Hi Eric: I am sorry. I am a beginner with Tomcat. How does it work? Has the current Tomcat already been doing that? Does it just put an encrypted keystore password in the server.xml? Or does it not even mention any keystore password in the server.xml at all?
Regards
Dickson

-----Original Message-----
From: Eric Haszlakiewicz [mailto:[EMAIL PROTECTED]
Sent: Wednesday, May 31, 2006 9:46 AM
To: Tomcat Users List
Cc: David Wall
Subject: Re: How to hide the keystorePass at the server.xml

On Tue, May 30, 2006 at 04:46:42PM -0700, David Wall wrote:
> A possible sounding solution would be to have tomcat start in a
> protected mode that requires an admin connect and enter a password
> before TC would allow the webapps to load. But even this would require
> that TC be configured to do so since most would not want this. And if
> you can access the filesystem, then you could change that configuration
> so that TC would start and NOT require that. You can even change the
> java security policy file. So you'd need to create a forked TC that
> always requires the password to be entered. But then again, if they can
> access the filesystem, they could just change out the version of TC.

No, you just have the keystore encrypted with a password and _don't_
specify it in the config file. Then when tomcat starts up, and can't open
the keystore w/o a password, it knows it has to ask for it, but it isn't
stored anywhere on the machine.

That's what apache httpd does if the cert file is password protected.
Tomcat should do the same. It works quite well.

eric

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
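
The approach Eric describes in the message above (a password-protected keystore whose password is typed at startup instead of being stored in a config file), sketched with the standard Java KeyStore API. This is an added example, not part of the original thread and not Tomcat's code; the class name PromptedKeystore, the three-attempt limit and the sample password "demo-only" are assumptions made for the illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.security.*;
import java.util.Arrays;

public class PromptedKeystore {
    // Returns the opened keystore, or null if the password was wrong.
    static KeyStore open(byte[] data, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try {
            ks.load(new ByteArrayInputStream(data), password);
            return ks;
        } catch (IOException e) {
            // A wrong password is an IOException caused by UnrecoverableKeyException.
            if (e.getCause() instanceof UnrecoverableKeyException) return null;
            throw e; // corrupt or unreadable keystore: do not mask it
        } finally {
            Arrays.fill(password, '\0'); // wipe the typed password after use
        }
    }
    // Constructed sample input: an empty keystore protected with "demo-only".
    static byte[] sampleKeystore() throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, "demo-only".toCharArray());
        return out.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        byte[] data = args.length > 0
                ? Files.readAllBytes(Paths.get(args[0])) : sampleKeystore();
        Console console = System.console();
        if (console == null) { // started without a terminal (service, cron)
            System.err.println("No console to prompt on; refusing to start.");
            System.exit(2);
        }
        for (int attempt = 1; attempt <= 3; attempt++) {
            char[] pw = console.readPassword("Keystore password: ");
            if (pw == null) break; // end of input
            KeyStore ks = open(data, pw);
            if (ks != null) {
                System.out.println("Keystore opened, entries: " + ks.size());
                return;
            }
            System.err.println("Wrong password (attempt " + attempt + " of 3).");
        }
        System.exit(1);
    }
}
```

Run it with a PKCS12 keystore path as the first argument; with no argument it uses the constructed sample keystore, whose password is demo-only.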