On 19/02/2012 12:17, Pae Choi wrote: > On 02/19/2012 06:03 AM, Mark Thomas wrote: >> On 19/02/2012 09:25, Pae Choi wrote: >>> On 02/14/2012 09:32 AM, Caldarale, Charles R wrote: >>>>> From: Luca Marchesano [mailto:luca.marches...@ericsson.com] >>>>> Subject: Keystore password not masked in server.xml file >>>>> Is there a way to specify the keystore's password in encrypted way? >>>> Think about it: where are you going to put the encryption key so >>>> Tomcat can get at it to decode the encrypted password? Eventually, >>>> something must be in plain text, accessible to Tomcat. Secure your >>>> Tomcat configuration files so you don't have to worry about random >>>> users looking at them. >>>> >>>> - Chuck >>>> >>> The OP's inquiry was quite reasonable as well as valid in a security >>> aspect. >> No it wasn't. It was illogical. Chris has already pointed to the FAQ >> entry that discusses this in more detail. I don't propose to repeat >> those arguments here but I will say the proposal below is nonsense. >> >> Mark >> > > Which part of OP's comment illogical? is concerning the clear-text > password illogical?
Yes. > Where is the part in the FAQ that describe *in more detail* part? I'll > be interesting to > read about it. Try reading the FAQ link Chris already pointed you to then. > Nonsense? Is logical and rational simply saying nonsense without any > logical explanation? As I previously stated, the FAQ article provides all the explanation required and I don't intend wasting my time copying and pasting it into an email message. > You could point out which part specifically you do not understand. > Perhaps, security topic is too much for you to digest? ROTFLMAO. I'll leave folks to check the archives to determine our relative credibility on that one. I'm confident I know what the result will be. > When you do not understand, you simply just don't get it. Hopefully, but I suspect not, you'll come to the conclusion that it is in fact the other way around and that it is you that doesn't get it. > Pae > > P.S.: Also, why I am seeing your post without my original posting? How > funny! Yes, it is hilarious that you appear to be unable to configure your browser to show message threads correctly. I don't intend feeding this troll any further by replying to whatever reply this e-mail may generate but I do offer the following food for thought: When on an Apache mailing list and someone with an @apache.org address writes something you think is nonsense, there is a fairly good chance that they do in fact know what they are talking about. You may want to do a little more research before you start questioning their intelligence. I'm not saying that they won't make mistakes (and when they do, they'll be more than happy to own up to them), but it is advisable to be very sure of your ground before you start typing unless - of course - you are happy making yourself look like a complete idiot. Mark >>> The 'password' for >>> the key store falls in the same category. I remember there were more >>> than a few times the same and >>> similar subject addressed, but i guess it's still as it was. >>> >>> To give an idea in terms of where to place and how to access, >>> >>> 1) The clear-text or enciphered-form password in the code. >>> 2) The clear-text password in the connector in the server.xml can be >>> replaced with the API method >>> name that can provide the password. >>> >>> This simple mechanism can be either or both by Tomcat as default and/or >>> custom-class that implements >>> the defined API. >>> >>> Within the implementation, how the API method provided the password can >>> be left to the implementation >>> provider. In that way, each Tomcat will have unique as well as more >>> secure depends how well implemented >>> the password provisioning class implemented which can be left to the >>> implementation provider. >>> >>> Anyhow, this is a basic idea where the password can be placed and how it >>> can be accessed. And it can be >>> easily implemented with reasonably short amount of time and effort. >>> >>> To go further more for multiple certificates for multiple vHosts such as >>> SNI+OpenSSL(or alternatives), >>> it will be a bit more challenging, but not so hard about it. >>> >>> >>> Pae >>> >>> >>> >>> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org >> For additional commands, e-mail: users-h...@tomcat.apache.org >> > > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
