RE: clear text keystore password in server.xml

2010-09-02 Thread George Sexton
> -Original Message- > From: David kerber [mailto:dcker...@verizon.net] > Sent: Thursday, September 02, 2010 9:37 AM > To: Tomcat Users List > Subject: Re: clear text keystore password in server.xml > > On 9/2/2010 11:28 AM, Christopher Schultz wrote: > > --

Re: clear text keystore password in server.xml

2010-09-02 Thread Pid
On 02/09/2010 16:37, David kerber wrote: > On 9/2/2010 11:28 AM, Christopher Schultz wrote: >> -BEGIN PGP SIGNED MESSAGE- >> Hash: SHA1 >> >> Luca, >> >> On 8/30/2010 2:42 AM, Luca Gervasi wrote: >>> I'm working to secure this, but...it's not too easy (and I'm surely not >>> a skilled progr

Re: clear text keystore password in server.xml

2010-09-02 Thread David kerber
On 9/2/2010 11:28 AM, Christopher Schultz wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Luca, On 8/30/2010 2:42 AM, Luca Gervasi wrote: I'm working to secure this, but...it's not too easy (and I'm surely not a skilled programmer...). But I hope this topic will be kept up! There is vi

Re: clear text keystore password in server.xml

2010-09-02 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Luca, On 8/30/2010 2:42 AM, Luca Gervasi wrote: > I'm working to secure this, but...it's not too easy (and I'm surely not > a skilled programmer...). > > But I hope this topic will be kept up! There is virtually nothing you can do about this. The onl

Re: clear text keystore password in server.xml

2010-08-29 Thread Luca Gervasi
On Fri, 2010-08-27 at 17:53 -0400, Christopher Schultz wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA1 > > Vijay, > > On 8/27/2010 5:41 AM, Vijay wrote: > > I am looking for a way to use only encrypted passwords. > > Cool. How are you going to do that? > > > I am looking to write a wra

Re: clear text keystore password in server.xml

2010-08-27 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE- Hash: SHA1 Vijay, On 8/27/2010 5:41 AM, Vijay wrote: > I am looking for a way to use only encrypted passwords. Cool. How are you going to do that? > I am looking to write a wrapper class that decrypts the password passed as > an environment variable to tomcat,

Re: clear text keystore password in server.xml

2010-08-27 Thread Wesley Acheson
If the hacker has root privileges I'm pretty sure you have worse problems. On Fri, Aug 27, 2010 at 7:14 PM, wrote: > André Warnier wrote on 08/27/2010 12:32:43 PM: > >> Ken Bowen wrote: >> > If you wanted to go down this path, besides the web page for entering >> > the password, you could add s

RE: clear text keystore password in server.xml

2010-08-27 Thread Caldarale, Charles R
André Warnier wrote on 08/27/2010 12:32:43 PM: > And to complete the circle and make it all more user-friendly, I > would also add the password to the SMS being sent. Just put it on Facebook... To quote from some architecture specs: "Meaningful programming has not been achieved." - Chuck

Re: clear text keystore password in server.xml

2010-08-27 Thread David kerber
On 8/27/2010 1:14 PM, djohn...@desknetinc.com wrote: André Warnier wrote on 08/27/2010 12:32:43 PM: Ken Bowen wrote: If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability o

Re: clear text keystore password in server.xml

2010-08-27 Thread DJohnson
André Warnier wrote on 08/27/2010 12:32:43 PM: > Ken Bowen wrote: > > If you wanted to go down this path, besides the web page for entering > > the password, you could add sending alerts to the cells of all your > > sysadmins to improve the probability of the password being entered in a > > time

Re: clear text keystore password in server.xml

2010-08-27 Thread André Warnier
Ken Bowen wrote: If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner. Perhaps Tomcats in clusters could obtain the passwo

RE: clear text keystore password in server.xml

2010-08-27 Thread Propes, Barry L
n that road. What DB are you using, and is this an option for you? -Original Message- From: Vijay [mailto:amirisetty.vijayaragha...@gmail.com] Sent: Friday, August 27, 2010 7:20 AM To: Tomcat Users List Subject: Re: clear text keystore password in server.xml Hi Mark, I guess I

Re: clear text keystore password in server.xml

2010-08-27 Thread Ken Bowen
If you wanted to go down this path, besides the web page for entering the password, you could add sending alerts to the cells of all your sysadmins to improve the probability of the password being entered in a timely manner. Perhaps Tomcats in clusters could obtain the password from their

Re: clear text keystore password in server.xml

2010-08-27 Thread Mark Thomas
On 27/08/2010 14:02, Wesley Acheson wrote: > I've been giving this whole issue a lot of thought. And not just now > for months now. I was wondering if the following was possible in > theory, When tomcat is started up it prompts for the password? > Wouldn't that help with the whole smoke and mirrors

Re: clear text keystore password in server.xml

2010-08-27 Thread David kerber
On 8/27/2010 9:02 AM, Wesley Acheson wrote: ... I've been giving this whole issue a lot of thought. And not just now for months now. I was wondering if the following was possible in theory, When tomcat is started up it prompts for the password? Wouldn't that help with the whole smoke and mirror

Re: clear text keystore password in server.xml

2010-08-27 Thread Wesley Acheson
On Fri, Aug 27, 2010 at 2:36 PM, Mark Thomas wrote: > On 27/08/2010 13:19, Vijay wrote: >> Hi Mark, >>             I guess I am getting the point you are trying to make .. As long >> as the password or (the encrypted password and the secret key) are present >> at some location (file system / datab

Re: clear text keystore password in server.xml

2010-08-27 Thread Mark Thomas
On 27/08/2010 13:19, Vijay wrote: > Hi Mark, > I guess I am getting the point you are trying to make .. As long > as the password or (the encrypted password and the secret key) are present > at some location (file system / database/ etc) .. there is a security gap .. > I agree with this

Re: clear text keystore password in server.xml

2010-08-27 Thread Vijay
Hi Mark, I guess I am getting the point you are trying to make .. As long as the password or (the encrypted password and the secret key) are present at some location (file system / database/ etc) .. there is a security gap .. I agree with this .. This said, I am trying to find a way to

Re: clear text keystore password in server.xml

2010-08-27 Thread Mark Thomas
On 27/08/2010 11:26, Vijay wrote: > For prototyping purposes, I am embedding the secret key in the program > itself. > If the solution works out, having it in a secure database is an option I am > considering.. And how do you propose to provide the password Tomcat uses to access this secure databa

Re: clear text keystore password in server.xml

2010-08-27 Thread Vijay
For prototyping purposes, I am embedding the secret key in the program itself. If the solution works out, having it in a secure database is an option I am considering.. On Fri, Aug 27, 2010 at 3:45 PM, Mark Thomas wrote: > On 27/08/2010 10:41, Vijay wrote: > > I am looking to write a wrapper cla

Re: clear text keystore password in server.xml

2010-08-27 Thread Mark Thomas
On 27/08/2010 10:41, Vijay wrote: > I am looking to write a wrapper class that decrypts the password passed as > an environment variable to tomcat, and then sets the system property > javax.net.ssl.keyStorePassword inside the JVM itself. And how do you propose to provide the secret key required to