Keystore password not masked in server.xml file

[Luca Marchesano <lu...@ericsson.com>]

Hi all,
I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL connector. I've generated a keystore and specified it in the server.xml file, but I have to specify the keystore's password in clear in the connector's configuration. Is it possible to avoid that? Is there a way to specify the keystore's password in encrypted way?

Thanks in advance,
Luca

Re: Keystore password not masked in server.xml file

[Pid * <pi...@pidster.com>]

On 14 Feb 2012, at 14:27, Luca Marchesano <lu...@ericsson.com> wrote:

> Hi all,
> I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL connector. I've generated a keystore and specified it in the server.xml file, but I have to specify the keystore's password in clear in the connector's configuration. Is it possible to avoid that? Is there a way to specify the keystore's password in encrypted way?

If its encrypted, where will you put the decryption key?


p


> Thanks in advance,
> Luca

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Keystore password not masked in server.xml file

[Christopher Schultz <ch...@christopherschultz.net>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Luca,

On 2/14/12 9:26 AM, Luca Marchesano wrote:
> I'm trying to configure a Tomcat 7.0.21 server in order to use the 
> SSL connector. I've generated a keystore and specified it in the 
> server.xml file, but I have to specify the keystore's password in 
> clear in the connector's configuration. Is it possible to avoid
> that? Is there a way to specify the keystore's password in
> encrypted way?

http://wiki.apache.org/tomcat/FAQ/Password

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk86k5oACgkQ9CaO5/Lv0PAA3ACeIvL8XHnIj9E7+bMfIKYbBuoV
u4EAn0dchmLncs1/eHGmwtO7cr4kRKDD
=c5gM
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Keystore password not masked in server.xml file

[Mark Thomas <ma...@apache.org>]

On 19/02/2012 12:17, Pae Choi wrote:
> On 02/19/2012 06:03 AM, Mark Thomas wrote:
>> On 19/02/2012 09:25, Pae Choi wrote:
>>> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>>>>> From: Luca Marchesano [mailto:luca.marchesano@ericsson.com]
>>>>> Subject: Keystore password not masked in server.xml file
>>>>> Is there a way to specify the keystore's password in encrypted way?
>>>> Think about it: where are you going to put the encryption key so
>>>> Tomcat can get at it to decode the encrypted password?  Eventually,
>>>> something must be in plain text, accessible to Tomcat.  Secure your
>>>> Tomcat configuration files so you don't have to worry about random
>>>> users looking at them.
>>>>
>>>>    - Chuck
>>>>
>>> The OP's inquiry was quite reasonable as well as valid in a security
>>> aspect.
>> No it wasn't. It was illogical. Chris has already pointed to the FAQ
>> entry that discusses this in more detail. I don't propose to repeat
>> those arguments here but I will say the proposal below is nonsense.
>>
>> Mark
>>
> 
> Which part of OP's comment illogical? is concerning the clear-text
> password illogical?

Yes.

> Where is the part in the FAQ that describe *in more detail* part? I'll
> be interesting to
> read about it.

Try reading the FAQ link Chris already pointed you to then.

> Nonsense? Is logical and rational simply saying nonsense without any
> logical explanation?

As I previously stated, the FAQ article provides all the explanation
required and I don't intend wasting my time copying and pasting it into
an email message.

> You could point out which part specifically you do not understand.
> Perhaps, security topic is too much for you to digest?

ROTFLMAO. I'll leave folks to check the archives to determine our
relative credibility on that one. I'm confident I know what the result
will be.

> When you do not understand, you simply just don't get it.

Hopefully, but I suspect not, you'll come to the conclusion that it is
in fact the other way around and that it is you that doesn't get it.

> Pae
> 
> P.S.: Also, why I am seeing your post without my original posting? How
> funny!

Yes, it is hilarious that you appear to be unable to configure your
browser to show message threads correctly.

I don't intend feeding this troll any further by replying to whatever
reply this e-mail may generate but I do offer the following food for
thought:

When on an Apache mailing list and someone with an @apache.org address
writes something you think is nonsense, there is a fairly good chance
that they do in fact know what they are talking about. You may want to
do a little more research before you start questioning their
intelligence. I'm not saying that they won't make mistakes (and when
they do, they'll be more than happy to own up to them), but it is
advisable to be very sure of your ground before you start typing unless
- of course - you are happy making yourself look like a complete idiot.

