You are viewing a plain text version of this content. The canonical link for it is here.
Posted to users@tomcat.apache.org by xcorpius <xc...@protonmail.com.INVALID> on 2021/06/07 08:56:13 UTC
RE: Question about encrypting database passwords in the context.xml file - Tomcat 9
Hello again!
Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
Wouldn't it be the same problem? Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
I think people who develop Tomcat should consider this option.
Thank you very much to all.
Xcorpius
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, 30 de April de 2021 11:21, xcorpius <xc...@protonmail.com> wrote:
> :-)
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
>
> > And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Infrastructure Engineer
> > Asst Vice President
> > Middleware Product Engineering
> > Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> > jonmcalexander@wellsfargo.com
> > Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
> > This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> >
> > > -----Original Message-----
> > > From: xcorpius xcorpius@protonmail.com.INVALID
> > > Sent: Monday, April 26, 2021 8:36 AM
> > > To: users@tomcat.apache.org
> > > Subject: Re: Question about encrypting database passwords in the
> > > context.xml file - Tomcat 9
> > > Thanks Olaf!!!!
> > > -------- Mensaje original --------
> > > On 26 abr. 2021 14:02, Olaf Kock escribió:
> > >
> > > > On 26.04.21 13:10, xcorpius wrote:
> > > >
> > > > > Hi,
> > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > context.xml file in Tomcat 9.
> > > >
> > > > >
> > > >
> > > > Hi,
> > > > please check this article:
> > >
> > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
> > > TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > >
> > > > It covers the topic once and for all...
> > > > Olaf
> > > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Posted by xcorpius <xc...@protonmail.com.INVALID>.
Thanks Mark for your clarifications.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 7 de June de 2021 11:42, Mark Thomas <ma...@apache.org> wrote:
> On 07/06/2021 09:56, xcorpius wrote:
>
> > Hello again!
> > Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
> > But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
> > Wouldn't it be the same problem?
>
> No.
>
> > Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
>
> Digesting != encrypting.
>
> Digests are one-way functions. A digested password is no use to a client
> that needs to authenticate itself to a server.
>
> > I think people who develop Tomcat should consider this option.
>
> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.
>
> Mark
>
> > Thank you very much to all.
> > Xcorpius
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Friday, 30 de April de 2021 11:21, xcorpius xcorpius@protonmail.com wrote:
> >
> > > :-)
> > > Sent with ProtonMail Secure Email.
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
> > >
> > > > And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
> > > > Dream * Excel * Explore * Inspire
> > > > Jon McAlexander
> > > > Infrastructure Engineer
> > > > Asst Vice President
> > > > Middleware Product Engineering
> > > > Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
> > > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > > MAC: F4469-010
> > > > Tel 515-988-2508 | Cell 515-988-2508
> > > > jonmcalexander@wellsfargo.com
> > > > Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
> > > > This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> > > >
> > > > > -----Original Message-----
> > > > > From: xcorpius xcorpius@protonmail.com.INVALID
> > > > > Sent: Monday, April 26, 2021 8:36 AM
> > > > > To: users@tomcat.apache.org
> > > > > Subject: Re: Question about encrypting database passwords in the
> > > > > context.xml file - Tomcat 9
> > > > > Thanks Olaf!!!!
> > > > > -------- Mensaje original --------
> > > > > On 26 abr. 2021 14:02, Olaf Kock escribió:
> > > > >
> > > > > > On 26.04.21 13:10, xcorpius wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > > > context.xml file in Tomcat 9.
> > > > > >
> > > > > > >
> > > > > >
> > > > > > Hi,
> > > > > > please check this article:
> > > > >
> > > > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
> > > > > TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > > > >
> > > > > > It covers the topic once and for all...
> > > > > > Olaf
> > > > > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
>
> --
>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Posted by xcorpius <xc...@protonmail.com.INVALID>.
Thanks Mark,
This answer clears all my doubts.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 7 de June de 2021 13:19, Mark Thomas <ma...@apache.org> wrote:
> On 07/06/2021 11:44, xcorpius wrote:
>
> > Just one more thing.
> > I understand my mistake with the difference between encryption and digest.
> >
> > > Fortunately, the Tomcat committers have a sufficiently sound
> > > understanding of both basic logic and basic cryptography not to waste
> > > their time on such an exercise.
> >
> > Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?
>
> It can't.
>
> All Weblogic is doing is moving the goalposts. The database password may
> be encrypted that just means the decryption key needs to be provided in
> plain text instead. No matter how many levels of indirection (or perhaps
> that should be misdirection) are applied, ultimately the application
> server process needs access to a secret in plain text.
