Hello, I am looking to secure the keystore password that is stored as clear text in server.xml. Looking at the various online forums, here are the suggested options I came across:

1. Restrict the access permissions of server.xml so that only the administrator is able to access server.xml.
2. Do not save the keystore password in server.xml. Instead use the system property -Djavax.net.ssl.keyStorePassword="clear text keystore password" to pass the password to Tomcat. [This is available in Tomcat 5.5.29 onwards: <https://issues.apache.org/bugzilla/show_bug.cgi?id=38774>]

The problem with both approaches is that the password is in clear text, and we deem it a potential security risk. I am looking for a way to use only encrypted passwords.

I am looking to write a wrapper class that decrypts the password passed as an environment variable to Tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself. Something along the lines of:

    import org.apache.catalina.startup.Bootstrap;

    public class WrapperTomcatBootstrap {
        public static void main(String[] args) {
            // The encrypted password arrives through the environment, not server.xml.
            String encryptedKeystorePassword = System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
            if (encryptedKeystorePassword != null) {
                // PcsfCryptographer is our own decryption helper class.
                String decryptedPassword = PcsfCryptographer.decryptData(encryptedKeystorePassword);
                // Expose the clear-text password to Tomcat's JSSE connector via the JVM system property.
                System.setProperty("javax.net.ssl.keyStorePassword", decryptedPassword);
            }
            // Hand over to the regular Tomcat bootstrap.
            Bootstrap.main(args);
        }
    }

For some reason this doesn't seem to work. Tomcat is listening in both http/https mode, and requests to the http port are getting redirected to the https port, but no web pages are being served. Nothing in the logs too :(

- Are there any problems with the approach above?
- Is there a better way to work with encrypted passwords?

The Tomcat version I am using is 5.5.30.

Thanks in advance for any pointers/suggestions in this direction!

Vijay
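The wrapper approach described in the post, carried through as an added example (this is not Vijay's code nor anything shipped with Tomcat): it assumes JDK 8 or later (java.util.Base64 and AES-GCM), a key file at /etc/tomcat/keystore-pass.key readable only by the Tomcat service account, and that ENCRYPTED_KEYSTORE_PASSWORD carries base64(iv || ciphertext || tag); encrypt() is a hypothetical helper for producing that value.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import org.apache.catalina.startup.Bootstrap;

/** Starts Tomcat after decrypting the keystore password supplied through the environment. */
public class WrapperTomcatBootstrap {
    static final String ENV_NAME = "ENCRYPTED_KEYSTORE_PASSWORD";  // holds base64(iv || ciphertext || tag)
    static final String KEY_FILE = "/etc/tomcat/keystore-pass.key"; // assumed path; raw 16/24/32-byte AES key
    static final int IV_LEN = 12, TAG_BITS = 128;                   // AES-GCM: 96-bit IV, 128-bit auth tag
    public static void main(String[] args) throws Exception {       // any failure aborts startup (fail closed)
        // The key file must be readable only by the Tomcat service account; file permissions enforce that.
        byte[] key = Files.readAllBytes(Paths.get(KEY_FILE));
        String encrypted = System.getenv(ENV_NAME);
        if (encrypted != null) {
            // Decrypt inside the JVM and expose the result only via the property the JSSE connector reads.
            System.setProperty("javax.net.ssl.keyStorePassword", decrypt(key, encrypted));
        }
        Arrays.fill(key, (byte) 0);                                 // key is not needed once the property is set
        Bootstrap.main(args);                                       // regular Tomcat startup
    }
    /** AES-GCM decrypt: a tampered or truncated blob throws instead of yielding a wrong password. */
    static String decrypt(byte[] key, String b64) throws GeneralSecurityException {
        byte[] blob = Base64.getDecoder().decode(b64);
        if (blob.length <= IV_LEN + TAG_BITS / 8) throw new GeneralSecurityException("ciphertext too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
        byte[] plain = c.doFinal(blob, IV_LEN, blob.length - IV_LEN); // AEADBadTagException on any modification
        String password = new String(plain, StandardCharsets.UTF_8);
        Arrays.fill(plain, (byte) 0);
        return password;
    }
    /** Hypothetical one-off helper (run offline, e.g. from jshell) that builds the env var value. */
    static String encrypt(byte[] key, String password) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN]; new SecureRandom().nextBytes(iv); // fresh random IV per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] blob = Arrays.copyOf(iv, IV_LEN + ct.length);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }
}
```

Produce the env var value once with encrypt(), then launch Tomcat through this class instead of Bootstrap. The password is still clear text inside the JVM heap and the scheme is only as strong as the permissions on the key file, so it moves the secret rather than eliminating it.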