Posted to users@tomcat.apache.org by William Lee <wl...@sendmail.com> on 2001/10/12 19:10:58 UTC

Shutdown more securely

From what I've read it seems like Tomcat has this notion of a shutdown 
TCP port which allows anyone from localhost to shut down the server, given 
that they know the shutdown command.  Is there any way to make this more 
secure?  I can probably vary the shutdown= attribute in the server.xml, 
but isn't that the same as having a plain password in a text file?  I 
thought of a couple of schemes that may make this more secure.  Can 
somebody tell me whether each is viable/stupid/overkill?

1. Of course, you need to prompt the user for a different shutdown 
string than "SHUTDOWN", and make server.xml readable only to the user.

2. Each time you start tomcat, generate a different server.xml with a 
random string as the shutdown= attribute.

3. Hack tomcat and insert my own platform dependent auth scheme to check 
whether the user has the privilege to shutdown the server.


I'm just saying this since my manager is worried about this and our 
product running in an environment where even localhost can't be trusted. 
Any suggestion is greatly appreciated.  Thanks,

-- 
William Lee (Will)        | Sendmail Inc.
Email:  wlee@sendmail.com | http://www.sendmail.com
Tel:    (510) 594-5505    |


Running Tomcat 4.0 SSL on one unix box with different certificates for each virtual host.

Posted by Marat Nepomnyashy <ma...@kemperent.com>.
Hi,

We have a unix box on which we run several shopping cart sites, each under
a different virtual domain name, i.e. each site has its own virtual host
on the same machine.

Each site uses SSL on port 8443 for secure credit card and password
transactions.

As far as I know each unique domain name requires a unique security
certificate made specifically for that domain name.  The name field of
the security certificate must exactly match the domain name of the
website, otherwise the browser throws a fuss.

The security certificate sent by Tomcat is generated by command:

keytool -genkey -alias tomcat -keyalg RSA

But the problem is that there can be only 1 security certificate
with a given alias, so the following error message is printed:

keytool error: java.lang.Exception: Key pair not generated, alias <tomcat>
already exists



Does anybody know how to have several security certificates, one for each
virtual domain name?


Sincerely,
Marat


Re: Shutdown more securely

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Fri, 12 Oct 2001, William Lee wrote:

> Date: Fri, 12 Oct 2001 10:10:58 -0700
> From: William Lee <wl...@sendmail.com>
> Reply-To: tomcat-user@jakarta.apache.org
> To: tomcat-user <to...@jakarta.apache.org>
> Subject: Shutdown more securely
>
> From what I've read it seems like Tomcat has this notion of a shutdown
> TCP port which allows anyone from localhost to shut down the server, given
> that they know the shutdown command.  Is there any way to make this more
> secure?  I can probably vary the shutdown= attribute in the server.xml,
> but isn't that the same as having a plain password in a text file?  I
> thought of a couple of schemes that may make this more secure.  Can
> somebody tell me whether each is viable/stupid/overkill?
>

Various approaches to this have been suggested, but none so far have
seemed feasible in *all* circumstances (i.e. in order to make it a
default).

One thing to note is that, for most installations, this issue is actually
much broader than just the shutdown password.  Where do *you* store the
username/password for your database connections?  Or the password to your
SSL certificates file?  These are some of the other things that will
typically be found in configuration files somewhere in the Tomcat
directory hierarchy.

Obviously, a first step in a localhost-hostile environment is to make the
$CATALINA_HOME directory readable only by the username under which Tomcat
is running.  A possible exception might be your log file directory,
depending on whether it contains sensitive information you don't want to
share.  (A few years ago, there was a particular version of a very popular
database that logged the database administrator's username and password in
a debugging message to a world-readable log file ...).

> 1. Of course, you need to prompt the user for a different shutdown
> string than "SHUTDOWN", and make server.xml readable only to the user.
>

Implementing such a prompt would not be terribly difficult -- Tomcat 4
includes the notion of a LifecycleListener (i.e. an implementation of
org.apache.catalina.LifecycleListener) that you can register in the
server.xml file to be notified of startup and shutdown events:

  <Server port="8005" shutdown="SHUTDOWN">

    <Listener className="com.mycompany.MyShutdownPasswordSetter"/>

    ....

  </Server>

If you go this way, I would *not* suggest actually writing the password
out to a revised copy of server.xml (it kinda defeats the purpose of
asking) ... but this will also mess up your ability to perform an
automated shutdown by an authorized user who doesn't know the password.

> 2. Each time you start tomcat, generate a different server.xml with a
> random string as the shutdown= attribute.
>

If the value is in the file, and is therefore readable, how is this
actually any more secure than a value you hand-configure?

> 3. Hack tomcat and insert my own platform dependent auth scheme to check
> whether the user has the privilege to shutdown the server.
>

This can be done by subclassing the
org.apache.catalina.core.StandardServer class, and doing whatever you
want.  To configure it in server.xml, just identify the classname:

  <Server port="8005" shutdown="SHUTDOWN"
     className="com.mycompany.MyStandardServer">

>
> I'm just saying this since my manager is worried about this and our
> product running in an environment where even localhost can't be trusted.
> Any suggestion is greatly appreciated.  Thanks,
>

In a security-sensitive environment, the shutdown password is important
... but it's not the only thing that is important.  Be sure to think about
all the other sensitive configuration information you have lying around as
well.

> --
> William Lee (Will)        | Sendmail Inc.
> Email:  wlee@sendmail.com | http://www.sendmail.com
> Tel:    (510) 594-5505    |
>
>

Craig McClanahan
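The LifecycleListener approach Craig sketches above, written out as an added example (not code from the original thread or from Tomcat itself): it prompts on the console when the Server starts and installs the answer with Server.setShutdown(), so the real command never lands in server.xml. The class name com.mycompany.MyShutdownPasswordSetter is the placeholder from Craig's reply, and the 12-character minimum is an assumed local policy.

```java
// Added example, not part of the original post. Register in server.xml as
//   <Listener className="com.mycompany.MyShutdownPasswordSetter"/>
// directly inside <Server>; the shutdown= value in the file then only matters
// until this listener replaces it in memory at startup.
package com.mycompany;

import java.io.BufferedReader;
import java.io.Console;
import java.io.IOException;
import java.io.InputStreamReader;

import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Server;

public class MyShutdownPasswordSetter implements LifecycleListener {

    /** Assumed local policy, not a Tomcat rule. */
    private static final int MIN_LENGTH = 12;

    public void lifecycleEvent(LifecycleEvent event) {
        // Act only on the Server's own START_EVENT; StandardServer.await(),
        // which compares incoming commands against the shutdown string, runs
        // after start() has completed, so the new value is in place in time.
        if (!Lifecycle.START_EVENT.equals(event.getType())
                || !(event.getLifecycle() instanceof Server)) {
            return;
        }
        Server server = (Server) event.getLifecycle();
        String secret = readSecret();
        if (secret == null || secret.length() < MIN_LENGTH) {
            // Fail startup rather than silently keep the well-known default.
            throw new IllegalStateException(
                "shutdown command must be at least " + MIN_LENGTH + " characters");
        }
        server.setShutdown(secret); // held in memory only, never persisted
    }

    private String readSecret() {
        Console console = System.console();
        if (console != null) {
            char[] pw = console.readPassword("Tomcat shutdown command: ");
            return pw == null ? null : new String(pw);
        }
        // No TTY (started from a script): fall back to stdin, which echoes.
        try {
            return new BufferedReader(new InputStreamReader(System.in)).readLine();
        } catch (IOException e) {
            return null;
        }
    }
}
```

As Craig notes, this trades away unattended shutdown: anything that stops Tomcat by script now has to obtain the command some other way.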