Posted to users@tomcat.apache.org by Kevin Nash <ke...@rockalltech.com> on 2008/11/13 17:35:54 UTC

Encrypting database resource password

Hello,

I'm using apache-tomcat-5.5.26, Oracle 10.2.0.3, java version "1.5.0_14"


I have a data resource defined in the server.xml and I wish to create a digest of the database 
password.

<Resource name="jdbc/oracle" auth="Container" type="javax.sql.DataSource"
          username="username"
          password="plaintxt"
          driverClassName="oracle.jdbc.driver.OracleDriver"
          url="jdbc:oracle:thin:@hostname:1522:databasename"
          maxActive="20" maxIdle="10">
</Resource>

I was wondering whether it is possible to do this in a similar fashion to creating
a digest of the passwords in the tomcat-users.xml file:

1. Create password digest using SHA
$ ./digest.sh -a SHA password
password:5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8
 
2. Update the password in tomcat-users.xml
<user username="tomcat" password="5baa61e4c9b93f3f0682250b6cf8331b7ee68fd8" roles="tomcat,manager"/>
 
3. Update the server.xml
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        resourceName="UserDatabase" digest="SHA" />


I've searched for a solution for encrypting the data resource password and I've come across 
the following solutions.

1. Manage the connection pool in the application, not the application server.

2. Authenticate using the application, i.e. set auth="Application"

3. Or extend BasicDataSourceFactory to accept an encrypted password.

These solutions are described in this interesting article http://java.sys-con.com/node/393364/print

I was wondering, is there a fourth solution as simple as creating digests of passwords
for users in the tomcat-users.xml file?

Thanks for your help,

Kevin Nash


Re: Encrypting database resource password

Posted by Robert Koberg <ro...@koberg.com>.
We use:

http://www.jasypt.org/

best,
-Rob




---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Encrypting database resource password

Posted by Robert Koberg <ro...@koberg.com>.
On Nov 13, 2008, at 12:31 PM, Christopher Schultz wrote:
> Kevin Nash wrote:
>> I have a data resource defined in the server.xml and I wish to
>> [encrypt the] database password.
>
> This question comes up occasionally. Things to consider:
>
> 1. If you encrypt the password in context.xml, where will you store the
>    password for your encryption key to decrypt it?
>
> 2. If you encrypt your decryption key for step 1, where will you put the
>    password for your encryption key to decrypt it?
>
> 3. See step 2.
>
> The only way to break this cycle is to provide a password manually (say,
> from the console) during application or app-server startup. That
> precludes unattended restarts, which is basically a deal-breaker for a
> production system.
>
> Have I convinced you yet? ;)

And you tell this all to your client and they still want it :)



Re: Encrypting database resource password

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Kevin,

Kevin Nash wrote:
> I have a data resource defined in the server.xml and I wish to [encrypt the] database 
> password.

This question comes up occasionally. Things to consider:

1. If you encrypt the password in context.xml, where will you store the
   password for your encryption key to decrypt it?

2. If you encrypt your decryption key for step 1, where will you put the
   password for your encryption key to decrypt it?

3. See step 2.

The only way to break this cycle is to provide a password manually (say,
from the console) during application or app-server startup. That
precludes unattended restarts, which is basically a deal-breaker for a
production system.

Have I convinced you yet? ;)

Hope that helps,
-chris



Re: Encrypting database resource password

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
If you digest the password to the database, how is Tomcat supposed to
pass it to the database?

Filip
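
Option 3 from the original message, written out as an added example (not code from any poster in this thread, the linked article, or Tomcat): a factory that decrypts the password attribute before passing the reference on to BasicDataSourceFactory. The class name, the hex IV-plus-ciphertext storage format, and the db.keyfile system property are assumptions made for illustration; the package is the DBCP copy bundled with Tomcat 5.5.

```java
import java.io.DataInputStream;
import java.io.FileInputStream;
import java.util.Hashtable;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.*;
import org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory;

// Hypothetical class: name it in the <Resource> as factory="EncryptedDataSourceFactory".
public class EncryptedDataSourceFactory extends BasicDataSourceFactory {
    public Object getObjectInstance(Object obj, Name name, Context ctx, Hashtable env)
            throws Exception {
        if (obj instanceof Reference) {
            Reference ref = (Reference) obj;
            for (int i = 0; i < ref.size(); i++) {
                RefAddr addr = ref.get(i);
                if ("password".equals(addr.getType())) {
                    // Swap the stored ciphertext for the clear text the JDBC driver needs.
                    String clear = decrypt((String) addr.getContent());
                    ref.remove(i);
                    ref.add(i, new StringRefAddr("password", clear));
                    break;
                }
            }
        }
        return super.getObjectInstance(obj, name, ctx, env);
    }

    // Assumed storage format: hex of a 16-byte IV followed by AES-CBC ciphertext.
    static String decrypt(String hex) throws Exception {
        byte[] in = new byte[hex.length() / 2];
        for (int i = 0; i < in.length; i++) {
            in[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        Cipher c = Cipher.getInstance("AES/CBC/PKCS5Padding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(loadKey(), "AES"), new IvParameterSpec(in, 0, 16));
        return new String(c.doFinal(in, 16, in.length - 16), "UTF-8");
    }

    // The key must sit where an unattended JVM can read it (assumed: a 16-byte file
    // named by the db.keyfile system property), so its file permissions are the real control.
    static byte[] loadKey() throws Exception {
        DataInputStream s = new DataInputStream(new FileInputStream(System.getProperty("db.keyfile")));
        byte[] key = new byte[16];
        try { s.readFully(key); } finally { s.close(); }
        return key;
    }
}
```

The key file is readable by the same account that reads server.xml, so the secret has moved rather than disappeared, which is the cycle described earlier in the thread. Unlike the digest in tomcat-users.xml, the stored value here has to be reversible because the clear-text password must still be presented to the database.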


