Improvement - password to create domain #961

Closed
textanalyticsman opened this issue Aug 5, 2021 · 4 comments
Labels: enhancement (New feature or request), SOA

Comments


textanalyticsman commented Aug 5, 2021

Hello,

According to the documentation here:

The tool can also read the passphrase from standard input (for example, stdin) to allow the tool to run without any user input

Actually, I have been using this way to provide passwords. However, someone can get the password just by executing ps (I am working only on Linux) while the process is still alive.

Could you provide a better way to call the script without facing this security challenge?

By the way, I am calling the script by using this

shell: "printf '%s\n' passwordmodel passwordopss | weblogic-deploy/bin/createDomain.sh ...

Best regards,
TAM

@CarolynRountree
Contributor

The only passwords in createDomain are the RCU passwords. Are these the passwords? You can put all the RCU information in the model according to the link below. Please clarify that this is what you are talking about.

https://oracle.github.io/weblogic-deploy-tooling/rcuinfo/

@textanalyticsman
Author

I am using a password to decrypt the models as they are encrypted and another password for OPSS wallet.

@textanalyticsman
Author

Hi,

This is the command I am running

/u01/wdt/weblogic-deploy/bin/createDomain.sh -oracle_home /u01/weblogic/middleware/SOA -use_encryption -domain_parent /u01/weblogic/domains -domain_type SOA -model_file /u01/domain/soa-domain.yaml,/u01/domain/soa-top.yaml,/u01/domain/soa-wm.yaml,/u01/domain/soa-startshut-classes.yaml,/u01/domain/soa-container.yaml,/u01/domain/soa-db.yaml,/u01/domain/soa-store.yaml,/u01/domain/soa-queues.yaml,/u01/domain/soa-coh.yaml,/u01/domain/soa-dep.yaml -archive_file /u01/domain/archive.zip -opss_wallet /u01/domain/opss-voyager

The previous script will ask for a password to decrypt the model and a password to read the OPSS wallet. I know we can pass them by using stdin. For example, I can use printf to pass credentials, use environment variables to pass them, or use a hidden file with the credentials and proper privileges. However, all these ways are easy for a potential attacker to break.

Therefore, could you suggest a better way to proceed?

Thanks a lot for your support.

Best regards,
TAM

@robertpatrick
Member

If I run this command: echo MYPASSWORD | createDomain.sh ...

ps does not show the echo MYPASSWORD, as it completes instantaneously.

% ps -wwf
  UID   PID  PPID   C STIME   TTY           TIME CMD
  501  1830  1824   0 Wed09AM ttys000    0:00.43 -zsh
  501  1828  1825   0 Wed09AM ttys001    0:00.46 -zsh
  501  1829  1826   0 Wed09AM ttys002    0:00.68 -zsh
  501 18136  1829   0 11:38AM ttys002    0:00.00 /bin/sh ./createDomain.sh -oracle_home=/opt/weblogic/jrf12214 ...

PR #972 added the ability to read the encryption passphrase from a file or an environment variable. Closing this issue as resolved. Please feel free to reopen or create another issue if this does not resolve your issue.
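
Added example, not part of the thread and not WebLogic Deploy Tooling code: a Linux shell check of which stdin hand-off styles discussed above leave a passphrase in the process table that ps reads. `CONSUMER` is a hypothetical stand-in for createDomain.sh, the secret is a constructed value, and case A assumes the `shell:` string from the first comment is executed as a single `sh -c` argument.

```shell
#!/bin/sh
# Added demo (Linux, needs /proc). CONSUMER is a hypothetical stand-in for
# createDomain.sh: it reads one passphrase line from stdin, then keeps running.
BASE="constructed-pass-$$"       # constructed sample secret, unique per run
CONSUMER='read -r p; sleep 3'

# Print every process's argv, one per line: the data `ps -ef` shows on Linux.
# The secret is never placed on the argv of a helper such as grep.
all_argv() {
    for f in /proc/[0-9]*/cmdline; do
        { tr '\0' ' ' < "$f"; } 2>/dev/null || true   # process may have exited
        echo
    done
}

# state HAYSTACK NEEDLE -> "visible" or "hidden"
state() { case $1 in *"$2"*) echo visible ;; *) echo hidden ;; esac; }

survey() {
    tmp=$(mktemp)                      # mktemp creates the file with mode 0600
    printf '%s\n' "$BASE-C" > "$tmp"   # builtin printf: nothing lands on argv

    # A: whole pipeline handed to `sh -c` as one string, secret typed literally.
    #    The string, secret included, is argv of that sh for its whole lifetime.
    sh -c "printf '%s\n' $BASE-A | { $CONSUMER; }" >/dev/null 2>&1 &
    a=$!
    # B: this shell's builtin printf feeds the pipe from a variable.
    printf '%s\n' "$BASE-B" | sh -c "$CONSUMER" >/dev/null 2>&1 &
    b=$!
    # C: owner-only file redirected onto the consumer's stdin.
    sh -c "$CONSUMER" < "$tmp" >/dev/null 2>&1 &
    c=$!

    sleep 1                            # let all three consumers start
    argv=$(all_argv)
    kill "$a" "$b" "$c" 2>/dev/null || true
    wait "$a" "$b" "$c" 2>/dev/null || true   # leftover sleeps exit on their own
    rm -f "$tmp"
    echo "A=$(state "$argv" "$BASE-A") B=$(state "$argv" "$BASE-B") C=$(state "$argv" "$BASE-C")"
}

survey   # prints: A=visible B=hidden C=hidden
```

Cases B and C keep the secret off every command line; they do not protect it from a process that can read the file or the launching shell's memory as the same user or as root.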
