Re: JKS keystore password Encryption

2014-08-15 Thread André Warnier

Mark Thomas wrote:

On 14/08/2014 15:46, George Sexton wrote:

On 8/14/2014 8:33 AM, Mark Thomas wrote:

On 14/08/2014 15:10, George Sexton wrote:

Can you help me understand why tomcat doesn't take the approach of
Apache httpd which is to ask the user for the decryption key at startup
time?

Because it is largely a waste of time. Anyone with root on the box can
do a heap dump and retrieve the actual key or the password used to
protect the key. Much simpler just to not bother with a password and
configure the key file so only root and the Tomcat user can read it.
Same ends, simpler means.

The issue with root makes sense. Thanks for explaining it to me.

The case I see it being an improvement is where there's a defect in the
web server that makes the file available to the uid the tomcat process
runs under.

Using tomcat as an example, say there were some directory traversal bug
that would make the file available. Using httpd as an example, say there
were some stack overflow bug in PHP that could be exploited.


With httpd that attack wouldn't work as the worker processes run as a
different user to the main process which runs as root. Only the main
process can read the key file.

In Tomcat I think (but have never tested) that Commons Daemon can do a
similar thing. It starts as root, reads the keystore and then drops to
non-root. The problem with that is that if the connector needs to be
restarted you have to restart the entire process.

A similar issue with restarting the connector exists with the 'enter the
password on the command line' solution.

To look at it another way, I don't think the benefit is worth the effort
necessary to implement it.


I believe Pivotal's (my employer) tc Server product which is based on
Tomcat does offer an enter the password on start-up option of some form.




In which cases, humans being humans, the password probably ends up on a Post-It stuck on the console.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: JKS keystore password Encryption

2014-08-14 Thread Mark Thomas
On 14/08/2014 15:46, George Sexton wrote:
> 
> On 8/14/2014 8:33 AM, Mark Thomas wrote:
>> On 14/08/2014 15:10, George Sexton wrote:
>>> Can you help me understand why tomcat doesn't take the approach of
>>> Apache httpd which is to ask the user for the decryption key at startup
>>> time?
>> Because it is largely a waste of time. Anyone with root on the box can
>> do a heap dump and retrieve the actual key or the password used to
>> protect the key. Much simpler just to not bother with a password and
>> configure the key file so only root and the Tomcat user can read it.
>> Same ends, simpler means.
> 
> The issue with root makes sense. Thanks for explaining it to me.
> 
> The case I see it being an improvement is where there's a defect in the
> web server that makes the file available to the uid the tomcat process
> runs under.
> 
> Using tomcat as an example, say there were some directory traversal bug
> that would make the file available. Using httpd as an example, say there
> were some stack overflow bug in PHP that could be exploited.

With httpd that attack wouldn't work as the worker processes run as a
different user to the main process which runs as root. Only the main
process can read the key file.

In Tomcat I think (but have never tested) that Commons Daemon can do a
similar thing. It starts as root, reads the keystore and then drops to
non-root. The problem with that is that if the connector needs to be
restarted you have to restart the entire process.

A similar issue with restarting the connector exists with the 'enter the
password on the command line' solution.

To look at it another way, I don't think the benefit is worth the effort
necessary to implement it.


I believe Pivotal's (my employer) tc Server product which is based on
Tomcat does offer an enter the password on start-up option of some form.


Mark




Re: JKS keystore password Encryption

2014-08-14 Thread George Sexton


On 8/14/2014 8:33 AM, Mark Thomas wrote:

On 14/08/2014 15:10, George Sexton wrote:

Can you help me understand why tomcat doesn't take the approach of
Apache httpd which is to ask the user for the decryption key at startup
time?

Because it is largely a waste of time. Anyone with root on the box can
do a heap dump and retrieve the actual key or the password used to
protect the key. Much simpler just to not bother with a password and
configure the key file so only root and the Tomcat user can read it.
Same ends, simpler means.


The issue with root makes sense. Thanks for explaining it to me.

The case I see it being an improvement is where there's a defect in the 
web server that makes the file available to the uid the tomcat process 
runs under.


Using tomcat as an example, say there were some directory traversal bug 
that would make the file available. Using httpd as an example, say there 
were some stack overflow bug in PHP that could be exploited.




Mark




--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Re: JKS keystore password Encryption

2014-08-14 Thread David kerber

On 8/14/2014 10:33 AM, Mark Thomas wrote:

On 14/08/2014 15:10, George Sexton wrote:


On 8/4/2014 8:17 AM, André Warnier wrote:

Sanaullah wrote:

Hi,

is there a way I can replace the plain JKS keystore password with an encrypted
password in tomcat server.xml?



This kind of question comes regularly on this list, I would say 2 or 3
times each year.
Searching the list archives (mentioned in the superb on-line Tomcat
documentation) would provide a number of discussions on the topic.

The basic answer is no, because then Tomcat would need to be able to
decrypt it; and to do that, it would need to know a decryption key;
and to know that, this decryption key would need to be stored
somewhere; loop to the beginning of this paragraph.


Can you help me understand why tomcat doesn't take the approach of
Apache httpd which is to ask the user for the decryption key at startup
time?


Because it is largely a waste of time. Anyone with root on the box can
do a heap dump and retrieve the actual key or the password used to


Can this be done remotely?  Or does it require local access?



protect the key. Much simpler just to not bother with a password and
configure the key file so only root and the Tomcat user can read it.
Same ends, simpler means.

Mark






Re: JKS keystore password Encryption

2014-08-14 Thread Mark Thomas
On 14/08/2014 15:10, George Sexton wrote:
> 
> On 8/4/2014 8:17 AM, André Warnier wrote:
>> Sanaullah wrote:
>>> Hi,
>>>
>>> is there a way I can replace the plain JKS keystore password with an encrypted
>>> password in tomcat server.xml?
>>>
>>
>> This kind of question comes regularly on this list, I would say 2 or 3
>> times each year.
>> Searching the list archives (mentioned in the superb on-line Tomcat
>> documentation) would provide a number of discussions on the topic.
>>
>> The basic answer is no, because then Tomcat would need to be able to
>> decrypt it; and to do that, it would need to know a decryption key;
>> and to know that, this decryption key would need to be stored
>> somewhere; loop to the beginning of this paragraph.
> 
> Can you help me understand why tomcat doesn't take the approach of
> Apache httpd which is to ask the user for the decryption key at startup
> time?

Because it is largely a waste of time. Anyone with root on the box can
do a heap dump and retrieve the actual key or the password used to
protect the key. Much simpler just to not bother with a password and
configure the key file so only root and the Tomcat user can read it.
Same ends, simpler means.

Mark




Re: JKS keystore password Encryption

2014-08-14 Thread George Sexton


On 8/4/2014 8:17 AM, André Warnier wrote:

Sanaullah wrote:

Hi,

is there a way I can replace the plain JKS keystore password with an encrypted
password in tomcat server.xml?



This kind of question comes regularly on this list, I would say 2 or 3 
times each year.
Searching the list archives (mentioned in the superb on-line Tomcat 
documentation) would provide a number of discussions on the topic.


The basic answer is no, because then Tomcat would need to be able to 
decrypt it; and to do that, it would need to know a decryption key; 
and to know that, this decryption key would need to be stored 
somewhere; loop to the beginning of this paragraph.


Can you help me understand why tomcat doesn't take the approach of 
Apache httpd which is to ask the user for the decryption key at startup 
time?




--
George Sexton
*MH Software, Inc.*
Voice: 303 438 9585
http://www.mhsoftware.com


Re: JKS keystore password Encryption

2014-08-05 Thread Sanaullah
Hi Chris,

I don't want to pass the audit. I am just curious why JBoss implemented
that, and what's the purpose of the SRP protocol implementation if it is just to pass
the audit?

[1]
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/6.2/html-single/Development_Guide/#sect-Secure_Remote_Password_Protocol


Regards,
Sanaullah


On Wed, Aug 6, 2014 at 5:34 AM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Sanaullah,
>
> On 8/4/14, 9:19 PM, Sanaullah wrote:
> > Thanks to all.
> >
> > I was looking something similar to this [1] which is implemented in
> > JBoss.
> >
> > [1]
> >
> https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html
>
> Congratulations: you'll pass a security audit that flags this as a
> problem.
>
> Fail: you have moved your password to another file, and not gained a
> single thing.
>
> You may now celebrate the incompetence of both your auditors and
> engineering staff for sidestepping an issue rather than soberly
> dealing with it head-on.
>
> This is why formal risk analyses are much better than crappy
> script-based security audits. First of all, they force you to be much
> more creative than a script you paid someone a huge sum of money to
> run that only tells you obvious things that a light reading of any
> OWASP documentation would already tell you, *and* it gives you the
> opportunity to say "this thing doesn't matter at all, and even if we
> *did* do something about it, it wouldn't make any damn bit of difference."
>
> It's time engineering teams started teaching management about security.
>
> - -chris
>
>


Re: JKS keystore password Encryption

2014-08-05 Thread Christopher Schultz

Sanaullah,

On 8/4/14, 9:19 PM, Sanaullah wrote:
> Thanks to all.
> 
> I was looking something similar to this [1] which is implemented in
> JBoss.
> 
> [1] 
> https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html

Congratulations: you'll pass a security audit that flags this as a
problem.

Fail: you have moved your password to another file, and not gained a
single thing.

You may now celebrate the incompetence of both your auditors and
engineering staff for sidestepping an issue rather than soberly
dealing with it head-on.

This is why formal risk analyses are much better than crappy
script-based security audits. First of all, they force you to be much
more creative than a script you paid someone a huge sum of money to
run that only tells you obvious things that a light reading of any
OWASP documentation would already tell you, *and* it gives you the
opportunity to say "this thing doesn't matter at all, and even if we
*did* do something about it, it wouldn't make any damn bit of difference."

It's time engineering teams started teaching management about security.

- -chris




Re: JKS keystore password Encryption

2014-08-05 Thread John Smith
>
> You may find Wiki also useful:
>
>   http://wiki.apache.org/tomcat/FAQ/Password
>
> -Ognjen


"Write your own datasource implementation which wraps your datasource and
obscure your brains out (XOR and ROT13 are great candidates for this
since their strength matches the protection you'll actually get)"

Haha. ROT13: Vg pna'g or penpxrq!

Hmm, interesting, ROT13 looks oddly like Klingon.


Re: JKS keystore password Encryption

2014-08-04 Thread Sanaullah
Thanks to all.

I was looking something similar to this [1] which is implemented in JBoss.

[1]
https://access.redhat.com/documentation/en-US/JBoss_Enterprise_Application_Platform/5/html/Security_Guide/Encrypting_The_Keystore_Password_In_Tomcat.html



On Tue, Aug 5, 2014 at 3:43 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sanaullah,
>
>
> On 4.8.2014 17:26, Sanaullah wrote:
>
>> I will also search the archive as well.
>>
>
> You may find Wiki also useful:
>
>   http://wiki.apache.org/tomcat/FAQ/Password
>
> -Ognjen
>
>


Re: JKS keystore password Encryption

2014-08-04 Thread Ognjen Blagojevic

Sanaullah,

On 4.8.2014 17:26, Sanaullah wrote:

I will also search the archive as well.


You may find Wiki also useful:

  http://wiki.apache.org/tomcat/FAQ/Password

-Ognjen




Re: JKS keystore password Encryption

2014-08-04 Thread Christopher Schultz

Sanaullah,

On 8/4/14, 9:43 AM, Sanaullah wrote:
> is there a way I can replace the plain JKS keystore password with an
> encrypted password in tomcat server.xml?

http://wiki.apache.org/tomcat/FAQ/Password

- -chris




Re: JKS keystore password Encryption

2014-08-04 Thread Sanaullah
Thanks Andre and Ulises.

I will also search the archive as well.

Regards,
Sanaullah


On Mon, Aug 4, 2014 at 8:07 PM, Ulises González Horta wrote:

> On Mon 04 Aug 2014 09:17:47 André Warnier wrote:
> > And if someone non-authorized has access to Tomcat's server.xml, then you
> > have bigger problems than a non-encrypted password.
>
> Maybe the best solution could be to put the right permissions on server.xml and
> not give the root password to other users
>
> 
> Regards, Ulinx
> "In a problem with n equations
> there will always be at least n+1 unknowns"
> Linux user 366775
>


Re: JKS keystore password Encryption

2014-08-04 Thread Ulises González Horta
On Mon 04 Aug 2014 09:17:47 André Warnier wrote:
> And if someone non-authorized has access to Tomcat's server.xml, then you
> have bigger problems than a non-encrypted password.

Maybe the best solution could be to put the right permissions on server.xml and
not give the root password to other users

 
Regards, Ulinx
"In a problem with n equations
there will always be at least n+1 unknowns"
Linux user 366775
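Mark's advice earlier in the thread (make the key file readable only by root and the Tomcat user) and Ulises' suggestion here (set the right permissions on server.xml) come down to the same check, which is easy to script. The following is an added example, not code from the thread or from Tomcat; it assumes GNU stat on Linux and a service user whose primary group carries the same name (e.g. tomcat:tomcat).

```shell
#!/bin/sh
# Added example: verify that a file holding a keystore secret (server.xml
# with the password, or the keystore itself) can be read only by root and
# the Tomcat service user. Assumes GNU coreutils stat (Linux).

# check_secret_perms FILE USER
#   Returns 0 if FILE is readable only by root and USER, 1 otherwise,
#   printing one line per problem found so it can run from cron or CI.
check_secret_perms() {
  file=$1
  user=$2
  rc=0
  if [ ! -f "$file" ]; then
    echo "$file: missing"
    return 1
  fi
  owner=$(stat -c '%U' "$file")
  group=$(stat -c '%G' "$file")
  mode=$(stat -c '%a' "$file")
  # Normalise to exactly three octal digits (pad, then drop setuid/setgid/sticky).
  while [ ${#mode} -lt 3 ]; do mode=0$mode; done
  mode=${mode#"${mode%???}"}
  other=${mode#??}
  group_bits=${mode%?}
  group_bits=${group_bits#?}
  # Any "other" bit means every local account can read the secret.
  if [ "$other" != "0" ]; then
    echo "$file: world-accessible (mode $mode)"
    rc=1
  fi
  # The owner must be root or the service user, nobody else.
  if [ "$owner" != "root" ] && [ "$owner" != "$user" ]; then
    echo "$file: owned by $owner, expected root or $user"
    rc=1
  fi
  # Group access is acceptable only for the service user's own group (or root),
  # which is the root:tomcat 0640 layout the thread recommends.
  if [ "$group_bits" != "0" ] && [ "$group" != "$user" ] && [ "$group" != "root" ]; then
    echo "$file: group $group has access (mode $mode)"
    rc=1
  fi
  return $rc
}

# Typical use on a Tomcat host (paths are assumptions; adjust to your layout):
#   check_secret_perms /etc/tomcat/server.xml tomcat
#   check_secret_perms /etc/tomcat/keystore.jks tomcat
```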




Re: JKS keystore password Encryption

2014-08-04 Thread André Warnier

Sanaullah wrote:

Hi,

is there a way I can replace the plain JKS keystore password with an encrypted
password in tomcat server.xml?



This kind of question comes regularly on this list, I would say 2 or 3 times 
each year.
Searching the list archives (mentioned in the superb on-line Tomcat documentation) would 
provide a number of discussions on the topic.


The basic answer is no, because then Tomcat would need to be able to decrypt it; and to do 
that, it would need to know a decryption key; and to know that, this decryption key would 
need to be stored somewhere; loop to the beginning of this paragraph.


And if someone non-authorized has access to Tomcat's server.xml, then you have bigger 
problems than a non-encrypted password.







JKS keystore password Encryption

2014-08-04 Thread Sanaullah
Hi,

is there a way I can replace the plain JKS keystore password with an encrypted
password in tomcat server.xml?

Regards,
Sanaullah