Thomas,
On 1/21/25 2:08 PM, Timothy Resh wrote:
In the old configuration we were able to hide the password using the
following parameter in the config
SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==;
C:\\Certificate\Keystore\Tomcat SAMM Vessel.p12)}"
We then used this
org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.emprisecorp.tomcat.propertysource.MyPropertySource
in the catalina.properties. This class would set the following properties
when it decrypted the KSENC(6qXemkaMkIOCflnMN4pErQ==;
System.setProperty("javax.net.ssl.keyStore", keyStorePath);
System.setProperty("javax.net.ssl.keyStorePassword", clearText);
System.setProperty("javax.net.ssl.trustStore", trustStorePath);
System.setProperty("javax.net.ssl.trustStorePassword", clearText);
As Mark says in his reply, this won't work since Tomcat doesn't use
those system properties. I would argue that using system properties for
this kind of thing is a terrible idea, which is why they were only used
as defaults, overridable with explicit configuration in server.xml.
You should have a look at the ServiceBindingPropertySource[1] which may
be able to move the problem to other files. It certainly will get your
secrets out of server.xml. There is also Vault for Tomcat[2], which I
have never used but is at least partially maintained by some Tomcat
committers (but now an ASF project).
-chris
[1] https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements
[2] https://github.com/web-servers/tomcat-vault/tree/main
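An added example (not from this thread, and not the KSENC-based class the poster describes) of the shape a PROPERTY_SOURCE class needs: the secret is returned from getProperty, where Tomcat substitutes it into the ${...} attribute in server.xml, instead of being pushed into the javax.net.ssl.* system properties that Chris points out Tomcat does not read. The file-backed lookup (a file named after the key, under a directory given by a hypothetical TOMCAT_SECRETS_DIR environment variable) and the package name are assumptions chosen for illustration.

```java
package com.example.tomcat; // hypothetical package, not the poster's

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Resolves ${secret:NAME} in server.xml by reading the file NAME under the
 * directory named by TOMCAT_SECRETS_DIR (assumed layout). Register it in
 * catalina.properties:
 *   org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.example.tomcat.FileSecretPropertySource
 * and reference it from the connector, e.g.
 *   <Certificate certificateKeystoreFile="conf/keystore.p12"
 *                certificateKeystorePassword="${secret:keystore.password}" />
 * The password then never appears in server.xml and is never set as a
 * JVM-wide system property readable by any code in the process.
 */
public class FileSecretPropertySource implements IntrospectionUtils.PropertySource {

    private static final String PREFIX = "secret:";
    private static final String ROOT_ENV = "TOMCAT_SECRETS_DIR";

    // Tomcat instantiates the class reflectively, so a public no-arg constructor is required.
    public FileSecretPropertySource() {
    }

    @Override
    public String getProperty(String key) {
        if (key == null || !key.startsWith(PREFIX)) {
            return null; // not ours: the default (system property) source still gets a turn
        }
        String root = System.getenv(ROOT_ENV);
        if (root == null) {
            return null;
        }
        Path rootDir = Paths.get(root).toAbsolutePath().normalize();
        Path file = rootDir.resolve(key.substring(PREFIX.length())).normalize();
        if (!file.startsWith(rootDir)) {
            return null; // refuse names such as "../x" that would escape the secrets directory
        }
        try {
            String value = new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
            // Strip only the trailing line break an editor adds when writing the file.
            return value.replaceFirst("\\r?\\n\\z", "");
        } catch (IOException e) {
            return null; // unresolved: treated like any other missing property
        }
    }
}
```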