>
> However complex the window dressing, it will come down to the operating
> system limiting access to the plain text secret to one or more users.
> This is fundamentally no different to the Tomcat recommendation to use
> OS file permissions to limit access to the configuration file where the
> secret is stored to the user used by Tomcat and root (or equivalent).
>
> If you want to allow more general read access to configuration files
> then there are simple ways to move the secrets to a separate, more
> tightly controlled file.
>
> Mark
>
> > https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
> > Thanks,
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, 7 de June de 2021 11:42, Mark Thomas markt@apache.org wrote:
> >
> > > On 07/06/2021 09:56, xcorpius wrote:
> > >
> > > > Hello again!
> > > > Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
> > > > But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
> > > > Wouldn't it be the same problem?
> > >
> > > No.
> > >
> > > > Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
> > >
> > > Digesting != encrypting.
> > > Digests are one-way functions. A digested password is no use to a client
> > > that needs to authenticate itself to a server.
> > >
> > > > I think people who develop Tomcat should consider this option.
> > >
> > > Fortunately, the Tomcat committers have a sufficiently sound
> > > understanding of both basic logic and basic cryptography not to waste
> > > their time on such an exercise.
> > > Mark
> > >
> > > > Thank you very much to all.
> > > > Xcorpius
> > > > Sent with ProtonMail Secure Email.
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Friday, 30 de April de 2021 11:21, xcorpius xcorpius@protonmail.com wrote:
> > > >
> > > > > :-)
> > > > > Sent with ProtonMail Secure Email.
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
> > > > >
> > > > > > And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
> > > > > > Dream * Excel * Explore * Inspire
> > > > > > Jon McAlexander
> > > > > > Infrastructure Engineer
> > > > > > Asst Vice President
> > > > > > Middleware Product Engineering
> > > > > > Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
> > > > > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > > > > MAC: F4469-010
> > > > > > Tel 515-988-2508 | Cell 515-988-2508
> > > > > > jonmcalexander@wellsfargo.com
> > > > > > Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
> > > > > > This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: xcorpius xcorpius@protonmail.com.INVALID
> > > > > > > Sent: Monday, April 26, 2021 8:36 AM
> > > > > > > To: users@tomcat.apache.org
> > > > > > > Subject: Re: Question about encrypting database passwords in the
> > > > > > > context.xml file - Tomcat 9
> > > > > > > Thanks Olaf!!!!
> > > > > > > -------- Mensaje original --------
> > > > > > > On 26 abr. 2021 14:02, Olaf Kock escribió:
> > > > > > >
> > > > > > > > On 26.04.21 13:10, xcorpius wrote:
> > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > > > > > context.xml file in Tomcat 9.
> > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > > please check this article:
> > > > > > >
> > > > > > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
> > > > > > > TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > > > > > >
> > > > > > > > It covers the topic once and for all...
> > > > > > > > Olaf
> > > > > > > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > > >
> > > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > For additional commands, e-mail: users-help@tomcat.apache.org
> > >
> > > --
> > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
>
> --
>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml
file - Tomcat 9
Posted by Mark Thomas <ma...@apache.org>.
On 07/06/2021 11:44, xcorpius wrote:
> Just one more thing.
>
> I understand my mistake with the difference between encryption and digest.
>
>
>> Fortunately, the Tomcat committers have a sufficiently sound
>> understanding of both basic logic and basic cryptography not to waste
>> their time on such an exercise.
>
> Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?
It can't.
All Weblogic is doing is moving the goalposts. The database password may
be encrypted that just means the decryption key needs to be provided in
plain text instead. No matter how many levels of indirection (or perhaps
that should be misdirection) are applied, ultimately the application
server process needs access to a secret in plain text.
However complex the window dressing, it will come down to the operating
system limiting access to the plain text secret to one or more users.
This is fundamentally no different to the Tomcat recommendation to use
OS file permissions to limit access to the configuration file where the
secret is stored to the user used by Tomcat and root (or equivalent).
If you want to allow more general read access to configuration files
then there are simple ways to move the secrets to a separate, more
tightly controlled file.
Mark
>
> https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
>
> Thanks,
>
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, 7 de June de 2021 11:42, Mark Thomas <ma...@apache.org> wrote:
>
>> On 07/06/2021 09:56, xcorpius wrote:
>>
>>> Hello again!
>>> Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
>>> But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
>>> Wouldn't it be the same problem?
>>
>> No.
>>
>>> Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
>>
>> Digesting != encrypting.
>>
>> Digests are one-way functions. A digested password is no use to a client
>> that needs to authenticate itself to a server.
