Spotfire Ideas Portal
As per our security requirements, we need to change all our passwords per every 90 days. Our passwords are auto generated and stored in Secret Server which will expire the passwords and re-generate new ones every 90 days. So we need a way to change the Spotfire bootstrap password without having to completely re-generating the bootstrap file. we have many internal (CI/CD/QA/UAT) and external (PROD) environments and recreating the bootstrap with the exact same information is highly risky and error prone. We were hoping there is a CLI to change the bootstrap password by just providing the old password. We were surprised there is no easy way to do this. This is of high value to us. Appreciate if you could add this feature as a part of a future release or hotfix.
| Implemented in | 7.7 |
The same goes for update-bootstrap: https://docs.tibco.com/pub/spotfire_server/7.11.7/doc/html/TIB_sfire_server_tsas_admin_help/GUID-E594DFDE-2732-49C1-A748-D25B049E977A.html
The config-encryption was added in Spotfire Server 7.7 and is thus available in all subsequent versions: https://docs.tibco.com/pub/spotfire_server/7.11.7/doc/html/TIB_sfire_server_tsas_admin_help/GUID-659D4C45-553E-4AFB-A259-3ED88B3FFC4A.html
Hi,
Can you please let us know if this feature is added to Spotfire 7.11 as a hotfix or is it available only when we upgrade to a different version. If so, what version has this feature?
Thanks,
Vinodh Mylvaganam
Lead Software Engineer
5500 SW Meadows Road
Suite 300 Lake Oswego, Oregon 97035
Office 503-303-1161 | Mobile 971-227-8100
vmylvaganam@huronconsultinggroup.com
www.huronconsultinggroup.com
If you're referring to the encryption to the encryption password (that is stored in the bootstrap.xml file) then you can use the config-encryption command (added in 7.7). Other information can be updated using the update-bootstrap command (also added in 7.7).
If your bootstrap password is compromised then you can go and recreate the bootstrap file using the relevant command, I don't see any problem there. Your requirement was based in the need to change passwords every 90 days, which I think it's nonsense as it's an outdated security practice. And if you bootstrap password is getting compromised on a frequent basis then you should look at why that happens (address the root cause) rather than putting a process in place to address the effect.
In any case it looks like you are asking for something that's already there as the update-bootstrap config command lets you update bootstrap files.
https://docs.tibco.com/pub/spotfire_server/7.9.0/doc/html/TIB_sfire_server_tsas_admin_help/GUID-E594DFDE-2732-49C1-A748-D25B049E977A.html
So, are you saying if the bootstrap password is compromised somehow, we are never to change it? All that we are asking is for a way to change the bootstrap password without having to recreate the bootstrap. Any application that is secured with a password should have some way to change it when needed. Be it getting changed on a periodic basis or not is secondary. There should definitely be a way to change it if the password is forgotten or compromised.
And for your information, this request is not from our IT department. This is coming from our clients IT departments. We are not going to advise all of them with the NIST recommendations.
This is nonsense. You shouldn't be changing Application passwords. In fact NIST (the National Institute of Standards and Technology) has finally changed their advice and now they recommend no more periodic password changes. Talk to your IT Security team and have them update their policies based on the best practice.
https://venturebeat.com/2017/04/18/new-password-guidelines-say-everything-we-thought-about-passwords-is-wrong/