On 14/08/2014 15:10, George Sexton wrote:
>
> On 8/4/2014 8:17 AM, André Warnier wrote:
>> Sanaullah wrote:
>>> Hi,
>>>
>>> is there a way I can replace plain JKS keystore password with encrypted
>>> password in tomcat server.xml?
>>>
>>
>> This kind of question comes regularly on this list, I would say 2 or 3
>> times each year.
>> Searching the list archives (mentioned in the superb on-line Tomcat
>> documentation) would provide a number of discussions on the topic.
>>
>> The basic answer is no, because then Tomcat would need to be able to
>> decrypt it; and to do that, it would need to know a decryption key;
>> and to know that, this decryption key would need to be stored
>> somewhere; loop to the beginning of this paragraph.
>
> Can you help me understand why tomcat doesn't take the approach of
> Apache httpd which is to ask the user for the decryption key at startup
> time?
Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.

Mark
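Mark's suggestion above is to protect the keystore with file permissions rather than a password. The following is an added example, not code from the thread or from the Tomcat project, showing how that lockdown looks and, more usefully, how to check it afterwards: the keystore path and the group name `tomcat` are assumptions and must be adjusted to the installation at hand.

```shell
#!/bin/sh
# Added example (not from the thread). Lock down a Tomcat keystore so that
# only root (owner) and the Tomcat service group can read it, then verify
# the result. Keystore path and group name are assumed values.

# file_mode FILE: print the octal permission bits (GNU stat first, then BSD/macOS stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# mode_is_private MODE: succeed only when "other" gets nothing and the group
# has no write bit. 600, 640 and 650 pass; 644, 660 and 664 fail.
# A leading setuid/setgid/sticky digit (e.g. 4640) is ignored.
mode_is_private() {
    m=$(printf '%s' "$1" | tail -c 3)
    case "$m" in
        [0-7][0145]0) return 0 ;;
        *)            return 1 ;;
    esac
}

# keystore_is_private FILE: apply the mode check to a file on disk.
keystore_is_private() {
    mode_is_private "$(file_mode "$1")"
}

# lock_down_keystore FILE [GROUP]: owner root, group = Tomcat's group
# (assumed "tomcat"), mode 0640. Needs root to perform the chown.
lock_down_keystore() {
    chown "root:${2:-tomcat}" "$1" && chmod 0640 "$1"
}

# Usage: ./check_keystore.sh /etc/tomcat/keystore.jks   (assumed path)
if [ $# -ge 1 ]; then
    if keystore_is_private "$1"; then
        echo "$1: permissions OK (mode $(file_mode "$1"))"
    else
        echo "$1: too permissive (mode $(file_mode "$1")); run lock_down_keystore" >&2
        exit 1
    fi
fi
```

The check deliberately does not care who the owner is, only that nobody outside owner and group can read the file and that the group cannot modify it; combine it with a `chown root:tomcat` so the Tomcat service account reads the keystore through group membership and never owns it. Root can still read the file regardless of mode, which is exactly the point Mark makes: the password buys nothing against an attacker who already has root.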
