SA parameter password security

During the SA installation or upgrade process, some cleartext passwords specified for core parameters are automatically obfuscated and some are not. Some passwords are obfuscated when SA Core Components start up, such as the SA Provisioning Build Manager password when the Web Services Data Access Engine server starts up. Passwords in some files must be manually obfuscated, such as passwords in the installation logs and Installer response files.

There are several ways to manually secure cleartext passwords. Which you choose will depend on your security requirements:

  • Encrypt the response files and installation logs.
  • Purge sensitive information from the Installer response files.
  • Store the Installer response files and logs on a secure server.

Cleartext passwords

The following table lists cleartext passwords that are automatically obfuscated and passwords that must be manually secured:

| Cleartext Password | Filename | Automatically Obfuscated | Manually Secured |
| --- | --- | --- | --- |
| admin | /var/opt/opsware/twist/?DefaultAuthenticatorInit.ldift | | |
| buildmgr | /var/opt/opsware/crypto/buildmgr/twist.passwd; /var/opt/opsware/crypto/occ/twist.passwd; /var/opt/opsware/twist/?DefaultAuthenticatorInit.ldift | | |
| cleartext admin | /etc/opt/opsware/twist/startup.properties | | |
| detuser | /var/opt/opsware/crypto/twist/detuserpwd; /var/opt/opsware/crypto/OPSWhub/twist.pwd | | |
| integration | /var/opt/opsware/twist/?DefaultAuthenticatorInit.ldift | | |
| | Installer response files: /var/opt/opsware/install_opsware/cdf/* (infrastructure component host); /var/log/cdf_tmp.xml (on host where installer invoked); /var/opt/opsware/install_opsware/resp (pre-10.0 response files); /var/tmp/*; /var/log/opsware/install_opsware/truth/truth_install_*; /var/log/opsware/install_opsware/hpsa_console_logs | | |
| spin | /etc/opt/opsware/spin/spin.args | | |
| vault | /var/opt/opsware/crypto/vault/vault.pwd | | |

Securing Installer log and CDFs

Depending on your security requirements, the installation or upgrade team should encrypt the installation log files or move them to a secure server. Certain CDFs are needed for SA Core upgrades and Secondary Core installations, and the log files are useful for troubleshooting, so removing them completely is not recommended.
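
A check to run after purging or encrypting, as an added example that is not part of the SA documentation or tooling: it lists files under the installer response-file and log locations from the table that still contain a known password. The function name, the root prefix and the password-file argument are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not SA tooling. Paths are the installer response-file and
# log locations from the table on this page; ROOT and PATTERN_FILE are
# hypothetical parameters introduced for this check.

# find_cleartext ROOT PATTERN_FILE
#   ROOT          filesystem prefix: "/" on a core host, a scratch tree in tests
#   PATTERN_FILE  file with one known password per line, so the secret is
#                 never passed on the command line
# Prints every file that still contains one of the passwords as a literal
# string. Returns 0 if any file matched, 1 if none did, 2 on a bad pattern file.
find_cleartext() {
    root=${1%/}
    patterns=$2
    found=1

    # An empty file matches nothing and a blank line matches every line;
    # either would make the result meaningless, so refuse both.
    [ -s "$patterns" ] || return 2
    if grep -q '^$' "$patterns"; then return 2; fi

    for path in \
        "$root"/var/opt/opsware/install_opsware/cdf/* \
        "$root"/var/log/cdf_tmp.xml \
        "$root"/var/opt/opsware/install_opsware/resp \
        "$root"/var/tmp/* \
        "$root"/var/log/opsware/install_opsware/truth/truth_install_* \
        "$root"/var/log/opsware/install_opsware/hpsa_console_logs
    do
        [ -e "$path" ] || continue    # unmatched glob or absent location
        # -r recurse, -l print names only, -F literal match, -f patterns file
        if grep -rlF -f "$patterns" -- "$path" 2>/dev/null; then
            found=0
        fi
    done
    return "$found"
}

# Usage on a core host (hypothetical password file, mode 600, removed after):
#   find_cleartext / /root/sa_pw.txt
```

A return value of 1 means none of the listed locations still holds the password in cleartext; files that were encrypted in place no longer match.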