pkispawn writes the Directory Manager credentials in clear text to /etc/pki/pki-tomcat/password.conf, line internaldb=PASSWORD. The file is persistent. Standa Laznicka from the FreeIPA team has investigated usage of internaldb. The line seems to be optional and not used beyond installation. FreeIPA 4.5 removes the entry, https://github.com/freeipa/freeipa/blob/master/ipaserver/install/dogtaginstance.py#L225
I'd rather not write the entry to the file at all. Dogtag's installer should use a dedicated temporary file on a tmpfs instead. /etc is on a persistent disk and the password could be written to physical devices (hard disk, SSD).
In FreeIPA, the Directory Manager password is used in these options used in pkispawn:
pki_backup_password
pki_client_pkcs12_password
pki_admin_password
pki_ds_password
and additionally when creating a clone:
pki_security_domain_password
pki_clone_pkcs12_password
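As an added illustration of the two points above (not code from the Dogtag or FreeIPA projects): an audit that parses a password.conf for the install-only internaldb entry and strips it, the way the linked FreeIPA 4.5 code removes it post-install, plus the alternative the report asks for, keeping an install-time secret in a 0600 file on a tmpfs-backed directory rather than under /etc. The sample file contents, the INSTALL_ONLY_KEYS set and the /dev/shm path are assumptions made for the example; only internaldb comes from the report.

```python
"""Audit a Dogtag-style password.conf for persisted install-time credentials and
show the tmpfs alternative proposed in the report. Example code, not project code."""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

# Keys whose values are only needed during installation. Constructed for this
# example; "internaldb" is the entry the report is about.
INSTALL_ONLY_KEYS = {"internaldb"}


def parse_password_conf(text: str) -> Dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are ignored."""
    entries: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip()] = value.strip()
    return entries


def find_persisted_install_secrets(text: str) -> List[str]:
    """Return install-only keys that still carry a non-empty value on disk."""
    entries = parse_password_conf(text)
    return sorted(k for k in INSTALL_ONLY_KEYS if entries.get(k))


def strip_install_secrets(text: str) -> str:
    """Return the file contents without the install-only entries."""
    kept = []
    for raw in text.splitlines():
        stripped = raw.strip()
        key = raw.split("=", 1)[0].strip()
        if stripped and not stripped.startswith("#") and key in INSTALL_ONLY_KEYS:
            continue
        kept.append(raw)
    return "\n".join(kept) + ("\n" if text.endswith("\n") else "")


def write_transient_secret(secret: str, directory: str = "/dev/shm") -> str:
    """Write a secret to a fresh 0600 file in a tmpfs-backed directory and return its path.
    /dev/shm is an assumption; if it is absent we fall back to the system temp dir."""
    if not os.path.isdir(directory):
        directory = tempfile.gettempdir()
    fd, path = tempfile.mkstemp(prefix="dm-pw-", dir=directory)
    try:
        os.fchmod(fd, stat.S_IRUSR | stat.S_IWUSR)  # owner read/write only
        os.write(fd, secret.encode())
    finally:
        os.close(fd)
    return path


def transient_secret_roundtrip(secret: str) -> Tuple[int, str, bool]:
    """Write, inspect, read back and remove the file; returns (mode, content, exists_after)."""
    path = write_transient_secret(secret)
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
        with open(path) as fh:
            content = fh.read()
    finally:
        os.unlink(path)
    return mode, content, os.path.exists(path)


# Constructed sample file, not the contents of any real instance.
SAMPLE_CONF = """\
# constructed sample password.conf
internal=NSSDBPASSWORD
internaldb=PASSWORD
"""

if __name__ == "__main__":
    print("persisted install-only secrets:", find_persisted_install_secrets(SAMPLE_CONF))
    print("after cleanup:\n" + strip_install_secrets(SAMPLE_CONF))
    print("transient file round trip:", transient_secret_roundtrip("PASSWORD"))
```

The audit part is what a post-install check on an existing instance would run; the transient-file part is the shape an installer would use so the credential never reaches a persistent filesystem.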
Metadata Update from @mharmsen:
- Custom field component adjusted to General
- Custom field feature adjusted to ''
- Custom field origin adjusted to Community
- Custom field proposedmilestone adjusted to ''
- Custom field proposedpriority adjusted to ''
- Custom field reviewer adjusted to ''
- Custom field type adjusted to defect
- Custom field version adjusted to ''
- Issue set to the milestone: 0.0 NEEDS_TRIAGE
Metadata Update from @mharmsen:
- Issue priority set to: ---
Per PKI Bug Council of 04/27/2017: 10.5 - critical
Metadata Update from @mharmsen:
- Issue priority set to: critical (was: ---)
- Issue set to the milestone: 10.5 (was: 0.0 NEEDS_TRIAGE)
Metadata Update from @mharmsen:
- Issue priority set to: major (was: critical)
The reason IPA does not use this entry is because IPA uses cert-auth to connect from the dogtag instance to its internalDB. I think IPA selects this with the appropriate pkispawn parameters.
In this case, the ds password is no longer needed post-install. This is not true by default. By default, this line in password.conf is used to connect dogtag to its internaldb.
I suppose we can remove this entry in the case where we configure cert-auth for the dogtag<->ds connection, but we need to confirm we can do this.
[20171025] - Offline Triage ==> 10.6
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.6 (was: 10.5)
Per further discussions with Ade, we would like IPA to clean up the stuff that is not required due to the way IPA sets up Dogtag. This is not perfect, but the Dogtag backlog is huge so we'd like to be realistic about what is / isn't ever going to get done.
Metadata Update from @ftweedal:
- Issue close_status updated to: wontfix
Metadata Update from @mharmsen:
- Issue set to the milestone: 10.5.2 (was: 10.6)
Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.
This issue has been cloned to GitHub and is available here: https://github.com/dogtagpki/pki/issues/2782
If you want to receive further updates on the issue, please navigate to the GitHub issue and click on Subscribe button.
Thank you for understanding, and we apologize for any inconvenience.