>>
>>> I think people who develop Tomcat should consider this option.
>>
>> Fortunately, the Tomcat committers have a sufficiently sound
>> understanding of both basic logic and basic cryptography not to waste
>> their time on such an exercise.
>>
>> Mark
>>
>>> Thank you very much to all.
>>> Xcorpius
>>> Sent with ProtonMail Secure Email.
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Friday, 30 de April de 2021 11:21, xcorpius xcorpius@protonmail.com wrote:
>>>
>>>> :-)
>>>> Sent with ProtonMail Secure Email.
>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
>>>>
>>>>> And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
>>>>> Dream * Excel * Explore * Inspire
>>>>> Jon McAlexander
>>>>> Infrastructure Engineer
>>>>> Asst Vice President
>>>>> Middleware Product Engineering
>>>>> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>> MAC: F4469-010
>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>> jonmcalexander@wellsfargo.com
>>>>> Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
>>>>> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: xcorpius xcorpius@protonmail.com.INVALID
>>>>>> Sent: Monday, April 26, 2021 8:36 AM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: Question about encrypting database passwords in the
>>>>>> context.xml file - Tomcat 9
>>>>>> Thanks Olaf!!!!
>>>>>> -------- Mensaje original --------
>>>>>> On 26 abr. 2021 14:02, Olaf Kock escribió:
>>>>>>
>>>>>>> On 26.04.21 13:10, xcorpius wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I wanted to ask about how to encrypt database passwords in the
>>>>>>>> context.xml file in Tomcat 9.
>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>> please check this article:
>>>>>>
>>>>>> https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
>>>>>> TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
>>>>>>
>>>>>>> It covers the topic once and for all...
>>>>>>> Olaf
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>> --
>>
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml
file - Tomcat 9
Posted by Christopher Schultz <ch...@christopherschultz.net>.
xcorpius,
On 6/7/21 06:44, xcorpius wrote:
> Just one more thing.
>
> I understand my mistake with the difference between encryption and digest.
>
>
>> Fortunately, the Tomcat committers have a sufficiently sound
>> understanding of both basic logic and basic cryptography not to waste
>> their time on such an exercise.
>
> Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?
>
> https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
context.xml:
...
<Resource username="scott"
password="passwordfile=secret.txt;NRFCIWRNFUGUWRMWUOGRXGRHOWRZFGWHFEO" />
...
secret.txt
password=tiger
This is the level of security JBoss provides. If it's more complicated
than that, it just degrades to this solution.
I cannot fathom why "configuration files must not contain plaintext
credentials" somehow doesn't cover secret.txt. Maybe context.xml counts
as a "configuration file" but secret.txt counts as a "password file". I
dunno.
If you use the Tomcat Vault, you still have to have the vault password
somewhere. That's why we say it's "moving the goalposts": it doesn't
actually solve the problem: it just moves the problem elsewhere.
We have tried to make everything we've said in this thread abundantly
clear in the FAQ. If you think something isn't very clear, please let us
know how we can improve it.
-chris
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Monday, 7 de June de 2021 11:42, Mark Thomas <ma...@apache.org> wrote:
>
>> On 07/06/2021 09:56, xcorpius wrote:
>>
>>> Hello again!
>>> Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
>>> But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
>>> Wouldn't it be the same problem?
>>
>> No.
>>
>>> Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
>>
>> Digesting != encrypting.
>>
>> Digests are one-way functions. A digested password is no use to a client
>> that needs to authenticate itself to a server.
>>
>>> I think people who develop Tomcat should consider this option.
>>
>> Fortunately, the Tomcat committers have a sufficiently sound
>> understanding of both basic logic and basic cryptography not to waste
>> their time on such an exercise.
>>
>> Mark
>>
>>> Thank you very much to all.
>>> Xcorpius
>>> Sent with ProtonMail Secure Email.
>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>> On Friday, 30 de April de 2021 11:21, xcorpius xcorpius@protonmail.com wrote:
>>>
>>>> :-)
>>>> Sent with ProtonMail Secure Email.
>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
>>>>
>>>>> And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
>>>>> Dream * Excel * Explore * Inspire
>>>>> Jon McAlexander
>>>>> Infrastructure Engineer
>>>>> Asst Vice President
>>>>> Middleware Product Engineering
>>>>> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>>>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>>>> MAC: F4469-010
>>>>> Tel 515-988-2508 | Cell 515-988-2508
>>>>> jonmcalexander@wellsfargo.com
>>>>> Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
>>>>> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>>>>>
>>>>>> -----Original Message-----
>>>>>> From: xcorpius xcorpius@protonmail.com.INVALID
>>>>>> Sent: Monday, April 26, 2021 8:36 AM
>>>>>> To: users@tomcat.apache.org
>>>>>> Subject: Re: Question about encrypting database passwords in the
>>>>>> context.xml file - Tomcat 9
>>>>>> Thanks Olaf!!!!
