Posted to users@tomcat.apache.org by Emerson Cargnin <em...@tre-sc.gov.br> on 2004/04/02 18:35:45 UTC

any standard way to keep passwords encrypted???

Is there any standard way to keep the passwords of databases encrypted 
when creating a pool through tomcat?

-- 
Emerson Cargnin
Systems Analyst
Systems Development Sector - TRE-SC
tel : (048) - 251-3700 - Ext. 3181

---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: any standard way to keep passwords encrypted???

Posted by David Smith <dn...@cornell.edu>.
Hi.  I've had some time to think about this subject especially since 
others have brought it up before.

The real honest to goodness problem is that eventually you'll need to 
deal with a password.  That's just unavoidable.  You could encrypt the 
password, but that would just need another password to decrypt it before 
making it useful.  Even SSL has a server.key file (the server's private 
key) that needs to be guarded with the highest security available. 

The only really secure way to deal with it and not have a plain text 
password hanging around somewhere is to possibly have the admin enter 
the password on startup.  I don't know about you, but I'm not crazy 
about babysitting a server or having the site down until I can sit at a 
console and put in a password :-(.

Just properly secure the server.xml (or context.xml) file with read only 
access and only for the user tomcat is launched as.  Also make sure it's 
in a place guaranteed not to be served out by any means.  I have mine in 
/etc/tomcat5 and symlinked the conf directory in tomcat to /etc/tomcat5.

Lastly, look at ways to limit the impact of a compromised password 
(firewalls, ACL's, change passwords on a routine basis, minimum 
privilege, etc, ...).

Just my three cents on the matter.  It's Friday -- time for happy hour.

--David Smith, CISSP

Emerson Cargnin wrote:

> How can I maintain database passwords without:
>
> - Being put in the code (arghhhh)
> - Being in plain text in server.xml (as configured for tomcat)
>
> I use another approach than the pool from tomcat, which consists of a 
> separate servlet and a PoolManager, which is accessed in a static way 
> (so other apps can reference the same instance...). In the servlet I 
> read the init properties from web.xml, which follow a pattern 
> (poolname1, dbuser1, dbpass1, and so on for all pools). In the 
> application I just ask for the pool by its name. It works and I 
> can change the pool implementation without impacting any code of 
> the application. We are thinking of not leaving the password in plain 
> text in the web.xml. I thought of 2 approaches:
>
> - Read the web.xml with a standalone app and encrypt the password; in my 
> connection servlet I read it and decrypt it.
>
> - Have a separate file for each pool; this file, encrypted, would 
> contain info about each pool.
>
> BTW, is there any way to use the same pool for more than one app, 
> using tomcat pool configuration ???
>
> thanks in advance
> Emerson
>
>
> Emerson Cargnin wrote:
>
>> Is there any standard way to keep the passwords of databases 
>> encrypted when creating a pool through tomcat?
>>
>
>

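A permissions audit in the spirit of David's advice above, added here as an example and not taken from the thread. It assumes GNU coreutils (stat -c, readlink -f); the account Tomcat runs as and the served directory are parameters, so in production you would pass e.g. tomcat and $CATALINA_BASE/webapps.

```shell
#!/bin/sh
# Added example, not from the thread: audit a Tomcat config file against the
# advice above. It must be owned by the account Tomcat runs as, readable by
# nobody else, and must not sit under a directory Tomcat serves.
# Assumes GNU coreutils (stat -c, readlink -f). Owner and served directory
# are parameters; in production pass e.g. tomcat and $CATALINA_BASE/webapps.

# Usage: check_config_file FILE EXPECTED_OWNER SERVED_DIR
# Prints one line per failed check; returns 0 only when every check passes.
check_config_file() {
    file=$1 expected=$2 served=$3 rc=0
    [ -f "$file" ] || { echo "FAIL $file: not a regular file"; return 1; }
    # Judge the real file: conf/ may be a symlink (e.g. to /etc/tomcat5).
    real=$(readlink -f "$file")
    # Accept a user name or a numeric uid for the expected owner.
    expected_uid=$(id -u "$expected" 2>/dev/null || printf '%s' "$expected")
    owner_uid=$(stat -c '%u' "$real")
    if [ "$owner_uid" != "$expected_uid" ]; then
        echo "FAIL $real: owner uid $owner_uid, expected $expected_uid"; rc=1
    fi
    # Last two octal digits are group/other; anything but 00 exposes the file.
    mode=$(stat -c '%a' "$real")
    case "$mode" in
        *00) ;;
        *)   echo "FAIL $real: mode $mode is readable beyond the owner"; rc=1 ;;
    esac
    # Anything under the served tree can be fetched over HTTP without a shell.
    served_real=$(readlink -f "$served" 2>/dev/null || printf '%s' "$served")
    case "$real" in
        "$served_real"/*) echo "FAIL $real: inside served directory $served"; rc=1 ;;
    esac
    return $rc
}

# Demo on constructed files so the script runs anywhere: the first call passes,
# the second fails because the file lives under webapps/.
demo=$(mktemp -d)
printf '<Server/>\n' > "$demo/server.xml"; chmod 600 "$demo/server.xml"
mkdir -p "$demo/webapps/ROOT"
cp "$demo/server.xml" "$demo/webapps/ROOT/context.xml"
chmod 600 "$demo/webapps/ROOT/context.xml"
check_config_file "$demo/server.xml" "$(id -u)" "$demo/webapps" && echo "OK: server.xml"
check_config_file "$demo/webapps/ROOT/context.xml" "$(id -u)" "$demo/webapps" || echo "(expected)"
rm -rf "$demo"
```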



Re: any standard way to keep passwords encrypted???

Posted by Paul Mansfield <pa...@psineteurope.com>.
On Sat, 2004-04-03 at 02:10, Parsons Technical Services wrote:
> And if I am in control of the server, then I have access to that certificate
> as well.
> 
> The point is simply that with proper permissions your password is as safe as
> it needs to be. If someone gets to it, you have way bigger problems on your
> hands.


You could always use a smartcard or USB crypto dongle, such that the
private key never gets out... however, you still need to establish a
session with the key, and that needs a password.






Re: any standard way to keep passwords encrypted???

Posted by Parsons Technical Services <pa...@earthlink.net>.
> > If I can read the server.xml then I can read your .class file that
> > decrypts it and thus can still get your password.
> I can still use a certificate to encrypt/decrypt...

And if I am in control of the server, then I have access to that certificate
as well.

The point is simply that with proper permissions your password is as safe as
it needs to be. If someone gets to it, you have way bigger problems on your
hands.

Doug





tuning

Posted by Randy Paries <pa...@knology.net>.
Hello

I am looking for docs/howto on tuning

I am setting up some new boxes with rh9, tomcat 4 and apache 2

Any heads up from experience would help as well

I am moving the code from a rh7, tomcat 4 and apache 1.3

Thanks
Randy




Re: any standard way to keep passwords encrypted???

Posted by Emerson Cargnin <em...@tre-sc.gov.br>.
Parsons Technical Services wrote:
> Emerson,
> 
> 
>>- Being in plain text in server.xml (as configured for tomcat)
> 
> Protect the file with permissions.
> 
> 
> 
>>- Read the web.xml with a standalone app and encrypt the password; in my
>>connection servlet I read it and decrypt it.
>>
>>- Have a separate file for each pool; this file, encrypted, would contain
>>info about each pool.
> 
> If I can read the server.xml then I can read your .class file that decrypts
> it and thus can still get your password.
I can still use a certificate to encrypt/decrypt...
> 
> 
> 
>>BTW, is there any way to use the same pool for more than one app, using
>>tomcat pool configuration ???
> 
> GlobalNamingResources
> 
> 
> Search the archives for both of these subjects as they have been discussed
> often.
> 
> Doug
> 
> 
> 
> 
> 


-- 
Emerson Cargnin
Systems Analyst
Systems Development Sector - TRE-SC
tel : (048) - 251-3700 - Ext. 3181



Re: any standard way to keep passwords encrypted???

Posted by Parsons Technical Services <pa...@earthlink.net>.
Emerson,

> - Being in plain text in server.xml (as configured for tomcat)
Protect the file with permissions.


> - Read the web.xml with a standalone app and encrypt the password; in my
> connection servlet I read it and decrypt it.
>
> - Have a separate file for each pool; this file, encrypted, would contain
> info about each pool.
If I can read the server.xml then I can read your .class file that decrypts
it and thus can still get your password.


>
> BTW, is there any way to use the same pool for more than one app, using
> tomcat pool configuration ???
GlobalNamingResources


Search the archives for both of these subjects as they have been discussed
often.

Doug





Re: any standard way to keep passwords encrypted???

Posted by Emerson Cargnin <em...@tre-sc.gov.br>.
How can I maintain database passwords without:

- Being put in the code (arghhhh)
- Being in plain text in server.xml (as configured for tomcat)

I use another approach than the pool from tomcat, which consists of a 
separate servlet and a PoolManager, which is accessed in a static way 
(so other apps can reference the same instance...). In the servlet I 
read the init properties from web.xml, which follow a pattern 
(poolname1, dbuser1, dbpass1, and so on for all pools). In the application 
I just ask for the pool by its name. It works and I can change the 
pool implementation without impacting any code of the application. We 
are thinking of not leaving the password in plain text in the web.xml. I 
thought of 2 approaches:

- Read the web.xml with a standalone app and encrypt the password; in my 
connection servlet I read it and decrypt it.

- Have a separate file for each pool; this file, encrypted, would contain 
info about each pool.

BTW, is there any way to use the same pool for more than one app, using 
tomcat pool configuration ???

thanks in advance
Emerson


Emerson Cargnin wrote:
> Is there any standard way to keep the passwords of databases encrypted 
> when creating a pool through tomcat?
> 


-- 
Emerson Cargnin
Systems Analyst
Systems Development Sector - TRE-SC
tel : (048) - 251-3700 - Ext. 3181
