How best to store sensitive files in SCM?
My team is doing some "DevOps" prototyping and one of the principles is that you construct and deploy your test and production systems based on automation scripts and configuration files stored in SCM. We are using RTC 3.0 for SCM and build.
Some of the configuration files are quite sensitive - e.g. SSH private keys - but must be stored in SCM to allow for full automation. I'm wondering if anyone could shed light on best practices for storing sensitive files like this in SCM. Here was my first take:
1. Upgrade to RTC 3.0.1 for the finer-grained SCM Read Permissions support
2. Create a new team area ("Sensitive Data Team") for functional users and a small number of admin users
3. Create a component ("Sensitive Data") that contains things like SSH private keys, password files, etc.
Does this sound like the best approach or are there better ways?
3 answers
Geoffrey Clemm (30.1k●3●30●35)
| answered Jul 14 '11, 7:33 a.m.
FORUM ADMINISTRATOR / FORUM MODERATOR / JAZZ DEVELOPER
That looks about right to me.
Note that if you cannot upgrade to RTC 3.0.1, you can replace steps 1 and 2 with just "create a project area which allows read access by only the list of users that should have read access to the sensitive data", and make this project area the owner of the sensitive component.
Also, you might want to look at work item 168196 "Provide read permission at the folder/file granularity" to confirm that this would allow you to simplify step 3 (i.e., you'd just specify access control on those files, and not have to create a separate component for them).
Cheers,
Geoff
On 7/14/2011 7:08 AM, bill wrote:
My team is doing some "DevOps" prototyping and one of the
We are using RTC with Tomcat, and have set up Tomcat for LDAP authentication of users.
When a user starts an Eclipse client, they are asked for *2* passwords - one is their LDAP authentication password, and the other is the "secure password" that goes with the RTC connection (I think). I don't see a reason for having 2 passwords; is there something I'm missing? If not, is there a way to remove the need for the 2nd password in some configuration setting?
-Marshall Schor
You should only ever be prompted for one password. If you have chosen the 'save your password' option, then you will be prompted by Eclipse to secure your password storage if running on Linux or OS X. When running on Windows, the password for your secure storage is automatically managed. If you chose not to save your password, then you should be prompted to enter your LDAP password, because it wasn't saved.