I was told by my company we're not supposed to have passwords stored in clear 
text. I explained to them the architecture of Tomcat, and didn't get a clear 
answer on whether or not it's ok, though I think it is.

I don't know what kind of DB you're using, Vijay, but the Oracle DBA told me 
he could open the wallet, I could reference in my server.xml file the OCI 
driver reference instead of thin driver, and omit using the password, as it 
would be encrypted in the DB column, then decrypted when called.

I have not yet tried this out, but am thinking about going down that road.

What DB are you using, and is this an option for you?

-----Original Message-----
From: Vijay [mailto:amirisetty.vijayaragha...@gmail.com]
Sent: Friday, August 27, 2010 7:20 AM
To: Tomcat Users List
Subject: Re: clear text keystore password in server.xml

Hi Mark,
I guess I am getting the point you are trying to make. As long as the 
password or (the encrypted password and the secret key) are present at some 
location (file system, database, etc.), there is a security gap. I agree with 
this.

This said, I am trying to find a way to get Tomcat to work with an encrypted 
password [given the fact there is no way anyone can get to the secret key for 
decrypting the password].

Thanks!
Vijay

