
sha2encoder: plain text password logged


Article ID: 207862


Updated On:


CA Application Performance Management (APM / Wily / Introscope)



There is a security problem in the SHA2encoder: The password is logged in plain text in /product/sha2/configuration/*.log.

Example contents (for dummy password "xx"):

     !SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
     java.vendor=Oracle Corporation
     BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
     Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
     Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx

     !ENTRY org.eclipse.update.configurator 4 0 2020-11-10 12:35:07.384
     !MESSAGE Could not install bundle plugins/commons-codec_1.10.jar   Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from:         [email protected]/org.apache.commons.codec_1.10.jar





The root cause is that the org.apache.commons.codec bundle is present twice, which causes an OSGi error and causes a log to be generated. The session header of that log records the command-line arguments, which include the password.

The password cannot be obscured, but properties can be changed so that any OSGi errors are flagged in the console when running the password encoder script.


Release : 10.7.0

Component : Introscope


  • Steps to enable the console logging in

1) Open and change the -Declipse.consoleLog= property from false to true:

     "$JAVA_HOME/bin/java" -Declipse.consoleLog=true -jar "$installDir/launcher.jar" -configuration "$installDir/product/sha2/configuration" -install "$installDir/product/enterprisemanager" -application com.wily.introscope.eclipseapp.SHA2Encoder $1


With this configuration option, any OSGi errors will be written to the console as shown below:

     [[email protected] tools]# ./ help
     Debug options:
     file:/tmp/.options not found

     !SESSION 2020-11-25 11:33:07.666 -----------------------------------------------
     java.vendor=Oracle Corporation
     BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_GB
     Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder help
     Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder help

     !ENTRY org.eclipse.update.configurator 4 0 2020-11-25 11:33:08.730
     !MESSAGE Could not install bundle plugins/org.apache.commons.codec_1.10.jar   Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from: [email protected]/commons-codec_1.10.jar
     log4j:WARN No appenders could be found for logger (org.springframework.osgi.extender.internal.activator.ContextLoaderListener).
     log4j:WARN Please initialize the log4j system properly.
     log4j:WARN See for more info.



  • Steps to remove duplicate bundle:

1) Stop the Enterprise Manager

2) Go to <EM_HOME>/product/enterprise/plugins

3) Locate the file commons-codec_1.10.jar and remove it from the folder.

4) Clear the OSGi cache using the instructions here

5) Restart the Enterprise Manager


With this change, the log should not be created in /product/sha2/configuration/*.log, so the password will not be exposed.
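Logs written before the duplicate bundle was removed still contain the argument. The shell functions below are an added example, not part of the vendor's tooling: they list the file and line number of every SHA2Encoder argument recorded under a configuration directory without echoing the value, and check a plugins directory for both copies of the codec bundle named in the error. The function names and the sample log are constructed for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Function names are hypothetical.

# Print "file:line" for every session-log line that recorded an argument
# passed to SHA2Encoder. The argument (the password) is never echoed.
# Any argument is reported, including harmless ones such as "help".
find_exposed_args() {
    for f in "$1"/*.log; do
        [ -f "$f" ] || continue
        awk -v file="$f" '
            /(Framework|Command-line) arguments:/ &&
            /-application com\.wily\.introscope\.eclipseapp\.SHA2Encoder +[^ ]/ {
                print file ":" NR
            }' "$f"
    done
}

# Number of distinct log files holding at least one recorded argument.
count_exposed_logs() {
    find_exposed_args "$1" | sed 's/:[0-9]*$//' | sort -u | wc -l | tr -d ' '
}

# True when both copies of the codec bundle named in the OSGi error exist.
has_duplicate_codec() {
    [ -f "$1/commons-codec_1.10.jar" ] &&
        [ -f "$1/org.apache.commons.codec_1.10.jar" ]
}

# Constructed sample log with the same shape as the excerpt in the article.
write_sample_log() {
    cat > "$1" <<'EOF'
!SESSION 2020-11-10 12:35:05.442 ------
java.vendor=Oracle Corporation
Framework arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
Command-line arguments:  -application com.wily.introscope.eclipseapp.SHA2Encoder xx
EOF
}

# Usage: sh check.sh <configuration dir> [<plugins dir>]
if [ "$#" -ge 1 ]; then
    find_exposed_args "$1"
    if [ "$#" -ge 2 ] && has_duplicate_codec "$2"; then
        echo "duplicate commons-codec bundle in $2"
    fi
fi
```

Run it against the product/sha2/configuration directory of the installation; any file it reports still holds the clear-text argument.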


A defect has been raised to address the issue with the duplicate bundles, and the fix would be included in the work to deliver 10.7 SP4.