tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Prevent cleartext keystore/truststore passwords via JMX
Date Fri, 06 Apr 2012 15:52:08 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Randy,

On 4/6/12 7:41 AM, Randy Gray wrote:
> Hi,
> 
> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
> noticed that the keystore and truststore passwords are exposed via
> JMX in cleartext (in the bean JIoEndpoint). This was not the case
> in Tomcat 6, for example JIoEndpoint bean which was exposed had
> much fewer attributes. I have specified the passwords as attributes
> in the HTTPS connector tag in server.xml.
> 
> Here an example with an otherwise unmodified Tomcat 7: 
> http://postimage.org/image/400y2pqsr/
> 
> How can I prevent that data to be exposed (as cleartext), as well
> as the keystore and truststore path?

I can think of a couple of options:

1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
   and suppress access to these fields (though they aren't specifically
   in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem
   to consult the mbeans-descrioptors.xml files). I've never done this,
   so I can't say whether or not it will work.

2. Use TLS for JMX connections. Technically speaking, this will not
   transmit your credentials in "cleartext", though anyone who can
   connect can read your credentials. See below.

3. Use client certificates and/or username/password authentication to
   access your JMX connector. Anyone who can connect to those resources
   will probably be able to connect to other things, so having your
   trustStore password is probably the least of your worries.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R
DCIAoJPEG65KmenExYgGtVpgGG7J880c
=9y5M
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message