Posted to users@tomcat.apache.org by Randy Gray <ra...@gmail.com> on 2012/04/06 13:41:23 UTC

Prevent cleartext keystore/truststore passwords via JMX

Hi,

I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've noticed
that the keystore and truststore passwords are exposed via JMX in
cleartext (in the JIoEndpoint bean).
This was not the case in Tomcat 6; for example, the JIoEndpoint bean
that was exposed had far fewer attributes.
I have specified the passwords as attributes in the HTTPS connector
tag in server.xml.

Here is an example with an otherwise unmodified Tomcat 7:
http://postimage.org/image/400y2pqsr/

How can I prevent that data from being exposed (in cleartext), as well as
the keystore and truststore path?

Thanks

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Prevent cleartext keystore/truststore passwords via JMX

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Randy,

On 4/12/12 8:13 AM, Randy Gray wrote:
> Actually, a <mbean> entry with the correct type attribute was
> needed:

Could you file an issue in Bugzilla and reference this email thread?

Thanks,
- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk+HASwACgkQ9CaO5/Lv0PD2IwCgi2rDfbIw4hp4Ph/wWqfsO5T3
H4MAnik6VjxFfTgOo/EKcdp5u4035oei
=5/nd
-----END PGP SIGNATURE-----



Re: Prevent cleartext keystore/truststore passwords via JMX

Posted by Randy Gray <ra...@gmail.com>.
Actually, a <mbean> entry with the correct type attribute was needed:

<mbeans-descriptors>

  <mbean name="ThreadPool"
         description="JIoEndpoint"
         domain="Catalina"
         group="Connector"
         type="org.apache.tomcat.util.net.JIoEndpoint">
  </mbean>

</mbeans-descriptors>


On Thu, Apr 12, 2012 at 2:58 PM, Randy Gray <ra...@gmail.com> wrote:
> Hi,
>
> I've added mbeans-descriptors.xml to the package
> org.apache.tomcat.util.net (the same package where JIoEndpoint is) in
> the classpath with this (almost) empty content:
>
> <mbeans-descriptors>
> </mbeans-descriptors>
>
> org.apache.tomcat.util.modeler.Registry looks in the current package
> down to the parent packages, and if it finds an mbeans-descriptors.xml
> file, it uses the attributes found inside there. If no XML file is
> found, it then reverts to finding out the attributes via reflection.
>
> So that file is enough not to load any MBean for JIoEndpoint.
>
> Thanks
>
>
> On Fri, Apr 6, 2012 at 6:52 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1
>>
>> Randy,
>>
>> On 4/6/12 7:41 AM, Randy Gray wrote:
>>> Hi,
>>>
>>> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
>>> noticed that the keystore and truststore passwords are exposed via
>>> JMX in cleartext (in the JIoEndpoint bean). This was not the case
>>> in Tomcat 6; for example, the JIoEndpoint bean that was exposed had
>>> far fewer attributes. I have specified the passwords as attributes
>>> in the HTTPS connector tag in server.xml.
>>>
>>> Here is an example with an otherwise unmodified Tomcat 7:
>>> http://postimage.org/image/400y2pqsr/
>>>
>>> How can I prevent that data from being exposed (in cleartext), as well
>>> as the keystore and truststore path?
>>
>> I can think of a couple of options:
>>
>> 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
>>   and suppress access to these fields (though they aren't specifically
>>   in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem
>>   to consult the mbeans-descriptors.xml files). I've never done this,
>>   so I can't say whether or not it will work.
>>
>> 2. Use TLS for JMX connections. Technically speaking, this will not
>>   transmit your credentials in "cleartext", though anyone who can
>>   connect can read your credentials. See below.
>>
>> 3. Use client certificates and/or username/password authentication to
>>   access your JMX connector. Anyone who can connect to those resources
>>   will probably be able to connect to other things, so having your
>>   trustStore password is probably the least of your worries.
>>
>> - -chris
>> -----BEGIN PGP SIGNATURE-----
>> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
>> Comment: GPGTools - http://gpgtools.org
>> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>>
>> iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R
>> DCIAoJPEG65KmenExYgGtVpgGG7J880c
>> =9y5M
>> -----END PGP SIGNATURE-----
>>
>>

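The thread's fix is verified by looking at the JIoEndpoint bean in a JMX console. As an added example (not code from the thread or from Tomcat), here is a small Java audit that lists every readable JMX attribute in a domain whose name looks like a credential, without ever reading the values. It registers a constructed stand-in MBean (`SampleEndpoint`, with attribute names modelled on the connector attributes discussed above) in a private `Example` domain so it runs stand-alone; the name pattern, the object name and the sample values are assumptions of this example.

```java
import java.lang.management.ManagementFactory;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Set;
import java.util.regex.Pattern;
import javax.management.MBeanAttributeInfo;
import javax.management.MBeanServer;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.StandardMBean;

/**
 * Audit check: report every readable JMX attribute whose NAME suggests a
 * credential, without reading the values. Run against a Tomcat JVM (domain
 * "Catalina") before and after adding a restrictive mbeans-descriptors.xml
 * to confirm the keystorePass/truststorePass attributes are no longer exposed.
 */
public class JmxSecretAudit {

    // Heuristic name filter; an assumption of this example, not a Tomcat list.
    private static final Pattern SENSITIVE_NAME =
        Pattern.compile("pass(word)?|pwd|secret|credential|token", Pattern.CASE_INSENSITIVE);

    /** Constructed stand-in for an endpoint MBean (attribute names mirror the thread's connector attributes). */
    public interface SampleEndpointMBean {
        int getPort();
        String getKeystoreFile();
        String getKeystorePass();
        String getTruststorePass();
    }

    public static class SampleEndpoint implements SampleEndpointMBean {
        public int getPort() { return 8443; }
        public String getKeystoreFile() { return "/opt/tomcat/conf/keystore.jks"; } // constructed path
        public String getKeystorePass() { return "changeit"; }   // constructed value, never printed below
        public String getTruststorePass() { return "changeit"; } // constructed value, never printed below
    }

    /**
     * Returns "objectName/attributeName" for each readable attribute in the given
     * domain whose name matches SENSITIVE_NAME. Accepts an MBeanServerConnection,
     * so it works for the local platform server and for a remote JMX connection.
     */
    public static List<String> findSensitiveAttributes(MBeanServerConnection conn, String domain)
            throws Exception {
        List<String> hits = new ArrayList<>();
        Set<ObjectName> names = conn.queryNames(new ObjectName(domain + ":*"), null);
        for (ObjectName name : names) {
            for (MBeanAttributeInfo attr : conn.getMBeanInfo(name).getAttributes()) {
                if (attr.isReadable() && SENSITIVE_NAME.matcher(attr.getName()).find()) {
                    hits.add(name.getCanonicalName() + "/" + attr.getName());
                }
            }
        }
        Collections.sort(hits);
        return hits;
    }

    public static void main(String[] args) throws Exception {
        MBeanServer server = ManagementFactory.getPlatformMBeanServer();

        // Register the constructed MBean under a Tomcat-style name in a private domain.
        ObjectName endpoint = new ObjectName("Example:type=ThreadPool,name=\"http-bio-8443\"");
        server.registerMBean(
            new StandardMBean(new SampleEndpoint(), SampleEndpointMBean.class), endpoint);

        // Expected: KeystorePass and TruststorePass are reported; Port and KeystoreFile are not.
        for (String hit : findSensitiveAttributes(server, "Example")) {
            System.out.println("credential-like attribute exposed: " + hit);
        }
    }
}
```

Against a real Tomcat, obtain the connection with `JMXConnectorFactory.connect(new JMXServiceURL(...)).getMBeanServerConnection()` and pass `"Catalina"` as the domain. The check deliberately flags only credential-like names; the keystore and truststore path attributes the original question also asked about are not matched by this pattern, and a separate pattern (for example on `file`) can be added if policy treats paths as sensitive too. Because it never calls `getAttribute`, the audit itself does not copy secrets into logs or console output.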


Re: Prevent cleartext keystore/truststore passwords via JMX

Posted by Randy Gray <ra...@gmail.com>.
Hi,

I've added mbeans-descriptors.xml to the package
org.apache.tomcat.util.net (the same package where JIoEndpoint is) in
the classpath with this (almost) empty content:

<mbeans-descriptors>
</mbeans-descriptors>

org.apache.tomcat.util.modeler.Registry looks in the current package
down to the parent packages, and if it finds an mbeans-descriptors.xml
file, it uses the attributes found inside there. If no XML file is
found, it then reverts to finding out the attributes via reflection.

So that file is enough not to load any MBean for JIoEndpoint.

Thanks


On Fri, Apr 6, 2012 at 6:52 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Randy,
>
> On 4/6/12 7:41 AM, Randy Gray wrote:
>> Hi,
>>
>> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
>> noticed that the keystore and truststore passwords are exposed via
>> JMX in cleartext (in the JIoEndpoint bean). This was not the case
>> in Tomcat 6; for example, the JIoEndpoint bean that was exposed had
>> far fewer attributes. I have specified the passwords as attributes
>> in the HTTPS connector tag in server.xml.
>>
>> Here is an example with an otherwise unmodified Tomcat 7:
>> http://postimage.org/image/400y2pqsr/
>>
>> How can I prevent that data from being exposed (in cleartext), as well
>> as the keystore and truststore path?
>
> I can think of a couple of options:
>
> 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
>   and suppress access to these fields (though they aren't specifically
>   in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem
>   to consult the mbeans-descriptors.xml files). I've never done this,
>   so I can't say whether or not it will work.
>
> 2. Use TLS for JMX connections. Technically speaking, this will not
>   transmit your credentials in "cleartext", though anyone who can
>   connect can read your credentials. See below.
>
> 3. Use client certificates and/or username/password authentication to
>   access your JMX connector. Anyone who can connect to those resources
>   will probably be able to connect to other things, so having your
>   trustStore password is probably the least of your worries.
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R
> DCIAoJPEG65KmenExYgGtVpgGG7J880c
> =9y5M
> -----END PGP SIGNATURE-----
>
>



Re: Prevent cleartext keystore/truststore passwords via JMX

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Randy,

On 4/6/12 7:41 AM, Randy Gray wrote:
> Hi,
> 
> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
> noticed that the keystore and truststore passwords are exposed via
> JMX in cleartext (in the JIoEndpoint bean). This was not the case
> in Tomcat 6; for example, the JIoEndpoint bean that was exposed had
> far fewer attributes. I have specified the passwords as attributes
> in the HTTPS connector tag in server.xml.
> 
> Here is an example with an otherwise unmodified Tomcat 7:
> http://postimage.org/image/400y2pqsr/
> 
> How can I prevent that data from being exposed (in cleartext), as well
> as the keystore and truststore path?

I can think of a couple of options:

1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
   and suppress access to these fields (though they aren't specifically
   in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem
   to consult the mbeans-descriptors.xml files). I've never done this,
   so I can't say whether or not it will work.

2. Use TLS for JMX connections. Technically speaking, this will not
   transmit your credentials in "cleartext", though anyone who can
   connect can read your credentials. See below.

3. Use client certificates and/or username/password authentication to
   access your JMX connector. Anyone who can connect to those resources
   will probably be able to connect to other things, so having your
   trustStore password is probably the least of your worries.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R
DCIAoJPEG65KmenExYgGtVpgGG7J880c
=9y5M
-----END PGP SIGNATURE-----
