Security issue by the "-Dwrapper.key" argument in Release Automation Agent

Document ID : KB000094711
Last Modified Date : 04/05/2018
Show Technical Document Details
Introduction:
The agent has a service wrapper which enables the agent to run as windows service or Unix daemon. The wrapper process starts up the agent and monitor its health to make sure it is up and running but security teams may focus by stating this could expose the agent or the server to any security issue during security audits.
Question:
Does "-Dwrapped.key=" argument expose the agent or the server to any security issue.
Environment:
CA Release Automation 6.5
Answer:
The wrapper.key is re-generated on every start of the wrapper and is being used to communicate between the wrapper and the process of the agent. For security reasons, the agent will only allow connections from localhost and will expect to receive the key specified in a property named "wrapper.key". The only impact of stealing the key is to be able to stop/start the agent when running from the same server. No risk for the agent logic or the Management, Execution Server.