12.7 Admin UI Java Keystore Vulnerability

Document ID : KB000111842
Last Modified Date : 31/08/2018
Introduction:
When the Admin UI's running JBoss (Java) process is listed with ps -ef, the Java keystore and truststore passwords are displayed in clear text on the command line:

smuser 22143 22075 5 Jul17 ? 18:08:10 /app/CA/siteminder/adminui/runtime/bin/java -D[Standalone] -server -Xms1024m -Xmx1536m -Djava.net.preferIPv4Stack=true -Djboss.modules.system.pkgs=org.jboss.byteman -Djava.awt.headless=true -Dcom.sun.jersey.server.impl.cdi.lookupExtensionInBeanManager=true -Djavax.net.ssl.keyStore=/app/CA/siteminder/adminui/standalone/configuration/keyStore.jks -Djavax.net.ssl.keyStoreType=jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStore=/app/CA/siteminder/adminui/standalone/configuration/trustStore.jks -Djavax.net.ssl.trustStoreType=jks -Djavax.net.ssl.trustStorePassword=changeit -Dorg.jboss.boot.log.file=/app/CA/siteminder/adminui/standalone/log/server.log -Dlogging.configuration=file:/app/CA/siteminder/adminui/standalone/configuration/logging.properties -jar /app/CA/siteminder/adminui/jboss-modules.jar -mp /app/CA/siteminder/adminui/modules org.jboss.as.standalone -Djboss.home.dir=/app/CA/siteminder/adminui -Djboss.server.base.dir=/app/CA/siteminder/adminui/standalone -c standalone-full.xml -b 0.0.0.0 -Dnete.j2ee.vendor=jboss#
Instructions:
If SSL is not used with the WAM UI, suppress the clear text password output by commenting out or deleting the following entries in standalone.conf:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"

Steps to implement:
1) Stop the adminui if running
2) Make the changes
3) Start the adminui
4) Check the output of ps -ef | grep java
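The check in step 4 and the edit in step 2 can be scripted so that an administrator can verify any host the same way. The following POSIX shell functions are an added example, not part of this KB article or of the CA product: one scans ps -ef output for clear-text keystore or truststore password options, and the other comments out the matching JAVA_OPTS lines in a copy of standalone.conf (the path is passed as an argument; a .bak copy is kept). The sample process line is constructed from the one shown above and trimmed for length.

```shell
#!/bin/sh
# Added example (not part of the CA KB article): detect clear-text keystore
# passwords on a java command line and comment them out of standalone.conf.

# Print every clear-text keystore/truststore password option found on the
# command lines read from stdin (e.g. the output of `ps -ef`), one per line.
# Prints nothing when no process exposes a password.
list_exposed_password_opts() {
    grep -oE -- '-Djavax\.net\.ssl\.(keyStore|trustStore)Password=[^ ]*'
}

# Count the exposed password options read from stdin (0 when clean).
count_exposed_password_opts() {
    list_exposed_password_opts | wc -l | tr -d ' '
}

# Comment out the JAVA_OPTS lines that pass keystore/truststore passwords in
# the standalone.conf given as $1. The original is kept as "$1.bak".
# Lines that are already commented are left untouched.
suppress_password_opts() {
    conf="$1"
    cp "$conf" "$conf.bak" || return 1
    sed -E 's/^[[:space:]]*(JAVA_OPTS=.*-Djavax\.net\.ssl\.(keyStore|trustStore)Password=.*)$/#\1/' \
        "$conf.bak" > "$conf"
}

# Constructed sample: a trimmed copy of the ps -ef line from the KB article.
SAMPLE_PS='smuser 22143 22075 5 Jul17 ? 18:08:10 /app/CA/siteminder/adminui/runtime/bin/java -Djavax.net.ssl.keyStore=/app/CA/siteminder/adminui/standalone/configuration/keyStore.jks -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.trustStorePassword=changeit -jar /app/CA/siteminder/adminui/jboss-modules.jar'

# Build a constructed three-line standalone.conf in a temp file, run the
# suppression on it, print the result and clean up. Used for the demo below.
demo_standalone_conf() {
    tmp=$(mktemp) || return 1
    printf '%s\n' \
        'JAVA_OPTS="$JAVA_OPTS -Djava.net.preferIPv4Stack=true"' \
        'JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.keyStorePassword=changeit"' \
        'JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=changeit"' > "$tmp"
    suppress_password_opts "$tmp" || return 1
    cat "$tmp"
    rm -f "$tmp" "$tmp.bak"
}

# Stand-alone demo: show what the sample line exposes, then the edited conf.
main() {
    echo "Exposed options in the sample process line:"
    printf '%s\n' "$SAMPLE_PS" | list_exposed_password_opts
    echo "standalone.conf after suppress_password_opts:"
    demo_standalone_conf
}
```

On a live host, after sourcing the file, `ps -ef | list_exposed_password_opts` performs the check from step 4 and `suppress_password_opts /app/CA/siteminder/adminui/bin/standalone.conf` (path as on this page's example host) performs step 2 while the Admin UI is stopped; `main` runs the self-contained demo only.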