Version: 8.2405.x.x RR

Passwords in the configuration

nevisAuth sometimes requires passwords to access resources such as keystores, LDAP back ends or RADIUS servers. There are methods to minimize the risk that those passwords are disclosed to people or services that lack the required privileges. Depending on which method you choose, the risk of disclosure varies.

Info: Support for the syntax presented below depends on each AuthState implementation. It is only supported by properties that expect a password or key material.

The following list describes and classifies the methods and provides syntax examples:

  • Plain passwords

    Storing passwords in clear text is the simplest and least secure method. Users and services that have access to the configuration file, such as the esauth4.xml file, will also have access to the passwords used to access other resources.

    Example: mysecret

  • Passwords from external files

    Passwords can be stored in external files and accessed through a URL to the filesystem. Using this method, passwords will not be disclosed in the configuration itself. Only system administrators with the privileges to read the file will have access to the plain text passwords.

    Example: file:///path/to/passphrase/file/passphrase.txt

  • Piped passwords through commands

    Passwords can also be obtained from the output of an external command, for example one that reads them from a protected file. This way the passwords cannot be stolen if the esauth4.xml file is shared with unprivileged users or services, for example by being checked into a repository. The password source must remain protected by restrictive permissions on the machine running the nevisAuth process.

    Example: pipe:///opt/neviskeybox/bin/keystorepwget /var/opt/keybox/nevis/authSigner_keystore.jks

  • nevisCred

    Using nevisCred is the most secure method for storing passwords. nevisCred is a credential manager designed to store AES-encrypted passwords using a master key, a hardcoded key and a password identifier. Refer to the nevisCred reference guide for details about the internals, setup and configuration.

    Example: neviscred://keybox.default.nevis.authSigner
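The following resolver is an added example, not nevisAuth's own code: it classifies a password property value by the four methods listed above, reads file:// and pipe:// sources the way the text describes, and refuses a password file that is world-readable, since such a file offers no more protection than a plain password. The `neviscred_lookup` callable and the `fake_store` dictionary are constructed stand-ins, because the nevisCred client API is not described here.

```python
import os
import shlex
import subprocess
import sys
import tempfile
from urllib.parse import unquote, urlsplit

def classify(value):
    """Name the method a property value uses, as the list above does."""
    scheme = value.split("://", 1)[0] if "://" in value else ""
    return {"file": "external file", "pipe": "piped command", "neviscred": "nevisCred"}.get(scheme, "plain")

def resolve_password(value, neviscred_lookup=None):
    """Return the plain password behind a property value (added example, not nevisAuth code)."""
    method = classify(value)
    if method == "plain":
        return value                        # readable by anyone who can read esauth4.xml
    if method == "external file":
        path = unquote(urlsplit(value).path)
        if os.stat(path).st_mode & 0o004:   # a world-readable file is as exposed as plain text
            raise PermissionError(f"{path} is world-readable; restrict it to the nevisAuth user")
        with open(path, encoding="utf-8") as fh:
            return fh.read().rstrip("\n")   # assumes a trailing newline is not part of the secret
    if method == "piped command":
        argv = shlex.split(value[len("pipe://"):])   # command path plus its arguments
        out = subprocess.run(argv, capture_output=True, text=True, check=True)
        return out.stdout.rstrip("\n")      # assumes the command prints the secret on stdout
    # neviscred_lookup is a hypothetical stand-in for the nevisCred client, whose API is not shown here
    if neviscred_lookup is None:
        raise LookupError("neviscred:// values require the nevisCred client")
    return neviscred_lookup(value[len("neviscred://"):])

def demo():
    results = {"plain": resolve_password("mysecret")}
    fd, path = tempfile.mkstemp()          # mkstemp creates the file with mode 0600
    with os.fdopen(fd, "w") as fh:
        fh.write("file-secret\n")
    results["file"] = resolve_password("file://" + path)
    os.chmod(path, 0o644)                  # loosen it and confirm the resolver refuses
    try:
        resolve_password("file://" + path)
        results["world_readable_refused"] = False
    except PermissionError:
        results["world_readable_refused"] = True
    os.unlink(path)
    results["pipe"] = resolve_password(f"pipe://{sys.executable} -c \"print('piped-secret')\"")
    fake_store = {"keybox.default.nevis.authSigner": "cred-secret"}   # constructed stand-in store
    results["neviscred"] = resolve_password("neviscred://keybox.default.nevis.authSigner", fake_store.get)
    return results
```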