tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: clear text keystore password in server.xml
Date Thu, 02 Sep 2010 15:28:42 GMT

Luca,

On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> I'm working to secure this, but...it's not too easy (and I'm surely not
> a skilled programmer...).
>
> But I hope this topic will be kept up!

There is virtually nothing you can do about this. The only solutions
here are:

1. Use a password entered on the console during start-up (the "Apache
   httpd strategy")
2. Remove the password from the keystore

Removing the password from the keystore is just about as (in)secure as
having the password in server.xml in plain-text.

All other strategies simply move the problem to some other component.
Protecting one password requires another password which requires
protecting which ... you get the idea.

-chris
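What option 1, the "Apache httpd strategy", looks like in practice, as an added standalone Java illustration that is not part of this thread and not Tomcat's code (Tomcat's connector takes keystorePass from server.xml, as the thread says; this program prompts on the console instead). The keystore path and the assumption that the key password equals the store password are mine.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Constructed example: the keystore path below is an assumption, not from the thread.
public class ConsoleKeystoreLoader {

    // Prompt on the controlling terminal. Returns null when there is no console
    // (e.g. started from an init script), which is exactly why the httpd-style
    // prompt does not fit unattended restarts.
    static char[] promptForPassword(String prompt) {
        Console console = System.console();
        if (console == null) {
            return null;
        }
        return console.readPassword("%s", prompt);
    }

    static SSLContext loadContext(String keystorePath, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password); // a wrong password surfaces here as an IOException
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password); // private-key password, assumed equal to the store password
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : "conf/keystore.jks"; // assumed path
        char[] pw = promptForPassword("Keystore password: ");
        if (pw == null) {
            System.err.println("No console available; not falling back to a configured password.");
            System.exit(1);
        }
        try {
            SSLContext ctx = loadContext(path, pw);
            System.out.println("Keystore opened; TLS context ready: " + ctx.getProtocol());
        } finally {
            Arrays.fill(pw, '\0'); // the password still lived in the heap while the keystore loaded
        }
    }
}
```

The password never touches server.xml or disk, but it is in process memory for the lifetime of the TLS context, which is the residual risk the thread's "it just moves the problem" point is about.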


