Thomas and Alex,

On 1/18/23 16:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Hello Alex,
>
> thanks for the clarification. Now I got the topic.
>
> I don't think that you can use a path there.
>
> The options I have in mind are:
> - Use properties: https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
> - Remove password or set it to the same password.
>   This won't decrease security in my opinion.

+1. The easiest way to do this, IMO, is to simply remove the password from the key store.

Yet another option is to use the org.apache.tomcat.util.digester.ServiceBindingPropertySource "property source". Check out https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html and read about "property replacements". I think you can achieve your goals using that plus your files on the disk as-is.

Hope that helps,
-chris
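
The ServiceBindingPropertySource route suggested above, sketched as an added example (not code from this thread or from the Tomcat project). The binding name `tls`, the key name `keystorePass` and all paths are made up; it assumes, as Tomcat's documentation for that class describes, that `${binding.key}` is read from `$SERVICE_BINDING_ROOT/binding/key` and that a `chomp:` prefix drops one trailing newline, which is why the `p12.pwd` file gets a dot-free alias.

```shell
#!/bin/sh
# Added example, not from the thread. Binding "tls", key "keystorePass" and
# every path below are assumptions for illustration.
#
# Goal: server.xml carries a file-backed placeholder instead of the password:
#   keystorePass="${chomp:tls.keystorePass}"
# and setenv.sh selects the property source:
#   export SERVICE_BINDING_ROOT=/opt/tomcat/bindings
#   CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource"
# Only a class name ends up on the command line, never the secret itself.
# A renewed p12.pwd at the same path is picked up on the next restart.

# Succeeds only if $1 is a regular file with no group/other permission bits.
secret_mode_ok() {
    [ -f "$1" ] || return 1
    case "$(ls -ldL "$1" | cut -c5-10)" in
        ------) return 0 ;;
        *)      return 1 ;;
    esac
}

# bind_secret ROOT BINDING KEY FILE   (FILE must be an absolute path)
# Exposes FILE as ROOT/BINDING/KEY and prints the server.xml placeholder.
bind_secret() {
    root=$1 binding=$2 key=$3 file=$4
    case "$binding$key" in
        *.*|*/*) echo "binding and key must not contain '.' or '/'" >&2
                 return 2 ;;
    esac
    if ! secret_mode_ok "$file"; then
        echo "refusing: $file is missing or accessible by group/other" >&2
        return 1
    fi
    mkdir -p "$root/$binding" && chmod 700 "$root/$binding" || return 1
    ln -sf "$file" "$root/$binding/$key" || return 1
    printf '${chomp:%s.%s}\n' "$binding" "$key"
}

# Stand-alone use: sh bind_secret.sh ROOT BINDING KEY FILE
if [ $# -eq 4 ]; then bind_secret "$@"; fi
```

Run it as the account Tomcat runs under, so the binding directory and the password file stay readable to that account only.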

-----Original Message-----
From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
Sent: Wednesday, 18 January 2023 20:28
To: 'Tomcat Users List' <users@tomcat.apache.org>
Subject: RE: Password in Tomcat 9.x

Hoi Thomas

Thanks for your feedback.

I checked - here I can give you the following.

I have a webserver certificate (p12) stored on the filesystem. The p12.pwd
is also in this location. Owner and group are well protected from other
technical users.

Now, the config file where the webserver cert is used is the server.xml.

Inside there:

clientAuth="true" sslProtocol="TLS"
keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
keystorePass="PASSWORD"
truststore="TRUSTSTORE_CERTIFICATE.jks"
truststorePass="PASSWORD"
sslEnable="True"
protocol="org.apache.coyote.http11.Http11Prococol"

Now I would like to remove the PASSWORD from the keystorePass and put in
there the path to the pwd of the webserver certificate. Same also for the
truststore.

- Is that possible? If yes, how is that to be done?

Thanks for your feedback.

Regards
Alex





-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.INVALID>
Sent: Wednesday, 18 January 2023 07:12
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Password in Tomcat 9.x

Hello Alex,
I usually remove the password on the p12 file via openssl.
Protecting with password and writing the password in clear text somewhere
doesn't improve security much I think.
Dunno if this is a possible way to go for you.
Greetings,
Thomas
________________________________
From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
Sent: Tuesday, 17 January 2023 21:01:00
To: 'Tomcat Users List'
Subject: RE: Password in Tomcat 9.x

Hoi Thomas

I also received an email from Mark where he requested an example of the
web.xml. I will provide you this tomorrow. Below is what I wrote him.

Regards
Alex

#
#
#
Hi Mark

I will provide a config example tomorrow. Let you know the details.

I have them on the other machine.

In general it is like that - we have a webserver certificate (p12), which we use
to have the https protocol. The certificate comes together with a p12.pwd file
and this password of the certificate is stored in the web.xml.
I want now to remove this password by configuring just the path to this file.

In case someone renews the certificate, the restart of tomcat can be done
anytime, as the correct password is always used.

Regards
Alexander
#
#
#

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.INVALID>
Sent: Tuesday, 17 January 2023 19:19
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: Password in Tomcat 9.x

Hello Alex,
I am not sure what your goal is.
Webserver certificate (with private key) is used for encryption / ssl / tls.
Password is used for user authentication and in web.xml you only specify the
auth method, not any passwords. Or do you plan auth with client certificates?

Greetings, Thomas
________________________________
From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
Sent: Tuesday, 17 January 2023 18:34:15
To: users@tomcat.apache.org
Subject: Password in Tomcat 9.x

Hello together



I would like to understand, when implementing passwords into web.xml, then I
would like NOT to implement a password, I want to include the path to a
certificate (p12.pwd). I want to basically avoid, changing all the time the
password, when I renew my webserver certificate in the configuration.



Which version of Tomcat 9.x is able to do this? Will it be foreseen that 9.x
can do this?

If no 9.x can do, which other Tomcat can do this?



Thank you

Alexander Grubner



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


