Posted to users@tomcat.apache.org by Moritz <mo...@gmail.com> on 2007/06/13 17:55:31 UTC

Key store password via console

Hi,

I have defined a TLS connector, but I don't want to write the password 
for my key store in plain text into the server.xml file. Is it possible 
to enter the password via the console during startup? Or is there any 
other workaround?

Thanks!
Moritz

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Key store password via console

Posted by Bill Barker <wb...@wilshire.com>.
"Moritz" <mo...@gmail.com> wrote in message 
news:46701373.3080601@gmail.com...
> Hi,
>
> I have defined a TLS connector, but I don't want to write the password for 
> my key store in plain text into the server.xml file. Is it possible to 
> enter the password via the console during startup? Or is there any other 
> workaround?
>

Yes, all you have to do is use TC 3.3 ;-).

Nobody ever showed an interest in porting this feature of 3.3 to later 
versions of Tomcat, so no you can't.

> Thanks!
> Moritz
>



Re: Key store password via console

Posted by David Wall <d....@computer.org>.
Moritz wrote:
> But still I think it's never a good idea to write a password in plain 
> text in any file. If the password is stored in plain text and 
> something goes wrong an attacker could be able to steal my private key 
> and use it. And this would be really bad.
Obviously, this depends on your web site's "hacker desirability"), but if 
they can read your server.xml, they can likely hijack your entire web 
app and install their exploit into your existing pages since the SSL 
encryption is in the clear for the webapp itself and thus they can see 
whatever data was entered by users.  So, if you cannot secure your 
server.xml, then your entire web app is vulnerable to attacks EVEN IF 
they couldn't get the password to your private key.

Stealing your SSL cert private key is probably worth less and harder to 
exploit than simply changing your login page or the like to capture user 
credentials (of course, such changes can be discovered using tools like 
snort).  A stolen set of SSL cert keys is harder to exploit and hide.

>
> Therefore I'm looking for a possibility to pass the password via the 
> console.
This has been discussed many times before.  I'm sure if you write code 
that allows this to work, some will want to use it, too.  It's open 
source after all...  And you can always put httpd in front since its 
OpenSSL implementation allows for cert password prompts.

David



Re: Key store password via console

Posted by Moritz <mo...@gmail.com>.
I agree with you that only those userids that actually need to access 
the server.xml file should be able to read it.

But still I think it's never a good idea to write a password in plain 
text in any file. If the password is stored in plain text and something 
goes wrong an attacker could be able to steal my private key and use it. 
And this would be really bad.

Therefore I'm looking for a possibility to pass the password via the 
console.

Moritz


Caldarale, Charles R wrote:
>> From: Moritz [mailto:mooooooritz@gmail.com] 
>> Subject: Key store password via console
>>
>> I have defined a TLS connector, but I don't want to
>> write the password for my key store in plain text into
>> the server.xml file.
> 
> Are you saying that your server.xml file is open to anyone?  If so,
> you've got bigger problems than hiding your keystore password.  Just
> ensure that server.xml is accessible only to those userids that actually
> need to access it.
> 
>  - Chuck
> 




RE: Key store password via console

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Moritz [mailto:mooooooritz@gmail.com] 
> Subject: Key store password via console
> 
> I have defined a TLS connector, but I don't want to
> write the password for my key store in plain text into
> the server.xml file.

Are you saying that your server.xml file is open to anyone?  If so,
you've got bigger problems than hiding your keystore password.  Just
ensure that server.xml is accessible only to those userids that actually
need to access it.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.

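The advice in the thread boils down to one control: the keystore password sits in clear text in server.xml, so the file's permissions are its only protection. The following shell function is an added example (it is not code from the thread or from the Tomcat project) that audits a server.xml for that condition: it reports whether a keystorePass attribute is present, who owns the file, and whether the group or other permission bits would expose it to other local accounts. The path and the sample connector line used for testing are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread: audit a Tomcat server.xml so that
# the keystore password it carries is readable only by the account that
# needs it. Exit status: 0 = acceptable, 1 = exposed to all local users,
# 2 = file not found. The path is whatever the caller passes in.

check_server_xml() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "no such file: $f" >&2
        return 2
    fi

    # Does the file actually carry a clear-text keystore password?
    if grep -q 'keystorePass=' "$f"; then
        has_pass=yes
    else
        has_pass=no
    fi

    # Symbolic mode string from ls, e.g. "-rw-r-----" (portable across
    # GNU and BSD userlands, unlike stat's format flags).
    perms=$(ls -ld "$f" | cut -c1-10)
    group=$(printf '%s' "$perms" | cut -c5-7)
    other=$(printf '%s' "$perms" | cut -c8-10)
    owner=$(ls -ld "$f" | awk '{print $3}')

    echo "$f: mode=$perms owner=$owner keystorePass=$has_pass"

    # Any permission bit for "other" means every local account can read the
    # keystore password and, as the thread points out, the whole config.
    if [ "$other" != "---" ]; then
        echo "FAIL: $f is accessible to all local users"
        return 1
    fi
    if [ "$group" != "---" ]; then
        echo "WARN: $f is readable by its group; confirm that group holds only the Tomcat service account"
    fi
    if [ "$has_pass" = yes ]; then
        echo "NOTE: keystore password is stored in clear text; file permissions are its only protection"
    fi
    return 0
}

# Run directly: audit the path given on the command line, e.g.
#   sh check_server_xml.sh /opt/tomcat/conf/server.xml
if [ "$#" -gt 0 ]; then
    check_server_xml "$1"
fi
```

A non-zero exit on world-readable permissions makes the check usable from a deployment script or a cron job, so the condition Chuck describes is caught before the connector is ever started rather than discovered after an incident.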