https://bz.apache.org/bugzilla/show_bug.cgi?id=69951
Bug ID: 69951
Summary: Potential solution for on-disk KEK-encrypted TLS key
and certificate
Product: Tomcat 9
Version: unspecified
Hardware: PC
OS: Linux
Status: NEW
Severity: enhancement
Priority: P2
Component: Connectors
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: -----
Created attachment 40152
--> https://bz.apache.org/bugzilla/attachment.cgi?id=40152&action=edit
Main class to extend JSSEImplementation and JSSEUtil to provide
getKeyManagers()
--- Concept ---
We want to store our TLS private key and certificate on disk in encrypted form.
At startup, we want tomcat to grab the encrypted data, decrypt it by calling
our HSM’s decrypt service, and store it memory for run-time.
We are aware of the potential to terminate TLS directly on the HSM, but we are
concerned about the bottleneck imposed by such a configuration and would like
to have the option to decrypt requests on our server.
--- Background ---
Another user seemed to have a similar thought and came up with his own
extension of tomcat’s JSSEImplementation class that provides overridden
ServerSocketFactory and SSLUtil methods.
https://stackoverflow.com/questions/40620939/hsm-usage-with-apache-tomcat-for-https
Atlassian provides a utility for a similar use case: storing passwords
encrypted on disk and specifying an encryption key to be used to decrypt them
at run time. They also extend tomcat, but in this case they extend the Http
protocols themselves rather than the JSSEImplementation.
https://confluence.atlassian.com/crowd051/encrypting-tomcat-passwords-in-the-server-xml-file-1295681222.html
This user was also interested in storing encrypted passwords on disk and having
them decrypted at runtime, which they achieved in a similar fashion to
Atlassian. They extended the Http protocol and overrode the setKeyStorePass
method.
https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password
--- Proposed Solution (CustomJSSEImplementation.java) ---
Our proposed solution extends the JSSEImplementation and overrides the
getSSLUtil method, which returns an instance of our custom MyJSSEUtil class to
be put in server.xml in “sslImplementationName” (in essence following the
40620939/hsm-usage-with-apache-tomcat-for-https approach). This class extends
the JSSEUtil class to provide an overridden getKeyManagers method which fetches
the encrypted key and certificate, decrypts them using some decrypt API, parses
them to KeyStore compatible format, and returns an in-memory keyManager. If
interested, we are happy to contribute this code to tomcat.
--- Questions ---
>From what we understand, tomcat only calls the JSSEUtil.getKeyManagers() method
at startup and not for each TLS handshake. We tested this locally and found it
to be true. If this isn’t the case, can someone please let us know?
Does anybody have any hints on the quality of this contribution?
Or even production experience on performance and robustness of this approach?
--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
