Siteminder Adminui Keystore Password Exposure
Article ID: 138655

Products

CA Single Sign On Secure Proxy Server (SiteMinder)
CA Single Sign On Agents (SiteMinder)
CA Single Sign On Federation (SiteMinder)
CA Single Sign On SOA Security Manager (SiteMinder)
SITEMINDER

Issue/Introduction

During a security audit, the AdminUI Java process may be flagged because its command line exposes the keystore and truststore passwords, as seen in the process listing below:

/opt/CA/siteminder/adminu/runtime/bin/java -D[Standalone] -server -Xms1024m -Xmx1536m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dcom.sun.jersey.server.impl.cdi.lookupExtensionInBeanManager=true -Djavax.net.ssl.keyStore=/opt/CA/siteminder/adminui/standalone/configuration/security/key.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=smadminui -Djavax.net.ssl.trustStore=/opt/CA/siteminder/adminui/standalone/configuration/security/trust.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=smadminui -Dorg.jboss.boot.log.file=/opt/CA/siteminder/adminui/standalone/log/server.log -Dlogging.configuration=file:/opt/CA/siteminder/adminui/standalone/configuration/logging.properties -jar /opt/CA/siteminder/adminui/jboss-modules.jar -mp /opt/CA/siteminder/adminui/modules org.jboss.as.standalone -Djboss.home.dir=/opt/CA/siteminder/adminui -Djboss.server.base.dir=/opt/CA/siteminder/adminui/standalone -c standalone-full.xml

Environment

PRODUCT: Siteminder

COMPONENT: SITEMINDER - POLICY SERVER

VERSION: 12.8.x

OS: ANY

Cause

This data is exposed in the 'standalone-full.xml' file by default.

Resolution

1) Back up the Siteminder AdminUI "standalone.conf" file

WINDOWS:

Default: <SMAdminUI_Install_Dir>\CA\siteminder\adminui\bin\standalone.conf

UNIX:

<SMAdminUI_Install_Dir>/CA/siteminder/adminui/bin/standalone.conf

2) Comment out the following entries in the Siteminder AdminUI "standalone.conf" file:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

Running [ps -ef|grep java] should then no longer return the key store and trust store passwords.
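As an added example that is not part of this article, the POSIX shell snippet below automates both halves of the resolution: it scans a ps listing for JVM command lines that carry -Djavax.net.ssl.keyStorePassword or -Djavax.net.ssl.trustStorePassword (printing the PID and flag name with the value redacted), and it comments out the matching JAVA_OPTS lines in a standalone.conf. The ps output and the conf content are constructed samples, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the KB article): audit a `ps -ef` listing for JVMs that
# expose a key/trust store password on their command line, and comment out the
# JAVA_OPTS lines that put it there.

# Constructed sample of `ps -ef` output: one exposed AdminUI JVM, one clean process.
SAMPLE_PS='root  1234  1 0 10:00 ?  00:01:02 /opt/CA/siteminder/adminui/runtime/bin/java -server -Djavax.net.ssl.keyStore=/opt/CA/siteminder/adminui/standalone/configuration/security/key.jks -Djavax.net.ssl.keyStorePassword=EXAMPLE_PASSWORD -Djavax.net.ssl.trustStorePassword=EXAMPLE_PASSWORD -jar /opt/CA/siteminder/adminui/jboss-modules.jar
root  2345  1 0 10:01 ?  00:00:10 /usr/bin/sshd -D'

# Constructed sample of the relevant standalone.conf lines.
SAMPLE_CONF='JAVA_OPTS="-Xms1024m -Xmx1536m"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStore=/opt/CA/siteminder/adminui/standalone/configuration/security/key.jks"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"'

# Print "<PID> <flag>=<redacted>" for every store-password flag found in a ps -ef
# listing ($1). Exit status 1 when anything is found, 0 when clean, so the
# function can gate a compliance check. The password value itself is never printed.
find_exposed_store_passwords() {
    printf '%s\n' "$1" |
      awk '/-Djavax\.net\.ssl\.(keyStore|trustStore)Password=/ {
             # ps -ef columns: UID PID PPID C STIME TTY TIME CMD...; CMD starts at $8
             for (i = 8; i <= NF; i++)
                 if ($i ~ /^-Djavax\.net\.ssl\.(keyStore|trustStore)Password=/) {
                     split($i, kv, "=")
                     print $2, kv[1] "=<redacted>"
                     found = 1
                 }
           }
           END { if (found) exit 1; exit 0 }'
}

# Comment out JAVA_OPTS lines on stdin that set a store password (step 2 of the
# resolution). Works on a stream so the backup from step 1 is left untouched.
redact_standalone_conf() {
    sed -E 's/^([[:space:]]*JAVA_OPTS=.*-Djavax\.net\.ssl\.(keyStore|trustStore)Password=)/#\1/'
}

# Demonstration on the constructed samples.
find_exposed_store_passwords "$SAMPLE_PS" || echo "store password(s) exposed on a JVM command line"
printf '%s\n' "$SAMPLE_CONF" | redact_standalone_conf
```

On a live host, run find_exposed_store_passwords "$(ps -ef)" before and after the change to confirm the passwords have left the command line.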