Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread Christopher Schultz

xcorpius,

On 6/7/21 06:44, xcorpius wrote:
> Just one more thing.
>
> I understand my mistake with the difference between encryption and digest.
>
> > Fortunately, the Tomcat committers have a sufficiently sound
> > understanding of both basic logic and basic cryptography not to waste
> > their time on such an exercise.
>
> Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?
>
> https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477


context.xml:

...
  password="passwordfile=secret.txt;NRFCIWRNFUGUWRMWUOGRXGRHOWRZFGWHFEO" />

...

secret.txt
password=tiger

This is the level of security JBoss provides. If it's more complicated 
than that, it just degrades to this solution.


I cannot fathom why "configuration files must not contain plaintext 
credentials" somehow doesn't cover secret.txt. Maybe context.xml counts 
as a "configuration file" but secret.txt counts as a "password file". I 
dunno.


If you use the Tomcat Vault, you still have to have the vault password 
somewhere. That's why we say it's "moving the goalposts": it doesn't 
actually solve the problem: it just moves the problem elsewhere.


We have tried to make everything we've said in this thread abundantly 
clear in the FAQ. If you think something isn't very clear, please let us 
know how we can improve it.


-chris


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread xcorpius
Thanks Mark,

This answer clears all my doubts.




Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread Mark Thomas

On 07/06/2021 11:44, xcorpius wrote:
> Just one more thing.
>
> I understand my mistake with the difference between encryption and digest.
>
> > Fortunately, the Tomcat committers have a sufficiently sound
> > understanding of both basic logic and basic cryptography not to waste
> > their time on such an exercise.
>
> Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?


It can't.

All Weblogic is doing is moving the goalposts. The database password may
be encrypted, but that just means the decryption key needs to be provided in
plain text instead. No matter how many levels of indirection (or perhaps 
that should be misdirection) are applied, ultimately the application 
server process needs access to a secret in plain text.


However complex the window dressing, it will come down to the operating 
system limiting access to the plain text secret to one or more users. 
This is fundamentally no different to the Tomcat recommendation to use 
OS file permissions to limit access to the configuration file where the 
secret is stored to the user used by Tomcat and root (or equivalent).


If you want to allow more general read access to configuration files 
then there are simple ways to move the secrets to a separate, more 
tightly controlled file.


Mark
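
One way to check the file-permission recommendation above, as an added Python example (not part of Mark's message and not Tomcat code): it reports when a secret-bearing file such as context.xml is accessible to anyone other than its owner or is owned by an unexpected account. The function names, the sample file and its contents are constructed for illustration, and the parent-directory check goes slightly beyond what the message states.

```python
import os
import stat
import tempfile


def audit_secret_file(path, allowed_uids):
    """Return findings for a file that stores a plaintext secret.

    allowed_uids: uids permitted to own the file, i.e. the account Tomcat
    runs as and root (0).
    """
    findings = []
    st = os.stat(path)  # follows symlinks: the target's bits are what count
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    if st.st_uid not in allowed_uids:
        findings.append(
            f"{path}: owner uid {st.st_uid} not in {sorted(allowed_uids)}")
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:
        findings.append(
            f"{path}: mode {mode:04o} grants group/other access, want 0600 or 0400")
    # Beyond the thread: a directory writable by group/other lets another
    # account replace the file even if it cannot read it.
    parent = os.path.dirname(os.path.abspath(path))
    pmode = stat.S_IMODE(os.stat(parent).st_mode)
    if pmode & 0o022:
        findings.append(
            f"{parent}: directory mode {pmode:04o} is group/other-writable")
    return findings


def restrict_to_owner(path):
    """Remove every group/other permission bit, keeping the owner's bits."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    os.chmod(path, mode & 0o700)


def demo():
    """Audit a constructed context.xml before and after tightening it."""
    workdir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    path = os.path.join(workdir, "context.xml")
    with open(path, "w") as fh:
        # Constructed sample content, not taken from the thread.
        fh.write('<Resource name="jdbc/app" username="app" password="tiger" />\n')
    os.chmod(path, 0o644)  # a common default: readable by every local account
    allowed = {os.getuid(), 0}
    before = audit_secret_file(path, allowed)
    restrict_to_owner(path)
    after = audit_secret_file(path, allowed)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

The same check applies unchanged to a separate, more tightly controlled secrets file if the password is moved out of context.xml.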





Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread xcorpius
Just one more thing.

I understand my mistake with the difference between encryption and digest.


> Fortunately, the Tomcat committers have a sufficiently sound
> understanding of both basic logic and basic cryptography not to waste
> their time on such an exercise.

Ok, but the question is: Why can Weblogic encrypt the password and Tomcat can't?

https://docs.oracle.com/middleware/1213/wls/JDBCA/ds_security.htm#JDBCA477

Thanks,






Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread xcorpius
Thanks Mark for your clarifications.





Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread Mark Thomas

On 07/06/2021 09:56, xcorpius wrote:
> Hello again!
>
> Checking the documentation ... Tomcat can create an encrypted password with the
> "digest.sh" tool for application passwords.
>
> But you cannot create an encrypted password for the DB in the context.xml file.
> The only solution without adding anything is to give restrictive permissions to
> the context.xml file.
>
> Wouldn't it be the same problem?

No.

> Why can't I generate an encrypted password for the database with the "digest.sh" tool
> instead of having to use a customized "factory"?

Digesting != encrypting.

Digests are one-way functions. A digested password is no use to a client
that needs to authenticate itself to a server.

> I think people who develop Tomcat should consider this option.

Fortunately, the Tomcat committers have a sufficiently sound
understanding of both basic logic and basic cryptography not to waste
their time on such an exercise.

Mark







Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread xcorpius
Ok, thank you very much Olaf.





Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread Olaf Kock


On 07.06.21 10:56, xcorpius wrote:
> Hello again!
>
> Checking the documentation ... Tomcat can create an encrypted password with 
> the "digest.sh" tool for application passwords.
>
> But you cannot create an encrypted password for the DB in the context.xml 
> file. The only solution without adding anything is to give restrictive 
> permissions to the context.xml file.
>
> Wouldn't it be the same problem? Why can't I generate an encrypted password 
> for the database with the "digest.sh" tool instead of having to use a 
> customized "factory"?
>
> I think people who develop Tomcat should consider this option.
>
> Thank you very much to all.

Sorry, those are not the same: Digested passwords cannot be undigested,
but any digestion of the same password reveals the same digested result,
so that they can be compared. (read about the difference between hashing
and encryption)

For a database connection, you'll need to undigest (e.g. unencrypt) the
password and get it in clear text. And that's precisely what the FAQ
answers as impossible to do securely (without requiring manual input of
keys at each startup)

There's nothing here to consider that hasn't been considered before.

Olaf
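
The distinction drawn above, together with the "moving the goalposts" point made elsewhere in this thread, as an added Python sketch (not code from Tomcat or from any poster): a database that verifies passwords, a client whose config holds only a digest, and a client whose config holds ciphertext with the key in a second file. The `Verifier` class, the salts and the toy keystream cipher (a stand-in for a real cipher, not for production use) are constructed for illustration; `tiger` is the sample password used elsewhere in the thread.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for this sketch


def digest(password: str, salt: bytes) -> bytes:
    """One-way function (PBKDF2-HMAC-SHA256); it has no inverse."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class Verifier:
    """The checking side of a login: Tomcat checking a web user, or the
    database checking Tomcat. It stores a salt and a digest, never the password."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = digest(password, self.salt)

    def login(self, presented: str) -> bool:
        # Whatever the client sends is treated as the password itself.
        return hmac.compare_digest(digest(presented, self.salt), self.stored)


def _keystream(key: bytes, n: int) -> bytes:
    """Toy SHA-256 counter keystream standing in for a real cipher."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(8, "big")).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: str) -> bytes:
    data = plaintext.encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def decrypt(key: bytes, blob: bytes) -> str:
    return bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode()


def scenario():
    """Run the cases from the thread against one constructed database."""
    db_password = "tiger"  # sample value used in the thread
    database = Verifier(db_password)

    # Case 1: the client's config holds only a digest of the password.
    # The client has nothing else to send, and the database rejects it.
    config_digest = digest(db_password, b"constructed-salt").hex()
    digest_login = database.login(config_digest)

    # Case 2: the config holds ciphertext and a second file holds the key.
    key_file = os.urandom(32)
    config_blob = encrypt(key_file, db_password)
    ciphertext_login = database.login(config_blob.hex())
    tomcat_login = database.login(decrypt(key_file, config_blob))

    # Case 3: any other account that can read both files repeats Tomcat's
    # startup step, so the key file needs the protection the password needed.
    other_reader = decrypt(key_file, config_blob)

    return {
        "digest_login": digest_login,
        "ciphertext_login": ciphertext_login,
        "tomcat_login": tomcat_login,
        "other_reader_recovers": other_reader == db_password,
    }


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```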




RE: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-06-07 Thread xcorpius
Hello again!

Checking the documentation ... Tomcat can create an encrypted password with the 
"digest.sh" tool for application passwords.

But you cannot create an encrypted password for the DB in the context.xml file. 
The only solution without adding anything is to give restrictive permissions to 
the context.xml file.

Wouldn't it be the same problem? Why can't I generate an encrypted password for 
the database with the "digest.sh" tool instead of having to use a customized 
"factory"?

I think people who develop Tomcat should consider this option.

Thank you very much to all.


Xcorpius


Sent with ProtonMail Secure Email.

‐‐‐ Original Message ‐‐‐
On Friday, 30 April 2021 11:21, xcorpius wrote:

> :-)
>
> Sent with ProtonMail Secure Email.
>
> ‐‐‐ Original Message ‐‐‐
> On Monday, 26 April 2021 19:03, jonmcalexan...@wellsfargo.com wrote:
>
> > And when that isn't good enough for your senior management, take a look at 
> > the Tomcat Vault in GITHUB. :-)
> >
> > > -Original Message-
> > > From: xcorpius xcorp...@protonmail.com.INVALID
> > > Sent: Monday, April 26, 2021 8:36 AM
> > > To: users@tomcat.apache.org
> > > Subject: Re: Question about encrypting database passwords in the
> > > context.xml file - Tomcat 9
> > > Thanks Olaf
> > > Original message
> > > On 26 Apr 2021 14:02, Olaf Kock wrote:
> > >
> > > > On 26.04.21 13:10, xcorpius wrote:
> > > >
> > > > > Hi,
> > > > > I wanted to ask about how to encrypt database passwords in the
> > > > > context.xml file in Tomcat 9.
> > > >
> > > > >
> > > >
> > > > Hi,
> > > > please check this article:
> > >
> > > https://cwiki.apache.org/confluence/display/TOMCAT/Password
> > >
> > > > It covers the topic once and for all...
> > > > Olaf



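The restrictive-permissions approach mentioned in the message above, as an added example that is not part of the original thread or of Tomcat: a POSIX shell audit that flags credential-bearing files under `conf/` that anyone other than the owner can access. The file list beyond context.xml, the owner-only policy and the function names are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit access to Tomcat config files that may hold plaintext
# credentials. Assumes Tomcat runs as the owner of these files.

# perm_string FILE -> prints the 10-character mode string, e.g. "-rw-------"
perm_string() {
    ls -ld -- "$1" | cut -c1-10
}

# check_secret_file FILE
#   returns 0: regular file, no group/other permission bits set
#   returns 1: group or other have some access
#   returns 2: missing, a symlink, or not a regular file
check_secret_file() {
    f=$1
    if [ -L "$f" ] || [ ! -f "$f" ]; then
        echo "SKIP  $f (missing, symlink or not a regular file)"
        return 2
    fi
    mode=$(perm_string "$f")
    # Characters 5-10 of the mode string are the group and other bits.
    group_other=$(printf '%s' "$mode" | cut -c5-10)
    if [ "$group_other" = "------" ]; then
        echo "OK    $f ($mode)"
        return 0
    fi
    echo "WEAK  $f ($mode): accessible beyond the owner"
    return 1
}

# audit_tomcat_conf BASE -> returns 0 when no checked file is WEAK, else 1.
# The file list is an assumption: context.xml is the file discussed in the
# thread; server.xml and tomcat-users.xml can also carry passwords.
audit_tomcat_conf() {
    base=$1
    weak=0
    for name in context.xml server.xml tomcat-users.xml; do
        status=0
        check_secret_file "$base/conf/$name" || status=$?
        if [ "$status" -eq 1 ]; then weak=$((weak + 1)); fi
    done
    if [ "$weak" -gt 0 ]; then return 1; fi
    return 0
}

# Run the audit only when CATALINA_BASE is set in the environment.
if [ -n "${CATALINA_BASE:-}" ]; then
    audit_tomcat_conf "$CATALINA_BASE" || echo "tighten with: chmod 600 <file>"
fi
```

A mode of 640 is reported as WEAK here; relax the comparison if your deployment deliberately grants a dedicated group read access.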



RE: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-30 Thread xcorpius
:-)



‐‐‐ Original Message ‐‐‐
On Monday, 26 April 2021 19:03,  wrote:

> And when that isn't good enough for your senior management, take a look at 
> the Tomcat Vault in GITHUB. :-)
>
>
> > -Original Message-
> > From: xcorpius xcorp...@protonmail.com.INVALID
> > Sent: Monday, April 26, 2021 8:36 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Question about encrypting database passwords in the
> > context.xml file - Tomcat 9
> > Thanks Olaf
> > Original message
> > On 26 Apr 2021 14:02, Olaf Kock wrote:
> >
> > > On 26.04.21 13:10, xcorpius wrote:
> > >
> > > > Hi,
> > > > I wanted to ask about how to encrypt database passwords in the
> > > > context.xml file in Tomcat 9.
> > >
> > > >
> > >
> > > Hi,
> > > please check this article:
> >
> > https://cwiki.apache.org/confluence/display/TOMCAT/Password
> >
> > > It covers the topic once and for all...
> > > Olaf
> > >






Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-27 Thread Christopher Schultz

Jon,

On 4/26/21 13:03, jonmcalexan...@wellsfargo.com.INVALID wrote:

> And when that isn't good enough for your senior management, take a
> look at the Tomcat Vault in GITHUB. :-)

I'm going to publish a STIG for web applications that includes the need 
to encrypt the password for the Tomcat Vault. :3


We can move the goalposts, too. :)

-chris


> Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 
> 12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 
> 12/30/2020, 12/31/2020


Might want to update that, Jon.


> > -Original Message-
> > From: xcorpius 
> > Sent: Monday, April 26, 2021 8:36 AM
> > To: users@tomcat.apache.org
> > Subject: Re: Question about encrypting database passwords in the
> > context.xml file - Tomcat 9
> >
> > Thanks Olaf
> >
> > Original message
> > On 26 Apr 2021 14:02, Olaf Kock wrote:
> >
> > > On 26.04.21 13:10, xcorpius wrote:
> > >> Hi,
> > >>
> > >> I wanted to ask about how to encrypt database passwords in the
> > >> context.xml file in Tomcat 9.
> > >>
> > > Hi,
> > >
> > > please check this article:
> > > https://cwiki.apache.org/confluence/display/TOMCAT/Password
> > >
> > > It covers the topic once and for all...
> > >
> > > Olaf




RE: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-26 Thread jonmcalexander
And when that isn't good enough for your senior management, take a look at the 
Tomcat Vault in GITHUB. :-)

Dream * Excel * Explore * Inspire
Jon McAlexander
Infrastructure Engineer
Asst Vice President

Upcoming PTO: 10/30/2020, 11/6/2020, 11/13/2020, 11/20/2020, 11/27/2020, 
12/2/2020, 12/4/2020, 12/11/2020, 12/18/2020, 12/28/2020, 12/29/2020, 
12/30/2020, 12/31/2020

> -Original Message-
> From: xcorpius 
> Sent: Monday, April 26, 2021 8:36 AM
> To: users@tomcat.apache.org
> Subject: Re: Question about encrypting database passwords in the
> context.xml file - Tomcat 9
> 
> Thanks Olaf
> 
> Original message
> On 26 Apr 2021 14:02, Olaf Kock wrote:
> 
> > On 26.04.21 13:10, xcorpius wrote:
> >> Hi,
> >>
> >> I wanted to ask about how to encrypt database passwords in the
> >> context.xml file in Tomcat 9.
> >>
> > Hi,
> >
> > please check this article:
> >
> > https://cwiki.apache.org/confluence/display/TOMCAT/Password
> >
> > It covers the topic once and for all...
> >
> > Olaf
> >


Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-26 Thread xcorpius
Thanks Olaf

Original message
On 26 Apr 2021 14:02, Olaf Kock wrote:

> On 26.04.21 13:10, xcorpius wrote:
>> Hi,
>>
>> I wanted to ask about how to encrypt database passwords in the context.xml 
>> file in Tomcat 9.
>>
> Hi,
>
> please check this article:
> https://cwiki.apache.org/confluence/display/TOMCAT/Password
>
> It covers the topic once and for all...
>
> Olaf
>

Re: Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-26 Thread Olaf Kock


On 26.04.21 13:10, xcorpius wrote:
> Hi,
>
> I wanted to ask about how to encrypt database passwords in the context.xml 
> file in Tomcat 9.
>
Hi,

please check this article:
https://cwiki.apache.org/confluence/display/TOMCAT/Password

It covers the topic once and for all...

Olaf





Question about encrypting database passwords in the context.xml file - Tomcat 9

2021-04-26 Thread xcorpius
Hi,

I wanted to ask about how to encrypt database passwords in the context.xml file 
in Tomcat 9.

Thank you very much to all.

Xcorpius.