Re:RE: How to custom java program to decrypt keystore password in Tomcat 10.1.15

2023-11-01 Thread yanyizhong
It is solved by implementing the PropertySource. Thank you very much for all your
help.

At 2023-10-28 01:06:03, "Mcalexander, Jon J." 
 wrote:
>You could look at how TC Server does this. Their tcserver.jar has an 
>encoder/decoder in it and the class is loaded as a digester in the 
>Catalina.properties. It relies on having a prefix on the encoded value that 
>would subsequently be decoded and the property value replaced with the decoded 
>value. The passwords have to be encoded prior to adding them to your 
>configuration files. It's fairly easy to do.
>
>You might be able to come up with something similar on your own.
>
>Thanks,
>
>Dream * Excel * Explore * Inspire
>Jon McAlexander
>Senior Infrastructure Engineer
>Asst. Vice President
>He/His
>
>Middleware Product Engineering
>Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
>8080 Cobblestone Rd | Urbandale, IA 50322
>MAC: F4469-010
>Tel 515-988-2508 | Cell 515-988-2508
>
>jonmcalexan...@wellsfargo.com
>
>> -Original Message-
>> From: Mark Thomas 
>> Sent: Friday, October 27, 2023 3:45 AM
>> To: users@tomcat.apache.org
>> Subject: Re: How to custom java program to decrypt keystore password in
>> Tomcat 10.1.15
>> 
>> On 26/10/2023 11:05, yanyizhong wrote:
>> >
>> >
>> > Hi Tomcat team,
>> > Version: Tomcat 10.1.15
>> >
>> >
>> > I am trying to upgrade Tomcat from version 9.0.56 into 10.1.15, and found
>> that there is no setKeystorePass(String) method in tomcat 10.1.15.
>> >
>> >
>> > As we want to use the custom keystore encryption password in server.xml
>> like this:
>> >
>> >
>> >       ciphers="TLS_ECDHE_RSA_WITH_AES_123_GCM_SHA256"
>> >       keystoreFile="E:\tes.jks"
>> >       keystorePass="xsdfdfdsfdfxdf(encryption password)"
>> >       keystoreType="JKS" />
>> 
>> And this "encrypted" password is "decrypted" how?
>> https://cwiki.apache.org/confluence/display/TOMCAT/Password
>> (Hint: this is a waste of time from a security perspective.)
>> 
>> If you can find a way to make this work then you are welcome to use it but I
>> am sure as I can be that if source code changes are required in Tomcat to
>> make this work they won't be happening.
>> 
>> I suspect the way to do this (if you really must) would be via a custom
>> PropertySource. If you look at the existing implementations then you should
>> have enough hints to put together an implementation that looks for "enc:"
>> and "decrypts" what it finds.
>> 
>> Note that org.apache.tomcat.util.digester.PROPERTY_SOURCE accepts multiple
>> values, separated by commas.
>> 
>> Mark
>> 
>> -
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>

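The "custom PropertySource that looks for `enc:`" approach Mark describes, written out as an added example (it is neither code from this thread nor part of Tomcat). It assumes the class is packaged in a jar under $CATALINA_HOME/lib, that the AES-256-GCM key is supplied in a `KEYSTORE_PASS_KEY` environment variable, and that server.xml references the value as `${enc:...}` (for example `certificateKeystorePassword="${enc:...}"`); the class and variable names are the example's own. As the wiki page linked above says, the key still has to be readable by Tomcat, so this hides the password from casual reads of server.xml and nothing more.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

// Resolves ${enc:<base64(nonce||ciphertext||tag)>} placeholders in server.xml. Register with
// -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=EncPropertySource (comma-separated with others).
// The AES-256-GCM key comes from the KEYSTORE_PASS_KEY env var (base64, 32 bytes; assumed name): it is
// outside server.xml, but anyone who can read Tomcat's environment can still recover the password.
public class EncPropertySource implements IntrospectionUtils.PropertySource {
    private static final String PREFIX = "enc:", KEY_ENV = "KEYSTORE_PASS_KEY";
    private static final int NONCE_LEN = 12, TAG_BITS = 128;

    private static SecretKeySpec key() {
        String b64 = System.getenv(KEY_ENV);
        if (b64 == null) throw new IllegalStateException(KEY_ENV + " is not set");
        return new SecretKeySpec(Base64.getDecoder().decode(b64), "AES");
    }

    @Override
    public String getProperty(String name) {
        if (name == null || !name.startsWith(PREFIX)) return null; // not ours: other sources may resolve it
        try {
            ByteBuffer bb = ByteBuffer.wrap(Base64.getDecoder().decode(name.substring(PREFIX.length())));
            byte[] nonce = new byte[NONCE_LEN], ct = new byte[bb.remaining() - NONCE_LEN]; // ct includes tag
            bb.get(nonce).get(ct);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, nonce));
            return new String(c.doFinal(ct), StandardCharsets.UTF_8);
        } catch (Exception e) { // wrong key or tampered blob: fail startup instead of using a bad value
            throw new IllegalStateException("Cannot decrypt " + PREFIX + " value", e);
        }
    }

    // One-off encoder run before editing server.xml: java -cp tomcat-util.jar:. EncPropertySource 'pw'
    public static void main(String[] args) throws Exception {
        byte[] nonce = new byte[NONCE_LEN];
        new SecureRandom().nextBytes(nonce);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key(), new GCMParameterSpec(TAG_BITS, nonce));
        byte[] ct = c.doFinal(args[0].getBytes(StandardCharsets.UTF_8));
        byte[] blob = ByteBuffer.allocate(NONCE_LEN + ct.length).put(nonce).put(ct).array();
        System.out.println("${" + PREFIX + Base64.getEncoder().encodeToString(blob) + "}");
    }
}
```

Because GCM authenticates the blob, an edited or wrongly keyed `enc:` value aborts startup instead of Tomcat silently trying a garbage keystore password.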

RE: [External] Re: Java 9+ and custom JCE/JSSE providers

2023-11-01 Thread Amit Pande
Setting CLASSPATH worked perfectly!
Thank you so much Mark!

Thanks,
Amit

-Original Message-
From: Mark Thomas 
Sent: Tuesday, October 31, 2023 2:47 PM
To: users@tomcat.apache.org
Subject: [External] Re: Java 9+ and custom JCE/JSSE providers





On 31/10/2023 14:22, Amit Pande wrote:
> Hello,
>
> I am in the process of updating https://github.com/amitlpande/tomcat-9-fips 
> page for version later than Java 8.
>
> Ran into an issue:
>
>
>1.  Was looking to configure the additional Bouncy Castle providers in 
> the Java install itself by:
>   *   Modifying the java.security file to add providers.
>   *   Placing the jars in the Java lib/ext directory.
>2.  However, from Java 9+, the lib/ext directory is no longer present 
> (https://docs.oracle.com/javase/9/migrate/toc.htm#JSMIG-GUID-2C896CA8-927C-4381-A737-B1D81D964B7B)
>3.  The alternative I attempted was to place the additional provider jars in 
> Tomcat's lib directory.
>4.  Create a java security properties file with:
>
> security.provider.1=org.bouncycastle.jcajce.provider.BouncyCastleFipsProvider
> security.provider.2=org.bouncycastle.jsse.provider.BouncyCastleJsseProvider fips:BCFIPS
> security.provider.3=sun.security.provider.Sun
> ssl.KeyManagerFactory.algorithm=PKIX
> ssl.TrustManagerFactory.algorithm=PKIX
>
>5.  Launch Tomcat with JVM option 
> -Djava.security.properties=file:/path/to/java_security_properties_file
>6.  However, I noticed that these BC providers weren't getting loaded.

You'll also need to add the JARS containing the providers to the class path so 
the JRE can load them. You should be able to do that (and set
java.security.properties) in setenv.sh|bat

Mark

>
> I see a comment from Chris here -
> https://www.mail-archive.com/users@tomcat.apache.org/msg137824.html "I don't see any place in Tomcat to specify the
> JSSE provider. Perhaps we should expose that to the administrator in some 
> way."
>
> Not sure if it's relevant here.
>
> But wanted to know if there is any way to configure Tomcat for Java 9+ with 
> custom JSSE/JCE providers (with just a config change)? Maybe I missed 
> something?
>
> Also, FWIW, I was able to get the FIPS configuration for Java 11, 17 with Tomcat 
> 9, by registering a custom listener and adding providers there. Will soon 
> update the https://github.com/amitlpande/tomcat-9-fips for detailed steps.
>
> Thanks,
> Amit
>
>
>
>

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

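The symptom in this thread (providers listed in java.security.properties but "not getting loaded") is easy to miss because TLS quietly keeps working through SunJSSE. As an added example, not from the thread or the tomcat-9-fips project, here is a Tomcat LifecycleListener that makes the check explicit at startup; the class name ProviderCheckListener is the example's own, while "BCFIPS" and "BCJSSE" are the names the two Bouncy Castle providers register under.

```java
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLContext;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleListener;

// Fails Tomcat startup unless the provider order from the java.security.properties file above
// is actually in effect. Add to server.xml ahead of the other listeners:
//   <Listener className="ProviderCheckListener" />
// and put this class, together with the BC jars, on CLASSPATH in setenv.sh|bat.
public class ProviderCheckListener implements LifecycleListener {
    static final String EXPECTED_JCE = "BCFIPS";   // BouncyCastleFipsProvider.getName()
    static final String EXPECTED_JSSE = "BCJSSE";  // BouncyCastleJsseProvider.getName()

    @Override
    public void lifecycleEvent(LifecycleEvent event) {
        if (!Lifecycle.BEFORE_INIT_EVENT.equals(event.getType())) return; // only once, before Server init
        String problem = check(Security.getProviders());
        if (problem != null) throw new IllegalStateException("FIPS provider check failed: " + problem);
    }

    /** Returns null when the provider order matches the configuration, otherwise what is off. */
    static String check(Provider[] providers) {
        if (!EXPECTED_JCE.equals(name(providers, 0)))
            return "security.provider.1 is " + name(providers, 0) + ", expected " + EXPECTED_JCE
                 + " (provider jars missing from CLASSPATH, or java.security.properties not applied?)";
        if (!EXPECTED_JSSE.equals(name(providers, 1)))
            return "security.provider.2 is " + name(providers, 1) + ", expected " + EXPECTED_JSSE;
        try {
            // With SunJSSE absent from the list, "TLS" must resolve to the BC JSSE provider.
            String tls = SSLContext.getInstance("TLS").getProvider().getName();
            if (!EXPECTED_JSSE.equals(tls)) return "TLS is served by " + tls + ", not " + EXPECTED_JSSE;
        } catch (Exception e) {
            return "no TLS SSLContext available: " + e;
        }
        return null;
    }

    private static String name(Provider[] p, int i) {
        return i < p.length ? p[i].getName() : "<absent>";
    }
}
```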


RE: [External] Re: Java 9+ and custom JCE/JSSE providers

2023-11-01 Thread Amit Pande
Adding the provider jars to CLASSPATH solved the issue.

Thank you so much Mark for your quick feedback.

Thanks,
Amit
