On 04/11/2022 08:06, Bärtschi, Markus-MGB wrote:
>> How can I configure TLS for my JMX port without the keystore information 
>> showing up on the command line?

> Don't use passwords. Rely on operating system file permissions to limit 
> access to the file to the Tomcat process (and root).

So you recommend using a passwordless keystore and chmod 600 it to protect it?

> Keep in mind that JMX has various security issues you can do very little 
> about including:
> - extremely coarse grained security (read-only or read/write)
> - no protection against brute force attacks
> - no logging to identify brute force attacks
> Note that Tomcat is implemented from the point of view that *any* JMX access 
> is equivalent to full administrative access.

I'm aware that JMX is not great from a security perspective. But we need a way 
to monitor what is going on.

> Mark
Thanks! Markus
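
Added example, not part of the original thread: a small shell audit for the setup discussed above, checking that the keystore is owner-only (the chmod 600 suggestion) and that no store password appears on the JVM command line. The function names, the keystore file name and the sample command line are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; sample inputs are constructed.

# Succeeds only if FILE is a regular file (not a symlink) with no group or
# other permission bits set, e.g. mode 600 or 400.
keystore_perms_ok() {
    f=$1
    [ -f "$f" ] && [ ! -L "$f" ] || return 1
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are group and other.
    bits=$(ls -ld -- "$f" | cut -c5-10)
    [ "$bits" = "------" ]
}

# Succeeds if a JVM command line carries a store password as a -D property,
# which any local user can read through ps or /proc.
cmdline_exposes_store_password() {
    case "$1" in
        *-Djavax.net.ssl.keyStorePassword=*|*-Djavax.net.ssl.trustStorePassword=*)
            return 0 ;;
        *)  return 1 ;;
    esac
}

# Prints one line per finding; the return status is the number of findings.
audit_jmx_tls() {
    findings=0
    if ! keystore_perms_ok "$1"; then
        echo "FAIL: $1 is missing, a symlink, or accessible by group/other"
        findings=$((findings + 1))
    fi
    if cmdline_exposes_store_password "$2"; then
        echo "FAIL: store password present on the JVM command line"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# Demo on a constructed keystore file and a constructed command line.
demo_dir=$(mktemp -d)
demo_ks="$demo_dir/jmx-keystore.p12"
: > "$demo_ks"
chmod 600 "$demo_ks"
demo_cmd="java -Dcom.sun.management.jmxremote.ssl=true -Djavax.net.ssl.keyStore=$demo_ks"
if audit_jmx_tls "$demo_ks" "$demo_cmd"; then
    echo "OK: keystore is owner-only and no password is on the command line"
fi
rm -rf "$demo_dir"
```

The check does not verify file ownership; confirming that the owner is the account running Tomcat is a separate step.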
