tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: Prevent cleartext keystore/truststore passwords via JMX
Date Fri, 06 Apr 2012 15:52:08 GMT
On 4/6/12 7:41 AM, Randy Gray wrote:
> Hi,
> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
> noticed that the keystore and truststore passwords are exposed via
> JMX in cleartext (in the bean JIoEndpoint). This was not the case
> in Tomcat 6, for example JIoEndpoint bean which was exposed had
> much fewer attributes. I have specified the passwords as attributes
> in the HTTPS connector tag in server.xml.
> Here is an example with an otherwise unmodified Tomcat 7: 
> How can I prevent that data from being exposed (as cleartext), as well
> as the keystore and truststore path?

I can think of a couple of options:

1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
   and suppress access to these fields (though they aren't specifically
   in there, and doesn't seem
   to consult the mbeans-descriptors.xml files). I've never done this,
   so I can't say whether or not it will work.

2. Use TLS for JMX connections. Technically speaking, this will not
   transmit your credentials in "cleartext", though anyone who can
   connect can read your credentials. See below.

3. Use client certificates and/or username/password authentication to
   access your JMX connector. Anyone who can connect to those resources
   will probably be able to connect to other things, so having your
   trustStore password is probably the least of your worries.

-chris
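Added example, not part of this thread or of Tomcat itself: a POSIX shell fragment for `$CATALINA_BASE/bin/setenv.sh` that turns on options 2 and 3 above for the JVM's built-in JMX connector (TLS with a client certificate required, plus password-file authentication). The property names are the standard `com.sun.management.jmxremote.*` and `javax.net.ssl.*` system properties the JDK understands; the port, keystore paths and file names are assumptions chosen for illustration. The permission check mirrors the JDK's own rule that the JMX password file must not be readable by group or others, since the JVM refuses to start the connector otherwise.

```shell
#!/bin/sh
# Added example (not from the thread): build the JVM options that put the
# platform JMX connector behind TLS + client-cert + password authentication.
# Intended for $CATALINA_BASE/bin/setenv.sh; all paths/ports are assumptions.

# Return 0 if the JMX password file is readable only by its owner, which is
# what the JDK requires ("Password file read access must be restricted").
# Uses ls(1) rather than stat(1) so it works on both GNU and BSD userlands.
check_jmx_password_file() {
    pwfile="$1"
    [ -f "$pwfile" ] || return 1
    perms=$(ls -ld "$pwfile" | cut -c1-10)
    case "$perms" in
        ????------) return 0 ;;   # group and other bits all cleared
        *)          return 1 ;;
    esac
}

# Emit the JMX/TLS system properties on one line, ready to append to
# CATALINA_OPTS. Arguments: port keystore truststore password-file access-file
jmx_secure_opts() {
    port="$1"; keystore="$2"; truststore="$3"; pwfile="$4"; accessfile="$5"
    printf '%s' \
      "-Dcom.sun.management.jmxremote.port=$port" \
      " -Dcom.sun.management.jmxremote.ssl=true" \
      " -Dcom.sun.management.jmxremote.ssl.need.client.auth=true" \
      " -Dcom.sun.management.jmxremote.authenticate=true" \
      " -Dcom.sun.management.jmxremote.password.file=$pwfile" \
      " -Dcom.sun.management.jmxremote.access.file=$accessfile" \
      " -Djavax.net.ssl.keyStore=$keystore" \
      " -Djavax.net.ssl.trustStore=$truststore"
}

# Usage from setenv.sh (paths are placeholders, not real Tomcat defaults):
#   JMX_PW="$CATALINA_BASE/conf/jmxremote.password"
#   check_jmx_password_file "$JMX_PW" || { echo "fix permissions on $JMX_PW" >&2; exit 1; }
#   CATALINA_OPTS="$CATALINA_OPTS $(jmx_secure_opts 9010 \
#       "$CATALINA_BASE/conf/jmx-keystore.jks" "$CATALINA_BASE/conf/jmx-truststore.jks" \
#       "$JMX_PW" "$CATALINA_BASE/conf/jmxremote.access")"
#   export CATALINA_OPTS
```

The keystore and truststore passwords for the JMX listener itself are deliberately left out of the emitted options: anything passed as a `-D` property is visible in the process listing and through the `java.lang:type=Runtime` MBean, which is the same class of exposure the original question is about. That is why the third option in the reply, restricting who can connect at all, remains the control that actually matters; the TLS and authentication settings above only narrow the audience.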