It's all about the answers!

Ask a question

Question regarding password file in Jazz Build Engine

Karthik Krishnan (8805114162) | asked Oct 17 '16, 10:29 a.m.
edited Oct 17 '16, 10:30 a.m.
 JBE has an option to create Password text file which could be consumed instead of providing password a plain text.

In windows, the build engine must run under the build user which means the password file should be accessible for this user. 

In a hypothetical case, If an user wants to modify the build scripts in way to get thhis password file (ex: via simple batch file commands), 

if the attacker / user get holds of the password file, what are the security issues we could for see?

- Can the attacker decrypt the password fairly easily?
- Could the attacker create try to run a JBE pointing to already running build engine ? Since to create new build engine in RTC, user need necessary privileges 

What security measures could RTC admin's apply in this case? It isn't easy to even detect this in the first place.


Accepted answer

permanent link
Alan Sampson (93749) | answered Oct 17 '16, 11:59 a.m.
edited Oct 17 '16, 12:01 p.m.
This knowledge base entry duscusses the build toolkit password file.  Note that it specifically states:

"The password file is not strongly encrypted. Any user with access to the file can potentially decrypt it. Set appropriate operating system file permissions on the password file to prevent access from anyone other than the user running the Jazz Build Engine and the Ant tasks. The main benefit of using a password file instead of the password command line argument (for the Jazz Build Engine) or password attribute (for Ant tasks) is to avoid the password being repeated in the clear in build scripts, and the shell history."

Once someone has the password for an account I would expect they can do anything that the account has privileges to do. As stated in the note above; the password file is provided to negate the need to expose a password in clear text in a build script etc.

Karthik Krishnan selected this answer as the correct answer

Karthik Krishnan commented Oct 20 '16, 12:22 p.m.

thank you for your explanations.

Your answer

Register or to post your answer.