Hello all

I have been working on getting JMX working with SSL with client-side authentication on Tomcat. All is working well in this regard. However, I noticed that if I do a "ps -ef | grep jsvc" on the CentOS Linux server, I get the output below (yes, the password has been changed). My question is simply, is there a way to pass in the keystore password and truststore password through jsvc in such a manner that they aren't in clear text on a process list output? Or more to the point, am I being overly paranoid that the keystore and truststore passwords are in the clear if you do a process listing on the server? I have taken steps to ensure that only the tomcat user is able to read from both the keystore and truststore files, and the tomcat user is not allowed direct logins on to the machine. The only way you can become the tomcat user is via su - tomcat from another user.

I tried setting the parameters via the CATALINA_OPTS environment variable; however, it seems that the jsvc process doesn't evaluate it unless I include it as part of my startup command line. However, if I do this, I get the process table output below.

Is there any way to not show these passwords in the clear and still support the SSL configuration capabilities that are set up?

Thanks in advance
Brian

ps -ef | grep jsvc

root 14973 1 0 23:51 ? 00:00:00 jsvc.exec -pidfile /var/run/jsvc.pid -cp /usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar -user tomcat -Xmx512m -Xms512m -outfile /usr/local/apache/logs/catalina.out -errfile /usr/local/apache/logs/catalina.err -Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.registry.ssl=true -Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore -Djavax.net.ssl.keyStorePassword=secret -Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore -Djavax.net.ssl.trustStorePassword=secret org.apache.catalina.startup.Bootstrap
tomcat 14974 14973 42 23:51 ? 00:00:02 jsvc.exec -pidfile /var/run/jsvc.pid -cp /usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar -user tomcat -Xmx512m -Xms512m -outfile /usr/local/apache/logs/catalina.out -errfile /usr/local/apache/logs/catalina.err -Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password -Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access -Dcom.sun.management.jmxremote.authenticate=true -Dcom.sun.management.jmxremote.ssl=true -Dcom.sun.management.jmxremote.registry.ssl=true -Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore -Djavax.net.ssl.keyStorePassword=secret -Dcom.sun.management.jmxremote.ssl.need.client.auth=true -Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore -Djavax.net.ssl.trustStorePassword=secret org.apache.catalina.startup.Bootstrap
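
An added example, not part of the original post: a Python audit check for the exposure shown in the listing above, flagging -D system properties that carry a secret value inline in a process's argument list and masking them for logs. The function names, the generic name pattern, and the sample argument list are assumptions of this example.

```python
import os
import re

# -D properties whose name suggests a secret. The javax.net.ssl.*Password
# names come from the listing above; the wider pattern is an assumption.
SECRET_PROP = re.compile(r"^-D([\w.]*(?:password|passphrase|secret)[\w.]*)=(.+)$", re.I)


def secret_name(arg):
    """Return the property name if arg carries a secret inline, else None."""
    m = SECRET_PROP.match(arg)
    # A property ending in ".file" only points at a file; it is not a leak.
    if m and not m.group(1).lower().endswith(".file"):
        return m.group(1)
    return None


def exposed_properties(argv):
    """Names of the -D properties in argv whose secret value is visible."""
    return [name for name in map(secret_name, argv) if name]


def redact(argv):
    """Copy of argv with inline secret values masked, safe to log."""
    return ["-D%s=****" % secret_name(a) if secret_name(a) else a for a in argv]


def scan_proc(proc_root="/proc"):
    """Map pid -> exposed property names for each readable process (Linux)."""
    findings = {}
    for entry in filter(str.isdigit, os.listdir(proc_root)):
        try:
            with open(os.path.join(proc_root, entry, "cmdline"), "rb") as fh:
                argv = fh.read().decode("utf-8", "replace").split("\0")
        except OSError:
            continue  # process exited or its cmdline is not readable
        props = exposed_properties(argv)
        if props:
            findings[int(entry)] = props
    return findings


# Constructed sample: a shortened form of the jsvc arguments in the post.
SAMPLE = [
    "jsvc.exec", "-user", "tomcat",
    "-Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password",
    "-Djavax.net.ssl.keyStorePassword=secret",
    "-Dcom.sun.management.jmxremote.ssl.need.client.auth=true",
    "-Djavax.net.ssl.trustStorePassword=secret",
    "org.apache.catalina.startup.Bootstrap",
]

if __name__ == "__main__":
    for pid, props in sorted(scan_proc().items()):
        print(pid, ", ".join(props))
```

Run on the host, it prints only PIDs and property names, never the values.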

