point there since then you have to protect the key you use to decrypt the file, and you get the exact same problem as before.
If you have no place to keep your secrets, cryptography will not help you. If your daemon is somehow able to decode the password without using any secret, then anyone can do this too. So you have to rely on system protection, such as file access mode flags, to keep keys.
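The two answers above come down to file permissions plus keeping the secret off the command line. As an added example (not the asker's daemon, and written in shell rather than the daemon's C), here is the "-c reconfigure" step done that way: the connection string arrives on stdin, so it never shows in ps; the conf file is rewritten through a temp file created under umask 077 and renamed into place, so it is never readable by others and never half-written; and every other key in the file is preserved. The key name sql_connection and the key=value layout are assumptions.

```shell
#!/bin/sh
# Added example, not the asker's daemon: replace one key in a key=value
# conf file with the secret read from stdin, leaving the file mode 0600.
# The key name sql_connection and the conf layout are assumptions.

# Octal permission bits of a file (GNU stat first, BSD stat as fallback).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# set_conf_value FILE KEY VALUE
# Replaces the first KEY=... line, drops later duplicates, appends if
# missing. The result is written to a temp file created under umask 077
# and renamed over FILE, so the secret is never in a world-readable file
# and a crash mid-write leaves the old file intact.
set_conf_value() {
    conf="$1"; key="$2"; value="$3"
    tmp="$conf.tmp.$$"
    old_umask=$(umask)
    umask 077
    rm -f "$tmp"
    # Values go through the environment, not awk -v: -v would interpret
    # backslash escapes inside a connection string.
    if ! K="$key" V="$value" awk '
        BEGIN { k = ENVIRON["K"]; v = ENVIRON["V"]; done = 0 }
        index($0, k "=") == 1 {
            if (!done) { print k "=" v; done = 1 }
            next
        }
        { print }
        END { if (!done) print k "=" v }
    ' "$conf" > "$tmp"; then
        rm -f "$tmp"; umask "$old_umask"; return 1
    fi
    umask "$old_umask"
    mv -f "$tmp" "$conf"
}

# reconfigure_from_stdin FILE
# Reads one line from stdin (a prompt with `stty -echo`, or a pipe from a
# secret store) and stores it as sql_connection. Nothing from argv is used,
# so the secret is not visible in the process listing.
reconfigure_from_stdin() {
    IFS= read -r conn || return 1
    [ -n "$conn" ] || { echo "empty connection string" >&2; return 1; }
    set_conf_value "$1" sql_connection "$conn"
}

# Usage (run as the daemon's own unprivileged user, e.g. 'foo'):
#   printf '%s\n' 'Server=db;Uid=app;Pwd=...' | reconfigure_from_stdin /etc/mydaemon.conf
```

Whatever the daemon's own language, the same three points carry over: create the file with a restrictive umask before the first byte is written, replace it with rename rather than truncate-and-rewrite, and take the secret from stdin or a file descriptor rather than argv.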