tomcat-users mailing list archives

From Randy Gray <randy.very.g...@gmail.com>
Subject Re: Prevent cleartext keystore/truststore passwords via JMX
Date Thu, 12 Apr 2012 12:13:23 GMT
Actually, an <mbean> entry with the correct type attribute was needed:

<mbeans-descriptors>

    <mbean name="ThreadPool"
          description="JIoEndpoint"
               domain="Catalina"
                group="Connector"
                 type="org.apache.tomcat.util.net.JIoEndpoint">
  </mbean>

</mbeans-descriptors>


On Thu, Apr 12, 2012 at 2:58 PM, Randy Gray <randy.very.gray@gmail.com> wrote:
> Hi,
>
> I've added mbeans-descriptors.xml to the package
> org.apache.tomcat.util.net (the same package where JIoEndpoint is) in
> the classpath with this (almost) empty content:
>
> <mbeans-descriptors>
> </mbeans-descriptors>
>
> org.apache.tomcat.util.modeler.Registry looks in the current package
> down to the parent packages, and if it finds an mbeans-descriptors.xml
> file, it uses the attributes found inside there. If no XML file is
> found, it then reverts to finding out the attributes via reflection.
>
> So that file is enough not to load any MBean for JIoEndpoint.
>
> Thanks
>
>
> On Fri, Apr 6, 2012 at 6:52 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
>> Randy,
>>
>> On 4/6/12 7:41 AM, Randy Gray wrote:
>>> Hi,
>>>
>>> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
>>> noticed that the keystore and truststore passwords are exposed via
>>> JMX in cleartext (in the bean JIoEndpoint). This was not the case
>>> in Tomcat 6; for example, the JIoEndpoint bean which was exposed had
>>> far fewer attributes. I have specified the passwords as attributes
>>> in the HTTPS connector tag in server.xml.
>>>
>>> Here is an example with an otherwise unmodified Tomcat 7:
>>> http://postimage.org/image/400y2pqsr/
>>>
>>> How can I prevent that data from being exposed (as cleartext), as well
>>> as the keystore and truststore paths?
>>
>> I can think of a couple of options:
>>
>> 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
>>   and suppress access to these fields (though they aren't specifically
>>   in there, and MbeansDescriptorsIntrospectionSource.java doesn't seem
>>   to consult the mbeans-descriptors.xml files). I've never done this,
>>   so I can't say whether or not it will work.
>>
>> 2. Use TLS for JMX connections. Technically speaking, this will not
>>   transmit your credentials in "cleartext", though anyone who can
>>   connect can read your credentials. See below.
>>
>> 3. Use client certificates and/or username/password authentication to
>>   access your JMX connector. Anyone who can connect to those resources
>>   will probably be able to connect to other things, so having your
>>   trustStore password is probably the least of your worries.
>>
>> -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
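As an added defender-side check (not code from this thread or from Tomcat), the following Java program connects to a Tomcat JVM's JMX endpoint and reports which attributes of the Catalina ThreadPool MBeans with credential-like or store-path names are still readable, so the effect of the mbeans-descriptors.xml change above can be verified without ever reading the values. The JMX URL, the placeholder port 9010, the optional user/password arguments and the attribute-name heuristic are assumptions.

```java
import java.util.*;
import javax.management.*;
import javax.management.remote.*;

/** Checks a Tomcat JMX endpoint for keystore/truststore attributes reachable over JMX. */
public class JmxCredentialAudit {

    /** Heuristic (assumed, not from Tomcat): attribute names carrying a secret or a store path. */
    static boolean looksSensitive(String attributeName) {
        String n = attributeName.toLowerCase();
        return n.contains("pass") || n.contains("storefile");
    }

    /** Returns "ObjectName#attribute" for every readable, sensitive-looking attribute under
     *  the pattern. Values are never fetched or printed; only the exposure is reported. */
    static List<String> findExposedAttributes(MBeanServerConnection conn, ObjectName pattern)
            throws Exception {
        List<String> findings = new ArrayList<String>();
        for (ObjectName name : conn.queryNames(pattern, null)) {
            for (MBeanAttributeInfo attr : conn.getMBeanInfo(name).getAttributes()) {
                if (attr.isReadable() && looksSensitive(attr.getName())) {
                    findings.add(name + "#" + attr.getName());
                }
            }
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumed deployment: JMX remote enabled on the Tomcat JVM; URL and optional
        // user/password are supplied on the command line. Port 9010 is a placeholder.
        String url = args.length > 0 ? args[0] : "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi";
        Map<String, Object> env = new HashMap<String, Object>();
        if (args.length > 2) {
            env.put(JMXConnector.CREDENTIALS, new String[] { args[1], args[2] });
        }
        JMXConnector connector = JMXConnectorFactory.connect(new JMXServiceURL(url), env);
        try {
            // Tomcat 7 registers its endpoints as Catalina:type=ThreadPool,name=<connector>
            List<String> findings = findExposedAttributes(
                    connector.getMBeanServerConnection(), new ObjectName("Catalina:type=ThreadPool,*"));
            System.out.println(findings.isEmpty() ? "OK: no keystore/truststore attributes exposed"
                    : "EXPOSED over JMX: " + findings);
        } finally {
            connector.close();
        }
    }
}
```

Run it once before and once after dropping the mbeans-descriptors.xml into the classpath; the second run should report nothing under Catalina:type=ThreadPool.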