tomcat-users mailing list archives

From Randy Gray <>
Subject Prevent cleartext keystore/truststore passwords via JMX
Date Fri, 06 Apr 2012 11:41:23 GMT

I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've noticed
that the keystore and truststore passwords are exposed via JMX in
cleartext (in the bean JIoEndpoint).
This was not the case in Tomcat 6; for example, the JIoEndpoint bean which
was exposed had far fewer attributes.
I have specified the passwords as attributes in the HTTPS connector
tag in server.xml.

Here is an example with an otherwise unmodified Tomcat 7:

How can I prevent that data from being exposed (as cleartext), as well as
the keystore and truststore path?
