Posted to users@tomcat.apache.org by Jason Pyeron <jp...@pdinc.us> on 2019/09/16 04:20:45 UTC

RE: [tomcat-users] Password encryption in Tomcat 8.5.35

While there is no real value in doing so - you can provide your own datasource factory class.

This class should extend the provided datasource, and would use a "method" to decrypt the password field.

Keep in mind as you have described, the decryption mechanism(s) would be just as available to the attacker as the context.xml. We frequently have to reverse engineer such passwords for our customers.

Now, if the decryption method obtains information from a "password oracle source", you could end up with your implied security goals. We strive to obtain such keys from TPMs, Smart Cards, networked sources, etc.

v/r,

Jason Pyeron

> -----Original Message-----
> From: Mohan T <Mo...@ramco.com>
> Sent: Monday, September 16, 2019 12:05 AM
> To: users@tomcat.apache.org
> Subject: [tomcat-users] Password encryption in Tomcat 8.5.35
> 
> Hi,
> 
> We are using tomcat 8.5.35, on Red Hat Enterprise Linux Server release 7.4.
> 
> Is it possible to encrypt or mask passwords that are being used in the datasource for connecting to
> the database? I am mentioning the credentials in server.xml.
> 
> Thanks
> 
> Mohan
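
A sketch of the custom datasource factory described in the reply above, as an added example that is not code from this thread or from the Tomcat project. It assumes the Tomcat JDBC pool factory (`org.apache.tomcat.jdbc.pool.DataSourceFactory`) is the one being extended and that the stored password is Base64 of a 12-byte nonce followed by AES-GCM ciphertext; the class name, the `example.db.keyfile` system property and the key file are hypothetical stand-ins for the external key source (TPM, smart card, networked source) the reply mentions.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.Base64;
import java.util.Properties;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import javax.naming.Context;
import javax.sql.DataSource;
import org.apache.tomcat.jdbc.pool.DataSourceFactory;

// Hypothetical class: name it in the factory attribute of the <Resource> element.
public class KeyedDataSourceFactory extends DataSourceFactory {
    // Assumption: the key lives outside the Tomcat configuration, at a path given
    // by a JVM system property. A key file readable next to context.xml adds nothing.
    private static final String KEY_FILE_PROPERTY = "example.db.keyfile";

    @Override
    public DataSource createDataSource(Properties properties, Context context, boolean XA)
            throws Exception {
        String stored = properties.getProperty("password");
        if (stored != null) {
            // Swap the encrypted attribute for the plaintext before the pool is built.
            properties.setProperty("password", decrypt(stored, loadKey()));
        }
        return super.createDataSource(properties, context, XA);
    }

    static byte[] loadKey() throws Exception {
        String path = System.getProperty(KEY_FILE_PROPERTY);
        if (path == null) throw new IllegalStateException(KEY_FILE_PROPERTY + " is not set");
        return Files.readAllBytes(Paths.get(path)); // raw 16- or 32-byte AES key
    }

    // Assumed stored format: Base64(nonce[12] || ciphertext || tag[16]).
    static String decrypt(String stored, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(stored);
        if (blob.length < 12 + 16) throw new IllegalArgumentException("password blob too short");
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
                new GCMParameterSpec(128, blob, 0, 12));
        // doFinal throws AEADBadTagException on a wrong key or altered blob, so startup fails closed.
        return new String(cipher.doFinal(blob, 12, blob.length - 12), StandardCharsets.UTF_8);
    }
}
```

Anyone who can read both the configuration and whatever `loadKey()` reads recovers the password, so the protection is only as strong as the access control on the key source.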

