Posted to users@tomcat.apache.org by Vijay <am...@gmail.com> on 2010/08/27 11:41:23 UTC

clear text keystore password in server.xml

Hello,
         I am looking to secure the keystore password that is stored as
clear text in server.xml.
Looking at the various online forums, here are the suggested options I came
across:

   1. Restrict the access permissions of server.xml so that only the
   administrator is able to access server.xml
   2. Do not save the keystore password in server.xml. Instead use the
   system property -Djavax.net.ssl.keyStorePassword="clear text keystore
   password" to pass the password to Tomcat. [This is available in Tomcat
   5.5.29 onwards: <https://issues.apache.org/bugzilla/show_bug.cgi?id=38774>]


The problem with both approaches is that the password is in clear text, and
we deem it a potential security risk.

I am looking for a way to use only encrypted passwords.

I am looking to write a wrapper class that decrypts the password passed as
an environment variable to tomcat, and then sets the system property
javax.net.ssl.keyStorePassword inside the JVM itself.

Something along the lines of:

import org.apache.catalina.startup.Bootstrap;

public class WrapperTomcatBootstrap {

    public static void main(String args[]) {
        // The encrypted password arrives through the environment of the Tomcat process.
        String encryptedKeystorePassword =
            System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
        if (encryptedKeystorePassword != null) {
            // PcsfCryptographer is the poster's own decryption helper, not a Tomcat class.
            String decryptedPassword =
                PcsfCryptographer.decryptData(encryptedKeystorePassword);
            // Make the clear-text value available to JSSE when the keystore is loaded.
            System.setProperty("javax.net.ssl.keyStorePassword",
                decryptedPassword);
        }
        // Hand off to Tomcat's normal bootstrap with the original arguments.
        Bootstrap.main(args);
    }
}

For some reason this doesn't seem to work. Tomcat is listening in both
http/https mode, requests to the http port are getting redirected to the https
port.. but no web pages are being served. Nothing in the logs either :(


   - Are there any problems with the approach above?
   - Is there a better way to work with encrypted passwords?

The Tomcat version I am using is 5.5.30.

Thanks in advance for any pointers/suggestions in this direction!
Vijay

Re: [OT] clear text keystore password in server.xml

Posted by Pid <pi...@pidster.com>.
On 04/09/2010 12:41, Pid wrote:
> On 04/09/2010 11:05, Rainer Jung wrote:
>> On 02.09.2010 18:55, Pid wrote:
>>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>>> Pid,
>>>>
>>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>>> ..lots of info is available by JMX, once the server is up.  In Java 6
>>>>> you can attach to the process locally, without having to configure the
>>>>> JMX ports because it injects the management agent into the virtual
>>>>> machine.
>>>>
>>>> I hadn't considered that, never having used JMX. Are you saying that
>>>> anyone with local access can snoop a JVM? What are the strategies
>>>> available to prohibit that? Can you disable local JMX altogether? How
>>>> about some kind of authentication?
>>>
>>> Pretty much.  I'm not sure how to disable it, I've only just got the
>>> hang of enabling it.
>>>
>>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>>
>>>
>>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
>>> for that.
>>
>> I thought it uses a local file created by the JVM which only allows
>> access, if you are the same user (or root). The marketing terminology
>> for this Java 6 feature was "attach on demand".
> 
> OK, that's useful to know.  I was assuming there was a JVM option to
> prevent dynamic attachments, but that I just hadn't found it.  File perm
> based restrictions make sense.

It's possible to prevent attachment via the SecurityManager.  Obvious
really. Doh.


p


Re: [OT] clear text keystore password in server.xml

Posted by Pid <pi...@pidster.com>.
On 04/09/2010 11:05, Rainer Jung wrote:
> On 02.09.2010 18:55, Pid wrote:
>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>> Pid,
>>>
>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>> ..lots of info is available by JMX, once the server is up.  In Java 6
>>>> you can attach to the process locally, without having to configure the
>>>> JMX ports because it injects the management agent into the virtual
>>>> machine.
>>>
>>> I hadn't considered that, never having used JMX. Are you saying that
>>> anyone with local access can snoop a JVM? What are the strategies
>>> available to prohibit that? Can you disable local JMX altogether? How
>>> about some kind of authentication?
>>
>> Pretty much.  I'm not sure how to disable it, I've only just got the
>> hang of enabling it.
>>
>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>
>>
>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
>> for that.
> 
> I thought it uses a local file created by the JVM which only allows
> access, if you are the same user (or root). The marketing terminology
> for this Java 6 feature was "attach on demand".

OK, that's useful to know.  I was assuming there was a JVM option to
prevent dynamic attachments, but that I just hadn't found it.  File perm
based restrictions make sense.

> See also
> 
> http://weblogs.java.net/blog/emcmanus/archive/2005/09/mustang_jdk_now.html
> 
> with some examples here:
> 
> http://blogs.sun.com/sundararajan/entry/using_mustang_s_attach_api
> 
> http://blogs.sun.com/sundararajan/entry/my_experiments_with_attach_on
> 
> and API Javadoc:
> 
> http://download-llnw.oracle.com/javase/6/docs/jdk/api/attach/spec/index.html

Excellent, thanks, I'll have a read.


p

Re: [OT] clear text keystore password in server.xml

Posted by Rainer Jung <ra...@kippdata.de>.
On 02.09.2010 18:55, Pid wrote:
> On 02/09/2010 17:31, Christopher Schultz wrote:
>> Pid,
>>
>> On 9/2/2010 11:51 AM, Pid wrote:
>>> ..lots of info is available by JMX, once the server is up.  In Java 6
>>> you can attach to the process locally, without having to configure the
>>> JMX ports because it injects the management agent into the virtual machine.
>>
>> I hadn't considered that, never having used JMX. Are you saying that
>> anyone with local access can snoop a JVM? What are the strategies
>> available to prohibit that? Can you disable local JMX altogether? How
>> about some kind of authentication?
>
> Pretty much.  I'm not sure how to disable it, I've only just got the
> hang of enabling it.
>
> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>
> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
> for that.

I thought it uses a local file created by the JVM which only allows 
access, if you are the same user (or root). The marketing terminology 
for this Java 6 feature was "attach on demand".

See also

http://weblogs.java.net/blog/emcmanus/archive/2005/09/mustang_jdk_now.html

with some examples here:

http://blogs.sun.com/sundararajan/entry/using_mustang_s_attach_api

http://blogs.sun.com/sundararajan/entry/my_experiments_with_attach_on

and API Javadoc:

http://download-llnw.oracle.com/javase/6/docs/jdk/api/attach/spec/index.html

Regards,

Rainer

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: [OT] clear text keystore password in server.xml

Posted by Pid <pi...@pidster.com>.
On 02/09/2010 17:31, Christopher Schultz wrote:
> Pid,
> 
> On 9/2/2010 11:51 AM, Pid wrote:
>>> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>>>> 1. Use a password entered on the console during start-up (the "Apache
>>>>     httpd strategy")
> 
>> java.io.Console makes this easy in Java 6, but...
> 
> Right: before Java 6, you'd have to enter the password clear-text on the
> console. :(
> 
>>>> All other strategies simply move the problem to some other component.
>>>> Protecting one password requires another password which requires
>>>> protecting which ... you get the idea.
> 
>> ..lots of info is available by JMX, once the server is up.  In Java 6
>> you can attach to the process locally, without having to configure the
>> JMX ports because it injects the management agent into the virtual machine.
> 
> I hadn't considered that, never having used JMX. Are you saying that
> anyone with local access can snoop a JVM? What are the strategies
> available to prohibit that? Can you disable local JMX altogether? How
> about some kind of authentication?

Pretty much.  I'm not sure how to disable it, I've only just got the
hang of enabling it.

http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html

Also: sun.management.ConnectorAddressLink, but I can't find a javadoc
for that.


p

>> Worse, if they're already on your server they've probably got a much
>> bigger surface area to attack, than just Tomcat.  And if they get root,
>> it's all over.
> 
> +1
> 
> -chris




Re: [OT] clear text keystore password in server.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Pid,

On 9/2/2010 11:51 AM, Pid wrote:
>> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>>> 1. Use a password entered on the console during start-up (the "Apache
>>>     httpd strategy")
> 
> java.io.Console makes this easy in Java 6, but...

Right: before Java 6, you'd have to enter the password clear-text on the
console. :(

>>> All other strategies simply move the problem to some other component.
>>> Protecting one password requires another password which requires
>>> protecting which ... you get the idea.
> 
> ..lots of info is available by JMX, once the server is up.  In Java 6
> you can attach to the process locally, without having to configure the
> JMX ports because it injects the management agent into the virtual machine.

I hadn't considered that, never having used JMX. Are you saying that
anyone with local access can snoop a JVM? What are the strategies
available to prohibit that? Can you disable local JMX altogether? How
about some kind of authentication?

> Worse, if they're already on your server they've probably got a much
> bigger surface area to attack, than just Tomcat.  And if they get root,
> it's all over.

+1

-chris



Re: clear text keystore password in server.xml

Posted by Pid <pi...@pidster.com>.
On 02/09/2010 16:37, David kerber wrote:
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>> Luca,
>>
>> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
>>> I'm working to secure this, but...it's not too easy (and I'm surely not
>>> a skilled programmer...).
>>>
>>> But I hope this topic will be kept up!
>>
>> There is virtually nothing you can do about this. The only solutions
>> here are:
>>
>> 1. Use a password entered on the console during start-up (the "Apache
>>     httpd strategy")

java.io.Console makes this easy in Java 6, but...

> Or a minor variant of this, such as entering the pwd on a secure web
> page just after startup, though this has other disadvantages.
> 
> 
>> 2. Remove the password from the keystore
>>
>> Removing the password from the keystore is just about as (in)secure as
>> having the password in server.xml in plain-text.
>>
>> All other strategies simply move the problem to some other component.
>> Protecting one password requires another password which requires
>> protecting which ... you get the idea.

..lots of info is available by JMX, once the server is up.  In Java 6
you can attach to the process locally, without having to configure the
JMX ports because it injects the management agent into the virtual machine.

Worse, if they're already on your server they've probably got a much
bigger surface area to attack, than just Tomcat.  And if they get root,
it's all over.


p


RE: clear text keystore password in server.xml

Posted by George Sexton <ge...@mhsoftware.com>.
> -----Original Message-----
> From: David kerber [mailto:dckerber@verizon.net]
> Sent: Thursday, September 02, 2010 9:37 AM
> To: Tomcat Users List
> Subject: Re: clear text keystore password in server.xml
> 
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> > Luca,
> >
> > On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> >> I'm working to secure this, but...it's not too easy (and I'm surely not
> >> a skilled programmer...).
> >>
> >> But I hope this topic will be kept up!
> >
> > There is virtually nothing you can do about this. The only solutions
> > here are:
> >
> > 1. Use a password entered on the console during start-up (the "Apache
> >     httpd strategy")
> 
> Or a minor variant of this, such as entering the pwd on a secure web
> page just after startup, though this has other disadvantages.

And how would this page be secured since you wouldn't have SSL capability at
that point?

> 
> 
> > 2. Remove the password from the keystore
> >
> > Removing the password from the keystore is just about as (in)secure
> as
> > having the password in server.xml in plain-text.
> >
> > All other strategies simply move the problem to some other component.
> > Protecting one password requires another password which requires
> > protecting which ... you get the idea.


George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com




Re: clear text keystore password in server.xml

Posted by David kerber <dc...@verizon.net>.
On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> Luca,
>
> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
>> I'm working to secure this, but...it's not too easy (and I'm surely not
>> a skilled programmer...).
>>
>> But I hope this topic will be kept up!
>
> There is virtually nothing you can do about this. The only solutions
> here are:
>
> 1. Use a password entered on the console during start-up (the "Apache
>     httpd strategy")

Or a minor variant of this, such as entering the pwd on a secure web 
page just after startup, though this has other disadvantages.


> 2. Remove the password from the keystore
>
> Removing the password from the keystore is just about as (in)secure as
> having the password in server.xml in plain-text.
>
> All other strategies simply move the problem to some other component.
> Protecting one password requires another password which requires
> protecting which ... you get the idea.

D




Re: clear text keystore password in server.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Luca,

On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> I'm working to secure this, but...it's not too easy (and I'm surely not
> a skilled programmer...).
>
> But I hope this topic will be kept up!

There is virtually nothing you can do about this. The only solutions
here are:

1. Use a password entered on the console during start-up (the "Apache
   httpd strategy")
2. Remove the password from the keystore

Removing the password from the keystore is just about as (in)secure as
having the password in server.xml in plain-text.

All other strategies simply move the problem to some other component.
Protecting one password requires another password which requires
protecting which ... you get the idea.

-chris



Re: clear text keystore password in server.xml

Posted by Luca Gervasi <to...@ashetic.net>.
On Fri, 2010-08-27 at 17:53 -0400, Christopher Schultz wrote:
> Vijay,
> 
> On 8/27/2010 5:41 AM, Vijay wrote:
> > I am looking for a way to use only encrypted passwords.
> 
> Cool. How are you going to do that?
> 
> > I am looking to write a wrapper class that decrypts the password passed as
> > an environment variable to tomcat, and then sets the system property
> > javax.net.ssl.keyStorePassword inside the JVM itself.
> > 
> > Something in the lines of :
> > 
> > public class WrapperTomcatBootstrap {
> > 
> >     public static void main(String args[]) {
> >         String encryptedKeystorePassword =
> > System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
> 
> Uh... the environment isn't safe, either. How will you protect the
> environment?
> 
> -chris

I've implemented something similar myself. It's far from secure
enough for production environments, but... it works.

I'm using it just to encrypt the connection pooling password. 

Actually, I subclassed the
org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory, implementing my own
class that simply picks username/password/url and replaces them in
memory using a supplied password.

...but...

So far, I wasn't able to implement an internal password input; actually
I pass it to the class using an external file (shredded after being
read), but this is really far from being secure, as the file exists on
disk for a split second.

Using environment or (worse) cmdline parameters should surely be avoided, as
they are both available in /proc after startup.

Moreover, the DataSource structure is fully exposed in _clear text_ via
JMX, allowing anyone who has the right permission to get it in the clear.

You should also keep in mind what someone just pointed out in the previous
messages: startup/restart can no longer be unattended.

I use SMF on Solaris to keep Tomcat up & running in an unattended
manner, but this new method forces me to avoid SMF, leading to greater
"per-node" downtime.

I'm working to secure this, but...it's not too easy (and I'm surely not
a skilled programmer...).

But I hope this topic will be kept up!

Thanks for sharing.

Luca Gervasi




Re: clear text keystore password in server.xml

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Vijay,

On 8/27/2010 5:41 AM, Vijay wrote:
> I am looking for a way to use only encrypted passwords.

Cool. How are you going to do that?

> I am looking to write a wrapper class that decrypts the password passed as
> an environment variable to tomcat, and then sets the system property
> javax.net.ssl.keyStorePassword inside the JVM itself.
> 
> Something in the lines of :
> 
> public class WrapperTomcatBootstrap {
> 
>     public static void main(String args[]) {
>         String encryptedKeystorePassword =
> System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");

Uh... the environment isn't safe, either. How will you protect the
environment?

-chris



RE: clear text keystore password in server.xml

Posted by "Propes, Barry L " <ba...@citi.com>.
I was told by my company we're not supposed to have passwords stored in clear text. I explained to them the architecture of Tomcat, and didn't get a clear answer on whether or not it's ok, though I think it is.

I don't know what kind of DB you're using, Vijay, but the Oracle DBA told me he could open the wallet, I could reference in my server.xml file the OCI driver instead of the thin driver, and omit using the password, as it would be encrypted in the DB column, then decrypted when called.

I have not yet tried this out, but am thinking about going down that road.

What DB are you using, and is this an option for you?

-----Original Message-----
From: Vijay [mailto:amirisetty.vijayaraghavan@gmail.com]
Sent: Friday, August 27, 2010 7:20 AM
To: Tomcat Users List
Subject: Re: clear text keystore password in server.xml

Hi Mark,
            I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap ..
I agree with this ..

This said, I am trying to find a way to get Tomcat to work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]

Thanks!
Vijay




Re: clear text keystore password in server.xml

Posted by Mark Thomas <ma...@apache.org>.
On 27/08/2010 14:02, Wesley Acheson wrote:
> I've been giving this whole issue a lot of thought. And not just now
> for months now. I was wondering if the following was possible in
> theory, When tomcat is started up it prompts for the password?
> Wouldn't that help with the whole smoke and mirrors situation?

Not really. Nothing stops an attacker replacing a standard Tomcat jar
with a modified one that just spits the password straight back out on
the next restart. And if the attacker can trigger a heap dump or read
the process memory some other way they don't even need that.

You still end up relying on operating system security, which in the end
is no different to just setting the permissions on server.xml.

Mark



Re: clear text keystore password in server.xml

Posted by Wesley Acheson <we...@gmail.com>.
If the hacker has root privileges, I'm pretty sure you have worse problems.

On Fri, Aug 27, 2010 at 7:14 PM,  <DJ...@desknetinc.com> wrote:
> André Warnier <aw...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:
>
>> Ken Bowen wrote:
>> > If you wanted to go down this path, besides the web page for entering
>> > the password, you could add sending alerts to the cells of all your
>> > sysadmins to improve the probability of the password being entered in
> a
>> > timely manner.   Perhaps Tomcats in clusters could obtain the password
>> > from their brethren.
>> >
>> And to complete the circle and make it all more user-friendly, I
>> would also add the
>> password to the SMS being sent.
>> At least it would avoid having the sysadmins sticking it on a Post-
>> It on their screens.
>
> So all the hacker with root privileges has to do is temporarily replace
> the sysadmins list with a single a phone number, and then restart Tomcat,
> and (s)he is in business...



RE: clear text keystore password in server.xml

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
André Warnier <aw...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:

> And to complete the circle and make it all more user-friendly, I 
> would also add the password to the SMS being sent.

Just put it on Facebook...

To quote from some architecture specs: "Meaningful programming has not been achieved."

 - Chuck






Re: clear text keystore password in server.xml

Posted by David kerber <dc...@verizon.net>.
On 8/27/2010 1:14 PM, DJohnson@desknetinc.com wrote:
> André Warnier<aw...@ice-sa.com>  wrote on 08/27/2010 12:32:43 PM:
>
>> Ken Bowen wrote:
>>> If you wanted to go down this path, besides the web page for entering
>>> the password, you could add sending alerts to the cells of all your
>>> sysadmins to improve the probability of the password being entered in
> a
>>> timely manner.   Perhaps Tomcats in clusters could obtain the password
>>> from their brethren.
>>>
>> And to complete the circle and make it all more user-friendly, I
>> would also add the
>> password to the SMS being sent.
>> At least it would avoid having the sysadmins sticking it on a Post-
>> It on their screens.
>
> So all the hacker with root privileges has to do is temporarily replace
> the sysadmins list with a single a phone number, and then restart Tomcat,
> and (s)he is in business...

For a DoS attack, yes.  She also needs to know the password to get
anything to work.

D



Re: clear text keystore password in server.xml

Posted by DJ...@desknetinc.com.
André Warnier <aw...@ice-sa.com> wrote on 08/27/2010 12:32:43 PM:

> Ken Bowen wrote:
> > If you wanted to go down this path, besides the web page for entering
> > the password, you could add sending alerts to the cells of all your
> > sysadmins to improve the probability of the password being entered in 
a
> > timely manner.   Perhaps Tomcats in clusters could obtain the password
> > from their brethren.
> >
> And to complete the circle and make it all more user-friendly, I 
> would also add the
> password to the SMS being sent.
> At least it would avoid having the sysadmins sticking it on a Post-
> It on their screens.

So all the hacker with root privileges has to do is temporarily replace 
the sysadmins list with a single a phone number, and then restart Tomcat, 
and (s)he is in business...

Re: clear text keystore password in server.xml

Posted by André Warnier <aw...@ice-sa.com>.
Ken Bowen wrote:
> If you wanted to go down this path, besides the web page for entering 
> the password, you could add sending alerts to the cells of all your 
> sysadmins to improve the probability of the password being entered in a 
> timely manner.   Perhaps Tomcats in clusters could obtain the password 
> from their brethren.
> 
And to complete the circle and make it all more user-friendly, I would also add the 
password to the SMS being sent.
At least it would avoid having the sysadmins sticking it on a Post-It on their screens.




Re: clear text keystore password in server.xml

Posted by Ken Bowen <kb...@als.com>.
If you wanted to go down this path, besides the web page for entering  
the password, you could add sending alerts to the cells of all your  
sysadmins to improve the probability of the password being entered in  
a timely manner.   Perhaps Tomcats in clusters could obtain the  
password from their brethren.

On Aug 27, 2010, at 9:22 AM, David kerber wrote:

> On 8/27/2010 9:02 AM, Wesley Acheson wrote:
>
> ...
>
>> I've been giving this whole issue a lot of thought. And not just now
>> for months now. I was wondering if the following was possible in
>> theory, When tomcat is started up it prompts for the password?
>> Wouldn't that help with the whole smoke and mirrors situation?
>
> If you can always be sure somebody is available when tomcat is  
> restarted, I would think that would work to prevent having any clear- 
> text passwords on disk anywhere.  It would be really easy to have a  
> single web page where the administrator could go to enter the  
> password after a restart, and there are some checks you could do to  
> help make that fairly secure (i.e. if the password has already been  
> entered, don't allow anybody to enter it again, etc).
>
> Essentially you'd be trading possible downtime for a little more  
> security, but only you can make the decision as to whether that's an  
> appropriate tradeoff for your app.
>
> D
>




Re: clear text keystore password in server.xml

Posted by David kerber <dc...@verizon.net>.
On 8/27/2010 9:02 AM, Wesley Acheson wrote:

...

> I've been giving this whole issue a lot of thought. And not just now
> for months now. I was wondering if the following was possible in
> theory, When tomcat is started up it prompts for the password?
> Wouldn't that help with the whole smoke and mirrors situation?

If you can always be sure somebody is available when tomcat is 
restarted, I would think that would work to prevent having any 
clear-text passwords on disk anywhere.  It would be really easy to have 
a single web page where the administrator could go to enter the password 
after a restart, and there are some checks you could do to help make 
that fairly secure (i.e. if the password has already been entered, don't 
allow anybody to enter it again, etc).

Essentially you'd be trading possible downtime for a little more 
security, but only you can make the decision as to whether that's an 
appropriate tradeoff for your app.

D



Re: clear text keystore password in server.xml

Posted by Wesley Acheson <we...@gmail.com>.
On Fri, Aug 27, 2010 at 2:36 PM, Mark Thomas <ma...@apache.org> wrote:
> On 27/08/2010 13:19, Vijay wrote:
>> Hi Mark,
>>             I guess I am getting the point you are trying to make .. As long
>> as the password or (the encrypted password and the secret key) are present
>> at some location (file system / database/ etc) .. there is a security gap ..
>> I agree with this ..
>
> Bingo!
>
>> This said, I am trying to find a way to get tomcat to work with an encrypted
>> password. [given the fact there is no way anyone can get to the secret key
>> for decrypting the password]
>
> Can't be done. As a minimum some secret has to be visible to the process
> running Tomcat. Which also means it is visible to any user with root
> privileges.
>
> By far the simplest solution is to have the tomcat user own server.xml
> and make that file owner readable only.
>
> You can, if you want to make server.xml more widely visible, use
> property replacement or XML entities to move the password to a separate
> file and then lock down that file.
>
> You also need to lock down any code run by Tomcat to stop a back-door
> being inserted. This includes web applications. Alternatively (for web
> applications) you could run under a security manager.
>
> Frankly this rapidly gets to the point where it is easier to:
> a) limit access to the machine to people you trust
> b) accept that if an attacker compromises the machine through Tomcat
> then the password is going to be compromised
>
> I have seen a lot of other 'solutions' proposed for this problem and I
> have yet to see one that isn't anything more than smoke & mirrors
> designed to fool people (many of who should know better) into thinking
> the password is far more secure than it really is.
>
> Mark
>

I've been giving this whole issue a lot of thought, and not just now:
for months now. I was wondering if the following was possible in
theory: when Tomcat is started up, it prompts for the password?
Wouldn't that help with the whole smoke and mirrors situation?

Regards,

Wes



Re: clear text keystore password in server.xml

Posted by Mark Thomas <ma...@apache.org>.
On 27/08/2010 13:19, Vijay wrote:
> Hi Mark,
>             I guess I am getting the point you are trying to make .. As long
> as the password or (the encrypted password and the secret key) are present
> at some location (file system / database/ etc) .. there is a security gap ..
> I agree with this ..

Bingo!

> This said, I am trying to find a way to get tomcat to work with an encrypted
> password. [given the fact there is no way anyone can get to the secret key
> for decrypting the password]

Can't be done. As a minimum some secret has to be visible to the process
running Tomcat. Which also means it is visible to any user with root
privileges.

By far the simplest solution is to have the tomcat user own server.xml
and make that file owner readable only.

You can, if you want to make server.xml more widely visible, use
property replacement or XML entities to move the password to a separate
file and then lock down that file.

You also need to lock down any code run by Tomcat to stop a back-door
being inserted. This includes web applications. Alternatively (for web
applications) you could run under a security manager.

Frankly this rapidly gets to the point where it is easier to:
a) limit access to the machine to people you trust
b) accept that if an attacker compromises the machine through Tomcat
then the password is going to be compromised

I have seen a lot of other 'solutions' proposed for this problem and I
have yet to see one that isn't anything more than smoke & mirrors
designed to fool people (many of who should know better) into thinking
the password is far more secure than it really is.

Mark

> 
> Thanks!
> Vijay

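Mark's recommendation above (have the tomcat user own server.xml, or move the password into a separate file via property replacement and lock that file down) as an added shell example; this is not code from the thread or from the Tomcat project. It assumes the usual CATALINA_BASE layout, that conf/catalina.properties is loaded into system properties at startup, and that the `${keystore.pass}` reference in server.xml is expanded from those properties; the temp directory, the password and the connector attributes are constructed for the demo. In a real install you would append the line to the existing catalina.properties rather than create it, and then tighten that file's mode, since the stock file is world-readable.

```shell
#!/bin/sh
# Added example, not from the thread: keep the keystore password out of
# server.xml by referencing a property, store the real value in a file
# readable only by the account Tomcat runs as, and audit both.
# Assumptions: conf/catalina.properties is loaded into system properties
# at startup and ${keystore.pass} in server.xml is expanded from them.

# Write a server.xml that carries only a ${...} reference, and append the
# real value to catalina.properties with a restrictive umask so the secret
# is never group/world readable, not even briefly.
write_split_config() {
    base="$1"; pass="$2"
    mkdir -p "$base/conf"
    cat > "$base/conf/server.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <!-- no literal password here: ${keystore.pass} is substituted at startup -->
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="${catalina.base}/conf/tomcat.jks"
               keystorePass="${keystore.pass}" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
EOF
    ( umask 077 && printf 'keystore.pass=%s\n' "$pass" >> "$base/conf/catalina.properties" )
    chmod 600 "$base/conf/catalina.properties"
}

# Return 0 when FILE exists, is owned by USER and has no group/other bits
# (i.e. mode 600 or 400). Parses ls -ld so it works on GNU and BSD userlands.
secret_file_locked_down() {
    file="$1"; user="$2"
    [ -f "$file" ] || return 1
    perms=$(ls -ld "$file" | cut -c5-10)      # group + other rwx columns
    owner=$(ls -ld "$file" | awk '{print $3}')
    [ "$perms" = "------" ] && [ "$owner" = "$user" ]
}

# Return 0 when server.xml still contains a literal keystorePass value,
# i.e. anything other than a ${...} property reference.
server_xml_has_literal_keystore_pass() {
    grep -Eq 'keystorePass="[^$"][^"]*"' "$1"
}

# Demo on a constructed, throwaway CATALINA_BASE (not a real Tomcat install).
demo() {
    base=$(mktemp -d)
    write_split_config "$base" 'constructed-demo-password'
    me=$(id -un)
    if secret_file_locked_down "$base/conf/catalina.properties" "$me"; then
        echo "catalina.properties: owner-only, ok"
    else
        echo "catalina.properties: TOO PERMISSIVE or wrong owner"
    fi
    if server_xml_has_literal_keystore_pass "$base/conf/server.xml"; then
        echo "server.xml: literal keystorePass found"
    else
        echo "server.xml: no literal keystorePass, ok"
    fi
    rm -rf "$base"
}

demo
```

Run the two audit functions against a live CATALINA_BASE with the account Tomcat runs as (for example `secret_file_locked_down /opt/tomcat/conf/catalina.properties tomcat`). This only narrows who can read the secret to that user and root, which is exactly the limit Mark describes; it does not make the password unreadable to a compromised Tomcat process. Avoid the tempting shortcut of putting the value in CATALINA_OPTS as a -D flag instead: command-line arguments are visible to every local user through ps, which is worse than a mode-600 file.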

Re: clear text keystore password in server.xml

Posted by Vijay <am...@gmail.com>.
Hi Mark,
            I guess I am getting the point you are trying to make .. As long
as the password or (the encrypted password and the secret key) are present
at some location (file system / database/ etc) .. there is a security gap ..
I agree with this ..

This said, I am trying to find a way to get tomcat to work with an encrypted
password. [given the fact there is no way anyone can get to the secret key
for decrypting the password]

Thanks!
Vijay

On Fri, Aug 27, 2010 at 4:07 PM, Mark Thomas <ma...@apache.org> wrote:

> On 27/08/2010 11:26, Vijay wrote:
> > For prototyping purposes, I am embedding the secret key in the program
> > itself.
> > If the solution works out, having it in a secure database is an option I
> am
> > considering..
>
> And how do you propose to provide the password Tomcat uses to access
> this secure database?
>
> Mark

Re: clear text keystore password in server.xml

Posted by Mark Thomas <ma...@apache.org>.
On 27/08/2010 11:26, Vijay wrote:
> For prototyping purposes, I am embedding the secret key in the program
> itself.
> If the solution works out, having it in a secure database is an option I am
> considering..

And how do you propose to provide the password Tomcat uses to access
this secure database?

Mark



Re: clear text keystore password in server.xml

Posted by Vijay <am...@gmail.com>.
For prototyping purposes, I am embedding the secret key in the program
itself.
If the solution works out, having it in a secure database is an option I am
considering..

On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas <ma...@apache.org> wrote:

> On 27/08/2010 10:41, Vijay wrote:
> > I am looking to write a wrapper class that decrypts the password passed
> as
> > an environment variable to tomcat, and then sets the system property
> > javax.net.ssl.keyStorePassword inside the JVM itself.
>
> And how do you propose to provide the secret key required to perform the
> decryption?
>
> Mark


-- 
------------------------------------------------------------
A. Vijayaraghavan
Senior Software Engineer
Mob   : +91 98861 70810
Informatica Business Solutions PVT LTD
"The Data Integration Company" (TM)

Re: clear text keystore password in server.xml

Posted by Mark Thomas <ma...@apache.org>.
On 27/08/2010 10:41, Vijay wrote:
> I am looking to write a wrapper class that decrypts the password passed as
> an environment variable to tomcat, and then sets the system property
> javax.net.ssl.keyStorePassword inside the JVM itself.

And how do you propose to provide the secret key required to perform the
decryption?

Mark
