tomcat-users mailing list archives

From Daniel Mikusa <dmik...@gopivotal.com>
Subject Re: Number of logs files and encrypt manager passwd
Date Mon, 15 Jul 2013 15:53:21 GMT
On Jul 15, 2013, at 11:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646 <lamont.r.spencer.ctr@stratcom.mil>
wrote:

> Dan:

Please don't top post.  Reply inline or after to preserve the flow of the conversation.

> 
> 1. 7.0.14

This is really old.  The security risks from running such an old version are undoubtedly greater
than having your manager passwords in plain text in a file that is appropriately secured with
OS level permissions.

  http://tomcat.apache.org/security-7.html

> 2. attachment.

In the future, please inline your config info.  It's easier and quicker to read that way.
Plus, the list will sometimes strip off attachments.

> 3. I found these steps online. I am using SHA-1 or SHA-256, trying to.

Most of the realms support the "digest" attribute that you mentioned, but I don't see it listed
for the one that you are using.

  http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#UserDatabase_Realm_-_org.apache.catalina.realm.UserDatabaseRealm

You could try using the MemoryRealm instead.  It's very similar to UserDatabaseRealm, but
it lists support for the "digest" attribute.

  http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html#Memory_Based_Realm_-_org.apache.catalina.realm.MemoryRealm

As a side note, I wouldn't suggest using either of these realms in production.  For production
deployments, you'd be better off using the JDBC or LDAP backed realms.

Dan


> 
> THX.
> 
> -----Original Message-----
> From: Daniel Mikusa [mailto:dmikusa@gopivotal.com] 
> Sent: Monday, July 15, 2013 9:31 AM
> To: Tomcat Users List
> Subject: Re: Number of logs files and encrypt manager passwd
> 
> On Jul 15, 2013, at 10:04 AM, Spencer Lamont R CONTR USSTRATCOM/J646
> <lamont.r.spencer.ctr@stratcom.mil> wrote:
> 
>> To all: 
>> 
>>  I am looking for the file in which to set the number of logs to keep.  
> 
> You can configure logging in "conf/logging.properties", however the default
> configuration does not offer a way to do what you are asking.  It simply
> creates a new log file every day.  You would need to manually clean them up
> with a cron job or scheduled task.
> 
> Alternatively, you could enable Log4j which automatically cleans up old
> files.
> 
>  https://tomcat.apache.org/tomcat-7.0-doc/logging.html#Using_Log4j
> 
>> Also I tried to encrypt the manager password to the manager web page. I
> did the steps with the realm and users file, but when I went to access the
> page it would not work. When I put the unencrypted passwd back it works.
> 
> You're going to need to provide more information here.  Start by including
> this.
> 
> 1.) What version of Tomcat are you running?  Include the whole number, 6.0.x
> or 7.0.x.
> 
> 2.) How do you have your realm and users configured?  Please include the
> XML configuration, minus comments and any sensitive information.
> 
> 3.) Are you trying to use encryption or hashing?
> 
> Dan
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> <non-plaintext passwords.docx><server xml.ORIGINAL>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
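
Added example, not part of the original message and not Tomcat's own code: a sketch of what the "digest" attribute discussed above implies for the users file, plus an audit for entries still stored in cleartext. It assumes a realm with digest set compares the stored value against the hex-encoded digest of the submitted password, and that passwords are UTF-8; all function names and the sample users file are constructed for illustration.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Realm "digest" value -> (hashlib name, hex digest length)
ALGORITHMS = {"MD5": ("md5", 32), "SHA-1": ("sha1", 40), "SHA-256": ("sha256", 64)}

def tomcat_digest(password, algorithm="SHA-256", encoding="utf-8"):
    """Hex digest of the cleartext password: the value to store when digest= is set.
    Assumption: UTF-8; Tomcat uses the platform charset unless told otherwise."""
    return hashlib.new(ALGORITHMS[algorithm][0], password.encode(encoding)).hexdigest()

def stored_passwords(users_xml):
    """Map username -> password attribute from tomcat-users.xml content."""
    root = ET.fromstring(users_xml)
    return {u.get("username"): u.get("password", "") for u in root.iter("user")}

def audit_users(users_xml, algorithm="SHA-256"):
    """Usernames whose stored password is not a hex digest of the expected length."""
    hex_digest = re.compile(r"[0-9a-fA-F]{%d}" % ALGORITHMS[algorithm][1])
    return sorted(name for name, pw in stored_passwords(users_xml).items()
                  if not hex_digest.fullmatch(pw))

def check_login(users_xml, username, password, algorithm=None):
    """Compare a submitted password with the stored value.
    algorithm=None models a realm with no digest applied (plain comparison)."""
    stored = stored_passwords(users_xml).get(username)
    if stored is None:
        return False
    if algorithm is None:
        return hmac.compare_digest(stored.encode(), password.encode())
    candidate = tomcat_digest(password, algorithm)
    return hmac.compare_digest(stored.lower().encode(), candidate.encode())

# Constructed sample: "admin" is stored hashed, "deploy" is still cleartext.
SAMPLE_USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="%s" roles="manager-gui"/>
  <user username="deploy" password="constructed-cleartext" roles="manager-script"/>
</tomcat-users>""" % tomcat_digest("constructed-example-pw")

if __name__ == "__main__":
    print(audit_users(SAMPLE_USERS_XML))   # users still stored in cleartext
    print(check_login(SAMPLE_USERS_XML, "admin", "constructed-example-pw", "SHA-256"))
    print(check_login(SAMPLE_USERS_XML, "admin", "constructed-example-pw"))
```

The last call shows the symptom reported in the thread: a hashed entry only authenticates when the realm in use actually applies the same digest to the submitted password.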

