I'd just put some nice password as byte[] into Tomcat's source code
and provide a way to have passwords in the configs encrypted with that
nice password.

> Use properties replacement so that in the xml config you have ${db.password} 
> and in conf/catalina.properties you put the password there.

So one could have something like db.pass=3des:<somehexbytes> in
catalina.properties

Greetings, Juergen

Am So., 28. Juni 2020 um 21:19 Uhr schrieb Olaf Kock <tom...@olafkock.de>:
>
>
> On 28.06.20 19:50, Jürgen Weber wrote:
> >>>> I would like to know how to encrypt and decrypt the database password in
> >>>> context.xml when the application is running which also allow me to change
> >>>> the db password for the purpose of security.
> >> https://cwiki.apache.org/confluence/display/TOMCAT/Password
> > Well, I know a chief open source app server that has the password to
> > decrypt all passwords buried in its open source, and I know auditors
> > who are good if root cannot read passwords at first sight. The
> > reasoning behind that is that running java -jar someappserverlib.jar
> > -decrypt is a deliberate act that a good guy root does not do. So a
> > hidden password is a step better, even if not in the cryptographic
> > sense.
>
> Hi Jürgen,
>
> I don't get your point here. Are you arguing that the linked wiki
> article is incorrect, insufficient or invalid?
>
> Because I believe that the article documents how to implement everything
> that you describe on your own, and gives arguments for why this is not
> implemented out of the box.
>
> Best,
>
> Olaf
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
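
Added example, not part of the original messages and not Tomcat's own code: a Tomcat `PropertySource` that decodes prefixed values from conf/catalina.properties with a key compiled into the class, which is the scheme proposed at the top of this message. Assumptions: Java 17+, AES-GCM under a hypothetical `aesgcm:` prefix swapped in for the `3des:` marker, and a constructed key and class name; because the key ships in the class file, anyone who can read the jar can decode the values, so this hides the password from a casual look and nothing more.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.HexFormat;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.tomcat.util.IntrospectionUtils;

// Put the class in Tomcat's lib/ and start Tomcat with
// -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=ObfuscatedPropertySource
public class ObfuscatedPropertySource implements IntrospectionUtils.PropertySource {
    // Constructed demo key. Whoever can read this class file can recover it.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final String PREFIX = "aesgcm:"; // hypothetical marker, not a Tomcat convention
    private static final int IV_LEN = 12, TAG_BITS = 128;

    @Override
    public String getProperty(String key) {
        // Entries from conf/catalina.properties are loaded as system properties.
        String raw = System.getProperty(key);
        if (raw == null || !raw.startsWith(PREFIX)) return raw;
        try {
            byte[] blob = HexFormat.of().parseHex(raw.substring(PREFIX.length()));
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"),
                   new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            return new String(c.doFinal(blob, IV_LEN, blob.length - IV_LEN), StandardCharsets.UTF_8);
        } catch (GeneralSecurityException | IllegalArgumentException e) {
            // Fail closed: never hand the still-encoded text to the JDBC pool as a password.
            throw new IllegalStateException("Cannot decode property " + key, e);
        }
    }

    // Builds the value for catalina.properties: hex(IV || ciphertext || tag).
    public static String encode(String plain) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_LEN);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return PREFIX + HexFormat.of().formatHex(blob);
    }

    public static void main(String[] args) throws Exception {
        System.out.println("db.password=" + encode(args[0]));
    }
}
```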
