There is a security problem in the SHA2Encoder: the password passed to it is logged in plain text in /product/sha2/configuration/*.log.
Example contents (for the dummy password "xx"):
!SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
Framework arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder xx
Command-line arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder xx
!ENTRY org.eclipse.update.configurator 4 0 2020-11-10 12:35:07.384
!MESSAGE Could not install bundle plugins/commons-codec_1.10.jar Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from: [email protected]/org.apache.commons.codec_1.10.jar
The root cause is that the org.apache.commons.codec bundle is present twice. This triggers an OSGi error, and the error causes the framework log to be written, complete with the command-line arguments that contain the password.
The password itself cannot be obscured in that log, but properties can be changed so that any OSGi errors are flagged in the console when running the password encoder script.
Release : 10.7.0
Component : Introscope
1) Open SHA2Encoder.sh and change the
With this configuration option, any OSGi errors will be written to the console as shown below:
1) Stop the Enterprise Manager
2) Go to <EM_HOME>/product/enterprise/plugins
3) Locate the file commons-codec_1.10.jar and remove it from the folder.
4) Clear the OSGi cache using the instructions here
5) Restart the Enterprise Manager
With this change, the log file should no longer be created in /product/sha2/configuration/*.log, so the password will not be exposed.
A defect has been raised to address the duplicate bundles; the fix is planned for delivery in 10.7 SP4.
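Existing log files written before the workaround was applied still carry the password. The following POSIX shell script is an added example, not part of this article or of the Introscope product: it counts the logs under a given configuration directory that still contain a plain-text SHA2Encoder argument, and redacts that argument in place. It assumes the log format shown above and takes the directory (e.g. <EM_HOME>/product/sha2/configuration) as its argument; the sample log it creates is constructed for demonstration, with the dummy password "xx".

```sh
#!/bin/sh
# Added example (not from the original article): find and redact plain-text
# SHA2Encoder password arguments in Eclipse/OSGi configuration logs.
# Assumption: logs live under the directory passed as $1 and use the
# "Framework arguments:" / "Command-line arguments:" lines shown in the article.

# Count log files in DIR that still carry a non-redacted SHA2Encoder argument.
count_exposed_logs() {
    dir=$1
    hits=0
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        # A line that names the SHA2Encoder application followed by an argument,
        # excluding lines we have already redacted.
        if grep -E 'SHA2Encoder[[:space:]]+[^[:space:]]' "$f" \
            | grep -qv 'SHA2Encoder <redacted>'; then
            hits=$((hits + 1))
        fi
    done
    echo "$hits"
}

# Replace the argument that follows the SHA2Encoder application id with
# "<redacted>" in every log under DIR, rewriting each file via a temp copy.
redact_exposed_logs() {
    dir=$1
    for f in "$dir"/*.log; do
        [ -f "$f" ] || continue
        sed 's/\(SHA2Encoder\)[[:space:]][^[:space:]]*/\1 <redacted>/' "$f" > "$f.tmp" \
            && mv "$f.tmp" "$f"
    done
}

# Constructed sample log mirroring the article's format (dummy password "xx").
make_sample_log() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/sample.log" <<'EOF'
!SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
Framework arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder xx
Command-line arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder xx
EOF
}

# Stand-alone demonstration on a throwaway directory.
demo_dir=$(mktemp -d)
make_sample_log "$demo_dir"
echo "exposed logs before redaction: $(count_exposed_logs "$demo_dir")"
redact_exposed_logs "$demo_dir"
echo "exposed logs after redaction:  $(count_exposed_logs "$demo_dir")"
rm -rf "$demo_dir"
```

Run `count_exposed_logs <EM_HOME>/product/sha2/configuration` on the real directory to audit, and `redact_exposed_logs` only after confirming the match is what you expect; the redaction keeps the rest of each log intact so the OSGi error context remains available for troubleshooting.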