In Service Optimization configuration, sensitive settings are often stored in clear text,
which means that they are clearly readable to anyone with suitable access. Xoom addresses this
problem by transparently encrypting sensitive settings, making that information irretrievable from
XoomXML files while, at the same time, preserving all use cases.
- The content of an actual XML node containing sensitive information is replaced with a string
“xoom-encrypted:” followed by the encrypted content. Xoom
will automatically encrypt the content on retrieval and decrypt it on
deployment.
- The same setting within the same item is encrypted consistently. This makes the
encryption compatible with configuration versioning.
- One occasional exception to this is when the structure of the XML around the sensitive
setting changes. When that happens, the encrypted value may be different even though the
sensitive information itself remains the same. In those cases the item as a whole will
have changed anyway, so there is no false positive from the point of view of
configuration versioning or difference detection.
- The same content in different places in the configuration will be encrypted
differently. This adds security, as it makes it impossible for the attacker that knows one
password to find out where else that same password may be of use.
These features were introduced in Xoom 3.7, replacing the previous method of removing
sensitive information with the Remove Sensitive Information report. This had the
unfortunate side-effect of making it necessary to re-enter sensitive information on the target
system after deploying XoomXML files that have been cleaned in this way.