>>>>>> -------- Mensaje original --------
>>>>>> On 26 abr. 2021 14:02, Olaf Kock escribió:
>>>>>>
>>>>>>> On 26.04.21 13:10, xcorpius wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>> I wanted to ask about how to encrypt database passwords in the
>>>>>>>> context.xml file in Tomcat 9.
>>>>>>>
>>>>>>>>
>>>>>>>
>>>>>>> Hi,
>>>>>>> please check this article:
>>>>>>
>>>>>> https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
>>>>>> TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
>>>>>>
>>>>>>> It covers the topic once and for all...
>>>>>>> Olaf
>>>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>>
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>> --
>>
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Posted by xcorpius <xc...@protonmail.com.INVALID>.
Just one more thing.
I understand my mistake with the difference between encryption and digest.
> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.
Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?
https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
Thanks,
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 7 de June de 2021 11:42, Mark Thomas <ma...@apache.org> wrote:
> On 07/06/2021 09:56, xcorpius wrote:
>
> > Hello again!
> > Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
> > But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
> > Wouldn't it be the same problem?
>
> No.
>
> > Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
>
> Digesting != encrypting.
>
> Digests are one-way functions. A digested password is no use to a client
> that needs to authenticate itself to a server.
>
> > I think people who develop Tomcat should consider this option.
>
> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.
>
> Mark
>
> > Thank you very much to all.
> > Xcorpius
> > Sent with ProtonMail Secure Email.
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Friday, 30 de April de 2021 11:21, xcorpius xcorpius@protonmail.com wrote:
> >
> > > :-)
> > > Sent with ProtonMail Secure Email.
> > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
> > >
> > > > And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
> > > > Dream * Excel * Explore * Inspire
> > > > Jon McAlexander
> > > > Infrastructure Engineer
> > > > Asst Vice President
> > > > Middleware Product Engineering
> > > > Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
> > > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > > MAC: F4469-010
> > > > Tel 515-988-2508 | Cell 515-988-2508
> > > > jonmcalexander@wellsfargo.com
> > > > Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
> > > > This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
> > > >
> > > > > -----Original Message-----
> > > > > From: xcorpius xcorpius@protonmail.com.INVALID
> > > > > Sent: Monday, April 26, 2021 8:36 AM
> > > > > To: users@tomcat.apache.org
> > > > > Subject: Re: Question about encrypting database passwords in the
> > > > > context.xml file - Tomcat 9
> > > > > Thanks Olaf!!!!
> > > > > -------- Mensaje original --------
> > > > > On 26 abr. 2021 14:02, Olaf Kock escribió:
> > > > >
> > > > > > On 26.04.21 13:10, xcorpius wrote:
> > > > > >
> > > > > > > Hi,
> > > > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > > > context.xml file in Tomcat 9.
> > > > > >
> > > > > > >
> > > > > >
> > > > > > Hi,
> > > > > > please check this article:
> > > > >
> > > > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
> > > > > TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > > > >
> > > > > > It covers the topic once and for all...
> > > > > > Olaf
> > > > > > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > > > > > For additional commands, e-mail: users-help@tomcat.apache.org
> >
> > To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> > For additional commands, e-mail: users-help@tomcat.apache.org
>
> --
>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml
file - Tomcat 9
Posted by Mark Thomas <ma...@apache.org>.
On 07/06/2021 09:56, xcorpius wrote:
> Hello again!
>
> Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
>
> But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
>
> Wouldn't it be the same problem?
No.
> Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
Digesting != encrypting.
Digests are one-way functions. A digested password is no use to a client
that needs to authenticate itself to a server.
> I think people who develop Tomcat should consider this option.
Fortunately, the Tomcat committers have a sufficiently sound
understanding of both basic logic and basic cryptography not to waste
their time on such an exercise.
Mark
>
> Thank you very much to all.
>
>
> Xcorpius
>
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> On Friday, 30 de April de 2021 11:21, xcorpius <xc...@protonmail.com> wrote:
>
>> :-)
>>
>> Sent with ProtonMail Secure Email.
