tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "George Sexton" <geor...@mhsoftware.com>
Subject RE: clear text keystore password in server.xml
Date Thu, 02 Sep 2010 16:40:11 GMT
> -----Original Message-----
> From: David kerber [mailto:dckerber@verizon.net]
> Sent: Thursday, September 02, 2010 9:37 AM
> To: Tomcat Users List
> Subject: Re: clear text keystore password in server.xml
> 
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Luca,
> >
> > On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> >> I'm working to secure this, but...it's not too easy (and i'm surely
> not
> >> a skilled programmer...).
> >>
> >> But I hope this topic will be kept up!
> >
> > There is virtually nothing you can do about this. The only solutions
> > here are:
> >
> > 1. Use a password entered on the console during start-up (the "Apache
> >     httpd strategy")
> 
> Or a minor variant of this, such as entering the pwd on a secure web
> page just after startup, though this has other disadvantages.

And how would this page be secured since you wouldn't have SSL capability at
that point?

> 
> 
> > 2. Remove the password from the keystore
> >
> > Removing the password from the keystore is just about as (in)secure
> as
> > having the password in server.xml in plain-text.
> >
> > All other strategies simply move the problem to some other component.
> > Protecting one password requires another password which requires
> > protecting which ... you get the idea.


George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message