Christopher,

From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Wednesday, January 22, 2025 11:19 AM
To: users@tomcat.apache.org
Subject: Re: Openssl Connector configuration for Dynamic Client Authorization does not work.
Thomas,

On 1/21/25 2:08 PM, Timothy Resh wrote:
> In the old configuration we were able to hide the password using the
> following parameter in the config
>
> SSLPassword="${KSENC(6qXemkaMkIOCflnMN4pErQ==;
> C:\\Certificate\Keystore\Tomcat SAMM Vessel.p12)}"
>
> We then used this
> org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.emprisecorp.tomcat.propertysource.MyPropertySource
>
> in the catalina.properties. This class would set the following properties
> when it decrypted the KSENC(6qXemkaMkIOCflnMN4pErQ==;
>
> System.setProperty("javax.net.ssl.keyStore", keyStorePath);
> System.setProperty("javax.net.ssl.keyStorePassword", clearText);
> System.setProperty("javax.net.ssl.trustStore", trustStorePath);
> System.setProperty("javax.net.ssl.trustStorePassword", clearText);

As Mark says in his reply, this won't work since Tomcat doesn't use those system properties. I would argue that using system properties for this kind of thing is a terrible idea, which is why they were only used as defaults, overridable with explicit configuration in server.xml.

You should have a look at the ServiceBindingPropertySource[1] which may be able to move the problem to other files. It certainly will get your secrets out of server.xml.

There is also Vault for Tomcat[2], which I have never used but is at least partially maintained by some Tomcat committers (but now an ASF project).

-chris

[Mcalexander, Jon J.] I have done some work with this Vault a couple of years ago. The Vault is a great implementation, but it needs to be updated as its security is fairly weak for today's world.
[1] https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html#Property_replacements
[2] https://github.com/web-servers/tomcat-vault/tree/main

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
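The point Chris and Mark make above is that a `PROPERTY_SOURCE` class only does useful work through the value it returns from `getProperty()`: Digester substitutes that string into the `${...}` placeholder in server.xml, and `javax.net.ssl.*` system properties set as a side effect are never consulted by Tomcat's connectors. The class below is an added example written for this page, not code from the thread, from Tomcat, or from the `MyPropertySource` class mentioned by the original poster. It implements Tomcat's real `org.apache.tomcat.util.IntrospectionUtils.PropertySource` interface and resolves placeholders of the assumed form `${secret.NAME}` by reading `$CATALINA_BASE/conf/secrets/NAME`, which is the same idea as the ServiceBindingPropertySource linked at [1] (secret kept in a file outside server.xml, resolved at parse time) without any encrypted-in-place `KSENC(...)` scheme. The package name, the `secret.` prefix and the `conf/secrets` directory are assumptions of this example.

```java
package com.example.tomcat; // hypothetical package, not the poster's com.emprisecorp class

import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Resolves ${secret.NAME} placeholders in server.xml by reading the file
 * $CATALINA_BASE/conf/secrets/NAME (assumed layout for this example).
 *
 * The String returned from getProperty() is what Digester substitutes into
 * the attribute, for example
 *   <Certificate certificateKeystorePassword="${secret.tomcat-keystore}" .../>
 * so the keystore password never appears in server.xml and no
 * javax.net.ssl.* system properties are involved.
 *
 * Enabled in catalina.properties with:
 *   org.apache.tomcat.util.digester.PROPERTY_SOURCE=com.example.tomcat.FileSecretPropertySource
 */
public class FileSecretPropertySource implements IntrospectionUtils.PropertySource {

    private static final String PREFIX = "secret.";
    private final Path secretsDir;

    public FileSecretPropertySource() {
        // Digester instantiates the configured class reflectively, so a
        // public no-arg constructor is required.
        this(Paths.get(System.getProperty("catalina.base", "."), "conf", "secrets"));
    }

    FileSecretPropertySource(Path secretsDir) {
        this.secretsDir = secretsDir.toAbsolutePath().normalize();
    }

    @Override
    public String getProperty(String key) {
        if (key == null || !key.startsWith(PREFIX)) {
            return null; // not one of ours; null means "unresolved by this source"
        }
        String name = key.substring(PREFIX.length());

        // Only accept a plain file name: a placeholder written into server.xml
        // must not be able to read arbitrary files via "../" or absolute paths.
        if (name.isEmpty() || !name.matches("[A-Za-z0-9._-]+")) {
            return null;
        }
        Path file = secretsDir.resolve(name).normalize();
        if (!file.startsWith(secretsDir)) {
            return null;
        }

        try {
            String value = new String(Files.readAllBytes(file), StandardCharsets.UTF_8);
            // Drop one trailing line terminator left by editors; keep everything else verbatim.
            return value.replaceAll("\\r?\\n$", "");
        } catch (IOException e) {
            // Leaving the placeholder unresolved makes a missing or unreadable
            // secret file visible as a startup failure instead of a wrong password.
            return null;
        }
    }
}
```

The secrets directory should be readable only by the account Tomcat runs as, since the files hold clear-text passwords; the property source itself does nothing at runtime after server.xml has been parsed, so the value does not need to be cached or placed anywhere else.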