Hi all,
Any reference or documents to share on the above-mentioned topic?
Thanks
http://www.vmware.com/files/pdf/techpaper/VMW_10Q3_WP_vCloud_Director_Security.pdf
page 32
"User Password Protection
LDAP users’ passwords are stored in the LDAP directories. They are never stored in the vCloud Director
database. They are transmitted using the method chosen in LDAP configuration. It is recommended that you use
SSL and, if available on the target directory, Kerberos.
Local users’ passwords are salted and hashed before storage in the Oracle database. The plain text password
cannot be recovered from the database. Users are authenticated by hashing the presented password and
comparing it to the contents of their password field in the database.
The vCloud Director also maintains passwords for accessing the private keys associated with its TLS/SSL
certificates as well as the passwords to the Oracle database, vCenter servers, and vShield manager servers as
mentioned above. These passwords are encrypted using a unique key per vCloud Director installation and stored
in the $VCLOUD_HOME/etc/global.properties file. As mentioned earlier in this document, carefully protect
any backups that contain that file."
Please note that this might have been written when Oracle was the only supported database. Microsoft SQL Server can be swapped out for the term Oracle where it appears.
What do you mean, and how so?
Like storing passwords? Or when a user logs in?
It is more like storing user ID & password.
The DB only stores hashed passwords. When a user logs in, the password is hashed in the instance of the website and the hash is compared to what's in the database. I know it's more complicated than that, but in simple terms that's what happens.
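The salted-hash storage and login check described in the white paper excerpt and in the reply above, as an added example that is not part of the original thread and is not vCloud Director's code. The white paper does not name the algorithm, so PBKDF2-HMAC-SHA256, the iteration count and the `$`-separated record format are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"   # assumed scheme, not taken from the white paper
ITERATIONS = 600_000          # assumed work factor
MAX_ITERATIONS = 10_000_000   # refuse absurd values read back from a record
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Build the value that would be written to the user's password field."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(presented: str, stored: str) -> bool:
    """Hash the presented password with the stored salt and compare."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        rounds = int(iterations)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algorithm != ALGORITHM or not 0 < rounds <= MAX_ITERATIONS:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", presented.encode("utf-8"),
                                    salt, rounds)
    # Constant-time comparison so timing does not leak how many bytes matched.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    sample = "constructed-Passw0rd!"      # constructed sample password
    alice = hash_password(sample)
    bob = hash_password(sample)           # same password, different salt
    print("alice:", alice)
    print("bob:  ", bob)
    print("records differ:", alice != bob)
    print("correct login:", verify_password(sample, alice))
    print("wrong login:  ", verify_password("guess", alice))
```

For an audit, the points to confirm are that the stored field contains only the salt and digest, that two users with the same password get different records, and that a malformed record is rejected rather than accepted.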
Thanks for the info. Do you have any link or doc which shares such info? I am currently being audited by my internal auditor on this part and would need some documentation on it.