PlateSpin Orchestrate 2.0.2 Administrator Reference (Novell, 06-17-2009), Appendix A: PlateSpin Orchestrate Security. Sections A.1, User and Administrator Password Hashing Methods, and A.2, User and Agent Password Authentication.
A PlateSpin Orchestrate Security
This section explains various security issues related to PlateSpin Orchestrate:

- Section A.1, "User and Administrator Password Hashing Methods," on page 27
- Section A.2, "User and Agent Password Authentication," on page 27
- Section A.3, "Password Protection," on page 28
- Section A.4, "TLS Encryption," on page 28
- Section A.5, "Security for Administrative Services," on page 29
- Section A.6, "Plain Text Visibility of Sensitive Information," on page 30
A.1 User and Administrator Password Hashing Methods
All passwords stored in PlateSpin Orchestrate are hashed using Secure Hash Algorithm-1 (SHA-1). However, user passwords are no longer hashed when sent from the client to the server. Instead, the plain text password entered by the user is sent over an encrypted authentication connection to the server to obtain a unique per-session credential issued by the server. This allows the server to "plug in" to alternative user directories such as Active Directory or OpenLDAP. Agent credentials are still stored, singly hashed, on disk on the agent machine. This first hashing pass prevents "user friendly" passwords entered by administrators from being compromised by storing them on the agent machines. The server's password database (for agents, and for users not using an alternative user directory) stores all passwords in a double-hashed form to prevent a stolen password database from being used to obtain passwords.
WARNING: The zosadmin command line and the PlateSpin Orchestrate Development Client do not use SSL encryption, nor do they support TLS/SSL, so they should only be used over a secure network.

All agent and client connections support TLS encryption. This includes the zos command line and the PlateSpin Orchestrate Agent.
A.2 User and Agent Password Authentication
The PlateSpin Orchestrate Server stores all user and agent passwords in its data store as double-hashed strings. User clients such as the zos command send the plain text password over a TLS encrypted authentication connection to obtain a randomly generated per-session credential issued by the server. This session credential is retained by the client, either in memory or in a temporary disk file, for the duration of the session.

It is not possible to obtain the user's password from the session credential; however, the credential should be protected to prevent unauthorized users from taking over the session. Agents send a singly hashed password as their login credential, which is in turn hashed once more on the server to authenticate new agent connections. Upon authentication, agents receive the same type of session credential as user clients.
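A model of the two hashing schemes described in A.1 and A.2, as an added example and not Novell's own code: agents keep and present the password hashed once, while the server keeps it hashed twice and applies the remaining pass itself; for users the plain text password arrives over the TLS connection and the server applies both passes. The hex encoding, UTF-8 input, and the session credential format are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

def sha1_hex(data: str) -> str:
    # One SHA-1 pass over the UTF-8 bytes, hex encoded (encoding and format are assumptions)
    return hashlib.sha1(data.encode("utf-8")).hexdigest()

def agent_stored_credential(password: str) -> str:
    # What the agent keeps on its own disk and later presents at login: the password hashed once
    return sha1_hex(password)

def server_stored_credential(password: str) -> str:
    # What the server's password database keeps for agents and locally stored users: hashed twice
    return sha1_hex(sha1_hex(password))

def issue_session_credential() -> str:
    # Random per-session credential; the password cannot be derived from it
    return secrets.token_hex(16)

def server_authenticate_agent(db: Dict[str, str], agent_id: str, presented: str) -> Optional[str]:
    # Agent login: the agent presents its singly hashed password, the server hashes it
    # once more and compares (in constant time) with the double-hashed value it stores
    stored = db.get(agent_id)
    if stored is None or not hmac.compare_digest(sha1_hex(presented), stored):
        return None
    return issue_session_credential()

def server_authenticate_user(db: Dict[str, str], user_id: str, plaintext: str) -> Optional[str]:
    # User login: the plain text password arrives over the TLS-encrypted authentication
    # connection, so the server applies both hashing passes itself before comparing
    stored = db.get(user_id)
    if stored is None or not hmac.compare_digest(server_stored_credential(plaintext), stored):
        return None
    return issue_session_credential()

if __name__ == "__main__":
    # Constructed sample database: one agent and one locally stored user
    db = {"agent-01": server_stored_credential("agent-secret"),
          "alice": server_stored_credential("alice-password")}
    print(server_authenticate_agent(db, "agent-01", agent_stored_credential("agent-secret")))
    print(server_authenticate_user(db, "alice", "alice-password"))
    # A value copied from the server database is not a valid agent login credential
    print(server_authenticate_agent(db, "agent-01", db["agent-01"]))
```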