tomcat-users mailing list archives

From David kerber <dcker...@verizon.net>
Subject Re: clear text keystore password in server.xml
Date Thu, 02 Sep 2010 15:37:01 GMT
On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Luca,
>
> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
>> I'm working to secure this, but...it's not too easy (and i'm surely not
>> a skilled programmer...).
>>
>> But I hope this topic will be kept up!
>
> There is virtually nothing you can do about this. The only solutions
> here are:
>
> 1. Use a password entered on the console during start-up (the "Apache
>     httpd strategy")

Or a minor variant of this, such as entering the pwd on a secure web 
page just after startup, though this has other disadvantages.


> 2. Remove the password from the keystore
>
> Removing the password from the keystore is just about as (in)secure as
> having the password in server.xml in plain-text.
>
> All other strategies simply move the problem to some other component.
> Protecting one password requires another password which requires
> protecting which ... you get the idea.

D
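
Whichever of the two options above is taken, the secret ends up on disk: either the password sits in server.xml, or the keystore itself is the unprotected secret. What remains under the operator's control is who can read those files. The script below is an added example for this thread, not code from Tomcat or from any poster: it checks a server.xml for a clear-text keystore password attribute, locates the keystore it names, and reports each of the two files that is readable by group or other. Assumptions: the keystore path is a literal (a `${...}` property reference is not resolved, and a relative path is taken relative to `CATALINA_BASE`); the fixture server.xml, its `changeit` password and the empty stand-in keystore are constructed here for the demo.

```shell
#!/bin/sh
# Added example for this thread, not code from Tomcat or from any poster.
# Audit a Tomcat server.xml for a keystore password stored in the clear and
# report whether the files that hold the secret (server.xml and the keystore
# it names) are readable by anyone beyond their owner.

# 0 if the config carries a keystore password attribute in clear text.
# Tomcat 6/7 use keystorePass on <Connector>; 8.5+ also accept
# certificateKeystorePassword on <Certificate>.
has_plaintext_keystore_pass() {
    grep -Eq '(keystorePass|certificateKeystorePassword)="[^"]*"' "$1"
}

# Print the first keystoreFile / certificateKeystoreFile value.
# Assumption: a literal path; ${...} property references are not resolved.
keystore_path() {
    sed -n 's/.*[kK]eystoreFile="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 if group or other can read the file (POSIX find with octal -perm tests).
readable_beyond_owner() {
    [ -n "$(find "$1" -perm -040 2>/dev/null)" ] ||
        [ -n "$(find "$1" -perm -004 2>/dev/null)" ]
}

# Print one line per observation; the return value is the number of FINDINGs.
audit_tomcat_secret_files() {
    conf="$1"
    n=0
    if has_plaintext_keystore_pass "$conf"; then
        if readable_beyond_owner "$conf"; then
            echo "FINDING: $conf holds the keystore password in clear text and is readable beyond its owner"
            n=$((n + 1))
        else
            echo "INFO: $conf holds the keystore password in clear text (owner-only readable)"
        fi
    else
        echo "INFO: $conf carries no keystore password attribute (passwordless keystore, or password supplied elsewhere)"
    fi
    # A readable keystore is the exposed secret whether or not it has a password
    # (a passwordless keystore is no better than a password in server.xml).
    ks=$(keystore_path "$conf")
    case "$ks" in
        "" | /*) ;;                              # none, or already absolute
        *) ks="${CATALINA_BASE:-.}/$ks" ;;       # assumption: relative to CATALINA_BASE
    esac
    if [ -n "$ks" ] && [ -f "$ks" ] && readable_beyond_owner "$ks"; then
        echo "FINDING: keystore $ks is readable beyond its owner"
        n=$((n + 1))
    fi
    return "$n"
}

# Constructed fixture: a minimal server.xml with keystorePass in the clear and
# an empty stand-in keystore, both deliberately left world-readable (0644).
make_fixture() {
    dir=$(mktemp -d)
    : > "$dir/tomcat.jks"
    cat > "$dir/server.xml" <<EOF
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="$dir/tomcat.jks" keystorePass="changeit" />
  </Service>
</Server>
EOF
    chmod 644 "$dir/server.xml" "$dir/tomcat.jks"
    printf '%s\n' "$dir"
}

# Demo run: the fixture as created, then again after locking both files down.
FIX=$(make_fixture)
audit_tomcat_secret_files "$FIX/server.xml" || echo "-> $? finding(s) before hardening"
chmod 600 "$FIX/server.xml" "$FIX/tomcat.jks"
audit_tomcat_secret_files "$FIX/server.xml" && echo "-> clean after chmod 600"
rm -rf "$FIX"
```

On a real install, call `audit_tomcat_secret_files "$CATALINA_BASE/conf/server.xml"` with `CATALINA_BASE` exported. The check only looks at mode bits, so it says nothing about backups, version control, or a config-management system that also holds a copy; each of those is another place the same secret lives, which is the regress the thread describes.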


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

