add-user utility FIPS compliance

Does anyone know the algorithm/compliance inherent in the add-user utility when it adds a user/password to application-users.properties file?

For example:

./add-user joe password

In the *.properties file you see

joe=<long string of characters>

What is the process/algorithm in use to convert "password" to "<long string of characters>" and is that process/algorithm FIPS 140-2 compliant?


v/r

Ben

Responses

Welcome, Ben! Hopefully we have some users here who are knowledgeable about achieving FIPS compliance. If you don't see a response shortly I'll see if I can track down a Red Hat expert for you.

Hi,

The property-based security domain uses:

# By default the properties realm expects the entries to be in the format: -
# username=HEX( MD5( username ':' realm ':' password))

So not FIPS compliant, but we consider this to be fit for development security only.

For production you should really switch to, for example, the LDAP module. Other security mechanisms can be used via standard JAAS.


Kind regards

Tom
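To make the format Tom quotes concrete, here is an added Python example (not code from the thread or from the add-user script) that computes the HEX(MD5(username ':' realm ':' password)) entry, parses a *-users.properties file and verifies a candidate password against it. The realm name "ApplicationRealm" and the sample file contents are assumptions constructed for the example.

```python
import hashlib
import hmac

# Realm name is an assumption for this example; the thread does not state it.
REALM = "ApplicationRealm"


def properties_realm_digest(username: str, realm: str, password: str) -> str:
    """HEX( MD5( username ':' realm ':' password ) ), the format quoted above.

    MD5 is not a FIPS 140-2 approved algorithm; on a FIPS-enforcing OpenSSL
    build this call itself can raise ValueError, which is the practical
    consequence of the point made in the reply.
    """
    data = f"{username}:{realm}:{password}".encode("utf-8")
    return hashlib.md5(data).hexdigest()


def parse_users_properties(text: str) -> dict:
    """Parse 'username=digest' lines from a *-users.properties file."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines carry no entries
        user, sep, digest = line.partition("=")
        if sep:
            entries[user.strip()] = digest.strip().lower()
    return entries


def verify_password(entries: dict, username: str, realm: str, password: str) -> bool:
    """Check a candidate password against a stored entry (constant-time compare)."""
    stored = entries.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored, properties_realm_digest(username, realm, password))


# Constructed sample file: the digest is generated here, not copied from a real install.
SAMPLE_PROPERTIES = (
    "# By default the properties realm expects the entries to be in the format: -\n"
    "# username=HEX( MD5( username ':' realm ':' password))\n"
    f"joe={properties_realm_digest('joe', REALM, 'password')}\n"
)
SAMPLE_ENTRIES = parse_users_properties(SAMPLE_PROPERTIES)

if __name__ == "__main__":
    print(SAMPLE_PROPERTIES)
    print("correct password:", verify_password(SAMPLE_ENTRIES, "joe", REALM, "password"))
    print("wrong password:  ", verify_password(SAMPLE_ENTRIES, "joe", REALM, "passw0rd"))
```

Because the realm name is part of the digested string, an entry copied between files that use different realm names will not verify, which is one reason the file header documents the format.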


Tom,

Thanks for the timely response.

v/r

Ben

Ben,

for completeness' sake: the entries generated by the script "add-user.sh" are in fact FIPS compliant as we enforce the rules when entering a password. But you can bypass this by editing the property file manually, of course, which is why I mentioned not to use this in production.

Kind regards
Tom