Mark


>>> The 'password' for
>>> the key store falls in the same category. I remember there were more
>>> than a few times the same and
>>> similar subject addressed, but i guess it's still as it was.
>>>
>>> To give an idea in terms of where to place and how to access,
>>>
>>> 1) The clear-text or enciphered-form password in the code.
>>> 2) The clear-text password in the connector in the server.xml can be
>>> replaced with the API method
>>>     name that can provide the password.
>>>
>>> This simple mechanism can be either or both by Tomcat as default and/or
>>> custom-class that implements
>>> the defined API.
>>>
>>> Within the implementation, how the API method provided the password can
>>> be left to the implementation
>>> provider. In that way, each Tomcat will have unique as well as more
>>> secure depends how well implemented
>>> the password provisioning class implemented which can be left to the
>>> implementation provider.
>>>
>>> Anyhow, this is a basic idea where the password can be placed and how it
>>> can be accessed. And it can be
>>> easily implemented with reasonably short amount of time and effort.
>>>
>>> To go further more for multiple certificates for multiple vHosts such as
>>> SNI+OpenSSL(or alternatives),
>>> it will be a bit more challenging, but not so hard about it.
>>>
>>>
>>> Pae
>>>
>>>
>>>
>>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
> 
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Keystore password not masked in server.xml file

[Pae Choi <pa...@gmail.com>]

On 02/19/2012 06:03 AM, Mark Thomas wrote:
> On 19/02/2012 09:25, Pae Choi wrote:
>> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>>>> From: Luca Marchesano [mailto:luca.marchesano@ericsson.com]
>>>> Subject: Keystore password not masked in server.xml file
>>>> Is there a way to specify the keystore's password in encrypted way?
>>> Think about it: where are you going to put the encryption key so
>>> Tomcat can get at it to decode the encrypted password?  Eventually,
>>> something must be in plain text, accessible to Tomcat.  Secure your
>>> Tomcat configuration files so you don't have to worry about random
>>> users looking at them.
>>>
>>>    - Chuck
>>>
>> The OP's inquiry was quite reasonable as well as valid in a security
>> aspect.
> No it wasn't. It was illogical. Chris has already pointed to the FAQ
> entry that discusses this in more detail. I don't propose to repeat
> those arguments here but I will say the proposal below is nonsense.
>
> Mark
>

Which part of OP's comment illogical? is concerning the clear-text 
password illogical?

Where is the part in the FAQ that describe *in more detail* part? I'll 
be interesting to
read about it.

Nonsense? Is logical and rational simply saying nonsense without any 
logical explanation?
You could point out which part specifically you do not understand. 
Perhaps, security topic
is too much for you to digest?

When you do not understand, you simply just don't get it.


Pae

P.S.: Also, why I am seeing your post without my original posting? How 
funny!


>> The 'password' for
>> the key store falls in the same category. I remember there were more
>> than a few times the same and
>> similar subject addressed, but i guess it's still as it was.
>>
>> To give an idea in terms of where to place and how to access,
>>
>> 1) The clear-text or enciphered-form password in the code.
>> 2) The clear-text password in the connector in the server.xml can be
>> replaced with the API method
>>     name that can provide the password.
>>
>> This simple mechanism can be either or both by Tomcat as default and/or
>> custom-class that implements
>> the defined API.
>>
>> Within the implementation, how the API method provided the password can
>> be left to the implementation
>> provider. In that way, each Tomcat will have unique as well as more
>> secure depends how well implemented
>> the password provisioning class implemented which can be left to the
>> implementation provider.
>>
>> Anyhow, this is a basic idea where the password can be placed and how it
>> can be accessed. And it can be
>> easily implemented with reasonably short amount of time and effort.
>>
>> To go further more for multiple certificates for multiple vHosts such as
>> SNI+OpenSSL(or alternatives),
>> it will be a bit more challenging, but not so hard about it.
>>
>>
>> Pae
>>
>>
>>
>>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Keystore password not masked in server.xml file

[Mark Thomas <ma...@apache.org>]

On 19/02/2012 09:25, Pae Choi wrote:
> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>>> From: Luca Marchesano [mailto:luca.marchesano@ericsson.com]
>>> Subject: Keystore password not masked in server.xml file
>>> Is there a way to specify the keystore's password in encrypted way?
>> Think about it: where are you going to put the encryption key so
>> Tomcat can get at it to decode the encrypted password?  Eventually,
>> something must be in plain text, accessible to Tomcat.  Secure your
>> Tomcat configuration files so you don't have to worry about random
>> users looking at them.
>>
>>   - Chuck
>>
> 
> The OP's inquiry was quite reasonable as well as valid in a security
> aspect.

