Hi Christoph

Also to you, thank you for your feedback.

I asked Thomas as well, if he knows if this could be solved with placing the
path to the file - in my opinion, this is an easy, safe possibility to allocate
any certs. That would be very helpful to have such tomcat.

Thank you
Alex

-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, 18 January 2023 23:30
To: users@tomcat.apache.org
Subject: Re: AW: Password in Tomcat 9.x

Thomas and Alex,

On 1/18/23 16:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
> Hello Alex,
> 
> thanks for the clarification. Now I got the topic.
> 
> I don't think that you can use a path there.
> 
> The options I have in mind are:
> - Use properties: 
> https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
> - Remove password or set it to the same password.
>    This won't decrease security in my opinion.

+1 the easiest way to do this IMO is to simply remove the password from 
the key store.

Yet another option is to use the 
org.apache.tomcat.util.digester.ServiceBindingPropertySource "property 
source". Check out 
https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html and 
read about "property replacements". I think you can achieve your goals 
using that plus your files on the disk as-is.

Hope that helps,
-chris
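
Added example (not part of any message in this thread, and not Tomcat project code): a shell sketch of the property-source route mentioned above, publishing the existing `p12.pwd` where `ServiceBindingPropertySource` looks it up. The binding name `tls`, key `keystorePass`, the root path and both helper functions are hypothetical; it assumes the installed 9.0.x release ships the class with its `chomp:` prefix and two-part `binding.key` property names.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed names: binding "tls", key
# "keystorePass", root /opt/tomcat/bindings. With this in bin/setenv.sh:
#   export SERVICE_BINDING_ROOT=/opt/tomcat/bindings
#   CATALINA_OPTS="$CATALINA_OPTS -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource"
# server.xml can carry keystorePass="${chomp:tls.keystorePass}", resolved at
# startup from the file $SERVICE_BINDING_ROOT/tls/keystorePass.

# link_binding ROOT BINDING KEY SECRET_FILE
# Publishes SECRET_FILE (e.g. the existing p12.pwd) as ROOT/BINDING/KEY.
link_binding() {
    lb_root=$1; lb_binding=$2; lb_key=$3; lb_secret=$4
    # The property is written "binding.key": no part may hold '.' or '/'.
    for lb_part in "$lb_binding" "$lb_key"; do
        case "$lb_part" in
            ''|*[./]*) echo "bad binding or key name: '$lb_part'" >&2; return 2 ;;
        esac
    done
    # The symlink target must be an absolute path to a readable regular file.
    case "$lb_secret" in /*) ;; *) echo "need absolute path" >&2; return 3 ;; esac
    [ -f "$lb_secret" ] && [ -r "$lb_secret" ] || { echo "cannot read $lb_secret" >&2; return 3; }
    # Refuse a password file that accounts outside owner and group can access.
    lb_other=$(ls -Lld "$lb_secret" | cut -c8-10)
    [ "$lb_other" = "---" ] || { echo "$lb_secret is open to others" >&2; return 4; }
    mkdir -p "$lb_root/$lb_binding" || return 5
    # One copy of the secret: a renewed p12.pwd is picked up at the next restart.
    ln -sf "$lb_secret" "$lb_root/$lb_binding/$lb_key"
}

# read_binding ROOT PROPERTY
# Models the lookup so the layout can be checked before a restart. With the
# "chomp:" prefix the trailing newline of the file is dropped, which matters
# when p12.pwd ends in a newline that is not part of the password.
read_binding() {
    rb_prop=${2#chomp:}
    rb_file="$1/${rb_prop%%.*}/${rb_prop#*.}"
    [ -r "$rb_file" ] || return 1
    if [ "$rb_prop" = "$2" ]; then
        cat "$rb_file"
    else
        printf '%s' "$(cat "$rb_file")"
    fi
}
```

Run `link_binding` as the account that owns the Tomcat installation, so the binding directory it creates is readable by the Tomcat process.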

>> -----Original Message-----
>> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
>> Sent: Wednesday, 18 January 2023 20:28
>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>> Subject: AW: Password in Tomcat 9.x
>>
>> Hi Thomas
>>
>> Thanks for your feedback.
>>
>> I checked - here I can give you the following.
>>
>> I have a webserver certificate (p12) stored on the filesystem. It has the
>> p12.pwd also in this location. Owner and group are well protected from other
>> technical users.
>>
>> Now, the config file, where the webserver cert is used is in the server.xml.
>>
>> Inside there:
>>
>> clientAuth="true" sslProtocol="TLS"
>> keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
>> keystorePass="PASSWORD"
>> truststore="TRUSTSTORE_CERTIFICATE.jks"
>> truststorePass="PASSWORD"
>> sslEnable="True"
>> protocol="org.apache.coyote.http11.Http11Prococol"
>>
>> Now I would like to remove the PASSWORD from the keystorePass and put in
>> there the path to the pwd of the webserver certificate. Same also for the
>> truststore.
>>
>> - Is that possible? If yes, how is that to be done?
>>
>> Thanks for your feedback.
>>
>> Regards
>> Alex
>>
>>
>>
>>
>>
>> -----Original Message-----
>> From: Thomas Hoffmann (Speed4Trade GmbH)
>> <thomas.hoffm...@speed4trade.com.INVALID>
>> Sent: Wednesday, 18 January 2023 07:12
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: AW: Password in Tomcat 9.x
>>
>> Hello Alex,
>> I usually remove the password on the p12 file via openssl.
>> Protecting with password and writing the password in clear text somewhere
>> doesn't improve security much I think.
>> Dunno if this is a possible way to go for you.
>> Greetings,
>> Thomas
>> ________________________________
>> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
>> Sent: Tuesday, 17 January 2023 21:01:00
>> To: 'Tomcat Users List'
>> Subject: AW: Password in Tomcat 9.x
>>
>> Hi Thomas
>>
>> Received also from Mark an email where he requested an example of the
>> web.xml. Will provide you this tomorrow. Below is what I wrote him.
>>
>> Regards
>> Alex
>>
>> #
>> #
>> #
>> Hi Mark
>>
>> I will provide a config example tomorrow. Let you know the details.
>>
>> I have them on the other machine.
>>
>> In general it is like that - we have a webserver certificate (p12), which we
>> use to have the https protocol. The certificate comes together with a p12.pwd
>> file and this password of the certificate is stored in the web.xml.
>> I want now to remove this password by configuring just the path to this file.
>>
>> In case someone renews the certificate, the restart of tomcat can be done
>> anytime as always the correct password is used.
>>
>> Regards
>> Alexander
>> #
>> #
>> #
>>
>> -----Original Message-----
>> From: Thomas Hoffmann (Speed4Trade GmbH)
>> <thomas.hoffm...@speed4trade.com.INVALID>
>> Sent: Tuesday, 17 January 2023 19:19
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Subject: AW: Password in Tomcat 9.x
>>
>> Hello Alex,
>> I am not sure what your goal is.
>> Webserver certificate (with private key) is used for encryption / ssl / tls.
>> Password is used for user authentication and in web.xml you only specify the
>> auth method, not any passwords. Or do you plan auth with client certificates?
>>
>> Greetings, Thomas
>> ________________________________
>> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
>> Sent: Tuesday, 17 January 2023 18:34:15
>> To: users@tomcat.apache.org
>> Subject: Password in Tomcat 9.x
>>
>> Hello together
>>
>>
>>
>> I would like to understand, when implementing passwords into web.xml, then I
>> would like NOT to implement a password, I want to include the path to a
>> certificate (p12.pwd). I want to basically avoid, changing all the time the
>> password, when I renew my webserver certificate in the configuration.
>>
>>
>>
>> Which version of Tomcat 9.x is able to do this? Will it be foreseen, that 9.x
>> can do this?
>>
>> If no 9.x can do, which other Tomcat can do this?
>>
>>
>>
>> Thank you
>>
>> Alexander Grubner
>>
>>
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org