Hello,

> -----Original Message-----
> From: Mark Thomas <[email protected]>
> Sent: Wednesday, 21 January 2026 11:34
> To: [email protected]
> Subject: Re: Tomcat 9.0.x securing db credentials in server.xml
> 
> On 21/01/2026 09:36, dineshk via users wrote:
> > Hi Team,
> > Would like to know the recommended approach to secure the db
> > credentials in Tomcat, defined in the server.xml file. The application could be
> > deployed on AKS or as a normal on-premises deployment.
> > Is there any recommended common solution? If not, what is the recommended
> > approach in each case?
> > Please let me know. It would be really helpful.
> 
> Don't waste your time trying to achieve the logically impossible.
> 
> https://cwiki.apache.org/confluence/display/TOMCAT/Password
> 
> Mark
> 

As Mark mentioned, there is no 100% solution.
The password must be stored somewhere, and if encrypted, some program must 
decrypt it with a key which is stored somewhere.

I used some (newer) systemd features to protect credentials against some (few)
possible leaks and hide the plaintext at least.
1) Use LoadCredentialEncrypted in the systemd file to mount an encrypted
   file containing the credentials.
2) Load the mounted file and set the values as env variables before starting
   Tomcat:
   ExecStart=/bin/sh -c 'set -a && . "$CREDENTIALS_DIRECTORY/creds" && set +a && exec /opt/apache-tomcat/bin/startup.sh'
3) Set a wrapper to inject env variables as Java properties:
   -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.EnvironmentPropertySource
4) Replace the passwords in server.xml with variable references like
   "${PASSWORD}".
5) Encrypt the file for usage in 1) with "systemd-creds encrypt".
   You can also encrypt with TPM 2.0 if available.

Note that any root user can decrypt the credential file!
As root user you can also read the environment variables from the process, etc.
It only protects against a few scenarios, like a lost, unencrypted backup of the
server.xml etc.

Greetings.
Thomas
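Added example, not code from Thomas's post or from the Tomcat project: POSIX shell helpers that write the systemd drop-in and setenv.sh for steps 1 to 3, source a creds file the way the ExecStart line does, and check that server.xml carries only ${VAR} references (step 4). The paths /opt/apache-tomcat, /etc/tomcat/creds.cred and the variable name DB_PASSWORD are assumptions.

```shell
#!/bin/sh
# Constructed example reproducing the systemd credential setup from the post.
# Assumed: CATALINA_HOME=/opt/apache-tomcat, encrypted file /etc/tomcat/creds.cred.
set -eu

# Step 3: property source that resolves ${...} in server.xml from the environment.
PROPERTY_SOURCE_OPT='-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.EnvironmentPropertySource'

# Steps 1+2: drop-in for tomcat.service. systemd decrypts the credential into
# $CREDENTIALS_DIRECTORY (a private tmpfs) before ExecStart runs; the shell
# exports every KEY=value line from it and then execs Tomcat.
write_dropin() {  # $1 = output, e.g. /etc/systemd/system/tomcat.service.d/creds.conf
  cat > "$1" <<'EOF'
[Service]
LoadCredentialEncrypted=creds:/etc/tomcat/creds.cred
ExecStart=
ExecStart=/bin/sh -c 'set -a && . "$CREDENTIALS_DIRECTORY/creds" && set +a && exec /opt/apache-tomcat/bin/startup.sh'
EOF
}

# Step 3: bin/setenv.sh is sourced by catalina.sh, so the -D option goes there.
write_setenv() {  # $1 = output, e.g. /opt/apache-tomcat/bin/setenv.sh
  printf 'CATALINA_OPTS="$CATALINA_OPTS %s"\n' "$PROPERTY_SOURCE_OPT" > "$1"
}

# Step 2 simulated locally: source a plaintext creds file (KEY=value lines)
# exactly as ExecStart does and print the value Tomcat would see for DB_PASSWORD.
load_creds() {  # $1 = plaintext creds file
  ( set -a && . "$1" && set +a && printf '%s' "${DB_PASSWORD:-}" )
}

# Step 4 check: every password="..." attribute must be a ${VAR} reference.
# Prints offending lines and returns 1 if a literal password remains.
check_server_xml() {  # $1 = server.xml
  ! grep -En 'password="[^$"]' "$1"
}

# Step 5 (systemd >= 250, run as root on the target host, not part of this script):
#   systemd-creds encrypt --name=creds creds.txt /etc/tomcat/creds.cred
#   Add --with-key=tpm2 to seal the credential to the machine's TPM 2.0.
```

The plaintext creds.txt must be deleted (or never written to persistent disk) after encryption; the drop-in needs `systemctl daemon-reload` to take effect.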


