There is a security problem in the SHA2Encoder: the password is logged in plain text in /product/sha2/configuration/*.log.
Example contents (for the dummy password "xx"):
!SESSION 2020-11-10 12:35:05.442 -----------------------------------------------
eclipse.buildId=M20060629-1905
java.version=1.8.0_112
java.vendor=Oracle Corporation
BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_US
Framework arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder xx
Command-line arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder xx
!ENTRY org.eclipse.update.configurator 4 0 2020-11-10 12:35:07.384
!MESSAGE Could not install bundle plugins/commons-codec_1.10.jar Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from: update@plugins/org.apache.commons.codec_1.10.jar
Release : 10.7.0
Component : Introscope
The root cause is that the org.apache.commons.codec bundle is present twice, which causes an OSGi error and, as a result, a log file to be generated.
The password cannot be obscured, but properties can be changed so that any OSGi errors are flagged in the console when running the password encoder script.
1) Open SHA2Encoder.sh and change the -Declipse.consoleLog= property from false to true:
"$JAVA_HOME/bin/java" -Declipse.consoleLog=true -jar "$installDir/launcher.jar" -configuration "$installDir/product/sha2/configuration" -install "$installDir/product/enterprisemanager" -application com.wily.introscope.eclipseapp.SHA2Encoder $1
With this configuration option, any OSGi errors will be written to the console as shown below:
[root@apmhost tools]# ./SHA2Encoder.sh help
Debug options:
file:/tmp/.options not found
!SESSION 2020-11-25 11:33:07.666 -----------------------------------------------
eclipse.buildId=M20060629-1905
java.version=1.8.0_112
java.vendor=Oracle Corporation
BootLoader constants: OS=linux, ARCH=x86_64, WS=gtk, NL=en_GB
Framework arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder help
Command-line arguments: -application com.wily.introscope.eclipseapp.SHA2Encoder help
!ENTRY org.eclipse.update.configurator 4 0 2020-11-25 11:33:08.730
!MESSAGE Could not install bundle plugins/org.apache.commons.codec_1.10.jar Bundle "org.apache.commons.codec" version "1.10.0" has already been installed from: update@plugins/commons-codec_1.10.jar
log4j:WARN No appenders could be found for logger (org.springframework.osgi.extender.internal.activator.ContextLoaderListener).
log4j:WARN Please initialize the log4j system properly.
log4j:WARN See http://logging.apache.org/log4j/1.2/faq.html#noconfig for more info.
help:2a.100000.dhoB3Iq6x6dlVkTMQu4L9g==.rU6L/bPwLjvq9JS79MFBWg==
1) Stop the Enterprise Manager
2) Go to <EM_HOME>/product/enterprise/plugins
3) Locate the file commons-codec_1.10.jar and remove it from the folder.
4) Clear the OSGi cache using the instructions here
5) Restart the Enterprise Manager
With this change, the log should not be created in /product/sha2/configuration/*.log, so the password will not be exposed.
A defect has been raised to address the issue with the duplicate bundles, and the fix would be included in the work to deliver 10.7 SP4.
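The following shell check is an added example, not part of the original article or the product's own tooling. It reports which files under product/sha2/configuration recorded an argument passed to SHA2Encoder (file name and line count only, never the value) and lists the commons-codec jars in a plugins folder. The function names, the script name and the calling convention are assumptions; the paths and bundle names are taken from the article.

```shell
#!/bin/sh
# Added example (not vendor code). Paths and bundle names are from the article;
# function names and the calling convention are assumptions.

ENCODER_APP='com\.wily\.introscope\.eclipseapp\.SHA2Encoder'

# Report every *.log under <EM_HOME>/product/sha2/configuration in which the
# Eclipse launcher recorded an argument after the SHA2Encoder application name.
# Output: "<file> <matching line count>". The argument itself is never printed.
find_leaky_logs() {
    conf_dir="$1/product/sha2/configuration"
    pattern="^(Framework|Command-line) arguments: .*-application ${ENCODER_APP} +[^ ]"
    for f in "$conf_dir"/*.log; do
        [ -f "$f" ] || continue
        # grep -c prints 0 and exits 1 when nothing matches; keep the count.
        n=$(grep -c -E -- "$pattern" "$f" || true)
        if [ "$n" -gt 0 ]; then
            printf '%s %s\n' "$f" "$n"
        fi
    done
}

# List the commons-codec jars in a plugins folder. More than one line of
# output means the duplicate-bundle condition behind the log is present.
list_codec_bundles() {
    for f in "$1"/commons-codec_*.jar "$1"/org.apache.commons.codec_*.jar; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f"
        fi
    done
}

# Usage (hypothetical script name): ./check_sha2_leak.sh <EM_HOME> <plugins_dir>
if [ "$#" -eq 2 ]; then
    echo "Logs that recorded an encoder argument:"
    find_leaky_logs "$1"
    echo "commons-codec bundles found:"
    list_codec_bundles "$2"
fi
```

Any file reported by find_leaky_logs still contains the argument in plain text.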