Thanks Mark,

This answer clears all my doubts.




‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Monday, 7 June 2021 13:19, Mark Thomas <ma...@apache.org> wrote:

> On 07/06/2021 11:44, xcorpius wrote:
>
> > Just one more thing.
> > I understand my mistake with the difference between encryption and digest.
> >
> > > Fortunately, the Tomcat committers have a sufficiently sound
> > > understanding of both basic logic and basic cryptography not to waste
> > > their time on such an exercise.
> >
> > Ok, but the question is: Why can WebLogic encrypt the password and Tomcat 
> > can't?
>
> It can't.
>
> All WebLogic is doing is moving the goalposts. The database password may
> be encrypted; that just means the decryption key needs to be provided in
> plain text instead. No matter how many levels of indirection (or perhaps
> that should be misdirection) are applied, ultimately the application
> server process needs access to a secret in plain text.
>
> However complex the window dressing, it will come down to the operating
> system limiting access to the plain text secret to one or more users.
> This is fundamentally no different to the Tomcat recommendation to use
> OS file permissions to limit access to the configuration file where the
> secret is stored to the user used by Tomcat and root (or equivalent).
>
> If you want to allow more general read access to configuration files
> then there are simple ways to move the secrets to a separate, more
> tightly controlled file.
>
> Mark
>
> > https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477
> > Thanks,
> > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > On Monday, 7 June 2021 11:42, Mark Thomas ma...@apache.org wrote:
> >
> > > On 07/06/2021 09:56, xcorpius wrote:
> > >
> > > > Hello again!
> > > > Checking the documentation ... Tomcat can create an encrypted password 
> > > > with the "digest.sh" tool for application passwords.
> > > > But you cannot create an encrypted password for the DB in the 
> > > > context.xml file. The only solution without adding anything is to give 
> > > > restrictive permissions to the context.xml file.
> > > > Wouldn't it be the same problem?
> > >
> > > No.
> > >
> > > > Why can't I generate an encrypted password for the database with the 
> > > > "digest.sh" tool instead of having to use a customized "factory"?
> > >
> > > Digesting != encrypting.
> > > Digests are one-way functions. A digested password is no use to a client
> > > that needs to authenticate itself to a server.
> > >
> > > > I think people who develop Tomcat should consider this option.
> > >
> > > Fortunately, the Tomcat committers have a sufficiently sound
> > > understanding of both basic logic and basic cryptography not to waste
> > > their time on such an exercise.
> > > Mark
> > >
> > > > Thank you very much to all.
> > > > Xcorpius
> > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > On Friday, 30 April 2021 11:21, xcorpius xcorp...@protonmail.com 
> > > > wrote:
> > > >
> > > > > :-)
> > > > > ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
> > > > > On Monday, 26 April 2021 19:03, jonmcalexan...@wellsfargo.com 
> > > > > wrote:
> > > > >
> > > > > > And when that isn't good enough for your senior management, take a 
> > > > > > look at the Tomcat Vault on GitHub. :-)
> > > > > > Dream * Excel * Explore * Inspire
> > > > > > Jon McAlexander
> > > > > > Infrastructure Engineer
> > > > > > Asst Vice President
> > > > > > Middleware Product Engineering
> > > > > > Enterprise CIO | Platform Services | Middleware | Infrastructure 
> > > > > > Solutions
> > > > > >
> > > > > > > -----Original Message-----
> > > > > > > From: xcorpius xcorp...@protonmail.com.INVALID
> > > > > > > Sent: Monday, April 26, 2021 8:36 AM
> > > > > > > To: users@tomcat.apache.org
> > > > > > > Subject: Re: Question about encrypting database passwords in the
> > > > > > > context.xml file - Tomcat 9
> > > > > > > Thanks Olaf!!!!
> > > > > > > -------- Original message --------
> > > > > > > On 26 Apr. 2021 14:02, Olaf Kock wrote:
> > > > > > >
> > > > > > > > On 26.04.21 13:10, xcorpius wrote:
> > > > > > > >
> > > > > > > > > Hi,
> > > > > > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > > > > > context.xml file in Tomcat 9.
> > > > > > > >
> > > > > > > > >
> > > > > > > >
> > > > > > > > Hi,
> > > > > > > > please check this article:
> > > > > > >
> > > > > > > https://cwiki.apache.org/confluence/display/TOMCAT/Password
> > > > > > >
> > > > > > > > It covers the topic once and for all...
> > > > > > > > Olaf
> > > > > > > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > > > > > > For additional commands, e-mail: users-h...@tomcat.apache.org



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
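
The quoted reply reduces the whole question to OS file permissions on whichever file holds the plain-text secret. As an added example (not part of the thread and not Tomcat's own tooling), the shell function below passes only when such a file is a regular file owned by the given service account with no access for group or others. The function name, the `tomcat` account and the path in the usage comment are assumptions, and `stat -c` is the GNU coreutils form.

```shell
#!/bin/sh
# Added example: audit a file that stores a plain-text secret, such as
# Tomcat's conf/context.xml or a separate secrets file.
# Assumptions: GNU coreutils stat; the account name is given by the caller.
#
# Usage (hypothetical account and path):
#   sh check_secret_file.sh /opt/tomcat/conf/context.xml tomcat

# check_secret_file PATH OWNER
# Returns 0 if PATH is a regular file (not a symlink), owned by OWNER, with
# no permission bits set for group or others. Root can read it regardless.
# Prints one line per finding on stderr and returns 1 otherwise.
check_secret_file() {
    path=$1
    owner=$2
    rc=0

    # A symlink could point the service at a file with different permissions.
    if [ -L "$path" ] || [ ! -f "$path" ]; then
        echo "FAIL $path: not a regular file" >&2
        return 1
    fi

    file_owner=$(stat -c '%U' -- "$path") || return 1
    mode=$(stat -c '%a' -- "$path") || return 1

    if [ "$file_owner" != "$owner" ]; then
        echo "FAIL $path: owned by $file_owner, expected $owner" >&2
        rc=1
    fi

    # %a is octal (for example 640); mask the group and other bits.
    if [ $(( 0$mode & 077 )) -ne 0 ]; then
        echo "FAIL $path: mode $mode grants access to group or others" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK   $path: mode $mode, owner $file_owner"
    return "$rc"
}

# Run the check when called with a path and an account name.
if [ "$#" -eq 2 ]; then
    check_secret_file "$1" "$2" || exit 1
fi
```

A failing result for mode 640 is expected here: the check follows the recommendation as stated in the thread, which limits access to the Tomcat user and root only.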
