Security concerns due to passwords in clear text in lagsoapmessages file

  • 7008940
  • 04-Jul-2011
  • 26-Apr-2012

Environment

Novell Access Manager 3.1 Linux Access Gateway
Novell Access Manager 3.1 Support Pack 3 applied
/etc/laglogs.conf has the lagsoapmessages parameter set to 1 (default 0)
Identity Server configured to send the user's password to the Access Gateway as an attribute at authentication time

Situation

For troubleshooting purposes, an administrator can enable logging of all SOAP messages exchanged between the Linux Access Gateway (LAG) proxy and the Embedded Service Provider (ESP). This is done by editing /etc/laglogs.conf and changing the lagsoapmessages parameter from its default of 0 to 1. After the VMC services are restarted, every SOAP operation on that interface is written to /var/log/lagsoapmessages.

When the Identity Server (IDP) is configured to send attributes to the LAG at authentication time, and one of those attributes is the Credential Profile "User password", the /var/log/lagsoapmessages file contains the user's password in clear text, as in the sample entry below:

<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">
  <SOAP-ENV:Body>
    <NIDPSetSession XLibid="0900fe010a3872143bbb5001c18a6929d7e31982" hardExpire="1799"
        id="BDAF2EC93CBADDA9BFCC22AB74DD3B9A" pid="n3@=(1GeV1=b;R@b.5H9LOG0m"
        refreshCache="false" softExpire="1169">
      <store type="ldap">
        <dn>cn=ncashell,o=novell</dn>
        <password>!testing66</password>
      </store>
      <authentications>
        <contracts>
          <contract set="true">secure/name/password/uri</contract>
        </contracts>
      </authentications>
      <roles>
        <role>authenticated</role>
      </roles>
    </NIDPSetSession>
  </SOAP-ENV:Body>
</SOAP-ENV:Envelope>

This is a security problem: passwords must never be written to log files in clear text, because anyone who can read /var/log/lagsoapmessages, or a copy of it handed over for troubleshooting, obtains the user's LDAP DN together with a working password. All other Access Manager log files scrub the password; only the lagsoapmessages output did not.
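The following script is an added example, not part of this TID and not Novell code. It shows how to audit an existing lagsoapmessages file for the exposure described above: it locates every NIDPSetSession store block, reports the DN of each user whose password was logged (with the password length, never the value), and writes a scrubbed copy with the password element masked. The embedded sample log is constructed for the example and mirrors the entry shown in this document; the function names and the [REDACTED] marker are the example's own choices.

```python
import re
import sys
from xml.sax.saxutils import unescape

# Constructed sample log: the first message carries the credential profile
# password, the second was sent without one, the third is an unrelated line.
SAMPLE_LOG = (
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><NIDPSetSession XLibid="0900fe010a3872143bbb5001c18a6929d7e31982" '
    'hardExpire="1799" id="BDAF2EC93CBADDA9BFCC22AB74DD3B9A" '
    'pid="n3@=(1GeV1=b;R@b.5H9LOG0m" refreshCache="false" softExpire="1169">'
    '<store type="ldap"><dn>cn=ncashell,o=novell</dn><password>!testing66</password></store>'
    '<authentications><contracts><contract set="true">secure/name/password/uri</contract>'
    '</contracts></authentications><roles><role>authenticated</role></roles>'
    '</NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>\n'
    '<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/">'
    '<SOAP-ENV:Body><NIDPSetSession id="1F2E3D4C5B6A79880000000000000000" softExpire="1169">'
    '<store type="ldap"><dn>cn=jdoe,o=novell</dn><password></password></store>'
    '</NIDPSetSession></SOAP-ENV:Body></SOAP-ENV:Envelope>\n'
    'Sending NIDPGetSession request to ESP\n'
)

REDACTED = "[REDACTED]"

# The log may wrap a message across lines, so every pattern tolerates newlines.
STORE_RE = re.compile(r"<store\b[^>]*>(.*?)</store>", re.DOTALL)
DN_RE = re.compile(r"<dn>([^<]*)</dn>")
PASSWORD_RE = re.compile(r"<password>([^<]*)</password>")


def exposed_credentials(log_text):
    """Return [(dn, password_length), ...] for every store block that carries a
    non-empty, not yet redacted password. The value itself is never returned."""
    found = []
    for store in STORE_RE.finditer(log_text):
        body = store.group(1)
        pw = PASSWORD_RE.search(body)
        if not pw or not pw.group(1) or pw.group(1) == REDACTED:
            continue
        dn = DN_RE.search(body)
        # The log stores XML-escaped text; unescape so the reported length is
        # that of the real password, not of entities such as &lt;.
        found.append((dn.group(1) if dn else "<no dn>", len(unescape(pw.group(1)))))
    return found


def redact(log_text):
    """Return the log with every non-empty password element masked."""
    return re.sub(r"<password>[^<]+</password>",
                  "<password>%s</password>" % REDACTED, log_text)


if __name__ == "__main__":
    # Usage: python audit_lagsoap.py [/var/log/lagsoapmessages] [scrubbed_output]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for dn, length in exposed_credentials(text):
        print("password (%d chars) logged for %s" % (length, dn))
    if len(sys.argv) > 2:
        with open(sys.argv[2], "w") as out:
            out.write(redact(text))
```

Run it against the real file before the file leaves the box (for example before attaching it to a support case); the DN list tells you which users' passwords were exposed and therefore which accounts should have their password changed.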

Resolution

Apply the Access Manager 3.1 Support Pack 3 Interim Release 2 build or later.

Until that build is in place, leave lagsoapmessages at its default of 0 (or set it back to 0 and restart the VMC services) and remove, or restrict read access to, any existing /var/log/lagsoapmessages file, since it may already contain passwords. Treat the passwords of users listed in such a file as exposed.