Posted to users@tomcat.apache.org by a....@bluewin.ch on 2023/01/17 17:34:15 UTC

Password in Tomcat 9.x

Hello together

I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.

Which version of Tomcat 9.x is able to do this? Will it be foreseen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?

Thank you

Alexander Grubner


AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Hi Mark

I will provide a config example tomorrow. Let you know the details.

I have them on the other machine.

In general it is like that - we have a webserver certificate (p12), which we use to have the https protocol. The certificate comes together with a p12.pwd file and this password of the certificate is stored in the web.xml. I want now to remove this password by configuring just the path to this file.

In case someone renews the certificate, the restart of tomcat can be done anytime as always the correct password is used.

Regards
Alexander

-----Original Message-----
From: Mark Thomas <ma...@apache.org>
Sent: Tuesday, 17 January 2023 18:49
To: users@tomcat.apache.org
Subject: Re: Password in Tomcat 9.x

On 17/01/2023 17:34, a.grubner@bluewin.ch wrote:
> Hello together
> 
> I would like to understand, when implementing passwords into web.xml, 
> then I would like NOT to implement a password, I want to include the 
> path to a certificate (p12.pwd). I want to basically avoid, changing 
> all the time the password, when I renew my webserver certificate in the configuration.
> 
> Which version of Tomcat 9.x is able to do this? Will it be foreseen, 
> that 9.x can do this?
> 
> If no 9.x can do, which other Tomcat can do this?

What password are you trying to set in web.xml? Please provide a configuration snippet.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org





Re: Password in Tomcat 9.x

Posted by Mark Thomas <ma...@apache.org>.
On 17/01/2023 17:34, a.grubner@bluewin.ch wrote:
> Hello together
> 
> I would like to understand, when implementing passwords into web.xml, then I
> would like NOT to implement a password, I want to include the path to a
> certificate (p12.pwd). I want to basically avoid, changing all the time the
> password, when I renew my webserver certificate in the configuration.
> 
> Which version of Tomcat 9.x is able to do this? Will it be foreseen, that
> 9.x can do this?
> 
> If no 9.x can do, which other Tomcat can do this?

What password are you trying to set in web.xml? Please provide a 
configuration snippet.

Mark



AW: Password in Tomcat 9.x

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Alex,

I am not a tomcat developer but as there are several alternatives, I suppose that this is not a big benefit.
Most users just remove the password... at least it's my experience.
I don't see benefits by putting a password on the key as long as the folder permissions are set properly.

Greetings, Thomas

> -----Original Message-----
> From: a.grubner@bluewin.ch <a....@bluewin.ch>
> Sent: Thursday, 19 January 2023 19:31
> To: 'Tomcat Users List' <us...@tomcat.apache.org>
> Subject: AW: Password in Tomcat 9.x
> 
> Hi Thomas
> 
> Thank you for your feedback.
> 
> Do you know if in future apache tomcat releases, this will be possible to put a
> path? It would be the easiest for everyone, my opinion...
> 
> Thanks
> Alex
> 
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH) <Th...@speed4trade.com.INVALID>
> Sent: Wednesday, 18 January 2023 22:03
> To: Tomcat Users List <us...@tomcat.apache.org>
> Subject: AW: Password in Tomcat 9.x
> 
> Hello Alex,
> 
> thanks for the clarification. Now I got the topic.
> 
> I don't think that you can use a path there.
> 
> The options I have in mind are:
> - Use properties:
>   https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
> - Remove password or set it to the same password.
>   This won't decrease security in my opinion.
> 
> Greetings,
> Thomas
> 
> > -----Original Message-----
> > From: a.grubner@bluewin.ch <a....@bluewin.ch>
> > Sent: Wednesday, 18 January 2023 20:28
> > To: 'Tomcat Users List' <us...@tomcat.apache.org>
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hi Thomas
> >
> > Thanks for your feedback.
> >
> > I checked - here I can give you the following.
> >
> > I have a webserver certificate (p12) stored on the filesystem. It has
> > the p12.pwd also this location. Owner and group are well protected
> > from other technical users.
> >
> > Now, the config file, where the webserver cert is used is in the
> > server.xml.
> >
> > Inside there:
> >
> > clientAuth="true" sslProtocol="TLS"
> > keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
> > keystorePass="PASSWORD"
> > truststore="TRUSTSTORE_CERTIFICATE.jks"
> > truststorePass="PASSWORD"
> > sslEnable="True"
> > protocol="org.apache.coyote.http11.Http11Prococol"
> >
> > Now I would like to remove the PASSWORD from the keystorePass and put
> > in there the path to the pwd of the webserver certificate. Same also
> > for the truststore.
> >
> > - Is that possible? If yes, how is that to be done?
> >
> > Thanks for your feedback.
> >
> > Regards
> > Alex
> >
> > -----Original Message-----
> > From: Thomas Hoffmann (Speed4Trade GmbH) <Th...@speed4trade.com.INVALID>
> > Sent: Wednesday, 18 January 2023 07:12
> > To: Tomcat Users List <us...@tomcat.apache.org>
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hello Alex,
> > I usually remove the password on the p12 file via openssl.
> > Protecting with password and writing the password in clear text
> > somewhere doesn't improve security much I think.
> > Dunno if this is a possible way to go for you.
> > Greetings,
> > Thomas
> > ________________________________
> > From: a.grubner@bluewin.ch <a....@bluewin.ch>
> > Sent: Tuesday, 17 January 2023 21:01:00
> > To: 'Tomcat Users List'
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hi Thomas
> >
> > Received also from Mark an email where he requested an example of the
> > web.xml. Will provide you this tomorrow. Below is what I wrote him.
> >
> > Regards
> > Alex
> >
> > #
> > #
> > #
> > Hi Mark
> >
> > I will provide a config example tomorrow. Let you know the details.
> >
> > I have them on the other machine.
> >
> > In general it is like that - we have a webserver certificate (p12),
> > which we use to have the https protocol. The certificate comes
> > together with a p12.pwd file and this password of the certificate is
> > stored in the web.xml.
> > I want now to remove this password by configuring just the path to
> > this file.
> >
> > In case someone renews the certificate, the restart of tomcat can be
> > done anytime as always the correct password is used.
> >
> > Regards
> > Alexander
> > #
> > #
> > #
> >
> > -----Original Message-----
> > From: Thomas Hoffmann (Speed4Trade GmbH) <Th...@speed4trade.com.INVALID>
> > Sent: Tuesday, 17 January 2023 19:19
> > To: Tomcat Users List <us...@tomcat.apache.org>
> > Subject: AW: Password in Tomcat 9.x
> >
> > Hello Alex,
> > I am not sure what your goal is.
> > Webserver certificate (with private key) is used for encryption / ssl / tls.
> > Password is used for user authentication and in web.xml you only
> > specify the auth method, not any passwords. Or do you plan auth with
> > client certificates?
> >
> > Greetings, Thomas


Re: AW: Password in Tomcat 9.x

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alex,

On 1/19/23 13:31, a.grubner@bluewin.ch wrote:
> Do you know if in future apache tomcat releases, this will be
> possible to put a path? It would be the easiest for everyone, my
> opinion...
I believe there are currently two ways to do this with existing Tomcat 
releases:

1. service binding property source
2. XML entities

We don't need another mechanism for this.

-chris

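
The service binding property source named in the reply above, as a configuration sketch. This is an added example, not configuration posted in the thread or shipped by the Tomcat project; the binding name `tls`, the key file names and the `/opt/tomcat/...` paths are assumptions, and the connector is written in Tomcat 9's SSLHostConfig form rather than with the legacy attributes quoted in the thread.

```xml
<!--
  Added example (not from the thread). Assumed layout on disk, owned by the
  account that runs Tomcat:

    /opt/tomcat/bindings/                         SERVICE_BINDING_ROOT   mode 0700
    /opt/tomcat/bindings/tls/                     binding name "tls"     mode 0700
    /opt/tomcat/bindings/tls/keystore-password    password of CERT.p12   mode 0600
    /opt/tomcat/bindings/tls/truststore-password  truststore password    mode 0600

  1. Environment of the Tomcat process, for instance in bin/setenv.sh:
       export SERVICE_BINDING_ROOT=/opt/tomcat/bindings
  2. conf/catalina.properties:
       org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource

  An expression is written as binding name, dot, key (file) name, so the key
  file names chosen here contain no dots. The chomp: prefix drops one trailing
  newline, which most tools append when they write a password file.
-->

<!-- Before: the password is a literal and has to be edited at every renewal
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="TRUSTSTORE_CERTIFICATE.jks"
                 truststorePassword="PASSWORD">
    <Certificate certificateKeystoreFile="PATH_TO_THE_CERTIFICATE/CERT.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="PASSWORD" />
  </SSLHostConfig>
</Connector>
-->

<!-- After: server.xml names the key file; its content is read at startup -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="TRUSTSTORE_CERTIFICATE.jks"
                 truststorePassword="${chomp:tls.truststore-password}">
    <Certificate certificateKeystoreFile="PATH_TO_THE_CERTIFICATE/CERT.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${chomp:tls.keystore-password}" />
  </SSLHostConfig>
</Connector>
```

With this layout a renewal job replaces CERT.p12 and rewrites `keystore-password`, and server.xml stays unchanged across restarts. The password is still cleartext on the same host as the keystore, so the directory and file modes are the control that matters.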


AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Hi Thomas

Thank you for your feedback.

Do you know if in future apache tomcat releases, this will be possible to
put a path? It would be the easiest for everyone, my opinion...

Thanks
Alex



Re: AW: AW: AW: Password in Tomcat 9.x

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alex,

On 1/21/23 08:24, a.grubner@bluewin.ch wrote:
> Then how do you manage the webserver certificate in Tomcat? Where do you store the password? I would like to do it of course always without, but the architecture is like that I have.
> 
> Webserver certificate.p12
> Webserver certificate.p12.pwd		Password_today		Password tomorrow
> 
> Tomcat/conf/server.xml
> 
> I would like to reference the pwd file in server.xml. You cannot enter the server and get to the directory until you do the sudo to its technical user.
> 
> How can you do this? When you have an automated certificate approach running, renewing certificates which are in the range to renew.
> How to avoid setting ; in a password? This also causes or can cause issues.
> 
> Thank you for your advice. More security is better, but it must be in the position to be handled easy. Every manual change I want to avoid.

FWIW any Tomcat servers I run which use automatically-provisioned 
certificates (e.g. via ACME) write those certificates to unencrypted key 
stores. No passwords whatsoever. Such passwords only give the illusion 
of security IMHO.

-chris



Re: AW: AW: AW: Password in Tomcat 9.x

Posted by "Mark H. Wood" <mw...@iupui.edu>.
On Sat, Jan 21, 2023 at 02:24:46PM +0100, a.grubner@bluewin.ch wrote:
> Hello Mark
> 
> Then how do you manage the webserver certificate in Tomcat? Where do you store the password? I would like to do it of course always without, but the architecture is like that I have.
> 
> Webserver certificate.p12
> Webserver certificate.p12.pwd		Password_today		Password tomorrow
> 
> Tomcat/conf/server.xml
> 
> I would like to reference the pwd file in server.xml. You cannot enter the server and get to the directory until you do the sudo to its technical user.
> 
> How can you do this? When you have an automated certificate approach running, renewing certificates which are in the range to renew.
> How to avoid setting ; in a password? This also causes or can cause issues.
> 
> Thank you for your advice. More security is better, but it must be in the position to be handled easy. Every manual change I want to avoid.

I don't store the password.  (Perhaps I should ask:  do you mean the
passphrase for the private key, or the passphrase for the PKCS12
container?)

Here I have to create a Certificate Signing Request and send it to the
registrar for signature.  Since I am creating the private key at the
same time, I can have it created without encryption.  Perhaps the
tools that you use have such an option?  I generate the request and
key with:

  openssl req \
          -new \
          -newkey rsa:4096 \
          -nodes \
          -keyout SOMETHING.key \
          -out SOMETHING.req

If I were packing up the certificate(s) and key in a PKCS12, I would
use "openssl pkcs12 -export -nodes ..." (to leave the private key
unencrypted).  But, now that I've been researching it, there may not
*be* a way to specify "no encryption" of the PKCS12 structure itself,
only ways to express a zero-length password.

Of course I pay strict attention to file and directory permissions.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

AW: AW: AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Hello Mark

Then how do you manage the webserver certificate in Tomcat? Where do you store the password? I would like to do it of course always without, but the architecture is like that I have.

Webserver certificate.p12
Webserver certificate.p12.pwd		Password_today		Password tomorrow

Tomcat/conf/server.xml

I would like to reference the pwd file in server.xml. You cannot enter the server and get to the directory until you do the sudo to its technical user.

How can you do this? When you have an automated certificate approach running, renewing certificates which are in the range to renew.
How to avoid setting ; in a password? This also causes or can cause issues.

Thank you for your advice. More security is better, but it must be in the position to be handled easy. Every manual change I want to avoid.

Thank you
Alex



Re: AW: AW: Password in Tomcat 9.x

Posted by "Mark H. Wood" <mw...@iupui.edu>.
On Thu, Jan 19, 2023 at 07:33:04PM +0100, a.grubner@bluewin.ch wrote:
> I asked Thomas as well, if he knows if this could be solved with placing the path to the file - in my opinion, this is an easy, safe possibility to allocate any certs. That would be very helpful to have such tomcat.

I think there has been something missing in this discussion.  Several
people have advised removing the password from the credentials file.
This is not just giving up and trading security for practicality.
Storing a cleartext password on the same system with the
password-protected object is equivalent to having no password, because
anyone who can get the protected object can get the password from the
same place.

The only way that encrypting the container can increase security is to
provide the password from outside the system whenever it is needed --
e.g. have an operator type it in.  The purpose of encrypting the
container seems to be to protect it *in transit from one system to
another*, after which a human will decrypt it for use.

So:  it is unlikely that anyone will do more work on the code for no
more benefit.

When I think about it, this is just another layer of the reason that
these credentials containers *can* be encrypted:  such a file contains
all of the materials which are needed to evade security, so there must
be an external source of control to protect the contents:  something
which is not part of the materials and can be kept separate from them,
carried by different means.

-- 
Mark H. Wood
Lead Technology Analyst

University Library
Indiana University - Purdue University Indianapolis
755 W. Michigan Street
Indianapolis, IN 46202
317-274-0749
www.ulib.iupui.edu

AW: AW: AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Thank you Chris, I will read that.

Best
Alex

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Saturday, 21 January 2023 16:11
To: users@tomcat.apache.org
Subject: Re: AW: AW: Password in Tomcat 9.x

Alex,

On 1/19/23 13:33, a.grubner@bluewin.ch wrote:
> I asked Thomas as well, if he knows if this could be solved with 
> placing the path to the file - in my opinion, this is an easy, safe 
> possibility to allocate any certs. That would be very helpful to have 
> such tomcat.
You could use an XML entity for this purpose. Tomcat specifically enables XML entity expansion to allow for such things.

Also, one of the solutions I presented allows you to use files on the disk. Please read about the service binding property source. I think it's *precisely what you are requesting*.

-chris


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org





Re: AW: AW: Password in Tomcat 9.x

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Alex,

On 1/19/23 13:33, a.grubner@bluewin.ch wrote:
> I asked Thomas as well, if he knows if this could be solved with
> placing the path to the file - in my opinion, this is an easy, safe
> possibility to allocate any certs. That would be very helpful to have
> such tomcat.
You could use an XML entity for this purpose. Tomcat specifically 
enables XML entity expansion to allow for such things.

Also, one of the solutions I presented allows you to use files on the 
disk. Please read about the service binding property source. I think 
it's *precisely what you are requesting*.

-chris



AW: AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Hi Christoph

Also to you, thank you for your feedback.

I asked Thomas as well, if he knows if this could be solved with placing the path to the file - in my opinion, this is an easy, safe possibility to allocate any certs. That would be very helpful to have such tomcat.

Thank you
Alex

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, 18 January 2023 23:30
To: users@tomcat.apache.org
Subject: Re: AW: Password in Tomcat 9.x

Thomas and Alex,

On 1/18/23 16:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Hello Alex,
> 
> thanks for the clarification. Now I got the topic.
> 
> I don't think that you can use a path there.
> 
> The options I have in mind are:
> - Use properties: https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
> - Remove password or set it to the same password.
>    This won't decrease security in my opinion.

+1 the easiest way to do this IMO is to simply remove the password from 
the key store.

Yet another option is to use the 
org.apache.tomcat.util.digester.ServiceBindingPropertySource "property 
source". Check out 
https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html and 
read about "property replacements". I think you can achieve your goals 
using that plus your files on the disk as-is.

Hope that helps,
-chris



Re: AW: Password in Tomcat 9.x

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Thomas and Alex,

On 1/18/23 16:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Hello Alex,
> 
> thanks for the clarification. Now I got the topic.
> 
> I don't think that you can use a path there.
> 
> The options I have in mind are:
> - Use properties: https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
> - Remove password or set it to the same password.
>    This won't decrease security in my opinion.

+1 the easiest way to do this IMO is to simply remove the password from 
the key store.

Yet another option is to use the 
org.apache.tomcat.util.digester.ServiceBindingPropertySource "property 
source". Check out 
https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html and 
read about "property replacements". I think you can achieve your goals 
using that plus your files on the disk as-is.

Hope that helps,
-chris

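The service binding property source named in the message above resolves an expression of the form `${binding.key}` to the content of the file `$SERVICE_BINDING_ROOT/binding/key`. The script below is an added example, not part of the thread or of Tomcat: it links an existing password file into that layout, checks for loose permissions and a trailing newline, and prints matching configuration. The binding name `tls`, the key names, port 8443, the protocol class and every path are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Hypothetical names: binding "tls",
# keys "keystorePass"/"truststorePass", and every path used below.

# link_binding ROOT BINDING KEY SOURCE
# Exposes SOURCE as $ROOT/$BINDING/$KEY. A symlink is used so that a renewed
# password file delivered to the same path is picked up at the next restart.
link_binding() {
    lb_root=$1; lb_binding=$2; lb_key=$3; lb_src=$4
    # The expression is written ${binding.key}, so neither part may contain
    # a dot (or a slash, which would escape the binding directory).
    case "$lb_binding$lb_key" in
        *.*|*/*) echo "binding and key names must not contain '.' or '/'" >&2
                 return 2 ;;
    esac
    [ -f "$lb_src" ] || { echo "no such file: $lb_src" >&2; return 1; }
    mkdir -p "$lb_root/$lb_binding" || return 1
    chmod 700 "$lb_root/$lb_binding" || return 1
    ln -sf "$lb_src" "$lb_root/$lb_binding/$lb_key"
}

# audit_secret FILE
# Prints one line per finding and returns 1 if there is any finding.
# File permissions are the only protection a cleartext password file has.
audit_secret() {
    as_file=$1; as_rc=0
    [ -r "$as_file" ] || { echo "unreadable: $as_file"; return 1; }
    # Characters 5-10 of the mode string are the group and other bits;
    # -L inspects the link target, which is what actually holds the secret.
    as_bits=$(ls -lL "$as_file" | cut -c5-10)
    if [ "$as_bits" != "------" ]; then
        echo "group/other access on $as_file (mode bits: $as_bits)"
        as_rc=1
    fi
    # The file content is the password, byte for byte: a trailing newline
    # would become part of it and the keystore would fail to open.
    as_last=$(tail -c 1 "$as_file" | od -An -tx1 | tr -d ' \n')
    if [ "$as_last" = "0a" ]; then
        echo "trailing newline in $as_file"
        as_rc=1
    fi
    return $as_rc
}

# print_tomcat_config
# Prints the three pieces of configuration that go with the layout above.
print_tomcat_config() {
    cat <<'EOF'
# conf/catalina.properties
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource

# bin/setenv.sh (hypothetical root directory)
export SERVICE_BINDING_ROOT=/etc/tomcat/bindings

<!-- conf/server.xml: placeholders as posted in the thread, passwords replaced -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" clientAuth="true" sslProtocol="TLS"
           keystoreFile="PATH_TO_THE_CERTIFICATE/CERT.p12" keystoreType="PKCS12"
           keystorePass="${tls.keystorePass}"
           truststoreFile="TRUSTSTORE_CERTIFICATE.jks"
           truststorePass="${tls.truststorePass}" />
EOF
}

# demo: runs the helpers against a constructed password file in a temp dir.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'constructed-sample-password' > "$d/p12.pwd"  # constructed
    chmod 600 "$d/p12.pwd"
    link_binding "$d/bindings" tls keystorePass "$d/p12.pwd" || return 1
    audit_secret "$d/bindings/tls/keystorePass"
    print_tomcat_config
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run with `--demo`, the audit flags the trailing newline of the constructed password file. The class documentation also describes a `chomp:` prefix, as in `${chomp:tls.keystorePass}`, which trims one trailing newline; check that your 9.0.x release includes it before relying on it.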


AW: Password in Tomcat 9.x

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Alex,

thanks for the clarification. Now I got the topic.

I don't think that you can use a path there.

The options I have in mind are:
- Use properties: https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml 
- Remove password or set it to the same password.
  This won't decrease security in my opinion.

Greetings,
Thomas



AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Hoi Thomas

Thanks for your feedback.

I checked - here I can give you the following.

I have a webserver certificate (p12) stored on the filesystem. The
p12.pwd is also in this location. Owner and group are well protected from other
technical users.

Now, the config file where the webserver cert is used is the server.xml.

Inside there:

clientAuth="true" sslProtocol="TLS"
keystoreFile="PATH_TO_THE_CERTIFICATE/CERT.p12"
keystorePass="PASSWORD"
truststoreFile="TRUSTSTORE_CERTIFICATE.jks"
truststorePass="PASSWORD"
SSLEnabled="true"
protocol="org.apache.coyote.http11.Http11Protocol"

Now I would like to remove the PASSWORD from the keystorePass and put in
there the path to the pwd of the webserver certificate. Same also for the
truststore.

- Is that possible? If yes, how is that to be done?

Thanks for your feedback.

Regards
Alex





-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.INVALID>
Sent: Wednesday, 18 January 2023 07:12
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: AW: Password in Tomcat 9.x

Hello Alex,
I usually remove the password on the p12 file via openssl.
Protecting with password and writing the password in clear text somewhere
doesn't improve security much I think.
Dunno if this is a possible way to go for you.
Greetings,
Thomas
________________________________
From: a.grubner@bluewin.ch <a....@bluewin.ch>
Sent: Tuesday, 17 January 2023 21:01:00
To: 'Tomcat Users List'
Subject: AW: Password in Tomcat 9.x

Hoi Thomas

Received also from Mark an email where he requested an example of the
web.xml. Will provide you this tomorrow. Below is what I wrote him.

Regards
Alex

#
#
#
Hi Mark

I will provide a config example tomorrow. Let you know the details.

I have them on the other machine.

In general it is like that - we have a webserver certificate (p12), which we
use to have the https protocol. The certificate comes together with a
p12.pwd file and this password of the certificate is stored in the web.xml.
I want now to remove this password by configuring just the path to this
file.

In case someone renew the certificate, the restart of tomcat can be done
anytime as always the correct password is used.

Regards
Alexander
#
#
#

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.INVALID>
Sent: Tuesday, 17 January 2023 19:19
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: AW: Password in Tomcat 9.x

Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the
auth method, not any passwords. Or do you plan auth with client
certificates?

Greetings, Thomas
________________________________
From: a.grubner@bluewin.ch <a....@bluewin.ch>
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be for seen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
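
Added example, not part of the thread: a pre-restart check for the layout described in the post above (CERT.p12 with its p12.pwd beside it). It confirms that neither file is accessible to group or other and that the password file still opens the keystore after a renewal. The function names and the two-argument call are assumptions; `openssl pkcs12 -passin file:` is the stock OpenSSL option that reads the password from the first line of a file.

```shell
#!/bin/sh
# Pre-restart check for the files behind keystoreFile / keystorePass.
# Assumed layout (illustrative): CERT.p12 with its password file next to it.

# True when group and other have no permission bits on the file.
private_to_owner() {
    mode=$(ls -ldL "$1" | cut -c5-10) || return 1
    [ "$mode" = "------" ]
}

# True when the first line of the password file opens the PKCS#12 file.
password_opens_p12() {
    openssl pkcs12 -in "$1" -passin "file:$2" -noout </dev/null >/dev/null 2>&1
}

# Prints one line per problem; the return code is the number of problems.
check_keystore() {
    p12=$1 pwd_file=$2 problems=0
    for f in "$p12" "$pwd_file"; do
        if [ ! -r "$f" ]; then
            echo "unreadable: $f"; problems=$((problems + 1))
        elif ! private_to_owner "$f"; then
            echo "group/other can access: $f"; problems=$((problems + 1))
        fi
    done
    if [ -r "$p12" ] && [ -r "$pwd_file" ] \
        && ! password_opens_p12 "$p12" "$pwd_file"; then
        echo "password file does not open $p12"; problems=$((problems + 1))
    fi
    return "$problems"
}

# Run as: sh check_keystore.sh /path/CERT.p12 /path/CERT.p12.pwd
if [ "$#" -eq 2 ]; then
    check_keystore "$1" "$2"
fi
```

Run it as the account Tomcat runs under, so the readability test reflects what the server itself will see at restart.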


AW: Password in Tomcat 9.x

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Alex,
I usually remove the password on the p12 file via openssl.
Protecting with password and writing the password in clear text somewhere doesn't improve security much I think.
Dunno if this is a possible way to go for you.
Greetings,
Thomas
________________________________
From: a.grubner@bluewin.ch <a....@bluewin.ch>
Sent: Tuesday, 17 January 2023 21:01:00
To: 'Tomcat Users List'
Subject: AW: Password in Tomcat 9.x

Hoi Thomas

Received also from Mark an email where he requested an example of the
web.xml. Will provide you this tomorrow. Below is what I wrote him.

Regards
Alex

#
#
#
Hi Mark

I will provide a config example tomorrow. Let you know the details.

I have them on the other machine.

In general it is like that - we have a webserver certificate (p12), which we
use to have the https protocol. The certificate comes together with a
p12.pwd file and this password of the certificate is stored in the web.xml.
I want now to remove this password by configuring just the path to this
file.

In case someone renew the certificate, the restart of tomcat can be done
anytime as always the correct password is used.

Regards
Alexander
#
#
#

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.INVALID>
Sent: Tuesday, 17 January 2023 19:19
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: AW: Password in Tomcat 9.x

Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the
auth method, not any passwords. Or do you plan auth with client
certificates?

Greetings, Thomas
________________________________
From: a.grubner@bluewin.ch <a....@bluewin.ch>
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be for seen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


AW: Password in Tomcat 9.x

Posted by a....@bluewin.ch.
Hoi Thomas

Received also from Mark an email where he requested an example of the
web.xml. Will provide you this tomorrow. Below is what I wrote him.

Regards
Alex

#
#
#
Hi Mark

I will provide a config example tomorrow. Let you know the details.

I have them on the other machine.

In general it is like that - we have a webserver certificate (p12), which we
use to have the https protocol. The certificate comes together with a
p12.pwd file and this password of the certificate is stored in the web.xml.
I want now to remove this password by configuring just the path to this
file.

In case someone renew the certificate, the restart of tomcat can be done
anytime as always the correct password is used.

Regards
Alexander
#
#
#

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<Th...@speed4trade.com.INVALID>
Sent: Tuesday, 17 January 2023 19:19
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: AW: Password in Tomcat 9.x

Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the
auth method, not any passwords. Or do you plan auth with client
certificates?

Greetings, Thomas
________________________________
From: a.grubner@bluewin.ch <a....@bluewin.ch>
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be for seen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


AW: Password in Tomcat 9.x

Posted by "Thomas Hoffmann (Speed4Trade GmbH)" <Th...@speed4trade.com.INVALID>.
Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the auth method, not any passwords. Or do you plan auth with client certificates?

Greetings, Thomas
________________________________
From: a.grubner@bluewin.ch <a....@bluewin.ch>
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be for seen, that
9.x can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner