000034543 - Java Naming and Directory Interface (JNDI) credential is displayed in cleartext on JBoss server.log in RSA Identity Management and Governance

Document created by RSA Customer Support Employee on Dec 19, 2016Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 4Show Document
  • View in full screen mode

Article Content

Article Number000034543
Applies ToRSA Product Set:  Identity Management and Governance
RSA Version/Condition: 6.9.1
Platform: JBoss
IssueThe credential of the JNDI configuration is displayed in cleartext on the JBoss server.log located in /home/oracle/jboss-4.2.2.GA/server/default/log,  Note the java.naming.security.credentials=Aveksa12, in the example below:
2016-11-22 00:06:32,403 INFO [org.hibernate.util.NamingHelper] JNDI InitialContext properties:
{java.naming.security.principal=aveksaUser, java.naming.security.credentials=Aveksa123}

ResolutionAs a workaround, change the logging setting to hide the JNDI credential and change the JNDI credential if it has been exposed.

To change the specific org.hibernate category from INFO to ERROR level logging to hide the logging

  1. Navigate to Admin > System and click on the Logs tab.
  2. Click the Settings button and the System Log Settings popup will be displayed.
  3. On the popup, click the Advanced button on the Category Log Levels section.
  4. In the Category Log Levels section, do the following:
    1. Select org.hibernate from the Group drop-down list
    2. Select org.hibernate.util.NamingHelper from the Category drop-down list (it is almost at the bottom of the list).
    3. Click the Add button to display org.hibernate.util.NamingHelper and the corresponding log level.
    4. Select ERROR for org.hibernate.util.NamingHelper.
    5. Click OK button at the bottom of the page

Change logging setting

  1. Restart ACM and then verify that the below INFO line (org.hibernate.util.NamingHelper) is now suppressed:
2016-11-29 18:35:39,321 INFO [org.hibernate.util.NamingHelper] JNDI InitialContext properties:
{java.naming.security.principal=aveksaUser, java.naming.security.credentials=Aveksa123}

To change the password on the fly in hibernate.cfg.xml

  1. Login to your system as root.
  2. Edit the hibernate.cfg.xml by changing the value of the JNDI property name hibernate.jndi.java.naming.security.credentials from Aveksa123 to your desired password.  To do this, type the following command to edit the file:
acm-691:~ # vi /home/oracle/jboss-4.2.2.GA/server/default/deploy/aveksa.ear/aveksa.war/

  1.   Once in the file, make the change to a new value, shown here as the text SomethingElse:
<?xml version='1.0' encoding='utf-8'?>
<!DOCTYPE hibernate-configuration PUBLIC "-//Hibernate/Hibernate Configuration DTD 3.0//EN"
<!-- Database connection settings -->
<property name="connection.datasource">java:comp/env/jdbc/avdb</property>
<property name="transaction.factory_class">org.hibernate.transaction.JDBCTransactionFactory</property>
<property name="hibernate.jndi.java.naming.security.principal">aveksaUser</property>
<property name="hibernate.jndi.java.naming.security.credentials">SomethingElse</property>

  1. Save the changes by pressing Esc then :wq.
  2. Restart ACM.
acm start