cheers m8.
no idea if this deserves a CVE or not. that's your call :)
we'll wait for the update, then.
thanks again.
Original Message:
Sent: Oct 09, 2023 05:09 AM
From: vasilyotov
Subject: HPE iMC: plain text passwords in imcforeground.log
Hello,
thank you for the information.
We have a confirmation from our engineering team that the issue will be fixed in the E0710P02 this month.
Regards,
Vasil
Original Message:
Sent: Oct 06, 2023 05:19 AM
From: EBZ-IT
Subject: HPE iMC: plain text passwords in imcforeground.log
thanks for your reply.
the logs were taken from version E0710.
Original Message:
Sent: Oct 06, 2023 01:30 AM
From: vasilyotov
Subject: HPE iMC: plain text passwords in imcforeground.log
Hello,
are the logs from E0708 or E0710? I want to test it in the lab
Regards.
Vasil
Original Message:
Sent: Oct 05, 2023 03:41 AM
From: EBZ-IT
Subject: HPE iMC: plain text passwords in imcforeground.log
dear iMC pros,
after struggling with LDAP logon problems following a PLAT upgrade from E0708 to E0710, i took a look into the imcforeground.log file and was flabbergasted to find entries like these:
2023-10-04 11:59:43 [INFO ] [http-nio-8443-exec-10] [com.imc.plat.operator.view.OperatorBean::onLogin] deCodePwdFlag is true
2023-10-04 11:59:43 [INFO ] [http-nio-8443-exec-10] [com.imc.plat.operator.view.OperatorBean::onLogin] old nameVal is f8[DELETED]password is f0[DELETED]
2023-10-04 11:59:43 [INFO ] [http-nio-8443-exec-10] [com.imc.plat.operator.view.OperatorBean::onLogin] new name is [user name]password is [plain text password!!]
2023-10-04 12:54:37 [INFO ] [http-nio-8443-exec-19] [com.imc.plat.operator.view.OperatorBean::onLogin] deCodePwdFlag is true
2023-10-04 12:54:37 [INFO ] [http-nio-8443-exec-19] [com.imc.plat.operator.view.OperatorBean::onLogin] old nameVal is 5b[DELETED]password is 7e[DELETED]
2023-10-04 12:54:37 [INFO ] [http-nio-8443-exec-19] [com.imc.plat.operator.view.OperatorBean::onLogin] new name is adminpassword is [plain text password!!]
and i have to respectfully ask: WTF?!
tested with LDAP and TACACS authentication.
searching through the settings and some CONF files, i could not find a way to turn off that ominous deCodePwdFlag flag. the only way to at least suppress this behaviour was for me to turn the jserver log level from INFO to WARN.
have i done something wrong?
has anyone else experienced this?
how do i turn this off altogether?
why would anyone want to write plain text passwords to log files?!?
cheers!
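Until the fix lands, a defender's first job is to find out whether an existing imcforeground.log has already leaked credentials and to redact it before it is forwarded or shared. The script below is an added example, not code from the thread or from HPE: it parses the log layout quoted above, flags `OperatorBean::onLogin` lines that carry a `password is` value, and returns a redacted copy. The sample lines and all user names and secrets in them are constructed.

```python
import re
from dataclasses import dataclass

# Constructed sample lines in the imcforeground.log layout quoted in the post.
# User names and passwords here are made up for the example.
SAMPLE_LOG = """\
2023-10-04 11:59:43 [INFO ] [http-nio-8443-exec-10] [com.imc.plat.operator.view.OperatorBean::onLogin] deCodePwdFlag is true
2023-10-04 11:59:43 [INFO ] [http-nio-8443-exec-10] [com.imc.plat.operator.view.OperatorBean::onLogin] new name is jdoepassword is Example-Secret-1
2023-10-04 12:54:37 [INFO ] [http-nio-8443-exec-19] [com.imc.plat.operator.view.OperatorBean::onLogin] new name is adminpassword is Hunter2!
2023-10-04 12:55:01 [WARN ] [http-nio-8443-exec-19] [com.imc.plat.operator.view.OperatorBean::onLogin] login failed for admin
"""

# timestamp, level, thread, class::method, free-text message
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"\[(?P<level>\w+)\s*\] \[(?P<thread>[^\]]+)\] \[(?P<source>[^\]]+)\] (?P<msg>.*)$"
)
# The message runs the user name straight into the literal "password is" with no
# separator, so the only reliable split point is that literal.
PWD_RE = re.compile(r"^(?P<prefix>(?:new name|old nameVal) is .*?)password is (?P<secret>.*)$")


@dataclass
class Finding:
    ts: str
    thread: str
    source: str
    redacted: str  # the offending line with the secret replaced


def scan(log_text):
    """Return (findings, redacted_lines): one Finding per line that leaks a
    credential, plus a copy of the whole log that is safe to forward."""
    findings, redacted_lines = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        p = PWD_RE.match(m["msg"]) if m else None
        if m and p and m["source"].endswith("OperatorBean::onLogin"):
            safe_line = line[: m.start("msg")] + f"{p['prefix']}password is [REDACTED]"
            findings.append(Finding(m["ts"], m["thread"], m["source"], safe_line))
            redacted_lines.append(safe_line)
        else:
            redacted_lines.append(line)  # unparsable or harmless: keep as-is
    return findings, redacted_lines


if __name__ == "__main__":
    hits, clean = scan(SAMPLE_LOG)
    print(f"{len(hits)} line(s) leaked a credential")
    print("\n".join(clean))
```

Running it on the real file is only the triage step; the finding list tells you which accounts need a password rotation, and the redacted copy is what goes to the ticket.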