KB Article #177342
CG support archive includes security information - how secure is it to share such an archive?
Problem
A CG support archive includes:
* Configuration files which contain, among other things: encrypted passwords, shared secret and the encryption key
* Log files which contain encrypted passwords
How secure is this?
Does data/conf.properties contain enough information to decrypt the passwords included in the same file?
Resolution
Security related contents in CG 1.0.3 support archive:
######################################################
The CGCMD support command generates an archive containing files from the customer's installation to help the support/sustaining team. These files contain customer information.
This information can be confidential (such as passwords) or private. The private and confidential information collected in the support archive is listed here:
In static configuration files:
==============================
* Credentials (login/password) for:
  - database
  - internal storage (MongoDB)
  - agent cluster (Hazelcast)
* Hostname or IP address of:
  - CG machine
  - external database (if any)
  - SMTP server
* Some folder path names used by CG on the host
In runtime file:
================
* Credentials (login/password) for:
  - CG users
  - LDAP connection(s)
  - Managed and un-managed products (PeSIT credentials)
* Hostname or IP address of:
  - Managed and un-managed products
  - LDAP server
* Some folder path names used on the managed product host
* LDAP query filter
Hostnames, IP addresses, folder paths and LDAP query filters are not encrypted. Only passwords are encrypted.
Keys for encrypting/decrypting passwords are generated randomly during installation/configuration/first startup of CG and are not included in the CG support archive.
These keys are stored in the folder <CG Home>/data/keys/. The key size is 128 bits, the cipher algorithm is AES/CBC/PKCS5Padding, the secure random number generator is SHA1PRNG, and the MAC is HmacSHA256.
So the support archive makes it possible to obtain some private data, such as:
* Hostnames of Central Governance, the external database, and managed and un-managed products
* Some folder paths on the Central Governance host and the managed products
* LDAP query filter
But it does not make it possible to obtain confidential data (no password can be decrypted without the files in <CG Home>/data/keys/).
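
A pre-share check based on the points above, added here as an example and not taken from the product or its tooling: it flags any file under data/keys/ and lists the IPv4 addresses that appear in cleartext. It assumes the archive is a zip file; the function names and the sample archive contents are constructed for illustration.

```python
import io
import re
import zipfile

# Assumption: the support archive is a zip file; swap the reader for other formats.
KEY_DIR = "/data/keys/"  # key folder named in the article, relative to <CG Home>
IPV4 = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"
)


def audit_archive(data: bytes) -> dict:
    """Report key-folder entries and cleartext IPv4 addresses in a zip archive."""
    key_entries, addresses = [], {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename.replace("\\", "/")
            # A file under data/keys/ would make the archived passwords decryptable.
            if KEY_DIR in "/" + name:
                key_entries.append(name)
                continue
            text = zf.read(info).decode("utf-8", errors="replace")
            found = sorted(set(IPV4.findall(text)))
            if found:
                addresses[name] = found
    return {"key_entries": key_entries, "addresses": addresses}


def build_sample(with_keys: bool) -> bytes:
    """Constructed archive: property names, log text and key file name are made up."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data/conf.properties",
                    "db.host=10.20.30.40\ndb.password=<encrypted-placeholder>\n")
        zf.writestr("logs/cg.log", "connected to 10.20.30.40, ldap at 192.0.2.15\n")
        if with_keys:
            zf.writestr("data/keys/sample.key", "not-a-real-key")
    return buf.getvalue()


if __name__ == "__main__":
    for with_keys in (False, True):
        report = audit_archive(build_sample(with_keys))
        status = "key files PRESENT" if report["key_entries"] else "no key files"
        print(status, report)
```

An empty key_entries list matches the behaviour described above; the addresses map shows what a recipient of the archive can still read.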