Hello all
I have been working on getting JMX working with SSL and client-side
authentication on Tomcat. All is working well in this regard.
However, I noticed that if I do a "ps -ef | grep jsvc" on the CentOS
Linux server, I get the output below (yes, the password has been
changed). My question is simply: is there a way to pass in the
keystore password and truststore password through jsvc in such a manner
that they aren't in clear text in a process list output? Or, more to the
point, am I being overly paranoid that the keystore and truststore
passwords are in the clear if you do a process listing on the server? I
have taken steps to ensure that only the tomcat user is able to read
both the keystore and truststore files, and the tomcat user is not
allowed direct logins on the machine. The only way you can become the
tomcat user is via "su - tomcat" from another user.
I tried setting the parameters via the CATALINA_OPTS environment
variable; however, it seems that the jsvc process doesn't evaluate it
unless I include it as part of my startup command line. But if I do
this, I get the process table output below.
Is there any way to not show these passwords in the clear and support
the SSL configuration capabilities that are set up?
Thanks in advance
Brian
ps -ef | grep jsvc
root 14973 1 0 23:51 ? 00:00:00 jsvc.exec -pidfile
/var/run/jsvc.pid -cp
/usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar -user
tomcat -Xmx512m -Xms512m -outfile /usr/local/apache/logs/catalina.out
-errfile /usr/local/apache/logs/catalina.err
-Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore
-Djavax.net.ssl.keyStorePassword=secret
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore
-Djavax.net.ssl.trustStorePassword=secret
org.apache.catalina.startup.Bootstrap
tomcat 14974 14973 42 23:51 ? 00:00:02 jsvc.exec -pidfile
/var/run/jsvc.pid -cp
/usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar -user
tomcat -Xmx512m -Xms512m -outfile /usr/local/apache/logs/catalina.out
-errfile /usr/local/apache/logs/catalina.err
-Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore
-Djavax.net.ssl.keyStorePassword=secret
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore
-Djavax.net.ssl.trustStorePassword=secret
org.apache.catalina.startup.Bootstrap
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
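The exposure Brian describes can be audited rather than eyeballed. The script below is an added example (not from the post or from Tomcat/jsvc): it flags `-D` properties whose name ends in password/passwd/secret and whose value is therefore visible to anyone who can read `/proc/<pid>/cmdline` (world-readable on Linux, unlike `/proc/<pid>/environ`). The property-name suffix rule and the sample argv, reconstructed from the post, are this example's own assumptions.

```python
import os
import re

# Constructed sample: the jsvc argv from the post above, one argument per entry.
SAMPLE_ARGV = [
    "jsvc.exec", "-pidfile", "/var/run/jsvc.pid", "-user", "tomcat",
    "-Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password",
    "-Dcom.sun.management.jmxremote.ssl=true",
    "-Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore",
    "-Djavax.net.ssl.keyStorePassword=secret",
    "-Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore",
    "-Djavax.net.ssl.trustStorePassword=secret",
    "org.apache.catalina.startup.Bootstrap",
]

# Assumed rule: a -D property is a secret when its NAME ends in password/passwd/secret.
# Requiring the suffix keeps "...jmxremote.password.file" (a path, not a secret) out.
SECRET_PROP = re.compile(
    r"^-D(?P<key>[\w.]+?(?:password|passwd|secret))=(?P<value>.+)$", re.IGNORECASE)

def find_exposed_secrets(argv):
    """Names of -D properties on argv whose secret values are visible to ps."""
    return [m.group("key") for m in map(SECRET_PROP.match, argv) if m]

def redact(argv):
    """Copy of argv with secret values masked, safe to paste into a ticket or log."""
    return [f"-D{m.group('key')}=***" if (m := SECRET_PROP.match(a)) else a for a in argv]

def scan_proc(proc_root="/proc"):
    """Map pid -> exposed property names for every process whose cmdline is readable.
    /proc/<pid>/cmdline holds argv separated by NUL bytes."""
    hits = {}
    if not os.path.isdir(proc_root):
        return hits          # no procfs here (not Linux): nothing to scan
    for pid in os.listdir(proc_root):
        if not pid.isdigit():
            continue
        try:
            with open(os.path.join(proc_root, pid, "cmdline"), "rb") as f:
                argv = [a.decode("utf-8", "replace") for a in f.read().split(b"\0") if a]
        except OSError:
            continue         # process exited or cmdline not readable
        keys = find_exposed_secrets(argv)
        if keys:
            hits[int(pid)] = keys
    return hits

if __name__ == "__main__":
    print("exposed in sample:", find_exposed_secrets(SAMPLE_ARGV))
    for pid, keys in scan_proc().items():
        print(f"pid {pid}: {', '.join(keys)}")
```

Running it as the tomcat user or as root on the server reports every JVM (not just jsvc) that still carries a password on its command line; the fix it points at is moving those values into a root-readable-only file referenced by a non-secret property, such as the JDK's `com.sun.management.jmxremote.ssl.config.file`, rather than hiding ps from other users.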