DatabaseConnection.xml - Password

rmoses87
New Contributor

So we've been using Jamf for about 6-7 months now at my org. I noticed during the installation and configuration that the password to connect the JSS to the Database is stored in plain-text in the Database.xml. I thought... this is a terrible idea to leave the password in here like this, so I selected the option to not store the password. The problem? Every time Tomcat restarts (like during monthly patching cycles of servers), I have to go in and Edit database connection and put in the correct password. At first I thought, no big deal, but this is super annoying.

How is this a thing for an "Enterprise" tool?

3 REPLIES

donmontalvo
Esteemed Contributor III

Should be possible to script that has the password salted, no? Inject the password, start/restart the service, remove the password. Totally grasping at straws, but...

--
https://donmontalvo.com

iJake
Valued Contributor

This is very common. Control access to your Tomcat servers and lock down what IPs/hosts can use MySQL credentials.

tlarkin
Honored Contributor

There is no vault or secure DB credential storage for Jamf (yet). Ideally, you would gate direct access to Tomcats behind some sort of appliance like HAProxy, Nginx, a VIP/Load balancer, etc. Then require a VPN connection or other forms of auth/access control to your direct host that is serving Tomcat. Then in your MySQL grants, be very explicit on what hosts can access the DB, as mentioned above.

This doesn't negate the fact that the credentials are stored in clear text, but it does add layers of access/security to the database itself.
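
Added example, not part of the thread or of Jamf's documentation: one way to make the MySQL grants host-explicit, as the replies above recommend, so that the clear-text password in the XML file is only usable from the Tomcat host. The account name `jamfsoftware`, the schema name `jamfsoftware`, the address `192.0.2.10` and the privilege set are assumptions; substitute your own values.

```sql
-- Constructed values (assumptions, not taken from the thread):
--   account  'jamfsoftware'     schema  jamfsoftware
--   Tomcat host address 192.0.2.10 (documentation range)

-- 1. Audit: list accounts that may connect from a wildcard host.
--    '%' in the host column means "any address that can reach MySQL".
SELECT user, host
FROM mysql.user
WHERE LOCATE('%', host) > 0
ORDER BY user, host;

-- 2. Weak form, shown for comparison only (left commented out):
--    anyone who reads the password can use it from any machine,
--    against every schema on the server.
-- CREATE USER 'jamfsoftware'@'%' IDENTIFIED BY '<password-placeholder>';
-- GRANT ALL PRIVILEGES ON *.* TO 'jamfsoftware'@'%';

-- 3. Corrected form: the account exists only for the Tomcat host and
--    is scoped to the one schema the application uses.
CREATE USER 'jamfsoftware'@'192.0.2.10'
  IDENTIFIED BY '<password-placeholder>';
GRANT ALL PRIVILEGES ON jamfsoftware.*
  TO 'jamfsoftware'@'192.0.2.10';

-- 4. Remove the wildcard account once the host-specific one works.
DROP USER IF EXISTS 'jamfsoftware'@'%';

-- 5. Verify what the remaining account can do and from where.
SHOW GRANTS FOR 'jamfsoftware'@'192.0.2.10';
```

With more than one Tomcat node behind a load balancer, repeat step 3 once per node address rather than widening the host pattern.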