ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
SOI User names and passwords are shown in the source code
Article ID: 111004
CA Service Operations Insight (SOI)
Is it a security risk that SOI has usernames and encrypted passwords in configuration files ?
SOI 4.0 SOI 4.2
SOI UI and Manager are admin portals. SOI application connects to various connectors such as databases, smtp, etc. These user configuration details such as hostname,username,password,port are entered by the administrator. When the administrator revisits the configuration pages, he sees the password value in encrypted form and not in clear text. (input type="hidden" size="30" name="smtpPassword_value" value="EIBxlDsGeasfM1IL15ipNity4MXh19HPi4eJgmH6TQ5W") 1. Only SOI Application can decrypt the encrypted value 2. Only Administrator have access to Configuration Pages 3. The Configuration details are added in administrator pages only by the admin 4. Even when attacker gains admin credentials through various means, he can only see the password in encrypted form and cannot decrypt the password.