RE: Need to Specify keystorePass on Command Line - Update

2013-02-12 Thread Harris, Jeffrey E.


>
> If you had read the Procrun documentation that Mark was kind enough to
> point you to above, you might have figured out that you need to modify
> your "--JvmOptions=..." syntax.  You need to change it to
> "++JvmOptions=..." otherwise, you are overwriting all the other options
> that are stored in the registry that the Tomcat service needs to
> start up.  That includes things like the locations of catalina.base and
> catalina.home, and you're never gonna get the service to start without
> those.
>
> And one other thing, in some security circles, configuring Windows to
> allow the running of remote sc commands is a pretty big no-no. If not
> done properly, anyone can stop your services from anywhere.
>
> Jeff

I did try ++JvmOptions, and it did not work either.

This e-mail and any attachments are intended only for the use of the 
addressee(s) named herein and may contain proprietary information. If you are 
not the intended recipient of this e-mail or believe that you received this 
email in error, please take immediate action to notify the sender of the 
apparent error by reply e-mail; permanently delete the e-mail and any 
attachments from your computer; and do not disseminate, distribute, use, or 
copy this message and any attachments.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Need to Specify keystorePass on Command Line - Update

2013-02-12 Thread Jeffrey Janner
> -Original Message-
> From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com]
> Sent: Tuesday, February 12, 2013 5:35 PM
> To: Tomcat Users List
> Subject: RE: Need to Specify keystorePass on Command Line - Update
> 
> 
> 
> > -Original Message-
> > From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> > Sent: Tuesday, February 12, 2013 6:00 PM
> > To: Tomcat Users List
> > Subject: Re: Need to Specify keystorePass on Command Line - Update
> >
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Mark,
> >
> > On 2/12/13 4:27 AM, Mark Thomas wrote:
> > > On 12/02/2013 00:53, Harris, Jeffrey E. wrote:
> > >> Current status:
> > >>
> > >> I replaced keystorePass= with
> > >> 'keystorePass="${kspassword}"' in server.xml, and executed the
> > >> command "tomcat7 //TS//Tomcat7 --JvmOptions=-
> Dkspassword="
> > >> and have been able to start the SSL listener as a console
> > >> application.
> > >>
> > >> However, I have not been able to do the same thing with the
> > >> service, using "sc start Tomcat7
> > >> "--JvmOptions=-Dkspassword=", or putting the parameter
> > >> into the properties of the service entry in Windows Services
> Manager.
> > >>
> > >> I know Charles Caldarale said it could not be done with a service,
> > >> but it is possible to pass parameters to a service, both using the
> > >> Windows Services Manager, and via the sc command line utility.  I
> > >> am just not sure what syntax Tomcat is expecting for parameters; I
> > would
> > >> think it would match the syntax of the tomcat command above, since
> > >> that is basically what is being called, just with different
> > >> parameters.
> > >
> > > http://commons.apache.org/daemon/procrun.html
> >
> > Since OP is using "sc", there may be a problem there that you can't
> > specify command-line parameters to a service.
> >
> > Obviously, adding the parameter to Windows Services Manager defeats
> > the whole "must be on the command line, can't be in the registry"
> > requirement.
> >
> 
> Christopher,
> 
> The sc start command does allow command line parameters, but I think
> the syntax of how the parameters are passed to the service executable
> is not compatible with what Tomcat is expecting.  On my test server, I
> even used the SC command to create a service to start Tomcat by
> directly executing java and the boot class file, and I could start SSL,
> but only by embedding the password within a JvmOptions parameter before
> the java command, not after it (which the java executable syntax
> requires.
> 
> The reason I am focusing on sc is that I CAN store the private key on a
> different system, and set up a scheduled task on that system to check
> the status of the Tomcat service on the target system, and restart the
> service remotely (such as after a reboot).  The sc command has a server
> parameter so it can work remotely between servers (with the appropriate
> permissions, of course).
> 
> I am also looking at Andre's idea of using Apache as a proxy for Tomcat
> (I presume using AJP13), and avoiding the need for SSL on Tomcat.  I
> talked to my developer about it, and he thinks that the Webapp can
> still communicate with the remote service if the Apache server does the
> PKI authentication with the remote system, and handles the SSL.
> 
> Finally, I asked my developer to look at your idea of a property
> source.
> 
> Jeffrey Harris
> 

If you had read the Procrun documentation that Mark was kind enough to point 
you to above, you might have figured out that you need to modify your 
"--JvmOptions=..." syntax.  You need to change it to "++JvmOptions=..." 
otherwise, you are overwriting all the other options that are stored in 
the registry that the Tomcat service needs to start up.  That includes things 
like the locations of catalina.base and catalina.home, and you're never gonna 
get the service to start without those.

And one other thing, in some security circles, configuring Windows to allow the 
running of remote sc commands is a pretty big no-no. If not done properly, 
anyone can stop your services from anywhere.

Jeff


RE: Need to Specify keystorePass on Command Line - Update

2013-02-12 Thread Harris, Jeffrey E.


> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Tuesday, February 12, 2013 6:00 PM
> To: Tomcat Users List
> Subject: Re: Need to Specify keystorePass on Command Line - Update
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Mark,
>
> On 2/12/13 4:27 AM, Mark Thomas wrote:
> > On 12/02/2013 00:53, Harris, Jeffrey E. wrote:
> >> Current status:
> >>
> >> I replaced keystorePass= with
> >> 'keystorePass="${kspassword}"' in server.xml, and executed the
> >> command "tomcat7 //TS//Tomcat7 --JvmOptions=-Dkspassword="
> >> and have been able to start the SSL listener as a console
> >> application.
> >>
> >> However, I have not been able to do the same thing with the service,
> >> using "sc start Tomcat7 "--JvmOptions=-Dkspassword=", or
> >> putting the parameter into the properties of the service entry in
> >> Windows Services Manager.
> >>
> >> I know Charles Caldarale said it could not be done with a service,
> >> but it is possible to pass parameters to a service, both using the
> >> Windows Services Manager, and via the sc command line utility.  I am
> >> just not sure what syntax Tomcat is expecting for parameters; I
> would
> >> think it would match the syntax of the tomcat command above, since
> >> that is basically what is being called, just with different
> >> parameters.
> >
> > http://commons.apache.org/daemon/procrun.html
>
> Since OP is using "sc", there may be a problem there that you can't
> specify command-line parameters to a service.
>
> Obviously, adding the parameter to Windows Services Manager defeats the
> whole "must be on the command line, can't be in the registry"
> requirement.
>

Christopher,

The sc start command does allow command line parameters, but I think the syntax 
of how the parameters are passed to the service executable is not compatible 
with what Tomcat is expecting.  On my test server, I even used the SC command 
to create a service to start Tomcat by directly executing java and the boot 
class file, and I could start SSL, but only by embedding the password within a 
JvmOptions parameter before the java command, not after it (which the java 
executable syntax requires).

The reason I am focusing on sc is that I CAN store the private key on a 
different system, and set up a scheduled task on that system to check the 
status of the Tomcat service on the target system, and restart the service 
remotely (such as after a reboot).  The sc command has a server parameter so it 
can work remotely between servers (with the appropriate permissions, of course).

I am also looking at Andre's idea of using Apache as a proxy for Tomcat (I 
presume using AJP13), and avoiding the need for SSL on Tomcat.  I talked to my 
developer about it, and he thinks that the Webapp can still communicate with 
the remote service if the Apache server does the PKI authentication with the 
remote system, and handles the SSL.

Finally, I asked my developer to look at your idea of a property source.

Jeffrey Harris




Re: Need to Specify keystorePass on Command Line - Update

2013-02-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Mark,

On 2/12/13 4:27 AM, Mark Thomas wrote:
> On 12/02/2013 00:53, Harris, Jeffrey E. wrote:
>> Current status:
>> 
>> I replaced keystorePass= with 
>> 'keystorePass="${kspassword}"' in server.xml, and executed the 
>> command "tomcat7 //TS//Tomcat7
>> --JvmOptions=-Dkspassword=" and have been able to start
>> the SSL listener as a console application.
>> 
>> However, I have not been able to do the same thing with the
>> service, using "sc start Tomcat7
>> "--JvmOptions=-Dkspassword=", or putting the parameter
>> into the properties of the service entry in Windows Services
>> Manager.
>> 
>> I know Charles Caldarale said it could not be done with a
>> service, but it is possible to pass parameters to a service, both
>> using the Windows Services Manager, and via the sc command line
>> utility.  I am just not sure what syntax Tomcat is expecting for
>> parameters; I would think it would match the syntax of the tomcat
>> command above, since that is basically what is being called, just
>> with different parameters.
> 
> http://commons.apache.org/daemon/procrun.html

Since OP is using "sc", there may be a problem there that you can't
specify command-line parameters to a service.

Obviously, adding the parameter to Windows Services Manager defeats
the whole "must be on the command line, can't be in the registry"
requirement.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEayWEACgkQ9CaO5/Lv0PAgAgCfWQdahPsvAhLEbphOD6um/36v
KOAAnjcY70hqZ2hA9vqo0fO1N59RjnHX
=439/
-END PGP SIGNATURE-




Re: Need to Specify keystorePass on Command Line

2013-02-12 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeffrey,

On 2/12/13 9:40 AM, Harris, Jeffrey E. wrote:
> Tomcat will host a web-app that will connect as a proxy to another 
> organization's system to retrieve data that we will use in our 
> applications.  It is the other organization that is mandating the
> "no password" requirement, and there is no other option than to use
> their data.  Our customer requires that the Tomcat server be up
> 24/7 (with minor outages), hence the need to design a solution that
> satisfies the requirements of both our customer, and the other
> organization. Obviously, if we cannot create a way to automate the
> process, we may have to do something akin to what you do above.
> 
> However, when I run Tomcat from the console, I am never prompted
> for the password.  Instead, Tomcat just fails to start the listener
> on the specified SSL port.

What you describe is simply not possible: the password must be
available in order to unlock the keystore. If you need unattended
restarts, you'll need to have the password stored somewhere.

If you had read the FAQ entry Chuck posted, you would know that you
can specify passwords in an "obfuscated" format -- that is, the actual
password does not appear in clear-text in server.xml.

If you need to specify it on the command-line, then someone needs to
be there to type-in the command. If you want it on the command-line,
but you are going to put the command-line into the registry (as part
of the service-start definition), then you have violated your own
requirements (mentioned earlier that you can't store anything in the
registry).

If the command-line strategy will really work for you (and I really
think it won't, unless you are doing remote-scripted-restarts of your
services, which I didn't actually know you could do on Windows), then
reading the FAQ will present an answer to you (hint: it's the last
option that talks about using a PropertySource). If you still can't
figure it out, then please hire a consultant to do it for you.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEax9cACgkQ9CaO5/Lv0PBwMgCfQXgupsz7Fmy/9WK4eTZB+9bM
O2AAn3/2R1xj7wWbdUheBFu9x3qgdcS9
=01vv
-END PGP SIGNATURE-

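The "property source" option Chris refers to, worked through as an added example (this is not code from the thread and not Tomcat's own sources). Tomcat's Digester loads the class named by the system property org.apache.tomcat.util.digester.PROPERTY_SOURCE and asks it to resolve every ${...} placeholder it meets in server.xml, so keystorePass="${kspassword}" (Jeffrey's server.xml change) can be answered from a -Dkspassword=... JVM option or an environment variable instead of a literal in the file. The package name com.example.tomcat, the class name, and the environment-variable naming rule are assumptions; the interface and the PROPERTY_SOURCE property are real Tomcat API.

```java
// Added example, not code from the thread or from Tomcat itself: a custom
// Tomcat PropertySource that resolves ${kspassword} (or any other ${key})
// from a JVM system property first and an environment variable second.
// Package and class names are made up for this example.
package com.example.tomcat;

import java.util.Locale;

import org.apache.tomcat.util.IntrospectionUtils;

public class CommandLinePropertySource
        implements IntrospectionUtils.PropertySource {

    /**
     * Called by Tomcat's Digester for each ${key} found in server.xml.
     * Returning null means "not resolved here", so Tomcat can fall back to
     * its own system-property lookup for placeholders we do not know.
     */
    @Override
    public String getProperty(String key) {
        return resolve(key, System.getProperty(key), System.getenv(toEnvName(key)));
    }

    /**
     * Resolution policy, separated from the JVM/environment lookups so it can
     * be exercised with constructed values (see main below).
     * Order: -Dkey=value on the command line, then the environment variable.
     */
    static String resolve(String key, String sysProp, String envVar) {
        if (key == null || key.isEmpty()) {
            return null;
        }
        if (sysProp != null && !sysProp.isEmpty()) {
            return sysProp;
        }
        if (envVar != null && !envVar.isEmpty()) {
            return envVar;
        }
        // Report only the missing key, never a value: nothing secret should
        // ever reach catalina.out or the Windows event log from here.
        System.err.println("CommandLinePropertySource: no value for ${" + key + "}");
        return null;
    }

    /** Assumed naming rule: kspassword -> KSPASSWORD, catalina.base -> CATALINA_BASE. */
    static String toEnvName(String key) {
        return key.toUpperCase(Locale.ROOT).replace('.', '_');
    }

    private static void check(boolean ok, String what) {
        if (!ok) {
            throw new IllegalStateException("self-check failed: " + what);
        }
    }

    /** Self-check with constructed values (no real secrets); needs tomcat-util.jar on the classpath. */
    public static void main(String[] args) {
        check("from-prop".equals(resolve("kspassword", "from-prop", "from-env")),
                "system property wins over environment");
        check("from-env".equals(resolve("kspassword", null, "from-env")),
                "environment used when no system property");
        check(resolve("kspassword", "", null) == null,
                "empty values are treated as unset");
        check("KSPASSWORD".equals(toEnvName("kspassword")), "env name mapping");
        check("CATALINA_BASE".equals(toEnvName("catalina.base")), "dots become underscores");
        System.out.println("CommandLinePropertySource: self-check passed");
    }
}
```

To wire it in: compile against Tomcat's lib/tomcat-util.jar, drop the resulting jar into lib/, and register the class with -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=com.example.tomcat.CommandLinePropertySource. For the Windows service that option must be appended to the existing JVM options (procrun's ++JvmOptions), since --JvmOptions replaces the whole list, which is the point Jeff Janner makes further up the thread. Note what this does and does not buy: the password no longer sits in server.xml, but whatever supplies it, whether a -D option written into the service's registry entry or a service environment variable, is still readable by anyone who can read that configuration or the process's command line, which is exactly the conflict with the "not in the registry" rule that Chris describes above.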



Re: Need to Specify keystorePass on Command Line

2013-02-12 Thread André Warnier

Harris, Jeffrey E. wrote:



-Original Message-
From: André Warnier [mailto:a...@ice-sa.com]
Sent: Tuesday, February 12, 2013 3:47 AM
To: Tomcat Users List
Subject: Re: Need to Specify keystorePass on Command Line

Harris, Jeffrey E. wrote:

All,

I understand that there is no good, secure solution.  However, my
hands are tied on this matter, and I would appreciate if you would
focus on providing technical assistance in implementing a solution
within the constraints I have been given.

Jeffrey,

We all understand that you have been given rules, and are supposed to
follow them.
But if these rules themselves make no logical sense, nothing in this
Universe is going to help you overcome that.

What is the concern really, about the password remaining somewhere on
that server when the system is shut down ?
Is it that the server, in its shut down state, could be surreptitiously
broken apart, its disk stolen and then inspected by foreign spooks to
discover that password, which could then be used to further nefarious
ends, or what /exactly/ ?

What is wrong with the following scenario :
- a physical Windows server with a console and a keyboard
- boot Windows and login as a "tomcat" user (created beforehand)
- open a command window
- start Tomcat as an application (not a Service) in that command window
- tomcat will ask for the passphrase of the keystore. Type it in. (*)
- when Tomcat is running, enter CTRL-ALT-DEL and freeze the console (do
not logout from
Windows)
- walk away


(*) having made sure beforehand that there is no trojan on that machine
which records your
keystrokes and writes them to the disk



Andre,

Tomcat will host a web-app that will connect as a proxy to another organization's system 
to retrieve data that we will use in our applications.  It is the other organization that 
is mandating the "no password" requirement, and there is no other option than 
to use their data.  Our customer requires that the Tomcat server be up 24/7 (with minor 
outages), hence the need to design a solution that satisfies the requirements of both our 
customer, and the other organization.  Obviously, if we cannot create a way to automate 
the process, we may have to do something akin to what you do above.

However, when I run Tomcat from the console, I am never prompted for the 
password.  Instead, Tomcat just fails to start the listener on the specified 
SSL port.


Ah, ok. I must confess that I never tried this with Tomcat.
Apache httpd prompts, in similar circumstances.

I suppose that this prompt/not prompt is really a feature of the underlying SSL stack, not 
of Tomcat itself.  So depending on whether you use the Java SSL stack or the OpenSSL 
stack, the behaviour may be different.


That, or else I can imagine another way : instead of connecting to the other system 
directly from your Tomcat webapp, you could set up your own intermediate Apache httpd 
proxy between Tomcat and that other system. The communication between your webapp and this 
httpd proxy could be in clear (if the Apache httpd is on the same host). Then it would be 
that Apache httpd which would run the SSL conversation with the other system, and /it/ 
would prompt.

A bit more complicated, but if that makes it work to everyone's satisfaction..





RE: Need to Specify keystorePass on Command Line

2013-02-12 Thread Harris, Jeffrey E.


> -Original Message-
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Tuesday, February 12, 2013 3:47 AM
> To: Tomcat Users List
> Subject: Re: Need to Specify keystorePass on Command Line
>
> Harris, Jeffrey E. wrote:
> >
> > All,
> >
> > I understand that there is no good, secure solution.  However, my
> hands are tied on this matter, and I would appreciate if you would
> focus on providing technical assistance in implementing a solution
> within the constraints I have been given.
> >
> Jeffrey,
>
> We all understand that you have been given rules, and are supposed to
> follow them.
> But if these rules themselves make no logical sense, nothing in this
> Universe is going to help you overcome that.
>
> What is the concern really, about the password remaining somewhere on
> that server when the system is shut down ?
> Is it that the server, in its shut down state, could be surreptitiously
> broken apart, its disk stolen and then inspected by foreign spooks to
> discover that password, which could then be used to further nefarious
> ends, or what /exactly/ ?
>
> What is wrong with the following scenario :
> - a physical Windows server with a console and a keyboard
> - boot Windows and login as a "tomcat" user (created beforehand)
> - open a command window
> - start Tomcat as an application (not a Service) in that command window
> - tomcat will ask for the passphrase of the keystore. Type it in. (*)
> - when Tomcat is running, enter CTRL-ALT-DEL and freeze the console (do
> not logout from
> Windows)
> - walk away
>
>
> (*) having made sure beforehand that there is no trojan on that machine
> which records your
> keystrokes and writes them to the disk
>

Andre,

Tomcat will host a web-app that will connect as a proxy to another 
organization's system to retrieve data that we will use in our applications.  
It is the other organization that is mandating the "no password" requirement, 
and there is no other option than to use their data.  Our customer requires 
that the Tomcat server be up 24/7 (with minor outages), hence the need to 
design a solution that satisfies the requirements of both our customer, and the 
other organization.  Obviously, if we cannot create a way to automate the 
process, we may have to do something akin to what you do above.

However, when I run Tomcat from the console, I am never prompted for the 
password.  Instead, Tomcat just fails to start the listener on the specified 
SSL port.




Re: Need to Specify keystorePass on Command Line - Update

2013-02-12 Thread Mark Thomas
On 12/02/2013 00:53, Harris, Jeffrey E. wrote:
> Current status:
> 
> I replaced keystorePass= with
> 'keystorePass="${kspassword}"' in server.xml, and executed the
> command "tomcat7 //TS//Tomcat7 --JvmOptions=-Dkspassword="
> and have been able to start the SSL listener as a console
> application.
> 
> However, I have not been able to do the same thing with the service,
> using "sc start Tomcat7 "--JvmOptions=-Dkspassword=", or
> putting the parameter into the properties of the service entry in
> Windows Services Manager.
> 
> I know Charles Caldarale said it could not be done with a service,
> but it is possible to pass parameters to a service, both using the
> Windows Services Manager, and via the sc command line utility.  I am
> just not sure what syntax Tomcat is expecting for parameters; I would
> think it would match the syntax of the tomcat command above, since
> that is basically what is being called, just with different
> parameters.

http://commons.apache.org/daemon/procrun.html

Mark




Re: Need to Specify keystorePass on Command Line

2013-02-12 Thread André Warnier

Harris, Jeffrey E. wrote:


All,

I understand that there is no good, secure solution.  However, my hands are 
tied on this matter, and I would appreciate if you would focus on providing 
technical assistance in implementing a solution within the constraints I have 
been given.


Jeffrey,

We all understand that you have been given rules, and are supposed to follow 
them.
But if these rules themselves make no logical sense, nothing in this Universe is going to 
help you overcome that.


What is the concern really, about the password remaining somewhere on that server when the 
system is shut down ?
Is it that the server, in its shut down state, could be surreptitiously broken apart, its 
disk stolen and then inspected by foreign spooks to discover that password, which could 
then be used to further nefarious ends, or what /exactly/ ?


What is wrong with the following scenario :
- a physical Windows server with a console and a keyboard
- boot Windows and login as a "tomcat" user (created beforehand)
- open a command window
- start Tomcat as an application (not a Service) in that command window
- tomcat will ask for the passphrase of the keystore. Type it in. (*)
- when Tomcat is running, enter CTRL-ALT-DEL and freeze the console (do not logout from 
Windows)
- walk away


(*) having made sure beforehand that there is no trojan on that machine which records your 
keystrokes and writes them to the disk





RE: Need to Specify keystorePass on Command Line - Update

2013-02-11 Thread Harris, Jeffrey E.
Current status:

I replaced keystorePass= with 'keystorePass="${kspassword}"' in 
server.xml, and executed the command "tomcat7 //TS//Tomcat7 
--JvmOptions=-Dkspassword=" and have been able to start the SSL 
listener as a console application.

However, I have not been able to do the same thing with the service, using "sc 
start Tomcat7 "--JvmOptions=-Dkspassword=", or putting the parameter 
into the properties of the service entry in Windows Services Manager.

I know Charles Caldarale said it could not be done with a service, but it is 
possible to pass parameters to a service, both using the Windows Services 
Manager, and via the sc command line utility.  I am just not sure what syntax 
Tomcat is expecting for parameters; I would think it would match the syntax of 
the tomcat command above, since that is basically what is being called, just 
with different parameters.

Thank you,

Jeffrey Harris




RE: Need to Specify keystorePass on Command Line

2013-02-11 Thread Harris, Jeffrey E.


> -Original Message-
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Saturday, February 09, 2013 8:29 AM
> To: Tomcat Users List
> Subject: Re: Need to Specify keystorePass on Command Line
>
> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Jeffrey,
>
> On 2/8/13 5:03 PM, Harris, Jeffrey E. wrote:
> > For our implementation, it does not matter whether another process
> can
> > read the startup parameters - as long as the password is not stored
> in
> > a file and disappears when the Tomcat's host server is shutdown.
>
> What about virtual memory? The OS can page anything any time it wants?
> Are you using whole-disk encryption? If you don't you are surely
> wasting your time.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
>
> iEYEAREIAAYFAlEWTwEACgkQ9CaO5/Lv0PDYXgCfd/vOLTfTWdMw9aIpACJPZe4U
> nlQAnR8BKHvTYtXWcjqx3F3ZYHAjXLOr
> =K3YE
> -END PGP SIGNATURE-
>

All,

I understand that there is no good, secure solution.  However, my hands are 
tied on this matter, and I would appreciate if you would focus on providing 
technical assistance in implementing a solution within the constraints I have 
been given.

I will post my current status shortly.

Thank you,

Jeffrey Harris



Re: Need to Specify keystorePass on Command Line

2013-02-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Jeffrey,

On 2/8/13 5:03 PM, Harris, Jeffrey E. wrote:
> For our implementation, it does not matter whether another process 
> can read the startup parameters - as long as the password is not 
> stored in a file and disappears when the Tomcat's host server is 
> shutdown.

What about virtual memory? The OS can page anything any time it wants?
Are you using whole-disk encryption? If you don't you are surely
wasting your time.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEWTwEACgkQ9CaO5/Lv0PDYXgCfd/vOLTfTWdMw9aIpACJPZe4U
nlQAnR8BKHvTYtXWcjqx3F3ZYHAjXLOr
=K3YE
-END PGP SIGNATURE-




RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Harris, Jeffrey E.


> -Original Message-
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Sent: Friday, February 08, 2013 7:56 PM
> To: Tomcat Users List
> Subject: RE: Need to Specify keystorePass on Command Line
>
> > From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com]
> > Subject: RE: Need to Specify keystorePass on Command Line
>
> > > I have a suggestion then : the password should be typed and stored
> > > in a file mapped into RAM.  As long as the system is on, Tomcat can
> > > read it, and you can stop and start Tomcat at will. If the system
> is
> > > shut down, the file disappears.
>
> > Is there a way to do that without installing a device such as Dataram
> > RAMDisk?
>
> Dataram is a driver, not a hardware device.  Since Windows no longer
> includes ramdrive.sys, you would need some 3rd-party driver to enable
> the capability; there are numerous free ones available.
>
> This is sounding a lot like arbitrary rules invented to give the
> impression of security, not ones based on reality.
>
>  - Chuck
>
>

Yes, it is actually a driver, not a physical device, but it appears as a device 
to the system.

I agree that the rules may not make sense, but they are the rules that I have 
to abide by.






RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Caldarale, Charles R
> From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com] 
> Subject: RE: Need to Specify keystorePass on Command Line

> > I have a suggestion then : the password should be typed and stored in a
> > file mapped into RAM.  As long as the system is on, Tomcat can read it,
> > and you can stop and start Tomcat at will. If the system is shut down,
> > the file disappears.

> Is there a way to do that without installing a device such as Dataram 
> RAMDisk?

Dataram is a driver, not a hardware device.  Since Windows no longer includes 
ramdrive.sys, you would need some 3rd-party driver to enable the capability; 
there are numerous free ones available.

This is sounding a lot like arbitrary rules invented to give the impression of 
security, not ones based on reality.

 - Chuck 


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Harris, Jeffrey E.


> -Original Message-
> From: André Warnier [mailto:a...@ice-sa.com]
> Sent: Friday, February 08, 2013 5:43 PM
> To: Tomcat Users List
> Subject: Re: Need to Specify keystorePass on Command Line
>
> Harris, Jeffrey E. wrote:
> >
> >
> > For our implementation, it does not matter whether another process
> can read the startup parameters - as long as the password is not stored
> in a file and disappears when the Tomcat's host server is shutdown.
> >
> I have a suggestion then : the password should be typed and stored in a
> file mapped into RAM.  As long as the system is on, Tomcat can read it,
> and you can stop and start Tomcat at will. If the system is shut down,
> the file disappears.
>
> Ze little grey cells..
>

Is there a way to do that without installing a device such as Dataram RAMDisk?  
If not, while it is a good thought, we will not be allowed to do it.




Re: Need to Specify keystorePass on Command Line

2013-02-08 Thread André Warnier

Harris, Jeffrey E. wrote:



For our implementation, it does not matter whether another process can read the 
startup parameters - as long as the password is not stored in a file and 
disappears when the Tomcat's host server is shutdown.

I have a suggestion then : the password should be typed and stored in a file mapped into 
RAM.  As long as the system is on, Tomcat can read it, and you can stop and start Tomcat 
at will. If the system is shut down, the file disappears.


Ze little grey cells..




RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Harris, Jeffrey E.


> -Original Message-
> From: Pid [mailto:p...@pidster.com]
> Sent: Friday, February 08, 2013 4:48 PM
> To: Tomcat Users List
> Subject: Re: Need to Specify keystorePass on Command Line
>
> On 08/02/2013 16:11, Caldarale, Charles R wrote:
> >> From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com]
> >> Subject: RE: Need to Specify keystorePass on Command Line
> >
> >> First, I cannot store the password ANYWHERE on the system, which is
> >> why it needs to be entered on the command line.
> >
> > Then you can't run Tomcat as a service - there is no command line.
> It's my understanding that all parameters for a service must be
> available in the registry or elsewhere in the file system prior to
> starting the service.
> >
> > Consider running Tomcat from the .bat scripts instead, in which case
> you can pass arbitrary parameters, but you will need to do this from a
> logged-in account.
>
> But bear in mind that setting the password as -Dblah=password may still
> expose the password to other processes able to read the startup
> parameters of that process.
>
> Which IMHO is less secure than putting the password in a file with
> permissions such that only the Tomcat user can read it...
>
>
> p
>
> >  - Chuck
> >
>
>
> --
>
> [key:62590808]

For our implementation, it does not matter whether another process can read the 
startup parameters - as long as the password is not stored in a file and 
disappears when the Tomcat's host server is shutdown.




Re: Need to Specify keystorePass on Command Line

2013-02-08 Thread Pid
On 08/02/2013 16:11, Caldarale, Charles R wrote:
>> From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com] 
>> Subject: RE: Need to Specify keystorePass on Command Line
> 
>> First, I cannot store the password ANYWHERE on the system, which is why 
>> it needs to be entered on the command line.
> 
> Then you can't run Tomcat as a service - there is no command line.  It's my 
> understanding that all parameters for a service must be available in the 
> registry or elsewhere in the file system prior to starting the service.
> 
> Consider running Tomcat from the .bat scripts instead, in which case you can 
> pass arbitrary parameters, but you will need to do this from a logged-in 
> account.

But bear in mind that setting the password as -Dblah=password may still
expose the password to other processes able to read the startup
parameters of that process.

Which IMHO is less secure than putting the password in a file with
permissions such that only the Tomcat user can read it...


p

>  - Chuck
> 


-- 

[key:62590808]



RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Caldarale, Charles R
> From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com] 
> Subject: RE: Need to Specify keystorePass on Command Line

> First, I cannot store the password ANYWHERE on the system, which is why 
> it needs to be entered on the command line.

Then you can't run Tomcat as a service - there is no command line.  It's my 
understanding that all parameters for a service must be available in the 
registry or elsewhere in the file system prior to starting the service.

Consider running Tomcat from the .bat scripts instead, in which case you can 
pass arbitrary parameters, but you will need to do this from a logged-in 
account.

 - Chuck




RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Harris, Jeffrey E.


> -Original Message-
> From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com]
> Sent: Friday, February 08, 2013 9:24 AM
> To: Tomcat Users List
> Subject: RE: Need to Specify keystorePass on Command Line
>
> > From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com]
> > Subject: Need to Specify keystorePass on Command Line
>
> > However, for security reasons, I must specify the keystore password
> on
> > the command line.
>
> Before making your own life unnecessarily complicated, read this:
>
> http://wiki.apache.org/tomcat/FAQ/Password
>
> There's no additional security to be gained by placing the password in
> the Windows registry over having it in server.xml.
>
>  - Chuck
>

Chuck,

First, I cannot store the password ANYWHERE on the system, which is why it 
needs to be entered on the command line.  The ultimate goal is to pass the 
password from a remote system using psexec to start the Tomcat service 
(preferably with the sc utility).  But if I cannot pass the password locally, I 
obviously will not be successful remotely.

From the FAQ, I modified the server.xml file to add the keystorePass as a 
variable:  keystorePass="${ks.password}", and then tried to use an environment 
variable to store the keystore password, either using the set command or the
--ENVIRONMENT directive.  I thought the set command worked once, but I was not 
able to reproduce the behavior.

So my original question remains - is there a way to specify the keystore 
password on the command line, and not in the registry or a configuration file 
on the server hosting Tomcat?

Jeffrey Harris




RE: Need to Specify keystorePass on Command Line

2013-02-08 Thread Caldarale, Charles R
> From: Harris, Jeffrey E. [mailto:jeffrey.har...@mantech.com] 
> Subject: Need to Specify keystorePass on Command Line

> However, for security reasons, I must specify the keystore password on 
> the command line.

Before making your own life unnecessarily complicated, read this:

http://wiki.apache.org/tomcat/FAQ/Password

There's no additional security to be gained by placing the password in the 
Windows registry over having it in server.xml.

 - Chuck

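The approach the FAQ above points at, and that Jeffrey describes trying in his reply (keystorePass="${ks.password}" in server.xml, with the value supplied as a system property), relies on Tomcat replacing ${name} in server.xml with the Java system property of that name. The following script is an added example, written for this thread; it is not code from the list, from Tomcat or from the FAQ. It mimics that substitution over a constructed server.xml fragment, classifies each SSL connector's keystorePass as a literal, a resolved property reference or an unresolved one, and checks that a properties file holding the value is readable only by its owner, which is the file-permission approach Pid recommends over passing the password as a -D option visible in the process's startup parameters. The property name ks.password comes from the thread; the properties file, its contents and the connector definitions are constructed, and the permission check is POSIX (on Windows the equivalent would be an ACL limited to the Tomcat service account).

```python
"""
Added example (not from the thread, Tomcat or the FAQ): check how a Tomcat
<Connector> sources its keystore password.

Tomcat substitutes ${name} in server.xml with the Java system property "name".
This script mimics that substitution over a constructed server.xml fragment,
reports whether each SSL connector's keystorePass is a literal, resolved from
a property, or unresolved, and checks that a properties file holding the value
is not group/world readable.
"""
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

PROP_RE = re.compile(r"\$\{([^}]+)\}")

# Constructed sample: a literal password and a ${...} reference side by side.
SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="${ks.password}"/>
  </Service>
</Server>"""


def substitute(value, props):
    """Replace ${name} with props[name]; an unknown name is left as written."""
    return PROP_RE.sub(lambda m: props.get(m.group(1), m.group(0)), value)


def classify_connectors(xml_text, props):
    """Return (port, kind, resolved) for each SSL connector.

    kind is 'literal' (password written into server.xml), 'property'
    (reference resolved from props) or 'unresolved' (reference with no value).
    """
    results = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        raw = conn.get("keystorePass", "")
        resolved = substitute(raw, props)
        if not PROP_RE.search(raw):
            kind = "literal"
        elif PROP_RE.search(resolved):
            kind = "unresolved"
        else:
            kind = "property"
        results.append((conn.get("port"), kind, resolved))
    return results


def load_properties(path):
    """Minimal Java .properties reader: key=value lines, '#' comments."""
    props = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            line = line.strip()
            if not line or line.startswith("#") or "=" not in line:
                continue
            key, value = line.split("=", 1)
            props[key.strip()] = value.strip()
    return props


def file_is_private(path):
    """True when no group/other permission bit is set (POSIX mode bits)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def demo():
    """Write a constructed properties file, lock it down, classify the sample."""
    with tempfile.NamedTemporaryFile("w", suffix=".properties", delete=False) as fh:
        fh.write("# constructed sample, not a real secret\nks.password=s3cret-demo\n")
        path = fh.name
    os.chmod(path, 0o600)
    try:
        private = file_is_private(path)
        findings = classify_connectors(SERVER_XML, load_properties(path))
    finally:
        os.unlink(path)
    return private, findings


if __name__ == "__main__":
    is_private, found = demo()
    print("properties file readable only by owner:", is_private)
    for port, kind, _resolved in found:      # never print the resolved value
        print(f"port {port}: keystorePass is {kind}")
```

Run against a real server.xml, the 'literal' finding is the one to act on; 'unresolved' means Tomcat would try the string ${ks.password} itself as the password, which is the symptom to expect when the property is set in the wrong place (for a service, that is the registry-stored JVM options rather than the shell that happens to run sc).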



Need to Specify keystorePass on Command Line

2013-02-08 Thread Harris, Jeffrey E.
I am running Tomcat 7.0.35 on Windows Server 2003 SP2, x32.  I have SSL 
configured, and if I add the keystorePass parameter to server.xml, SSL starts 
correctly.

However, for security reasons, I must specify the keystore password on the 
command line.  I have searched and the only possible way I have found to do 
this is via the -Djavax.net.ssl.keyStorePassword= directive.  However, as 
others before me have found, this does not seem to work.

My command line:

tomcat7 //TS//Tomcat7 --JvmOptions=-Djavax.net.ssl.keyStorePassword=

My SSL connector from server.xml:



Do I have the right syntax for the command line?  I have tried single and 
double quotes around the password, and it does not fix the issue.  I noted in 
the log file that the quotation marks are always removed when the tomcat 
executable (or Java) reads the directive.

Is there another way to do this from the command line?  Can I somehow pass the 
keystorePass parameter directly?

Thank you,

Jeffrey Harris
