Re: JKS keystore password Encryption
Mark Thomas wrote:
> On 14/08/2014 15:46, George Sexton wrote:
> > On 8/14/2014 8:33 AM, Mark Thomas wrote:
> > > On 14/08/2014 15:10, George Sexton wrote:
> > > > graph. Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?
> > >
> > > Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.
> >
> > The issue with root makes sense. Thanks for explaining it to me.
> >
> > The case I see it being an improvement is where there's a defect in the web server that makes the file available to the uid the tomcat process runs under. Using tomcat as an example, say there were some directory traversal bug that would make the file available. Using httpd as an example, say there were some stack overflow bug in PHP that could be exploited.
>
> With httpd that attack wouldn't work as the worker processes run as a different user to the main process which runs as root. Only the main process can read the key file.
>
> In Tomcat I think (but have never tested) that Commons Daemon can do a similar thing. It starts as root, reads the keystore and then drops to non-root. The problem with that is that if the connector needs to be restarted you have to restart the entire process.
>
> A similar issue with restarting the connector exists with the 'enter the password on the command line' solution.
>
> To look at it another way, I don't think the benefit is worth the effort necessary to implement it.
>
> <advert>
> I believe Pivotal's (my employer) tc Server product which is based on Tomcat does offer an enter the password on start-up option of some form.
> </advert>

In which cases, humans being humans, the password probably ends up on a Post-It stuck on the console..
Re: JKS keystore password Encryption
On 8/4/2014 8:17 AM, André Warnier wrote:
> Sanaullah wrote:
> > Hi, is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?
>
> This kind of question comes regularly on this list, I would say 2 or 3 times each year. Searching the list archives (mentioned in the superb on-line Tomcat documentation) would provide a number of discussions on the topic.
>
> The basic answer is no, because then Tomcat would need to be able to decrypt it; and to do that, it would need to know a decryption key; and to know that, this decryption key would need to be stored somewhere; loop to the beginning of this paragraph.

Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?

--
George Sexton
MH Software, Inc.
Voice: 303 438 9585
http://www.mhsoftware.com
Re: JKS keystore password Encryption
On 14/08/2014 15:10, George Sexton wrote:
> On 8/4/2014 8:17 AM, André Warnier wrote:
> > Sanaullah wrote:
> > > Hi, is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?
> >
> > This kind of question comes regularly on this list, I would say 2 or 3 times each year. Searching the list archives (mentioned in the superb on-line Tomcat documentation) would provide a number of discussions on the topic.
> >
> > The basic answer is no, because then Tomcat would need to be able to decrypt it; and to do that, it would need to know a decryption key; and to know that, this decryption key would need to be stored somewhere; loop to the beginning of this paragraph.
>
> Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?

Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.

Mark
Re: JKS keystore password Encryption
On 8/14/2014 10:33 AM, Mark Thomas wrote:
> On 14/08/2014 15:10, George Sexton wrote:
> > On 8/4/2014 8:17 AM, André Warnier wrote:
> > > Sanaullah wrote:
> > > > Hi, is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?
> > >
> > > This kind of question comes regularly on this list, I would say 2 or 3 times each year. Searching the list archives (mentioned in the superb on-line Tomcat documentation) would provide a number of discussions on the topic.
> > >
> > > The basic answer is no, because then Tomcat would need to be able to decrypt it; and to do that, it would need to know a decryption key; and to know that, this decryption key would need to be stored somewhere; loop to the beginning of this paragraph.
> >
> > Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?
>
> Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to

Can this be done remotely? Or does it require local access?

> protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.
>
> Mark
Re: JKS keystore password Encryption
On 8/14/2014 8:33 AM, Mark Thomas wrote:
> On 14/08/2014 15:10, George Sexton wrote:
> > graph. Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?
>
> Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.

The issue with root makes sense. Thanks for explaining it to me.

The case I see it being an improvement is where there's a defect in the web server that makes the file available to the uid the tomcat process runs under. Using tomcat as an example, say there were some directory traversal bug that would make the file available. Using httpd as an example, say there were some stack overflow bug in PHP that could be exploited.

> Mark

--
George Sexton
MH Software, Inc.
Voice: 303 438 9585
http://www.mhsoftware.com
Re: JKS keystore password Encryption
On 14/08/2014 15:46, George Sexton wrote:
> On 8/14/2014 8:33 AM, Mark Thomas wrote:
> > On 14/08/2014 15:10, George Sexton wrote:
> > > graph. Can you help me understand why tomcat doesn't take the approach of Apache httpd which is to ask the user for the decryption key at startup time?
> >
> > Because it is largely a waste of time. Anyone with root on the box can do a heap dump and retrieve the actual key or the password used to protect the key. Much simpler just to not bother with a password and configure the key file so only root and the Tomcat user can read it. Same ends, simpler means.
>
> The issue with root makes sense. Thanks for explaining it to me.
>
> The case I see it being an improvement is where there's a defect in the web server that makes the file available to the uid the tomcat process runs under. Using tomcat as an example, say there were some directory traversal bug that would make the file available. Using httpd as an example, say there were some stack overflow bug in PHP that could be exploited.

With httpd that attack wouldn't work as the worker processes run as a different user to the main process which runs as root. Only the main process can read the key file.

In Tomcat I think (but have never tested) that Commons Daemon can do a similar thing. It starts as root, reads the keystore and then drops to non-root. The problem with that is that if the connector needs to be restarted you have to restart the entire process.

A similar issue with restarting the connector exists with the 'enter the password on the command line' solution.

To look at it another way, I don't think the benefit is worth the effort necessary to implement it.

<advert>
I believe Pivotal's (my employer) tc Server product which is based on Tomcat does offer an enter the password on start-up option of some form.
</advert>

Mark
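Mark's recommendation above (skip the password gymnastics and make sure the keystore is readable only by root and the Tomcat user) can be checked mechanically on each host. The following is an added example, not code from this thread or from the Tomcat project: it parses a constructed server.xml fragment, lists every Connector that names a keystoreFile, records whether keystorePass sits inline, and flags any keystore whose mode grants group-write or any world access. The catalina_base value and the injectable mode_of callback are assumptions for demonstration; the same mode check applies just as well to server.xml itself.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment for demonstration (not from the thread).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>
"""

def find_keystores(server_xml_text):
    """Return [(port, keystoreFile, has_inline_keystorePass)] for every
    Connector that references a keystore."""
    root = ET.fromstring(server_xml_text)
    found = []
    for conn in root.iter("Connector"):
        ks = conn.get("keystoreFile")
        if ks:
            found.append((conn.get("port"), ks, "keystorePass" in conn.attrib))
    return found

def mode_is_restricted(mode):
    """True when nobody outside owner and group can touch the file and the
    group can at most read it: the 'root and the Tomcat user only' layout
    from the thread (e.g. 0640 owned root:tomcat). 0644 and 0660 both fail."""
    return (mode & 0o007) == 0 and (mode & 0o030) == 0

def _mode_of_path(path):
    """Permission bits of a real file, or None if it cannot be stat'ed."""
    try:
        return stat.S_IMODE(os.stat(path).st_mode)
    except OSError:
        return None

def audit(server_xml_text, catalina_base, mode_of=_mode_of_path):
    """Resolve each keystoreFile against catalina_base (relative paths) and
    report whether its mode is restricted. mode_of is injectable so the
    check can be exercised against constructed modes; a missing file is
    reported as not ok rather than silently skipped."""
    report = []
    for port, ks, inline in find_keystores(server_xml_text):
        path = ks if os.path.isabs(ks) else os.path.join(catalina_base, ks)
        mode = mode_of(path)
        report.append({"port": port, "file": path, "inline_pass": inline,
                       "mode": mode,
                       "ok": mode is not None and mode_is_restricted(mode)})
    return report
```

Running audit(SAMPLE_SERVER_XML, "/opt/tomcat") on a real host yields one dict per TLS connector; any entry with "ok": False is a keystore that more than root and the Tomcat user can reach.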
Re: JKS keystore password Encryption
> You may find Wiki also useful: http://wiki.apache.org/tomcat/FAQ/Password
>
> -Ognjen

Write your own datasource implementation which wraps your datasource and obscure your brains out (XOR http://en.wikipedia.org/wiki/XOR_cipher and ROT13 http://en.wikipedia.org/wiki/ROT13 are great candidates for this since their strength matches the protection you'll actually get)

Haha. ROT13: Vg pna'g or penpxrq!

Hmm, Interesting, ROT13 looks oddly like Klingon.
Re: JKS keystore password Encryption
Sanaullah,

On 8/4/14, 9:19 PM, Sanaullah wrote:
> Thanks to all. I was looking something similar to this [1] which is implemented in JBoss.
>
> [1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

Congratulations: you'll pass a security audit that flags this as a problem.

Fail: you have moved your password to another file, and not gained a single thing. You may now celebrate the incompetence of both your auditors and engineering staff for sidestepping an issue rather than soberly dealing with it head-on.

This is why formal risk analyses are much better than crappy script-based security audits. First of all, they force you to be much more creative than a script you paid someone a huge sum of money to run that only tells you obvious things that a light reading of any OWASP documentation would already tell you, *and* it gives you the opportunity to say this thing doesn't matter at all, and even if we *did* do something about it, it wouldn't make any damn bit of difference.

It's time engineering teams started teaching management about security.

-chris
Re: JKS keystore password Encryption
Hi Chris,

I don't want to pass the audit. I am just curious why JBoss implemented that? And what's the purpose of SRP protocol implementation just to pass the audit?

[1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Development_Guide/#sect-Secure_Remote_Password_Protocol

Regards,
Sanaullah

On Wed, Aug 6, 2014 at 5:34 AM, Christopher Schultz ch...@christopherschultz.net wrote:
> Sanaullah,
>
> On 8/4/14, 9:19 PM, Sanaullah wrote:
> > Thanks to all. I was looking something similar to this [1] which is implemented in JBoss.
> >
> > [1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html
>
> Congratulations: you'll pass a security audit that flags this as a problem.
>
> Fail: you have moved your password to another file, and not gained a single thing. You may now celebrate the incompetence of both your auditors and engineering staff for sidestepping an issue rather than soberly dealing with it head-on.
>
> This is why formal risk analyses are much better than crappy script-based security audits. First of all, they force you to be much more creative than a script you paid someone a huge sum of money to run that only tells you obvious things that a light reading of any OWASP documentation would already tell you, *and* it gives you the opportunity to say this thing doesn't matter at all, and even if we *did* do something about it, it wouldn't make any damn bit of difference.
>
> It's time engineering teams started teaching management about security.
>
> -chris
JKS keystore password Encryption
Hi,

Is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?

Regards,
Sanaullah
Re: JKS keystore password Encryption
Sanaullah wrote:
> Hi, is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?

This kind of question comes regularly on this list, I would say 2 or 3 times each year. Searching the list archives (mentioned in the superb on-line Tomcat documentation) would provide a number of discussions on the topic.

The basic answer is no, because then Tomcat would need to be able to decrypt it; and to do that, it would need to know a decryption key; and to know that, this decryption key would need to be stored somewhere; loop to the beginning of this paragraph.

And if someone non-authorized has access to Tomcat's server.xml, then you have bigger problems than a non-encrypted password.
Re: JKS keystore password Encryption
On Mon 04 Aug 2014 09:17:47 André Warnier wrote:
> And if someone non-authorized has access to Tomcat's server.xml, then you have bigger problems than a non-encrypted password.

Maybe the best solution could be put the right permission to server.xml and do not give the root password to other users

Regards,
Ulinx

In a problem with n equations there will always be at least n+1 unknowns
Linux user 366775
Re: JKS keystore password Encryption
Thanks Andre and Ulises. I will also search the archive as well.

Regards,
Sanaullah

On Mon, Aug 4, 2014 at 8:07 PM, Ulises González Horta ul...@ulinxonline.net wrote:
> On Mon 04 Aug 2014 09:17:47 André Warnier wrote:
> > And if someone non-authorized has access to Tomcat's server.xml, then you have bigger problems than a non-encrypted password.
>
> Maybe the best solution could be put the right permission to server.xml and do not give the root password to other users
>
> Regards,
> Ulinx
>
> In a problem with n equations there will always be at least n+1 unknowns
> Linux user 366775
Re: JKS keystore password Encryption
Sanaullah,

On 8/4/14, 9:43 AM, Sanaullah wrote:
> is there a way I can replace plain JKS keystore password with encrypted password in tomcat server.xml?

http://wiki.apache.org/tomcat/FAQ/Password

-chris
Re: JKS keystore password Encryption
Sanaullah,

On 4.8.2014 17:26, Sanaullah wrote:
> I will also search the archive as well.

You may find Wiki also useful: http://wiki.apache.org/tomcat/FAQ/Password

-Ognjen
Re: JKS keystore password Encryption
Thanks to all. I was looking something similar to this [1] which is implemented in JBoss.

[1] https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

On Tue, Aug 5, 2014 at 3:43 AM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:
> Sanaullah,
>
> On 4.8.2014 17:26, Sanaullah wrote:
> > I will also search the archive as well.
>
> You may find Wiki also useful: http://wiki.apache.org/tomcat/FAQ/Password
>
> -Ognjen