Server.xml contains keystore password in cleartext


Article ID: 160577


Updated On:

Products

Data Loss Prevention Enforce

Issue/Introduction

On the Enforce server we store the "protect" password in clear text in the "server.xml" file.
Can this be encrypted?

Resolution

To access the file C:\Vontu\Protect\tomcat\conf\server.xml, one would need access to the Enforce server and to the DLP product installation.
Given that access, a malicious user would have many vectors to disable or damage DLP monitoring.

Customers should control authorization and access to the DLP systems very carefully.
Also, we are using out-of-the-box Tomcat, therefore a JIRA would not apply. We set it up within the possibilities of the framework, but will not make code changes that would affect our ability to support the framework, since we would effectively own and support this new code branch.
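
One way to check the access recommendation above on the Enforce server, as an added example that is not part of the original article or the product: the PowerShell below reports every account outside an allow-list that holds read access to server.xml. The allow-list and the service-account placeholder are assumptions; replace them with the accounts used in your installation.

```powershell
# Added example: audit which principals can read the Tomcat server.xml.
# The default path is the one given in the article; the allow-list is an assumption.
param(
    [string]$Path = 'C:\Vontu\Protect\tomcat\conf\server.xml',
    # Assumed allow-list. Replace the placeholder with the account that runs the DLP services.
    [string[]]$Allowed = @(
        'NT AUTHORITY\SYSTEM',
        'BUILTIN\Administrators',
        'DLP-SERVICE-ACCOUNT-PLACEHOLDER'
    )
)

if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
    Write-Error "File not found: $Path"
    exit 2
}

# ReadData is the right that lets a principal read the file contents
# (it is included in Read, ReadAndExecute, Modify and FullControl).
$readMask = [int][System.Security.AccessControl.FileSystemRights]::ReadData

$acl = Get-Acl -LiteralPath $Path

# Keep only Allow entries that grant read access to a principal not on the allow-list.
$unexpected = @($acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    (([int]$_.FileSystemRights -band $readMask) -ne 0) -and
    ($Allowed -notcontains $_.IdentityReference.Value)
})

"Owner: $($acl.Owner)"

if ($unexpected.Count -gt 0) {
    "Principals outside the allow-list with read access to ${Path}:"
    $unexpected |
        Select-Object IdentityReference, FileSystemRights, IsInherited |
        Format-Table -AutoSize
    exit 1
}

"No principals outside the allow-list can read $Path"
```

An entry with IsInherited set to True comes from a parent folder, so it has to be corrected on that folder rather than on the file itself.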