Re: [OT] clear text keystore password in server.xml
On 02.09.2010 18:55, Pid wrote:
> On 02/09/2010 17:31, Christopher Schultz wrote:
>> Pid,
>>
>> On 9/2/2010 11:51 AM, Pid wrote:
>>> ..lots of info is available by JMX, once the server is up. In Java 6 you can attach to the process locally, without having to configure the JMX ports because it injects the management agent into the virtual machine.
>>
>> I hadn't considered that, never having used JMX. Are you saying that anyone with local access can snoop a JVM? What are the strategies available to prohibit that? Can you disable local JMX altogether? How about some kind of authentication?
>
> Pretty much. I'm not sure how to disable it, I've only just got the hang of enabling it.
>
> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>
> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc for that.

I thought it uses a local file created by the JVM which only allows access, if you are the same user (or root). The marketing terminology for this Java 6 feature was attach on demand.

See also

http://weblogs.java.net/blog/emcmanus/archive/2005/09/mustang_jdk_now.html

with some examples here:

http://blogs.sun.com/sundararajan/entry/using_mustang_s_attach_api
http://blogs.sun.com/sundararajan/entry/my_experiments_with_attach_on

and API Javadoc:

http://download-llnw.oracle.com/javase/6/docs/jdk/api/attach/spec/index.html

Regards,

Rainer

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: [OT] clear text keystore password in server.xml
On 04/09/2010 11:05, Rainer Jung wrote:
> On 02.09.2010 18:55, Pid wrote:
>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>> Pid,
>>>
>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>> ..lots of info is available by JMX, once the server is up. In Java 6 you can attach to the process locally, without having to configure the JMX ports because it injects the management agent into the virtual machine.
>>>
>>> I hadn't considered that, never having used JMX. Are you saying that anyone with local access can snoop a JVM? What are the strategies available to prohibit that? Can you disable local JMX altogether? How about some kind of authentication?
>>
>> Pretty much. I'm not sure how to disable it, I've only just got the hang of enabling it.
>>
>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>
>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc for that.
>
> I thought it uses a local file created by the JVM which only allows access, if you are the same user (or root). The marketing terminology for this Java 6 feature was attach on demand.

OK, that's useful to know. I was assuming there was a JVM option to prevent dynamic attachments, but that I just hadn't found it. File perm based restrictions make sense.

> See also
>
> http://weblogs.java.net/blog/emcmanus/archive/2005/09/mustang_jdk_now.html
>
> with some examples here:
>
> http://blogs.sun.com/sundararajan/entry/using_mustang_s_attach_api
> http://blogs.sun.com/sundararajan/entry/my_experiments_with_attach_on
>
> and API Javadoc:
>
> http://download-llnw.oracle.com/javase/6/docs/jdk/api/attach/spec/index.html

Excellent, thanks, I'll have a read.

p
Re: [OT] clear text keystore password in server.xml
On 04/09/2010 12:41, Pid wrote:
> On 04/09/2010 11:05, Rainer Jung wrote:
>> On 02.09.2010 18:55, Pid wrote:
>>> On 02/09/2010 17:31, Christopher Schultz wrote:
>>>> Pid,
>>>>
>>>> On 9/2/2010 11:51 AM, Pid wrote:
>>>>> ..lots of info is available by JMX, once the server is up. In Java 6 you can attach to the process locally, without having to configure the JMX ports because it injects the management agent into the virtual machine.
>>>>
>>>> I hadn't considered that, never having used JMX. Are you saying that anyone with local access can snoop a JVM? What are the strategies available to prohibit that? Can you disable local JMX altogether? How about some kind of authentication?
>>>
>>> Pretty much. I'm not sure how to disable it, I've only just got the hang of enabling it.
>>>
>>> http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html
>>>
>>> Also: sun.management.ConnectorAddressLink, but I can't find a javadoc for that.
>>
>> I thought it uses a local file created by the JVM which only allows access, if you are the same user (or root). The marketing terminology for this Java 6 feature was attach on demand.
>
> OK, that's useful to know. I was assuming there was a JVM option to prevent dynamic attachments, but that I just hadn't found it. File perm based restrictions make sense.

It's possible to prevent attachment via the SecurityManager. Obvious really. Doh.

p
Re: clear text keystore password in server.xml
Luca,

On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> I'm working to secure this, but...it's not too easy (and I'm surely not a skilled programmer...). But I hope this topic will be kept up!

There is virtually nothing you can do about this. The only solutions here are:

1. Use a password entered on the console during start-up (the Apache httpd strategy)
2. Remove the password from the keystore

Removing the password from the keystore is just about as (in)secure as having the password in server.xml in plain-text.

All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.

-chris
Re: clear text keystore password in server.xml
On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> Luca,
>
> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
>> I'm working to secure this, but...it's not too easy (and I'm surely not a skilled programmer...). But I hope this topic will be kept up!
>
> There is virtually nothing you can do about this. The only solutions here are:
>
> 1. Use a password entered on the console during start-up (the Apache httpd strategy)

Or a minor variant of this, such as entering the pwd on a secure web page just after startup, though this has other disadvantages.

> 2. Remove the password from the keystore
>
> Removing the password from the keystore is just about as (in)secure as having the password in server.xml in plain-text.
>
> All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.

D
Re: clear text keystore password in server.xml
On 02/09/2010 16:37, David kerber wrote:
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>> Luca,
>>
>> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
>>> I'm working to secure this, but...it's not too easy (and I'm surely not a skilled programmer...). But I hope this topic will be kept up!
>>
>> There is virtually nothing you can do about this. The only solutions here are:
>>
>> 1. Use a password entered on the console during start-up (the Apache httpd strategy)

java.io.Console makes this easy in Java 6, but...

> Or a minor variant of this, such as entering the pwd on a secure web page just after startup, though this has other disadvantages.
>
>> 2. Remove the password from the keystore
>>
>> Removing the password from the keystore is just about as (in)secure as having the password in server.xml in plain-text.
>>
>> All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.

..lots of info is available by JMX, once the server is up. In Java 6 you can attach to the process locally, without having to configure the JMX ports because it injects the management agent into the virtual machine.

Worse, if they're already on your server they've probably got a much bigger surface area to attack, than just Tomcat. And if they get root, it's all over.

p
Re: [OT] clear text keystore password in server.xml
Pid,

On 9/2/2010 11:51 AM, Pid wrote:
>> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>>> 1. Use a password entered on the console during start-up (the Apache httpd strategy)
>
> java.io.Console makes this easy in Java 6, but...

Right: before Java 6, you'd have to enter the password clear-text on the console. :(

>>> All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.
>
> ..lots of info is available by JMX, once the server is up. In Java 6 you can attach to the process locally, without having to configure the JMX ports because it injects the management agent into the virtual machine.

I hadn't considered that, never having used JMX. Are you saying that anyone with local access can snoop a JVM? What are the strategies available to prohibit that? Can you disable local JMX altogether? How about some kind of authentication?

> Worse, if they're already on your server they've probably got a much bigger surface area to attack, than just Tomcat. And if they get root, it's all over.

+1

-chris
RE: clear text keystore password in server.xml
> -----Original Message-----
> From: David kerber [mailto:dcker...@verizon.net]
> Sent: Thursday, September 02, 2010 9:37 AM
> To: Tomcat Users List
> Subject: Re: clear text keystore password in server.xml
>
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>> Luca,
>>
>> On 8/30/2010 2:42 AM, Luca Gervasi wrote:
>>> I'm working to secure this, but...it's not too easy (and I'm surely not a skilled programmer...). But I hope this topic will be kept up!
>>
>> There is virtually nothing you can do about this. The only solutions here are:
>>
>> 1. Use a password entered on the console during start-up (the Apache httpd strategy)
>
> Or a minor variant of this, such as entering the pwd on a secure web page just after startup, though this has other disadvantages.

And how would this page be secured since you wouldn't have SSL capability at that point?

>> 2. Remove the password from the keystore
>>
>> Removing the password from the keystore is just about as (in)secure as having the password in server.xml in plain-text.
>>
>> All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.

George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com
Re: [OT] clear text keystore password in server.xml
On 02/09/2010 17:31, Christopher Schultz wrote:
> Pid,
>
> On 9/2/2010 11:51 AM, Pid wrote:
>>> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
>>>> 1. Use a password entered on the console during start-up (the Apache httpd strategy)
>>
>> java.io.Console makes this easy in Java 6, but...
>
> Right: before Java 6, you'd have to enter the password clear-text on the console. :(
>
>>>> All other strategies simply move the problem to some other component. Protecting one password requires another password which requires protecting which ... you get the idea.
>>
>> ..lots of info is available by JMX, once the server is up. In Java 6 you can attach to the process locally, without having to configure the JMX ports because it injects the management agent into the virtual machine.
>
> I hadn't considered that, never having used JMX. Are you saying that anyone with local access can snoop a JVM? What are the strategies available to prohibit that? Can you disable local JMX altogether? How about some kind of authentication?

Pretty much. I'm not sure how to disable it, I've only just got the hang of enabling it.

http://download.oracle.com/javase/6/docs/jdk/api/attach/spec/com/sun/tools/attach/VirtualMachine.html

Also: sun.management.ConnectorAddressLink, but I can't find a javadoc for that.

p

>> Worse, if they're already on your server they've probably got a much bigger surface area to attack, than just Tomcat. And if they get root, it's all over.
>
> +1
>
> -chris
Re: clear text keystore password in server.xml
On Fri, 2010-08-27 at 17:53 -0400, Christopher Schultz wrote:
> Vijay,
>
> On 8/27/2010 5:41 AM, Vijay wrote:
>> I am looking for a way to use only encrypted passwords.
>
> Cool. How are you going to do that?
>
>> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself. Something in the lines of :
>>
>> public class WrapperTomcatBootstrap {
>>     public static void main(String args[]) {
>>         String encryptedKeystorePassword = System.getenv("ENCRYPTED_KEYSTORE_PASSWORD");
>
> Uh... the environment isn't safe, either. How will you protect the environment?
>
> -chris

I've implemented myself something similar. It's far from being secure enough for production environments, but... it works. I'm using it just to encrypt the connection pooling password.

Actually, I subclassed the org.apache.tomcat.dbcp.dbcp.BasicDataSourceFactory, implementing my own class that simply picks username/password/url and replaces them in memory using a supplied password.

...but...

So far, I wasn't able to implement an internal password input, actually I pass it to the class using an external file (shredded after being read), but this is really far from being secure, as the file exists on disk for a split second. Using environment or (worse) cmdline parameters is surely avoidable, as they are both available in /proc after the startup. Moreover, the Datasource structure is fully _clear text_ exposed using jmx, allowing anyone who has the right permission to get it in the clear.

You should also keep in mind what someone just pointed out in the previous messages: startup/restart could not be unattended. I use SMF on Solaris to keep tomcat up and running in an unattended manner, but this new method forces me to avoid smf, leading to greater per-node downtime.

I'm working to secure this, but...it's not too easy (and I'm surely not a skilled programmer...). But I hope this topic will be kept up!

Thanks for sharing.

Luca Gervasi
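Added example, not part of the thread and not code from any poster: a defender's check for the exposure described in the message above, listing secret-looking names passed to a process on its command line or in its environment (both readable under /proc on Linux). The two sample entry names are the ones mentioned in the thread; the optional second argument (an alternate /proc root for offline testing) and the name pattern are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the thread.

# exposed_secret_names FILE
# FILE is NUL-separated, like /proc/<pid>/cmdline or /proc/<pid>/environ.
# Prints the NAME of every NAME=value or -DNAME=value entry whose name looks
# like a secret. Values are never printed.
exposed_secret_names() {
    tr '\000' '\n' < "$1" |
        sed -n 's/^\(-D\)\{0,1\}\([A-Za-z0-9_.]*\)=.*/\2/p' |
        grep -Ei 'pass|pwd|secret' || true
}

# audit_process PID [PROC_ROOT]
# Returns 0 when neither file exposes a secret-looking name, 1 otherwise.
# PROC_ROOT defaults to /proc (assumption: overridable so the check can be
# exercised against constructed files).
audit_process() {
    proc_dir="${2:-/proc}/$1"
    found=0
    for f in cmdline environ; do
        # environ is only readable by the process owner and root
        [ -r "$proc_dir/$f" ] || continue
        for name in $(exposed_secret_names "$proc_dir/$f"); do
            echo "FINDING: pid $1 $f exposes $name"
            found=1
        done
    done
    return "$found"
}
```

Run as the Tomcat user or root, for example `audit_process "$(pgrep -f org.apache.catalina.startup.Bootstrap)"` when exactly one Tomcat instance is running.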
Re: clear text keystore password in server.xml
On 27/08/2010 10:41, Vijay wrote:
> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.

And how do you propose to provide the secret key required to perform the decryption?

Mark
Re: clear text keystore password in server.xml
For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..

On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas ma...@apache.org wrote:
> On 27/08/2010 10:41, Vijay wrote:
>> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.
>
> And how do you propose to provide the secret key required to perform the decryption?
>
> Mark

--
A. Vijayaraghavan
Senior Software Engineer
Mob : +91 98861 70810
Informatica Business Solutions PVT LTD
The Data Integration Company (TM)
Re: clear text keystore password in server.xml
On 27/08/2010 11:26, Vijay wrote:
> For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..

And how do you propose to provide the password Tomcat uses to access this secure database?

Mark

> On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas ma...@apache.org wrote:
>> On 27/08/2010 10:41, Vijay wrote:
>>> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.
>>
>> And how do you propose to provide the secret key required to perform the decryption?
>>
>> Mark
Re: clear text keystore password in server.xml
Hi Mark,

I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..

This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]

Thanks!
Vijay

On Fri, Aug 27, 2010 at 4:07 PM, Mark Thomas ma...@apache.org wrote:
> On 27/08/2010 11:26, Vijay wrote:
>> For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..
>
> And how do you propose to provide the password Tomcat uses to access this secure database?
>
> Mark
>
>> On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas ma...@apache.org wrote:
>>> On 27/08/2010 10:41, Vijay wrote:
>>>> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.
>>>
>>> And how do you propose to provide the secret key required to perform the decryption?
>>>
>>> Mark
Re: clear text keystore password in server.xml
On 27/08/2010 13:19, Vijay wrote:
> Hi Mark,
>
> I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..

Bingo!

> This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]

Can't be done. As a minimum some secret has to be visible to the process running Tomcat. Which also means it is visible to any user with root privileges.

By far the simplest solution is to have the tomcat user own server.xml and make that file owner readable only.

You can, if you want to make server.xml more widely visible, use property replacement or XML entities to move the password to a separate file and then lock down that file.

You also need to lock down any code run by Tomcat to stop a back-door being inserted. This includes web applications. Alternatively (for web applications) you could run under a security manager.

Frankly this rapidly gets to the point where it is easier to:
a) limit access to the machine to people you trust
b) accept that if an attacker compromises the machine through Tomcat then the password is going to be compromised

I have seen a lot of other 'solutions' proposed for this problem and I have yet to see one that isn't anything more than smoke and mirrors designed to fool people (many of whom should know better) into thinking the password is far more secure than it really is.

Mark

> Thanks!
> Vijay
>
> On Fri, Aug 27, 2010 at 4:07 PM, Mark Thomas ma...@apache.org wrote:
>> On 27/08/2010 11:26, Vijay wrote:
>>> For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..
>>
>> And how do you propose to provide the password Tomcat uses to access this secure database?
>>
>> Mark
>>
>>> On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas ma...@apache.org wrote:
>>>> On 27/08/2010 10:41, Vijay wrote:
>>>>> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.
>>>>
>>>> And how do you propose to provide the secret key required to perform the decryption?
>>>>
>>>> Mark
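Added example, not part of the thread and not Tomcat's own tooling: a shell audit of the file-permission advice in the message above. It finds which file carries the keystore password (server.xml itself, or catalina.properties when server.xml uses `${...}` property replacement) and checks that this file is owned by the Tomcat uid and closed to group and other. The property name `keystore.pass` in the comments and the choice of catalina.properties as the separate file are assumptions of this sketch.

```sh
#!/bin/sh
# Added example, not from the thread.

# perms_owner_only FILE -> 0 when no group/other permission bits are set.
perms_owner_only() {
    # ls -ld prints e.g. "-rw-------"; characters 5-10 are group and other.
    [ "$(ls -ld -- "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# file_owner_uid FILE -> prints the numeric uid that owns FILE.
file_owner_uid() {
    ls -ldn -- "$1" | awk '{print $3}'
}

# 0 when server.xml says keystorePass="${some.property}",
# e.g. the hypothetical keystorePass="${keystore.pass}".
uses_property_for_keystore_pass() {
    grep -E 'keystorePass="\$\{[^}"]+\}"' -- "$1" >/dev/null 2>&1
}

# 0 when keystorePass holds a literal password.
has_inline_keystore_pass() {
    grep -E 'keystorePass="[^"]+"' -- "$1" 2>/dev/null |
        grep -Ev 'keystorePass="\$\{[^}"]+\}"' >/dev/null
}

# check_secret_file FILE UID -> prints FINDING lines, returns 1 on a problem.
check_secret_file() {
    rc=0
    if [ ! -f "$1" ]; then
        echo "FINDING: $1 is missing"
        return 1
    fi
    if [ "$(file_owner_uid "$1")" != "$2" ]; then
        echo "FINDING: $1 is not owned by uid $2"
        rc=1
    fi
    if ! perms_owner_only "$1"; then
        echo "FINDING: $1 is accessible to group or other"
        rc=1
    fi
    return "$rc"
}

# audit_tomcat_conf CONF_DIR TOMCAT_UID
# Returns 0 when the file that holds the keystore password is owned by
# TOMCAT_UID and readable by nobody else.
audit_tomcat_conf() {
    server_xml="$1/server.xml"
    props="$1/catalina.properties"
    if has_inline_keystore_pass "$server_xml"; then
        check_secret_file "$server_xml" "$2"
    elif uses_property_for_keystore_pass "$server_xml"; then
        # Password moved out by property replacement: the properties file
        # is now the secret and server.xml may be more widely readable.
        check_secret_file "$props" "$2"
    else
        echo "NOTE: no keystorePass attribute found in $server_xml"
    fi
}
```

Typical use is `audit_tomcat_conf "$CATALINA_BASE/conf" "$(id -u tomcat)"`; as the thread points out, a clean result still leaves the password readable by root and by any code running inside Tomcat.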
Re: clear text keystore password in server.xml
On Fri, Aug 27, 2010 at 2:36 PM, Mark Thomas ma...@apache.org wrote:
> On 27/08/2010 13:19, Vijay wrote:
>> Hi Mark,
>>
>> I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..
>
> Bingo!
>
>> This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]
>
> Can't be done. As a minimum some secret has to be visible to the process running Tomcat. Which also means it is visible to any user with root privileges.
>
> By far the simplest solution is to have the tomcat user own server.xml and make that file owner readable only.
>
> You can, if you want to make server.xml more widely visible, use property replacement or XML entities to move the password to a separate file and then lock down that file.
>
> You also need to lock down any code run by Tomcat to stop a back-door being inserted. This includes web applications. Alternatively (for web applications) you could run under a security manager.
>
> Frankly this rapidly gets to the point where it is easier to:
> a) limit access to the machine to people you trust
> b) accept that if an attacker compromises the machine through Tomcat then the password is going to be compromised
>
> I have seen a lot of other 'solutions' proposed for this problem and I have yet to see one that isn't anything more than smoke and mirrors designed to fool people (many of whom should know better) into thinking the password is far more secure than it really is.
>
> Mark
>
>> Thanks!
>> Vijay
>>
>> On Fri, Aug 27, 2010 at 4:07 PM, Mark Thomas ma...@apache.org wrote:
>>> On 27/08/2010 11:26, Vijay wrote:
>>>> For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering..
>>>
>>> And how do you propose to provide the password Tomcat uses to access this secure database?
>>>
>>> Mark
>>>
>>>> On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas ma...@apache.org wrote:
>>>>> On 27/08/2010 10:41, Vijay wrote:
>>>>>> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.
>>>>>
>>>>> And how do you propose to provide the secret key required to perform the decryption?
>>>>>
>>>>> Mark

I've been giving this whole issue a lot of thought. And not just now, for months now.

I was wondering if the following was possible in theory: when tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?

Regards,

Wes
Re: clear text keystore password in server.xml
On 8/27/2010 9:02 AM, Wesley Acheson wrote:

...

> I've been giving this whole issue a lot of thought. And not just now, for months now.
>
> I was wondering if the following was possible in theory: when tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?

If you can always be sure somebody is available when tomcat is restarted, I would think that would work to prevent having any clear-text passwords on disk anywhere.

It would be really easy to have a single web page where the administrator could go to enter the password after a restart, and there are some checks you could do to help make that fairly secure (i.e. if the password has already been entered, don't allow anybody to enter it again, etc).

Essentially you'd be trading possible downtime for a little more security, but only you can make the decision as to whether that's an appropriate tradeoff for your app.

D
Re: clear text keystore password in server.xml
On 27/08/2010 14:02, Wesley Acheson wrote:
> I've been giving this whole issue a lot of thought. And not just now, for months now.
>
> I was wondering if the following was possible in theory: when tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?

Not really. Nothing stops an attacker replacing a standard Tomcat jar with a modified one that just spits the password straight back out on the next restart. And if the attacker can trigger a heap dump or read the process memory some other way they don't even need that. You still end up relying on operating system security which in the end is no different to just setting the permissions on the server.xml

Mark
Re: clear text keystore password in server.xml
If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.

Perhaps Tomcats in clusters could obtain the password from their brethren.

On Aug 27, 2010, at 9:22 AM, David kerber wrote:
> On 8/27/2010 9:02 AM, Wesley Acheson wrote:
>
> ...
>
>> I've been giving this whole issue a lot of thought. And not just now, for months now.
>>
>> I was wondering if the following was possible in theory: when tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirrors situation?
>
> If you can always be sure somebody is available when tomcat is restarted, I would think that would work to prevent having any clear-text passwords on disk anywhere.
>
> It would be really easy to have a single web page where the administrator could go to enter the password after a restart, and there are some checks you could do to help make that fairly secure (i.e. if the password has already been entered, don't allow anybody to enter it again, etc).
>
> Essentially you'd be trading possible downtime for a little more security, but only you can make the decision as to whether that's an appropriate tradeoff for your app.
>
> D
RE: clear text keystore password in server.xml
I was told by my company we're not supposed to have passwords stored in clear text. I explained to them the architecture of Tomcat, and didn't get a clear answer on whether or not it's ok, though I think it is.

I don't know what kind of DB you're using, Vijay, but the Oracle DBA told me he could open the wallet, I could reference in my server.xml file the OCI driver reference instead of thin driver, and omit using the password, as it would be encrypted in the DB column, then decrypted when called. I have not yet tried this out, but am thinking about going down that road.

What DB are you using, and is this an option for you?

-----Original Message-----
From: Vijay [mailto:amirisetty.vijayaragha...@gmail.com]
Sent: Friday, August 27, 2010 7:20 AM
To: Tomcat Users List
Subject: Re: clear text keystore password in server.xml

> Hi Mark,
>
> I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this ..
>
> This said, I am trying to find a way to get tomcat work with an encrypted password. [given the fact there is no way anyone can get to the secret key for decrypting the password]
>
> Thanks!
> Vijay
Re: clear text keystore password in server.xml
Ken Bowen wrote:
> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.
>
> Perhaps Tomcats in clusters could obtain the password from their brethren.

And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent. At least it would avoid having the sysadmins sticking it on a Post-It on their screens.
Re: clear text keystore password in server.xml
André Warnier a...@ice-sa.com wrote on 08/27/2010 12:32:43 PM:
> Ken Bowen wrote:
>> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner.
>>
>> Perhaps Tomcats in clusters could obtain the password from their brethren.
>
> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent. At least it would avoid having the sysadmins sticking it on a Post-It on their screens.

So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...
Re: clear text keystore password in server.xml
On 8/27/2010 1:14 PM, djohn...@desknetinc.com wrote:
> André Warnier a...@ice-sa.com wrote on 08/27/2010 12:32:43 PM:
>> Ken Bowen wrote:
>>> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner. Perhaps Tomcats in clusters could obtain the password from their brethren.
>> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent. At least it would avoid having the sysadmins sticking it on a Post-It on their screens.
> So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...

For a DoS attack, yes. She also needs to know the password to get anything to work.

D
RE: clear text keystore password in server.xml
André Warnier a...@ice-sa.com wrote on 08/27/2010 12:32:43 PM:
> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent.

Just put it on Facebook...

To quote from some architecture specs: Meaningful programming has not been achieved.

- Chuck
Re: clear text keystore password in server.xml
If the hacker has root privileges I'm pretty sure you have worse problems.

On Fri, Aug 27, 2010 at 7:14 PM, djohn...@desknetinc.com wrote:
> André Warnier a...@ice-sa.com wrote on 08/27/2010 12:32:43 PM:
>> Ken Bowen wrote:
>>> If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner. Perhaps Tomcats in clusters could obtain the password from their brethren.
>> And to complete the circle and make it all more user-friendly, I would also add the password to the SMS being sent. At least it would avoid having the sysadmins sticking it on a Post-It on their screens.
> So all the hacker with root privileges has to do is temporarily replace the sysadmins list with a single phone number, and then restart Tomcat, and (s)he is in business...
Re: clear text keystore password in server.xml
Vijay,

On 8/27/2010 5:41 AM, Vijay wrote:
> I am looking for a way to use only encrypted passwords.

Cool. How are you going to do that?

> I am looking to write a wrapper class that decrypts the password passed as an environment variable to tomcat, and then sets the system property javax.net.ssl.keyStorePassword inside the JVM itself.
>
> Something in the lines of :
>
> public class WrapperTomcatBootstrap {
>     public static void main(String args[]) {
>         String encryptedKeystorePassword = System.getenv(ENCRYPTED_KEYSTORE_PASSWORD);

Uh... the environment isn't safe, either. How will you protect the environment?

-chris
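The point about the environment in the message above, as an added example that is not part of the original thread: on Linux, a process's startup environment can be read back from /proc/<pid>/environ by the process owner and by root, so an administrator can audit which secret-looking variable names a running JVM carries. The function names, the name patterns and the dummy value are assumptions made for this illustration; a short-lived Python child stands in for the Tomcat process.

```python
import os
import stat
import subprocess
import sys

# Variable name as written in the quoted wrapper; the value below is a constructed dummy.
SECRET_VAR = "ENCRYPTED_KEYSTORE_PASSWORD"


def audit_process_env(pid, patterns=("PASSWORD", "PASSWD", "SECRET", "KEY")):
    """Report secret-looking variable NAMES in a process's startup environment.

    Linux only. /proc/<pid>/environ is readable by the process owner and root.
    Values are deliberately never returned, only the names that matched.
    """
    path = f"/proc/{pid}/environ"
    info = os.stat(path)
    with open(path, "rb") as fh:
        raw = fh.read()
    tags = [p.encode() for p in patterns]
    names = []
    for entry in raw.split(b"\0"):
        name, sep, _value = entry.partition(b"=")
        if sep and any(tag in name.upper() for tag in tags):
            names.append(name.decode(errors="replace"))
    return {
        "owner_uid": info.st_uid,
        "mode": stat.filemode(info.st_mode),
        "exposed_names": sorted(names),
    }


def demo():
    """Start a stand-in child the way a launcher script would, then audit it."""
    env = dict(os.environ)
    env[SECRET_VAR] = "constructed-dummy-value"
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)"], env=env
    )
    try:
        return audit_process_env(child.pid)
    finally:
        child.kill()
        child.wait()


if __name__ == "__main__":
    print(demo())
```

Run against the PID of a real Tomcat process under the same account (or as root), the report lists any variables that a launcher script left in the environment for the lifetime of the JVM.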