RHBA-2017:1818 - Bug Fix Advisory

Topic

An updated ovirt-engine-extension-aaa-jdbc package is now available.

Description

The ovirt-engine-extension-aaa-jdbc package provides ovirt-aaa-jdbc-tool, a tool used to create, view, and manage users and groups on the internal domain. The tool can also be used to reset the password of the internal administrative user (admin@internal), and to create additional local domains.

Changes to the ovirt-engine-extension-aaa-jdbc component:

• Previously, administrators had to enter an unencrypted password when invoking 'ovirt-aaa-jdbc-tool user password-reset'. The password was then encrypted inside ovirt-aaa-jdbc-tool and stored in the database.

This update enables administrators to use the new --encrypted option to enter an already encrypted password when invoking 'ovirt-aaa-jdbc-tool user password-reset'.

However there are some caveats when providing encrypted passwords:

1. Entering an encrypted password means that password validity tests cannot be performed, so they are skipped and the password is accepted even if it does not comply with the password validation policy.

2. A password has to be encrypted using the same configured algorithm. To encrypt passwords, administrators can use the '/usr/share/ovirt-engine/bin/ovirt-engine-crypto-tool.sh' tool, which provides the 'pbe-encode' command to encrypt passwords using the default PBKDF2WithHmacSHA1 algorithm. (BZ#1452668)

Solution

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

For details on how to apply this update, refer to:

https://access.redhat.com/articles/2974891

Affected Products

• Red Hat Virtualization 4.1 x86_64

Fixes

• BZ - 1452668 - [downstream clone - 4.1.4] [RFE] possibility to enter encrypted passwords in --password option

CVEs

(none)

References

(none)