encrypt username and password in provisioning requisitions and database
Description
Activity
Gabriela Lopez January 30, 2023 at 6:28 PM
Information Security risk assessed with new scoring methods.
New Rating: Low
CVSS: 7.7 x low likelihood .5 = 3.9
Antonio Russo November 9, 2012 at 12:38 PM
Because the rancid data should be written in clear text we need an option not only to encrypt but also to decrypt.
The best is to generate a public/private key for each OpenNMS installation.
The user that provides the username and password should encrypt this information using the "OpenNMS specific server public key".
OpenNMS then saves the data into the requisition and into the database using the encrypted value.
Then, when pushing the authentication data to the .cloginrc Rancid authentication file, it should use the private key to decrypt and send the password in clear text.
This should be easy to deploy.
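
The key-pair scheme proposed in the comment above, sketched in Java as an added example (not OpenNMS or Rancid adapter code). The "{RSA-OAEP}" prefix, the class and method names, the host name and the credentials are assumptions constructed for illustration; the "add user" / "add password" lines follow RANCID's .cloginrc syntax.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;
import javax.crypto.Cipher;

public class RequisitionSecretDemo {
    // Hypothetical marker so encrypted asset values can be told apart from legacy clear text.
    static final String PREFIX = "{RSA-OAEP}";
    static final String TRANSFORM = "RSA/ECB/OAEPWithSHA-256AndMGF1Padding";

    // Run by whoever supplies the credential: only the server's public key is needed.
    static String seal(PublicKey serverPub, String secret) throws GeneralSecurityException {
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.ENCRYPT_MODE, serverPub);
        byte[] ct = c.doFinal(secret.getBytes(StandardCharsets.UTF_8));
        return PREFIX + Base64.getEncoder().encodeToString(ct);
    }

    // Run by the server just before writing .cloginrc; clear-text values pass through unchanged.
    static String open(PrivateKey serverPriv, String stored) throws GeneralSecurityException {
        if (!stored.startsWith(PREFIX)) return stored;
        Cipher c = Cipher.getInstance(TRANSFORM);
        c.init(Cipher.DECRYPT_MODE, serverPriv);
        byte[] ct = Base64.getDecoder().decode(stored.substring(PREFIX.length()));
        return new String(c.doFinal(ct), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        // Per-installation key pair (held in memory here; a deployment would persist it).
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(3072);
        KeyPair server = kpg.generateKeyPair();

        // Constructed sample credentials, sealed as they would be stored in the asset fields.
        String user = seal(server.getPublic(), "rancid");
        String pass = seal(server.getPublic(), "s3cret-vty");
        String enable = seal(server.getPublic(), "s3cret-enable");
        System.out.println("stored password field: " + pass.substring(0, 40) + "...");

        String host = "router1.example.org";
        PrivateKey priv = server.getPrivate();
        System.out.printf("add user %s %s%n", host, open(priv, user));
        System.out.printf("add password %s %s %s%n", host, open(priv, pass), open(priv, enable));
    }
}
```

Because .cloginrc still ends up in clear text, as the thread notes, this covers the requisition and the assets table only, and the private key becomes the secret that has to be protected on the server.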
Antonio Russo November 9, 2012 at 12:33 PM
The RancidprovisioningAdapter is the only piece of software in opennms that uses that information.
I guess you are using the Rancid Adapter.
It has been written in the following way:
a) make sync between OpenNMS requisition and rancid group (OpenNMS is the master). That means that OpenNMS will write and delete entries in router.db according to the requisitions. The only constraint is that the OpenNMS requisition and the rancid group must have the same name.
b) OpenNMS also pushes the authentication data to .cloginrc. The way this is done is using the "username" "password" "enable" "autoenable" "connection" columns in the assets database table. (Well, usually when you provision the node you also provide that information in the requisition as an "asset field".) Here the problem is that if you do not provide that data to the RancidAdapter, then the "Authentication" is forced to use the default value in RancidAdapter.
BTW, the rancid .cloginrc is also a clear text file.
Users with ROLE_ADMIN are able to view the connection information in the Asset Detail Page too.
Details
Assignee
Unassigned
Reporter
Greg Petras
Affects versions
Priority
Major

Usernames and passwords for nodes in a requisition should be encrypted, which is a common security requirement in many environments.