From: Андрей Зинченко
To: Tomcat Users List
Subject: Re: ssl without keystorePass in open text in server.xml
Date: Thu, 30 Jan 2014 12:11:07 +0200
In-Reply-To: <52EA2216.4080606@apache.org>

Why are plain text passwords in the config files? Because there is no good way to "secure" them. When Tomcat needs to connect to a database, it needs the original password. While the password could be encoded, there still needs to be a mechanism to decode it. And since the source to Tomcat is freely available, the attacker would know the decoding method. So at best, the password is obscured - but not really protected.

http://wiki.apache.org/tomcat/FAQ/Password

2014/1/30 Mark Thomas
> On 30/01/2014 09:46, Ja kub wrote:
>> Is it possible not to write keystorePass in plain text in server.xml, and
>> make Tomcat ask for it at startup?
>> Or specify only some hash of it (rather not possible)?
>
> http://wiki.apache.org/tomcat/FAQ/Password
>
> Mark
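The FAQ answer quoted above is about what is possible in principle; in practice the most common request behind this question is simply "keep the secret out of server.xml". Tomcat supports that through `${name}` placeholders in server.xml, which it resolves via a class implementing `org.apache.tomcat.util.IntrospectionUtils.PropertySource`, selected with the `org.apache.tomcat.util.digester.PROPERTY_SOURCE` system property. The class below is an added example written for this page; it is not code from the thread or from the Tomcat project. It assumes one secret per file under a hypothetical directory `/etc/tomcat/secrets`, named after the placeholder key, and it refuses secret files that are group- or world-readable (the POSIX permission check will not work on Windows). Note the caveat the FAQ makes: this moves the password out of the XML, but anyone who can run code as the Tomcat user can still read it, so it is obscured, not protected.

```java
// Added example, not from the thread or Tomcat's own code base.
// Build against Tomcat's tomcat-util.jar, drop the class on Tomcat's
// classpath (e.g. $CATALINA_BASE/lib), then start Tomcat with
//   -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=example.FilePropertySource
// and reference the secret in server.xml as  keystorePass="${keystore.pass}"
package example;

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.Set;

import org.apache.tomcat.util.IntrospectionUtils;

public class FilePropertySource implements IntrospectionUtils.PropertySource {

    // Assumption: secrets live one per file in this directory, each file
    // named after the placeholder key, e.g. ${keystore.pass} -> keystore.pass
    private static final Path SECRET_DIR = Paths.get("/etc/tomcat/secrets");

    @Override
    public String getProperty(String key) {
        // Only plain file names are accepted; no path separators or "..",
        // so a placeholder in server.xml cannot be used to read other files.
        if (key == null || key.isEmpty() || key.contains("/")
                || key.contains("\\") || key.contains("..")) {
            return null;
        }
        Path file = SECRET_DIR.resolve(key);
        if (!Files.isRegularFile(file)) {
            // Unknown key: returning null leaves the placeholder to Tomcat's
            // other property sources (system properties).
            return null;
        }
        try {
            // Refuse a secret file that other users on the host can read.
            // Files.getPosixFilePermissions is POSIX-only (assumption: Linux host).
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(file);
            if (perms.contains(PosixFilePermission.GROUP_READ)
                    || perms.contains(PosixFilePermission.OTHERS_READ)) {
                System.err.println("FilePropertySource: refusing group/world-readable "
                        + file);
                return null;
            }
            String value = new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
            // Strip the trailing newline that most editors append.
            return value.trim();
        } catch (IOException e) {
            System.err.println("FilePropertySource: cannot read " + key + ": "
                    + e.getMessage());
            return null;
        }
    }
}
```

With this in place the keystore password never appears in server.xml, and the secret file can be created with `umask 077` and owned by the Tomcat service account. What it does not change is the FAQ's point: the running JVM still needs the clear-text password to open the keystore, so the protection boundary is the operating-system account, not the configuration file.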