Posted to users@tomcat.apache.org by Theresa Whitney <th...@nisd.net> on 2017/03/31 19:18:41 UTC

changing tomcat default password

I am trying to address a security vulnerability notification for several
servers.  We have tomcat6 installed.  The notification indicates that I
need to change the default passwords in the admin-users.xml file.  When I
view the file it looks like everything is commented out.  And there are
several places where a password is set.  I have also confirmed that the
tomcat service is running and the only dependencies are for winsock and
tcpip drivers.

I am not familiar with tomcat or making any changes to any configurations.

Can I just change the password in the xml file?
Do I need to stop and restart services and if so, just the tomcat service?
What is affected by stopping and restarting services?

Sorry for my ignorance ... I am a total newbie.

-- 
Theresa Whitney
Systems Administrator - Server Support
Northside ISD
ph: (210) 397-7727
email:  theresa.whitney@nisd.net

RE: changing tomcat default password

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Theresa Whitney [mailto:theresa.whitney@nisd.net] 
> Subject: changing tomcat default password

> I am trying to address a security vulnerability notification for several
> servers.  We have tomcat6 installed.

Right there is your biggest security problem - Tomcat 6 has reached end of life and may not receive any more fixes.  To quote from the "Which version?" page:

"Users of Tomcat 6 should be aware that Tomcat 6 has now reached end of life. Users of Tomcat 6.x should upgrade to Tomcat 7.x or later."
http://tomcat.apache.org/whichversion.html


> The notification indicates that I need to change the default passwords
> in the admin-users.xml file.

No such file is distributed with a standard Tomcat; are you sure you have the right file name?  In which directory is it located?

> Can I just change the password in the xml file?

Difficult to say, since it's not part of an official Tomcat.

> Sorry for my ignorance ... I am a total newbie.

As we all were at some point.

 - Chuck




