Environment
Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 3 applied
/etc/laglogs.conf file has LAGSOAPMESSAGES debug set to 1
Identity Server configured to send the user's password at authentication time
Situation
For troubleshooting purposes, an administrator can enable logging of all SOAP messages exchanged between the Linux Access Gateway (LAG) proxy and the Embedded Service Provider (ESP). This is done by editing the /etc/laglogs.conf file and changing the LAGSOAPMESSAGES parameter from its default of 0 to 1. After the VMC services are restarted, every SOAP operation over that interface is written to the /var/log/lagsoapmessages file.
When the Identity Server (IDP) is configured to send attributes to the LAG at authentication time, and one of those attributes is the Credential Profile's User Password, the /var/log/lagsoapmessages file contains the user's password in clear text, as in the sample entry below (the <password> element inside the NIDPSetSession store):
<SOAP-ENV:Envelope
xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NIDPSetSession
XLibid="0900fe010a3872143bbb5001c18a6929d7e31982" hardExpire="1799"
id="BDAF2EC93CBADDA9BFCC22AB74DD3B9A" pid="n3@=(1GeV1=b;R@b.5H9LOG0m"
refreshCache="false" softExpire="1169"><store type="ldap"><dn>cn=ncashell,o=novell</dn><password>!testing66</password></store><authentications><contracts><contract
set="true">secure/name/password/uri</contract></contracts></authentications><roles><role>authenticated</role></roles></NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>
This is a security concern: passwords must never be written to log files in clear text. Note that all other Access Manager log files do scrub password details; only /var/log/lagsoapmessages is affected, and only while LAGSOAPMESSAGES is set to 1 and the IDP is configured to send the password attribute. Until the fix is applied, leave LAGSOAPMESSAGES at its default of 0 on production systems, and treat any /var/log/lagsoapmessages file captured with the setting enabled as containing credentials: restrict access to it and scrub it before sharing it for troubleshooting.
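As an added example (not part of this TID and not Novell's code), the following POSIX shell script checks a LAG SOAP message log for the clear-text <password> element shown in the sample entry above and writes a redacted copy that keeps the rest of the NIDPSetSession entry usable for troubleshooting. The function names, the constructed sample entries and the [REDACTED] marker are this example's own assumptions; the check is line based because the sample shows the element on a single line.

```shell
#!/bin/sh
# Added example for this TID (not Novell code): checks a LAG SOAP message log
# for clear-text <password> elements like the one in the NIDPSetSession sample
# and writes a redacted copy. Function names, the sample log content and the
# "[REDACTED]" marker are this example's own choices.

# write_sample_log FILE: writes a constructed two-entry log resembling
# /var/log/lagsoapmessages (one entry carrying a password, one without).
write_sample_log() {
    cat > "$1" <<'EOF'
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NIDPSetSession id="EXAMPLESESSION1" refreshCache="false"><store type="ldap"><dn>cn=example,o=novell</dn><password>ExampleSecret1</password></store><roles><role>authenticated</role></roles></NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/"><SOAP-ENV:Body><NIDPSetSession id="EXAMPLESESSION2" refreshCache="false"><store type="ldap"><dn>cn=other,o=novell</dn></store><roles><role>authenticated</role></roles></NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>
EOF
}

# count_password_leaks FILE: prints the number of lines that still carry a
# clear-text <password>...</password> element (already-redacted ones are
# ignored). The check is line based because the sample entry keeps the element
# on one line; a missing or unreadable file counts as 0.
count_password_leaks() {
    n=$(sed 's#<password>\[REDACTED\]</password>##g' "$1" 2>/dev/null \
        | grep -c '<password>[^<]*</password>' || true)
    echo "${n:-0}"
}

# redact_passwords IN OUT: copies IN to OUT with every password value replaced
# by [REDACTED], keeping the rest of the SOAP entry intact for troubleshooting.
redact_passwords() {
    sed 's#<password>[^<]*</password>#<password>[REDACTED]</password>#g' "$1" > "$2"
}

# Stand-alone use: ./lagsoapcheck.sh /var/log/lagsoapmessages
# Without an argument the script demonstrates itself on the constructed sample.
case "${1:-}" in
    "")
        demo=$(mktemp)
        write_sample_log "$demo"
        echo "constructed sample: $(count_password_leaks "$demo") line(s) with clear-text passwords"
        rm -f "$demo"
        ;;
    *)
        echo "$1: $(count_password_leaks "$1") line(s) with clear-text passwords"
        redact_passwords "$1" "$1.redacted"
        echo "redacted copy written to $1.redacted"
        ;;
esac
```

Redaction only cleans up logs that have already been captured; it does not stop new passwords from being written. The fix for that is the interim release named in the Resolution, with LAGSOAPMESSAGES left at 0 in the meantime.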
Resolution
Apply Access Manager 3.1 Support Pack 3 Interim Release 2 build or greater.