oc.jwt.sharedSecret exposed in wasp.cfg in DXUIM

Article ID: 429537


Products

DX Unified Infrastructure Management (Nimsoft / UIM)

Issue/Introduction

Security systems or scans may alert that oc.jwt.sharedSecret is exposed to attackers in wasp.cfg in DX UIM.

Is oc.jwt.sharedSecret vulnerable in DX UIM? Is it still used in wasp.cfg, or can we safely remove it?

Environment

DX UIM 23.4.2 (CU2) and earlier

Cause

Security Enhancement

Resolution

Starting with DX UIM 23.4.2 (CU2), we moved the keys to in-memory storage with a stronger algorithm. Consequently, the oc.jwt.sharedSecret key is no longer used in wasp.

If you are running DX UIM 23.4.2 (CU2) or later, follow the steps below to remove the references to this key:

  1. Update the wasp.cfg of the UIM Server and OC Robot(s) using the Admin Console or Infrastructure Manager.
  2. Under the setup section, set oc.jwt.autogeneratetoken to false and remove the oc.jwt.sharedSecret key.
  3. Restart wasp.
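
One way to check the result of these steps against the text of a wasp.cfg, as an added example (not Broadcom's code). It assumes the usual UIM probe configuration layout of `<section>` ... `</section>` blocks with `key = value` lines; the sample text and the names `parse_cfg` and `audit_wasp_setup` are constructed for illustration.

```python
import re

# Constructed sample, not a real configuration. Assumed layout: nested
# <section> ... </section> blocks holding "key = value" lines.
SAMPLE_WASP_CFG = """\
<setup>
   oc.jwt.autogeneratetoken = true
   oc.jwt.sharedSecret = CONSTRUCTED-PLACEHOLDER
</setup>
<webapps>
   <example>
      path = /example
   </example>
</webapps>
"""

def parse_cfg(text):
    """Return {section_path: {key: value}} for cfg text in the assumed layout."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        closing = re.fullmatch(r"</(.+)>", line)
        opening = re.fullmatch(r"<([^/].*)>", line)
        if closing:
            if stack:
                stack.pop()
        elif opening:
            stack.append(opening.group(1))
            sections.setdefault("/".join(stack), {})
        elif "=" in line and stack:
            key, _, value = line.partition("=")
            sections["/".join(stack)][key.strip()] = value.strip()
    return sections

def audit_wasp_setup(text):
    """List deviations from the steps above; never echoes the secret value."""
    setup = parse_cfg(text).get("setup", {})
    # Keys are compared case-insensitively so a differently cased key is not missed.
    lowered = {k.lower(): v for k, v in setup.items()}
    findings = []
    if "oc.jwt.sharedsecret" in lowered:
        findings.append("oc.jwt.sharedSecret is still present in <setup>")
    if lowered.get("oc.jwt.autogeneratetoken", "").lower() != "false":
        findings.append("oc.jwt.autogeneratetoken is not set to false")
    return findings

if __name__ == "__main__":
    for finding in audit_wasp_setup(SAMPLE_WASP_CFG) or ["no findings"]:
        print(finding)
```

Run it against the wasp.cfg text from the UIM Server and from each OC robot; an empty result means both changes from step 2 are in place.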

NOTE: This key will be completely removed from WASP in 23.4.7 (CU7).

Additional Information

Related KB: Connection String in visible in wasp.cfg