From: "George Sexton"
To: "'Tomcat Users List'"
Subject: RE: clear text keystore password in server.xml
Date: Thu, 2 Sep 2010 10:40:11 -0600
Organization: MH Software, Inc.
In-Reply-To: <4C7FC49D.7080209@verizon.net>
References: <4C7833D1.50804@christopherschultz.net> <1283150526.2983.10.camel@localhost.localdomain> <4C7FC2AA.3040009@christopherschultz.net> <4C7FC49D.7080209@verizon.net>
Message-ID: <00c901cb4abd$8365eac0$8a31c040$@com>

> -----Original Message-----
> From: David kerber [mailto:dckerber@verizon.net]
> Sent: Thursday, September 02, 2010 9:37 AM
> To: Tomcat Users List
> Subject: Re: clear text keystore password in server.xml
>
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Luca,
> >
> > On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> >> I'm working to secure this, but...it's not too easy (and I'm surely not
> >> a skilled programmer...).
> >>
> >> But I hope this topic will be kept up!
> >
> > There is virtually nothing you can do about this. The only solutions
> > here are:
> >
> > 1. Use a password entered on the console during start-up (the "Apache
> > httpd strategy")
>
> Or a minor variant of this, such as entering the pwd on a secure web
> page just after startup, though this has other disadvantages.

And how would this page be secured since you wouldn't have SSL capability at
that point?

> > 2. Remove the password from the keystore
> >
> > Removing the password from the keystore is just about as (in)secure as
> > having the password in server.xml in plain-text.
> >
> > All other strategies simply move the problem to some other component.
> > Protecting one password requires another password which requires
> > protecting which ... you get the idea.

George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com
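Option 1 from the thread (a password typed on the console at start-up) expressed for Tomcat, as an added example that is not code from this thread or from the Tomcat project: a PropertySource that prompts for any `${keystore.*}` placeholder while server.xml is being parsed, so the file itself carries no secret. It assumes Tomcat 7 or later, this class on Tomcat's classpath, `-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=com.example.ConsolePasswordSource` in CATALINA_OPTS, `keystorePass="${keystore.password}"` on the Connector (the class and key names are hypothetical), and a foreground start (`catalina.sh run`) so that a console actually exists.

```java
// Added example, not from the thread or from Tomcat itself.
// Assumed wiring: -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=com.example.ConsolePasswordSource
// and, in server.xml, keystorePass="${keystore.password}" (hypothetical key name).
package com.example;

import java.io.Console;
import java.util.Arrays;
import org.apache.tomcat.util.IntrospectionUtils;

public class ConsolePasswordSource implements IntrospectionUtils.PropertySource {

    // Only placeholders with this prefix are prompted for. For any other key
    // we return null, which lets Tomcat resolve it from system properties as usual.
    private static final String PREFIX = "keystore.";

    @Override
    public String getProperty(String key) {
        if (key == null || !key.startsWith(PREFIX)) {
            return null;
        }
        Console console = System.console();
        if (console == null) {
            // No terminal attached (e.g. started in the background via startup.sh).
            // Fail loudly instead of returning null, which would leave the
            // placeholder unresolved and the connector silently misconfigured.
            throw new IllegalStateException(
                "No console available to prompt for " + key
                + "; start Tomcat in the foreground (catalina.sh run)");
        }
        // readPassword() does not echo the characters to the terminal.
        char[] pw = console.readPassword("Enter value for %s: ", key);
        if (pw == null || pw.length == 0) {
            throw new IllegalStateException("Empty value entered for " + key);
        }
        try {
            // A String copy is unavoidable here: Tomcat attribute values are
            // Strings, so the password lives in the heap until it is collected,
            // exactly as it would if it had been read from server.xml.
            return new String(pw);
        } finally {
            Arrays.fill(pw, '\0'); // scrub the mutable copy at least
        }
    }
}
```

What changes is only the at-rest exposure: nothing on disk holds the password, and no second secret is introduced to protect it, which is the trade-off Christopher describes.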