Posted to users@tomcat.apache.org by Spencer Lamont R CONTR USSTRATCOM/J646 <la...@stratcom.mil> on 2013/07/15 16:04:04 UTC

Number of logs files and encrypt manager passwd

To all: 

I am looking for the file in which to set the number of logs to keep.  Also I tried to encrypt the manager password to the manager web page. I did the steps with the realm and users file, but when I went to access the page it would not work. When I put the unencrypted passwd back it works.

THX.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Number of logs files and encrypt manager passwd

Posted by Spencer Lamont R CONTR USSTRATCOM/J646 <la...@stratcom.mil>.
Suggestions

-----Original Message-----
From: André Warnier [mailto:aw@ice-sa.com] 
Sent: Monday, July 15, 2013 10:35 AM
To: Tomcat Users List
Subject: Re: Number of logs files and encrypt manager passwd

Spencer Lamont R CONTR USSTRATCOM/J646 wrote:
> Dan:
> 
> 1. 7.0.14
> 2. attachment.
> 3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

You realise that this is somewhat ridiculous, I suppose?
What these instructions make you do, is replace one plain-text password in
the file, by another plain-text password.  That the 2d password happens to
be the result of hashing the first one does not change that.
Anyone getting access to the tomcat-users.xml file, can now use the password
that is in there, to login as manager.

Of course, the key here is "Anyone getting access to the tomcat-users.xml
file". That is what you should protect.  If any unauthorised person can get
access to any of your server's configuration files, you are in deep trouble
anyway.

> 
> THX.
> 




Re: Number of logs files and encrypt manager passwd

Posted by André Warnier <aw...@ice-sa.com>.
Spencer Lamont R CONTR USSTRATCOM/J646 wrote:
> Dan:
> 
> 1. 7.0.14
> 2. attachment.
> 3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

You realise that this is somewhat ridiculous, I suppose?
What these instructions make you do, is replace one plain-text password in the file, by 
another plain-text password.  That the 2d password happens to be the result of hashing the 
first one does not change that.
Anyone getting access to the tomcat-users.xml file, can now use the password that is in 
there, to login as manager.

Of course, the key here is "Anyone getting access to the tomcat-users.xml file". That is 
what you should protect.  If any unauthorised person can get access to any of your 
server's configuration files, you are in deep trouble anyway.

> 
> THX.
> 




Re: Number of logs files and encrypt manager passwd

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Jul 15, 2013, at 11:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646 <la...@stratcom.mil> wrote:

> Dan:

Please don't top post.  Reply inline or after to preserve the flow of the conversation.

> 
> 1. 7.0.14

This is really old.  The security risks from running such an old version are undoubtedly greater than having your manager passwords in plain text in a file that is appropriately secured with OS level permissions.

  http://tomcat.apache.org/security-7.html

> 2. attachment.

In the future, please inline your config info.  It's easier and quicker to read that way.  Plus, the list will sometimes strip off attachments.  

> 3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

Most of the realms support the "digest" attribute that you mentioned, but I don't see it listed for the one that you are using.

  http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#UserDatabase_Realm_-_org.apache.catalina.realm.UserDatabaseRealm

You could try using the MemoryRealm instead.  It's very similar to UserDatabaseRealm, but it lists support for the "digest" attribute.

  http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#Memory_Based_Realm_-_org.apache.catalina.realm.MemoryRealm

As a side note, I wouldn't suggest using either of these realms in production.  For production deployments, you'd be better off using the JDBC or LDAP backed realms.

Dan


> 
> THX.
> 
> <non-plaintext passwords.docx><server xml.ORIGINAL>


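Added example, not from the thread and not Tomcat's own code, that models the check Dan's reply turns on: a realm with no working "digest" attribute compares the stored value as typed (so a pasted hash becomes the effective password, which is why the original password stopped working), while a realm honouring digest="SHA-256" hashes what the user presents before comparing. It assumes a Tomcat 7 digest realm stores the lowercase hex digest of the password; the XML and the password "secret" are constructed.

```python
# Added example, not from the thread or from Tomcat: how a realm compares a
# presented password with a tomcat-users.xml entry, with and without "digest".
# Assumption: a digest realm stores the lowercase hex digest. Data is constructed.
import hashlib
import hmac
import xml.etree.ElementTree as ET

# What an operator would paste after hashing "secret" (Tomcat ships bin/digest.sh
# for that); computed here so the example stays self-contained.
STORED_DIGEST = hashlib.sha256(b"secret").hexdigest()

TOMCAT_USERS_XML = f"""<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="hashed" password="{STORED_DIGEST}" roles="manager-gui"/>
</tomcat-users>
"""

def load_users(xml_text):
    """Map username -> stored password attribute from a tomcat-users.xml document."""
    return {u.get("username"): u.get("password")
            for u in ET.fromstring(xml_text).iter("user")}

def credential_to_compare(presented, digest):
    """Value a realm compares with the file: hashed when digest is set, else as typed."""
    if digest is None:
        return presented
    algo = digest.replace("-", "").lower()          # Java "SHA-256" -> hashlib "sha256"
    return hashlib.new(algo, presented.encode("utf-8")).hexdigest()

def authenticate(users, username, presented, digest=None):
    """True when the presented password matches the stored entry for username."""
    stored = users.get(username)
    if stored is None:
        return False
    candidate = credential_to_compare(presented, digest)
    return hmac.compare_digest(candidate.encode("utf-8"), stored.encode("utf-8"))

def demo():
    users = load_users(TOMCAT_USERS_XML)
    return {
        # Realm ignoring "digest" (the thread's UserDatabaseRealm): the original
        # password fails, and the hex string in the file is now the working password.
        "no_digest_original":  authenticate(users, "hashed", "secret"),
        "no_digest_hexstring": authenticate(users, "hashed", users["hashed"]),
        # Realm honouring digest="SHA-256" (MemoryRealm): the original password
        # works and the value stored in the file is not itself a usable credential.
        "sha256_original":     authenticate(users, "hashed", "secret", "SHA-256"),
        "sha256_hexstring":    authenticate(users, "hashed", users["hashed"], "SHA-256"),
    }
```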


RE: Number of logs files and encrypt manager passwd

Posted by Spencer Lamont R CONTR USSTRATCOM/J646 <la...@stratcom.mil>.
Dan:

1. 7.0.14
2. attachment.
3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

THX.

-----Original Message-----
From: Daniel Mikusa [mailto:dmikusa@gopivotal.com] 
Sent: Monday, July 15, 2013 9:31 AM
To: Tomcat Users List
Subject: Re: Number of logs files and encrypt manager passwd

On Jul 15, 2013, at 10:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646
<la...@stratcom.mil> wrote:

> To all: 
> 
>   I am looking for the file in which to set the number of logs to keep.  

You can configure logging in "conf/logging.properties", however the default
configuration does not offer a way to do what you are asking.  It simply
creates a new log file every day.  You would need to manually clean them up
with a cron job or scheduled task.

Alternatively, you could enable Log4j which automatically cleans up old
files.

  https://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

> Also I tried to encrypt the manager password to the manager web page. I
> did the steps with the realm and users file, but when I went to access the
> page it would not work. When I put the unencrypted passwd back it works.

You're going to need to provide more information here.  Start by including
this.

1.) What version of Tomcat are you running?  Include the whole number, 6.0.x
or 7.0.x.

2.) How do you have your realm and users configured?  Please include the
XML configuration, minus comments and any sensitive information.

3.) Are you trying to use encryption or hashing?

Dan


Re: Number of logs files and encrypt manager passwd

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Jul 15, 2013, at 10:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646 <la...@stratcom.mil> wrote:

> To all: 
> 
>   I am looking for the file in which to set the number of logs to keep.  

You can configure logging in "conf/logging.properties", however the default configuration does not offer a way to do what you are asking.  It simply creates a new log file every day.  You would need to manually clean them up with a cron job or scheduled task.

Alternatively, you could enable Log4j which automatically cleans up old files.

  https://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j

> Also I tried to encrypt the manager password to the manager web page. I did the steps with the realm and users file, but when I went to access the page it would not work. When I put the unencrypted passwd back it works.

You're going to need to provide more information here.  Start by including this…

1.) What version of Tomcat are you running?  Include the whole number, 6.0.x or 7.0.x.

2.) How do you have your realm and users configured?  Please include the XML configuration, minus comments and any sensitive information.

3.) Are you trying to use encryption or hashing?

Dan
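Added example, not Dan's or Tomcat's code, of the "cron job or scheduled task" cleanup he recommends for juli's one-file-per-day rotation: it keeps the newest N days per log family and decides age from the date in the filename rather than mtime. It assumes the default names such as catalina.2013-07-15.log and localhost_access_log.2013-07-15.txt; the directory listing is constructed.

```python
# Added example, not from the thread or from Tomcat: prune CATALINA_BASE/logs so
# each daily log family keeps only its newest `keep` days. Assumes juli's default
# <family>.<YYYY-MM-DD>.log names (plus the access log's .txt); listing constructed.
import re
from collections import defaultdict
from pathlib import Path

DAILY_LOG = re.compile(r"^(?P<family>[\w-]+)\.(?P<day>\d{4}-\d{2}-\d{2})\.(?:log|txt)$")

def select_for_deletion(names, keep):
    """Names to delete so that every family keeps its `keep` newest days.
    Age comes from the date in the name, not mtime, so a touched or restored
    old file is still old; names without a date (catalina.out) are never chosen."""
    by_family = defaultdict(list)
    for name in names:
        m = DAILY_LOG.match(name)
        if m:
            by_family[m["family"]].append((m["day"], name))
    doomed = []
    for entries in by_family.values():
        entries.sort(reverse=True)        # ISO dates sort newest-first as strings
        doomed.extend(name for _, name in entries[keep:])
    return sorted(doomed)

def prune_logs(log_dir, keep=14, dry_run=True):
    """Apply select_for_deletion to a real directory; dry_run only reports."""
    log_dir = Path(log_dir)
    names = [p.name for p in log_dir.iterdir() if p.is_file()]
    victims = select_for_deletion(names, keep)
    if not dry_run:
        for name in victims:
            (log_dir / name).unlink()
    return victims

# Constructed listing of a logs directory after a week without cleanup.
SAMPLE_LISTING = [
    "catalina.2013-07-09.log", "catalina.2013-07-10.log", "catalina.2013-07-15.log",
    "localhost.2013-07-10.log", "localhost.2013-07-15.log",
    "localhost_access_log.2013-07-09.txt", "localhost_access_log.2013-07-15.txt",
    "catalina.out",                       # no date: left alone by this pruner
]
```

Run `prune_logs("/path/to/tomcat/logs", keep=14)` from cron with dry_run left on first to review what would go, then with dry_run=False.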