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Monday, 26 de April de 2021 19:03, jonmcalexander@wellsfargo.com wrote:
>>
>>> And when that isn't good enough for your senior management, take a look at the Tomcat Vault in GITHUB. :-)
>>> Dream * Excel * Explore * Inspire
>>> Jon McAlexander
>>> Infrastructure Engineer
>>> Asst Vice President
>>> Middleware Product Engineering
>>> Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions
>>> 8080 Cobblestone Rd | Urbandale, IA 50322
>>> MAC: F4469-010
>>> Tel 515-988-2508 | Cell 515-988-2508
>>> jonmcalexander@wellsfargo.com
>>> Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 12/30/2020, 12/31/2020
>>> This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation.
>>>
>>>> -----Original Message-----
>>>> From: xcorpius xcorpius@protonmail.com.INVALID
>>>> Sent: Monday, April 26, 2021 8:36 AM
>>>> To: users@tomcat.apache.org
>>>> Subject: Re: Question about encrypting database passwords in the
>>>> context.xml file - Tomcat 9
>>>> Thanks Olaf!!!!
>>>> -------- Mensaje original --------
>>>> On 26 abr. 2021 14:02, Olaf Kock escribió:
>>>>
>>>>> On 26.04.21 13:10, xcorpius wrote:
>>>>>
>>>>>> Hi,
>>>>>> I wanted to ask about how to encrypt database passwords in the
>>>>>> context.xml file in Tomcat 9.
>>>>>
>>>>>>
>>>>>
>>>>> Hi,
>>>>> please check this article:
>>>>
>>>> https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
>>>> TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
>>>>
>>>>> It covers the topic once and for all...
>>>>> Olaf
>>>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>>>> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml file - Tomcat 9
Posted by xcorpius <xc...@protonmail.com.INVALID>.
Ok, thank you very much Olaf.
Sent with ProtonMail Secure Email.
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 7 de June de 2021 11:36, Olaf Kock <to...@olafkock.de> wrote:
> On 07.06.21 10:56, xcorpius wrote:
>
> > Hello again!
> > Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
> > But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
> > Wouldn't it be the same problem? Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
> > I think people who develop Tomcat should consider this option.
> > Thank you very much to all.
>
> Sorry, those are not the same: Digested passwords cannot be undigested,
> but any digestion of the same password reveals the same digested result,
> so that they can be compared. (read about the difference between hashing
> and encryption)
>
> For a database connection, you'll need to undigest (e.g. unencrypt) the
> password and get it in clear text. And that's precisely what the FAQ
> answers as impossible to do securely (without requiring manual input of
> keys at each startup)
>
> There's nothing here to consider that hasn't been considered before.
>
> Olaf
>
> > > > > > > Hi,
> > > > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > > > context.xml file in Tomcat 9.
> > > > > > > Hi,
> > > > > > > please check this article:
> > > > > > > https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
> > > > > > > TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
> > > > >
> > > > > > It covers the topic once and for all...
> > > > > > Olaf
>
> --
>
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: Question about encrypting database passwords in the context.xml
file - Tomcat 9
Posted by Olaf Kock <to...@olafkock.de>.
On 07.06.21 10:56, xcorpius wrote:
> Hello again!
>
> Checking the documentation ... Tomcat can create an encrypted password with the "digest.sh" tool for application passwords.
>
> But you cannot create an encrypted password for the DB in the context.xml file. The only solution without adding anything is to give restrictive permissions to the context.xml file.
>
> Wouldn't it be the same problem? Why can't I generate an encrypted password for the database with the "digest.sh" tool instead of having to use a customized "factory"?
>
> I think people who develop Tomcat should consider this option.
>
> Thank you very much to all.
Sorry, those are not the same: Digested passwords cannot be undigested,
but any digestion of the same password reveals the same digested result,
so that they can be compared. (read about the difference between hashing
and encryption)
For a database connection, you'll need to undigest (e.g. unencrypt) the
password and get it in clear text. And that's precisely what the FAQ
answers as impossible to do securely (without requiring manual input of
keys at each startup)
There's nothing here to consider that hasn't been considered before.
Olaf
>>>>>> Hi,
>>>>>> I wanted to ask about how to encrypt database passwords in the
>>>>>> context.xml file in Tomcat 9.
>>>>> Hi,
>>>>> please check this article:
>>>> https://urldefense.com/v3/https://cwiki.apache.org/confluence/display/
>>>> TOMCAT/Password;!!F9svGWnIaVPGSwU!5L0cC3jIaCuRm0q1-FYoVLDsuldYO4StHmkrZWg_Y0z1bdU7NM3IWFdkUykL7W_YAFGN4bM$
>>>>
>>>>> It covers the topic once and for all...
>>>>> Olaf
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org