You could look at how TC Server does this. Their tcserver.jar has an encoder/decoder in it and the class is loaded as a digester in the Catalina.properties. It relies on having a prefix on the encoded value that would subsequently be decoded and the property value replaced with the decoded value. The passwords have to be encoded prior to adding them to your configuration files. It's fairly easy to do.
You might be able to come up with something similar on your own. Thanks, Dream * Excel * Explore * Inspire Jon McAlexander Senior Infrastructure Engineer Asst. Vice President He/His Middleware Product Engineering Enterprise CIO | EAS | Middleware | Infrastructure Solutions 8080 Cobblestone Rd | Urbandale, IA 50322 MAC: F4469-010 Tel 515-988-2508 | Cell 515-988-2508 jonmcalexan...@wellsfargo.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose, or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. > -----Original Message----- > From: Mark Thomas <ma...@apache.org> > Sent: Friday, October 27, 2023 3:45 AM > To: users@tomcat.apache.org > Subject: Re: How to custom java program to decrypt keystore password in > Tomcat 10.1.15 > > On 26/10/2023 11:05, yanyizhong wrote: > > > > > > Hi Tomcat team, > > Version: Tomcat 10.1.15 > > > > > > I am trying to upgrade Tomcat from version 9.0.56 into 10.1.15, and found > that there is no setKeystorePass(String) method in tomcat 10.1.15. > > > > > > As we want to use the custom keystore encryption password in server.xml > like this: > > > > > > <Connector prt="8080" protocol="test.CustomHttp11Nio2Protocol" > chiphhers="TLS_ECDHE_RSA_WITH_AES_123_GCM_SHA256" > > keystoreFile="E:\tes.jks" > > keystorePass="xsdfdfdsfdfxdf(encryption password)" > > keystoreType"JKS" /> > > And this "encrypted" password is "decrypted" how? > https://urldefense.com/v3/__https://cwiki.apache.org/confluence/display/ > TOMCAT/Password__;!!F9svGWnIaVPGSwU!sJRkxJv4qdFjO7jusA2u0eRFDEx > Wji3SkfxRWuu9WY0xWKUWAu8p7qwvQkIU9PHtKGKlG4BOPViaYubUO15UL > g$ > (Hint: this is a waste of time from a security perspective.) > > If you can find a way to make this work then you are welcome to use it but I > am sure as I can be that if source code changes are required in Tomcat to > make this work they won't be happening. > > I suspect the way to do this (if you really must) would be via a custom > PropertySource. If you look at the existing implementations then you should > have enough hints to put together an implementation that looks for "enc:...." > and "decrypts" what it finds. > > Note that org.apache.tomcat.util.digester.PROPERTY_SOURCE multiple > values, separated by commas. > > Mark > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org
