Hello,
I am looking to secure the keystore password that is stored as
clear text in server.xml.
Looking at the various online forums, here are the suggested options I came
across:
1. Restrict the access permissions of server.xml so that only the
   administrator is able to access server.xml.
2. Do not save the keystore password in server.xml. Instead use the
   system property -Djavax.net.ssl.keyStorePassword="clear text keystore
   password" to pass the password to Tomcat. [This is available in Tomcat
   5.5.29 onwards: <https://issues.apache.org/bugzilla/show_bug.cgi?id=38774>]
The problem with both approaches is that the password is in clear text, and
we deem that a potential security risk.
I am looking for a way to use only encrypted passwords.
I am looking to write a wrapper class that decrypts the password passed as
an environment variable to tomcat, and then sets the system property
javax.net.ssl.keyStorePassword inside the JVM itself.
Something along the lines of:

import org.apache.catalina.startup.Bootstrap;

public class WrapperTomcatBootstrap {
    public static void main(String[] args) {
        // The encrypted password arrives through the environment, not server.xml.
        String encryptedKeystorePassword =
            System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
        if (encryptedKeystorePassword != null) {
            // Decrypt using the PcsfCryptographer helper (not included here).
            String decryptedPassword =
                PcsfCryptographer.decryptData(encryptedKeystorePassword);
            // Set the JSSE property inside the JVM before Tomcat starts.
            System.setProperty("javax.net.ssl.keyStorePassword",
                decryptedPassword);
        }
        // Hand control to Tomcat's normal entry point.
        Bootstrap.main(args);
    }
}
For some reason this doesn't seem to work. Tomcat is listening in both
http and https mode, and requests to the http port are getting redirected to
the https port, but no web pages are being served. Nothing in the logs either :(
- Are there any problems with the approach above?
- Is there a better way to work with encrypted passwords?
The Tomcat version I am using is 5.5.30.
Thanks in advance for any pointers/suggestions in this direction!
Vijay
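A fuller version of the wrapper sketched above, added here as an illustration (it is not the poster's code and nothing Tomcat ships): it authenticates the blob with AES-GCM so a tampered or truncated value fails instead of silently setting a wrong password, and reaches Bootstrap by reflection so the file compiles without Tomcat on the classpath. It assumes a Java 8 or newer runtime, a 32-byte key in the file named by KEYSTORE_PASSWORD_KEY_FILE (an assumed variable name), and Tomcat's jars on the classpath at run time.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Hypothetical wrapper: decrypts ENCRYPTED_KEYSTORE_PASSWORD with a key read from a
// separate, owner-read-only file, sets the JSSE property, then hands off to Tomcat.
public class WrapperTomcatBootstrap {
    private static final int IV_BYTES = 12;   // GCM nonce size
    private static final int TAG_BITS = 128;  // GCM authentication tag size

    // Blob layout: base64( iv || ciphertext || tag ).
    static String encrypt(String password, byte[] key) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new SecureRandom().nextBytes(iv);                 // fresh nonce per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(key, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(password.getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_BYTES);
        System.arraycopy(ct, 0, blob, IV_BYTES, ct.length);
        return Base64.getEncoder().encodeToString(blob);
    }

    static String decrypt(String base64Blob, byte[] key) throws Exception {
        byte[] blob = Base64.getDecoder().decode(base64Blob);
        if (blob.length <= IV_BYTES) throw new IllegalArgumentException("blob too short");
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(key, "AES"),
               new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
        // doFinal throws AEADBadTagException if the blob was altered or the key is wrong.
        byte[] plain = c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES);
        return new String(plain, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        byte[] key = Files.readAllBytes(Paths.get(System.getenv("KEYSTORE_PASSWORD_KEY_FILE")));
        if (args.length == 1 && args[0].equals("--encrypt")) {
            // One-off mode: read the clear-text password from stdin so it never appears in argv.
            System.out.println(encrypt(new java.util.Scanner(System.in).nextLine(), key));
            return;
        }
        String blob = System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
        if (blob != null) System.setProperty("javax.net.ssl.keyStorePassword", decrypt(blob, key));
        // Reflection keeps this compiling without catalina.jar on the build classpath.
        Class<?> bootstrap = Class.forName("org.apache.catalina.startup.Bootstrap");
        bootstrap.getMethod("main", String[].class).invoke(null, (Object) args);
    }
}
```

Because the key file lives on the same host as the ciphertext, this only narrows which file must be protected: the permissions on that file and the ownership of the Tomcat process still do the real work, so audit both as you would server.xml itself.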