7.3 Password Protection

Protect the passwords and credentials on both the Cloud Manager Orchestration Server and the Cloud Manager Orchestration Agents. On the server, ensure that only the user account the Orchestration Server runs as (root or Administrator, by default) has access to the /store and /tls directories, so that general users cannot obtain the password. On agents, allow only the agent user (normally root or Administrator) to access the agent.properties file, which contains the agent's authentication credential.

The Orchestration Server itself restricts file access on the server, but as an additional precaution we recommend that you do not give general users shell accounts on server machines.

For users, none of the NetIQ-provided client utilities stores the user-entered password to disk in either plain-text or hashed form. However, temporary once-per-session credentials are stored to disk in the user's $HOME/.novell/zos/client directory. Theft of this session credential could allow someone else to take over that user session, but not to steal the user's password. Users can protect their logged-in session by making sure that the permissions on either their home directory or the ~/.novell/zos/client directory forbid both read and write access by other users.
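The checks above come down to one question per path: does anyone other than the owner have any permission on it? The following POSIX shell functions are an added example (not part of the NetIQ documentation) that audit the server directories, the agent credential file and the per-session client directory named in this section, and tighten any that are exposed. The location of agent.properties is not given on this page, so it is assumed to be supplied through AGENT_PROPERTIES; the other paths are the ones the text names.

```shell
#!/bin/sh
# Added example, not NetIQ code: audit the credential-bearing paths named in
# this section. The agent.properties location is an assumption; pass your
# install's path via AGENT_PROPERTIES.

# is_private PATH: succeed (0) if PATH exists and its group/other permission
# bits are all clear, so only the owner can read, write or traverse it.
# Returns 2 if PATH does not exist. Reads the mode string printed by `ls -ld`,
# which is portable across GNU and BSD userlands (unlike stat's flags).
is_private() {
  [ -e "$1" ] || return 2
  mode=$(ls -ld "$1" | cut -c5-10)   # characters 5-10 are the group/other bits
  [ "$mode" = "------" ]
}

# make_private PATH: strip every group/other permission (chmod go-rwx) while
# leaving the owner's bits alone, so 0755 becomes 0700 and 0644 becomes 0600.
make_private() {
  [ -e "$1" ] || return 2
  chmod go-rwx "$1"
}

# audit_private_paths PATH...: print one line per path and return the number
# of existing paths that are still readable or writable by other users.
# Missing paths are reported but not counted as problems.
audit_private_paths() {
  problems=0
  for p in "$@"; do
    if is_private "$p"; then
      rc=0
    else
      rc=$?   # exit status of the is_private call above
    fi
    case $rc in
      0) echo "ok       $p" ;;
      2) echo "missing  $p" ;;
      *) echo "EXPOSED  $p ($(ls -ld "$p" | cut -c1-10))"
         problems=$((problems + 1)) ;;
    esac
  done
  return $problems
}

# Default set: server credential stores, the agent credential file, and the
# current user's per-session client credentials.
audit_private_paths /store /tls "${AGENT_PROPERTIES:-agent.properties}" "$HOME/.novell/zos/client"
```

Run it as the server or agent user on the respective machine; a non-zero exit status means at least one listed path is exposed. The check deliberately treats any group or other bit as a failure, including execute on a directory, because traversal alone lets another local user reach files by name inside ~/.novell/zos/client.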

Orchestration Agents use the same authentication protocol and password hashing as users (agent passwords are stored to disk in hashed form, not plain text), with one exception: agent passwords are not salted, which is what allows the server to rename an agent without invalidating its stored credential. Because the hash is unsalted, an agent password chosen from dictionary words or other mnemonic strings can be recovered from its hash with precomputed tables, so we recommend that you generate random, non-mnemonic strings for agent passwords.

Administrators can enhance security when configuring new agents by setting the zos.agent.password property to an asterisk ( * ). The agent then generates a new random credential that is not based on any easily guessable plain-text word. When the administrator accepts the new agent, the server stores the generated credential. This is the default behavior when the Orchestration Agent is first installed.

In addition, the zos.agent.password property can be set to a plain-text password in agent.properties. If this is done, the agent replaces the plain-text password with its hashed form the next time it starts. This makes it easier for administrators to set up an initial password for agents, but note that the password is present in plain text in agent.properties until that restart, which is one more reason to keep the file readable only by the agent user.
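When you do seed an agent with a plain-text initial password rather than leaving the default asterisk, the two preceding recommendations apply together: the value should be random and non-mnemonic because the stored hash is unsalted, and the file should never be readable by other users while the plain text sits in it. The following POSIX shell functions are an added example (not NetIQ code) that do both. The agent.properties path is an assumption and is passed by the caller; the demonstration at the end works on a constructed temporary copy, not a live file.

```shell
#!/bin/sh
# Added example, not NetIQ code: seed an agent's initial credential with a
# random, non-mnemonic string and write it to agent.properties so that no
# other local user can read it before the agent hashes it on its next start.
# The agent.properties location is an assumption; pass your install's path.

# random_agent_password [LEN]: LEN (default 32) characters drawn uniformly
# from A-Za-z0-9 by rejection sampling bytes from /dev/urandom. Discarding
# bytes outside the alphabet (tr -dc) avoids the modulo bias a `% 62` would
# introduce. LC_ALL=C makes tr work on single bytes regardless of locale.
random_agent_password() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-32}"
}

# set_agent_password FILE PASSWORD: replace (or add) the zos.agent.password
# line in FILE, keeping every other property. The new file is built under
# umask 077, so it is created mode 0600 and never passes through a
# world-readable state; the final rename swaps it into place atomically.
# Run this as the agent user so the file keeps the right owner.
set_agent_password() {
  file=$1
  password=$2
  tmp="$file.tmp.$$"
  (
    umask 077
    if [ -f "$file" ]; then
      # grep -v exits 1 when no other lines remain; that is not an error here
      grep -v '^zos\.agent\.password=' "$file" > "$tmp" || true
    else
      : > "$tmp"
    fi
    printf 'zos.agent.password=%s\n' "$password" >> "$tmp"
  ) || return 1
  mv "$tmp" "$file"
}

# Demonstration against a constructed sample, never a live agent.properties.
demo=$(mktemp)
printf '# constructed sample agent.properties\nzos.agent.password=*\n' > "$demo"
set_agent_password "$demo" "$(random_agent_password 32)"
ls -l "$demo"
cat "$demo"
rm -f "$demo"
```

Record the generated string wherever you need it for accepting the agent, then start the agent; after its first start the line holds the hash, and the plain text exists only in your records. Where you do not need to know the initial value, leaving zos.agent.password at the default asterisk avoids the plain-text window entirely.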