tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Randy Gray <>
Subject Re: Prevent cleartext keystore/truststore passwords via JMX
Date Thu, 12 Apr 2012 11:58:35 GMT

I've added mbeans-descriptors.xml to the package (the same package where JIOEndpoint is) in
the classpath with this (almost) empty content:


org.apache.tomcat.util.modeler.Registry looks in the current package
down to the parents package, and if it finds a mbeans-descriptor.xml
file, it uses the attributes found inside there. If no XML file is
found, it then reverts to finding out the attributes via reflection.

So that file is enough not to load any MBean for JIoEndpoint.


On Fri, Apr 6, 2012 at 6:52 PM, Christopher Schultz
<> wrote:
> Hash: SHA1
> Randy,
> On 4/6/12 7:41 AM, Randy Gray wrote:
>> Hi,
>> I've been upgrading from Tomcat 6 to Tomcat 7 (7.27) and I've
>> noticed that the keystore and truststore passwords are exposed via
>> JMX in cleartext (in the bean JIoEndpoint). This was not the case
>> in Tomcat 6, for example JIoEndpoint bean which was exposed had
>> much fewer attributes. I have specified the passwords as attributes
>> in the HTTPS connector tag in server.xml.
>> Here an example with an otherwise unmodified Tomcat 7:
>> How can I prevent that data to be exposed (as cleartext), as well
>> as the keystore and truststore path?
> I can think of a couple of options:
> 1. Modify org/apache/catalina/connector/mbeans-descriptors.xml
>   and suppress access to these fields (though they aren't specifically
>   in there, and doesn't seem
>   to consult the mbeans-descrioptors.xml files). I've never done this,
>   so I can't say whether or not it will work.
> 2. Use TLS for JMX connections. Technically speaking, this will not
>   transmit your credentials in "cleartext", though anyone who can
>   connect can read your credentials. See below.
> 3. Use client certificates and/or username/password authentication to
>   access your JMX connector. Anyone who can connect to those resources
>   will probably be able to connect to other things, so having your
>   trustStore password is probably the least of your worries.
> - -chris
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools -
> Comment: Using GnuPG with Mozilla -
> iEYEARECAAYFAk9/ESgACgkQ9CaO5/Lv0PCnjQCfbUzxll2yk5usNQlQrBkvNh7R
> DCIAoJPEG65KmenExYgGtVpgGG7J880c
> =9y5M
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message