I'd just put some nice password as byte[] into Tomcat's source code and provide a way to have passwords in the configs encrypted with that nice password.

> Use properties replacement so that in the xml config you have ${db.password}
> and in conf/catalina.properties you put the password there.

So one could have something like db.pass=3des:<somehexbytes> in catalina.properties

Greetings, Juergen

On Sun, 28 June 2020 at 21:19, Olaf Kock <tom...@olafkock.de> wrote:
>
>
> On 28.06.20 19:50, Jürgen Weber wrote:
> >>>> I would like to know how to encrypt and decrypt the database password in
> >>>> context.xml when the application is running which also allows me to change
> >>>> the db password for the purpose of security.
> >> https://cwiki.apache.org/confluence/display/TOMCAT/Password
> > Well, I know a chief open source app server that has the password to
> > decrypt all passwords buried in its open source, and I know auditors
> > who are good if root cannot read passwords at first sight. The
> > reasoning behind that is that running java -jar someappserverlib.jar
> > -decrypt is a deliberate act that a good guy root does not do. So a
> > hidden password is a step better, even if not in the cryptographic
> > sense.
>
> Hi Jürgen,
>
> I don't get your point here. Are you arguing that the linked wiki
> article is incorrect, insufficient or invalid?
>
> Because I believe that the article documents how to implement everything
> that you describe on your own, and gives arguments for why this is not
> implemented out of the box.
>
> Best,
>
> Olaf
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
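
An added example, not part of this thread and not Tomcat's own code: the scheme described in the message above written as a Tomcat `PropertySource`, so that a `${...}` reference in the XML config resolves from a `3des:<hex>` value in conf/catalina.properties. The class name, the key bytes and the IV-then-ciphertext layout are assumptions; the key is compiled into the jar, so anyone who can read the jar can decrypt the values.

```java
import java.nio.charset.StandardCharsets;
import javax.crypto.Cipher;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

// Hypothetical class, not shipped with Tomcat. Put it in lib/ and start with
// -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=EmbeddedKeyPropertySource
public class EmbeddedKeyPropertySource implements IntrospectionUtils.PropertySource {
    private static final String PREFIX = "3des:"; // prefix used in the message

    // Constructed 24-byte key compiled into the class: whoever can read the
    // jar can recover it, so this hides the password from a casual look only.
    private static final byte[] KEY =
            "constructed-24-byte-key!".getBytes(StandardCharsets.US_ASCII);

    @Override
    public String getProperty(String key) {
        // catalina.properties entries are loaded as system properties.
        String value = System.getProperty(key);
        if (value == null || !value.startsWith(PREFIX)) {
            return null; // not ours: Tomcat falls back to its default lookup
        }
        try {
            byte[] raw = fromHex(value.substring(PREFIX.length()));
            // Assumed layout: 8-byte IV followed by the ciphertext.
            Cipher cipher = Cipher.getInstance("DESede/CBC/PKCS5Padding");
            cipher.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "DESede"),
                    new IvParameterSpec(raw, 0, 8));
            byte[] plain = cipher.doFinal(raw, 8, raw.length - 8);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (Exception e) {
            // Fail closed; never put the value or the key in the message.
            throw new IllegalStateException("cannot decrypt property " + key, e);
        }
    }

    private static byte[] fromHex(String hex) {
        if (hex.length() % 2 != 0) {
            throw new IllegalArgumentException("odd hex length");
        }
        byte[] out = new byte[hex.length() / 2];
        for (int i = 0; i < out.length; i++) {
            out[i] = (byte) Integer.parseInt(hex.substring(2 * i, 2 * i + 2), 16);
        }
        return out;
    }
}
```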