-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Randy,
On 4/6/12 7:41 AM, Randy Gray wrote: > Hi, > > I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've > noticed that the keystore and truststore passwords are exposed via > JMX in cleartext (in the bean JIoEndpoint). This was not the case > in Tomcat 6, for example JIoEndpoint bean which was exposed had > much fewer attributes. I have specified the passwords as attributes > in the HTTPS connector tag in server.xml. > > Here an example with an otherwise unmodified Tomcat 7: > http://postimage.org/image/400y2pqsr/ > > How can I prevent that data to be exposed (as cleartext), as well > as the keystore and truststore path? I can think of a couple of options: 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml and suppress access to these fields (though they aren't specifically in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem to consult the mbeans-descrioptors.xml files). I've never done this, so I can't say whether or not it will work. 2. Use TLS for JMX connections. Technically speaking, this will not transmit your credentials in "cleartext", though anyone who can connect can read your credentials. See below. 3. Use client certificates and/or username/password authentication to access your JMX connector. Anyone who can connect to those resources will probably be able to connect to other things, so having your trustStore password is probably the least of your worries. - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.17 (Darwin) Comment: GPGTools - http://gpgtools.org Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R DCIAoJPEG65KmenExYgGtVpgGG7J880c =9y5M -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
