From: André Warnier <aw@ice-sa.com>
Date: Tue, 12 Feb 2013 17:30:33 +0100
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Need to Specify keystorePass on Command Line
Message-ID: <511A6E29.3010008@ice-sa.com>
Harris, Jeffrey E. wrote:
>
>> -----Original Message-----
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Sent: Tuesday, February 12, 2013 3:47 AM
>> To: Tomcat Users List
>> Subject: Re: Need to Specify keystorePass on Command Line
>>
>> Harris, Jeffrey E. wrote:
>>> All,
>>>
>>> I understand that there is no good, secure solution. However, my
>>> hands are tied on this matter, and I would appreciate if you would
>>> focus on providing technical assistance in implementing a solution
>>> within the constraints I have been given.
>>
>> Jeffrey,
>>
>> We all understand that you have been given rules, and are supposed to
>> follow them.
>> But if these rules themselves make no logical sense, nothing in this
>> Universe is going to help you overcome that.
>>
>> What is the concern really, about the password remaining somewhere on
>> that server when the system is shut down ?
>> Is it that the server, in its shut down state, could be surreptitiously
>> broken apart, its disk stolen and then inspected by foreign spooks to
>> discover that password, which could then be used to further nefarious
>> ends, or what /exactly/ ?
>>
>> What is wrong with the following scenario :
>> - a physical Windows server with a console and a keyboard
>> - boot Windows and login as a "tomcat" user (created beforehand)
>> - open a command window
>> - start Tomcat as an application (not a Service) in that command window
>> - tomcat will ask for the passphrase of the keystore. Type it in. (*)
>> - when Tomcat is running, enter CTRL-ALT-DEL and freeze the console (do
>>   not logout from Windows)
>> - walk away
>>
>> (*) having made sure beforehand that there is no trojan on that machine
>> which records your keystrokes and writes them to the disk
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>
> Andre,
>
> Tomcat will host a web-app that will connect as a proxy to another
> organization's system to retrieve data that we will use in our
> applications. It is the other organization that is mandating the "no
> password" requirement, and there is no other option than to use their
> data. Our customer requires that the Tomcat server be up 24/7 (with
> minor outages), hence the need to design a solution that satisfies the
> requirements of both our customer, and the other organization.
> Obviously, if we cannot create a way to automate the process, we may
> have to do something akin to what you do above.
>
> However, when I run Tomcat from the console, I am never prompted for
> the password. Instead, Tomcat just fails to start the listener on the
> specified SSL port.

Ah, ok. I must confess that I never tried this with Tomcat. Apache httpd
prompts, in similar circumstances. I suppose that this prompt/not prompt
is really a feature of the underlying SSL stack, not of Tomcat itself.
So depending on whether you use the Java SSL stack or the OpenSSL stack,
the behaviour may be different.

That, or else I can imagine another way : instead of connecting to the
other system directly from your Tomcat webapp, you could set up your own
intermediate Apache httpd proxy between Tomcat and that other system.
The communication between your webapp and this httpd proxy could be in
clear (if the Apache httpd is on the same host). Then it would be that
Apache httpd which would run the SSL conversation with the other system,
and /it/ would prompt.
A bit more complicated, but if that makes it work to everyone's
satisfaction..