ALERT: Some images may not load properly within the Knowledge Base Article. If you see a broken image, please right-click and select 'Open image in a new tab'. We apologize for this inconvenience.
12.7 Admin UI Java Keystore Vulnerability
Article ID: 111842
Updated On:
Products
CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
CA Single Sign-On
Issue/Introduction
When the Admin UI's running JBoss (java) process is queried via ps -ef, the java keystore password is displayed in clear text:
smuser 22143 22075 5 Jul17 ? 18:08:10 /app/CA/siteminder/adminui/runtime/bin/java -D[Standalone] -server -Xms1024m -Xmx1536m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dcom.sun.jersey.server.impl.cdi.lookupExtensionInBeanManager=true -Djavax.net.ssl.keyStore=/app/CA/siteminder/adminui/standalone/configuration/keyStore.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/app/CA/siteminder/adminui/standalone/configuration/trustStore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit -Dorg.jboss.boot.log.file=/app/CA/siteminder/adminui/standalone/log/server.log -Dlogging.configuration=file:/app/CA/siteminder/adminui/standalone/configuration/logging.properties -jar /app/CA/siteminder/adminui/jboss-modules.jar -mp /app/CA/siteminder/adminui/modules org.jboss.as.standalone -Djboss.home.dir=/app/CA/siteminder/adminui -Djboss.server.base.dir=/app/CA/siteminder/adminui/standalone -c standalone-full.xml -b 0.0.0.0 -Dnete.j2ee.vendor=jboss#
smuser 22143 22075 5 Jul17 ? 18:08:10 /app/CA/siteminder/adminui/runtime/bin/java -D[Standalone] -server -Xms1024m -Xmx1536m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dcom.sun.jersey.server.impl.cdi.lookupExtensionInBeanManager=true -Djavax.net.ssl.keyStore=/app/CA/siteminder/adminui/standalone/configuration/keyStore.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/app/CA/siteminder/adminui/standalone/configuration/trustStore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit -Dorg.jboss.boot.log.file=/app/CA/siteminder/adminui/standalone/log/server.log -Dlogging.configuration=file:/app/CA/siteminder/adminui/standalone/configuration/logging.properties -jar /app/CA/siteminder/adminui/jboss-modules.jar -mp /app/CA/siteminder/adminui/modules org.jboss.as.standalone -Djboss.home.dir=/app/CA/siteminder/adminui -Djboss.server.base.dir=/app/CA/siteminder/adminui/standalone -c standalone-full.xml -b 0.0.0.0 -Dnete.j2ee.vendor=jboss#
Environment
Release: MSPSSO99000-12.8-Single Sign-On-for Business Users-MSP
Component:
Component:
Resolution
If SSL is not used with the WAM UI, To suppress the clear text password output, comment/delete the following entries in standalone.conf:
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
Steps to implement:
1) Stop the adminui if running
2) Make the changes
3) Start the adminui
) Check the output of ps -ef | grep java
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"
Steps to implement:
1) Stop the adminui if running
2) Make the changes
3) Start the adminui
) Check the output of ps -ef | grep java
Feedback
Yes
No
Powered by
