No, you just have the keystore encrypted with a password and _don't_
specify it in the config file.  Then when tomcat starts up, and can't open
the keystore w/o a password, it knows it has to ask for it, but it isn't
stored anywhere on the machine.  That's what apache httpd does if the
cert file is password protected.  Tomcat should do the same.  It works
quite well.

eric
Excellent point. I should have considered httpd's solution. That's pretty clean provided you are okay with it not being able to restart fully on its own such as a power failure.

But it suffers from the fact that if I have access to the filesystem, I can install a new keystore with a self cert and boot the system, though it should be detected at some point because web browsers will pop up the cert warning (that some users will click through because they never read anything).

And it suffers from the fact that I can probably find the db password somewhere in your web app so I can get to your data. And it suffers from the fact that I can then install a new login page that steals passwords and perhaps can install other forms of nastyware.

In the end, if you can't secure your filesystem, you probably cannot secure much else on the web site. What's the downside if someone who has access to your filesystem has access to the SSL cert keystore? They can remove and install certs, but I could do that anyway by putting in a new keystore. Somehow they'd need to take your keystore, put it on a rogue system and then spoof DNS to trick users into that system? Why bother, since I already have access to your web server's file system?

David
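The httpd-style approach Eric describes (keystore password prompted for at startup, never written to a config file), as an added Java illustration that is not Tomcat's code and not from either message; the keystore path is a placeholder, and the routine refuses to start without an interactive console rather than falling back to a stored password.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

public class PromptedKeystore {
    // Placeholder path; the password for this keystore is deliberately NOT kept anywhere on disk.
    private static final String KEYSTORE_PATH = "/path/to/keystore.p12";

    public static SSLContext loadWithPrompt() throws IOException, GeneralSecurityException {
        Console console = System.console();
        if (console == null) {
            // No TTY (e.g. started as a background service): fail closed instead of
            // silently using a default or config-file password.
            throw new IllegalStateException("no interactive console; cannot prompt for keystore password");
        }
        char[] password = console.readPassword("Enter keystore password: ");
        try {
            KeyStore ks = KeyStore.getInstance("PKCS12");
            try (FileInputStream in = new FileInputStream(KEYSTORE_PATH)) {
                // A wrong password surfaces here as an IOException; the private key stays unreadable.
                ks.load(in, password);
            }
            KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(ks, password);
            SSLContext ctx = SSLContext.getInstance("TLS");
            ctx.init(kmf.getKeyManagers(), null, null);
            return ctx;
        } finally {
            // Scrub the password from memory once the key material has been loaded.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = loadWithPrompt();
        System.out.println("Keystore unlocked; SSLContext protocol: " + ctx.getProtocol());
    }
}
```

The trade-off David raises still applies: a process started this way cannot come back unattended after a power failure, because nothing on the machine can supply the password.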


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org