sha2encoder: plain text password logged


Article ID: 207862


Updated On:


CA Application Performance Management (APM / Wily / Introscope)



There is a security problem in the SHA2encoder: The password is logged in plain text in /product/sha2/configuration/*.log.

Example contents (for the dummy password "xx"):

     !SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
     java.vendor=Oracle Corporation
     BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
     Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
     Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx

     !ENTRY org.eclipse.update.configurator 4 0 2020-11-10 12:35:07.384
     !MESSAGE Could not install bundle plugins/commons-codec_1.10.jar   Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from:         update@plugins/org.apache.commons.codec_1.10.jar




Release : 10.7.0

Component : Introscope



The root cause is that the org.apache.commons.codec bundle is present twice, which causes an OSGi error and causes a log to be generated.

The password cannot be obscured, but properties can be changed so that any OSGi errors are flagged in the console when running the password encoder script.


  • Steps to enable the console logging in

1) Open and change the -Declipse.consoleLog= property from false to true:

     "$JAVA_HOME/bin/java" -Declipse.consoleLog=true -jar "$installDir/launcher.jar" -configuration "$installDir/product/sha2/configuration" -install "$installDir/product/enterprisemanager" -application com.wily.introscope.eclipseapp.SHA2Encoder $1


With this configuration option, any OSGi errors will be written to the console as shown below:

     [root@apmhost tools]# ./ help
     Debug options:
     file:/tmp/.options not found
     !SESSION 2020-11-25 11:33:07.666 -----------------------------------------------
     java.vendor=Oracle Corporation
     BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_GB
     Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder help
     Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder help

     !ENTRY org.eclipse.update.configurator 4 0 2020-11-25 11:33:08.730
     !MESSAGE Could not install bundle plugins/org.apache.commons.codec_1.10.jar   Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from: update@plugins/commons-codec_1.10.jar
     log4j:WARN No appenders could be found for logger (org.springframework.osgi.extender.internal.activator.ContextLoaderListener).
     log4j:WARN Please initialize the log4j system properly.
     log4j:WARN See for more info.



  • Steps to remove duplicate bundle:

1) Stop the Enterprise Manager

2) Go to <EM_HOME>/product/enterprise/plugins

3) Locate the file commons-codec_1.10.jar and remove it from the folder.

4) Clear the OSGi cache using the instructions here

5) Restart the Enterprise Manager


With this change, the log should not be created in /product/sha2/configuration/*.log, so the password will not be exposed.
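To check a host for both the exposure and its root cause, the following added example (not Broadcom's or the product's own code) lists session logs that recorded an argument after the SHA2Encoder application name and tests whether both codec jars named above are present. The function names, the `--demo` switch and the sample log file name are assumptions made for illustration; the sample log is constructed from the excerpt above.

```shell
#!/usr/bin/env bash
# Added example, not vendor code: audit for the SHA2Encoder password leak.

# Session-header lines where something follows the SHA2Encoder application name.
SHA2_ARG_RE='^[[:space:]]*(Framework|Command-line) arguments:.*-application[[:space:]]+com\.wily\.introscope\.eclipseapp\.SHA2Encoder[[:space:]]+[^[:space:]]'

# List *.log files in DIR ($1) that recorded an argument to SHA2Encoder.
# Prints "<file>: <matching line count>"; the argument itself is never printed.
find_sha2_leaks() {
    local dir=$1 f n
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        n=$(grep -Ec "$SHA2_ARG_RE" "$f" || true)
        if [ "${n:-0}" -gt 0 ]; then printf '%s: %s\n' "$f" "$n"; fi
    done
}

# Succeeds when both copies of the codec bundle named in the article are in
# PLUGINS_DIR ($1), i.e. the root cause is still in place.
has_duplicate_codec() {
    [ -f "$1/commons-codec_1.10.jar" ] && [ -f "$1/org.apache.commons.codec_1.10.jar" ]
}

# Constructed sample data: one log with the dummy argument "xx", one without,
# and two empty files standing in for the duplicate jars.
make_sample() {
    local d
    d=$(mktemp -d)
    mkdir -p "$d/configuration" "$d/plugins"
    cat > "$d/configuration/1605011705442.log" <<'EOF'
!SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
EOF
    printf '!ENTRY org.eclipse.update.configurator 4 0 2020-11-10 12:35:07.384\n' \
        > "$d/configuration/other.log"
    : > "$d/plugins/commons-codec_1.10.jar"
    : > "$d/plugins/org.apache.commons.codec_1.10.jar"
    printf '%s\n' "$d"
}

if [ "${1:-}" = "--demo" ]; then
    s=$(make_sample)
    find_sha2_leaks "$s/configuration"
    if has_duplicate_codec "$s/plugins"; then echo "duplicate commons-codec bundle present"; fi
    rm -rf "$s"
fi
```

Any file it lists still holds the argument in plain text, so the scan is worth running after the duplicate bundle is removed as well as before.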


A defect has been raised to address the issue with the duplicate bundles, and the fix would be included in the work to deliver 10.7 SP4.