No it wasn't. It was illogical. Chris has already pointed to the FAQ
entry that discusses this in more detail. I don't propose to repeat
those arguments here but I will say the proposal below is nonsense.

Mark

> The 'password' for
> the key store falls in the same category. I remember there were more
> than a few times the same and
> similar subject addressed, but i guess it's still as it was.
> 
> To give an idea in terms of where to place and how to access,
> 
> 1) The clear-text or enciphered-form password in the code.
> 2) The clear-text password in the connector in the server.xml can be
> replaced with the API method
>    name that can provide the password.
> 
> This simple mechanism can be either or both by Tomcat as default and/or
> custom-class that implements
> the defined API.
> 
> Within the implementation, how the API method provided the password can
> be left to the implementation
> provider. In that way, each Tomcat will have unique as well as more
> secure depends how well implemented
> the password provisioning class implemented which can be left to the
> implementation provider.
> 
> Anyhow, this is a basic idea where the password can be placed and how it
> can be accessed. And it can be
> easily implemented with reasonably short amount of time and effort.
> 
> To go further more for multiple certificates for multiple vHosts such as
> SNI+OpenSSL(or alternatives),
> it will be a bit more challenging, but not so hard about it.
> 
> 
> Pae
> 
> 
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Keystore password not masked in server.xml file

[Pae Choi <pa...@gmail.com>]

On 02/14/2012 09:32 AM, Caldarale, Charles R wrote:
>> From: Luca Marchesano [mailto:luca.marchesano@ericsson.com]
>> Subject: Keystore password not masked in server.xml file
>> Is there a way to specify the keystore's password in encrypted way?
> Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password?  Eventually, something must be in plain text, accessible to Tomcat.  Secure your Tomcat configuration files so you don't have to worry about random users looking at them.
>
>   - Chuck
>

The OP's inquiry was quite reasonable as well as valid in a security 
aspect. The 'password' for
the key store falls in the same category. I remember there were more 
than a few times the same and
similar subject addressed, but i guess it's still as it was.

To give an idea in terms of where to place and how to access,

1) The clear-text or enciphered-form password in the code.
2) The clear-text password in the connector in the server.xml can be 
replaced with the API method
    name that can provide the password.

This simple mechanism can be either or both by Tomcat as default and/or 
custom-class that implements
the defined API.

Within the implementation, how the API method provided the password can 
be left to the implementation
provider. In that way, each Tomcat will have unique as well as more 
secure depends how well implemented
the password provisioning class implemented which can be left to the 
implementation provider.

Anyhow, this is a basic idea where the password can be placed and how it 
can be accessed. And it can be
easily implemented with reasonably short amount of time and effort.

To go further more for multiple certificates for multiple vHosts such as 
SNI+OpenSSL(or alternatives),
it will be a bit more challenging, but not so hard about it.


Pae

RE: Keystore password not masked in server.xml file

["Caldarale, Charles R" <Ch...@unisys.com>]

> From: Luca Marchesano [mailto:luca.marchesano@ericsson.com] 
> Subject: Keystore password not masked in server.xml file

> Is there a way to specify the keystore's password in encrypted way?

Think about it: where are you going to put the encryption key so Tomcat can get at it to decode the encrypted password?  Eventually, something must be in plain text, accessible to Tomcat.  Secure your Tomcat configuration files so you don't have to worry about random users looking at them.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

Re: Keystore password not masked in server.xml file

[Savitha Akella <sa...@gmail.com>]

If you want to encrypt the password, you have to override the DBCP
implementation to decrypt the encrypted password so that the real pwd is
accessible or available to tomcat.

On Tue, Feb 14, 2012 at 7:56 PM, Luca Marchesano <
luca.marchesano@ericsson.com> wrote:

> Hi all,
> I'm trying to configure a Tomcat 7.0.21 server in order to use the SSL
> connector. I've generated a keystore and specified it in the server.xml
> file, but I have to specify the keystore's password in clear in the
> connector's configuration. Is it possible to avoid that? Is there a way to
> specify the keystore's password in encrypted way?
>
> Thanks in advance,
> Luca
>