Shankar Unni wrote:
> Robert Harper wrote:
>> One thing to think of is that if you have to do that to protect it, then
>> everything else on that system is suspect.
>
> Yeah, yeah. I used to use this argument a lot, too. But that's like
> saying: if your harness isn't secure, then why bother with an
> additional safety net below you? You might as well fall and die..
>
> It's not that obfuscating or encrypting the keystorePass is a
> fool-proof answer, but that it adds an additional step of complexity
> in the way of anyone who might crack your system. Stuff happens. Just
> because a burglar got past your front door doesn't mean that you have
> to lay out your valuables in the foyer..

The problem is that if you encrypt the keystore password somewhere (or
even still embedded in the server.xml file), how do you tell Tomcat how
to decrypt that? In the end, you have to enter a password or other
credential into the system.

A possible-sounding solution would be to have Tomcat start in a
protected mode that requires an admin to connect and enter a password
before TC would allow the webapps to load. But even this would require
that TC be configured to do so, since most would not want this. And if
you can access the filesystem, then you could change that configuration
so that TC would start and NOT require that. You can even change the
Java security policy file. So you'd need to create a forked TC that
always requires the password to be entered. But then again, if they can
access the filesystem, they could just change out the version of TC.

And if they can work on your file system, they can probably insert new
code into the WEB-INF/lib or WEB-INF/classes or any of the JSPs.

And if they can do all that, you probably have no security to begin with.

In the end, a secure version of Tomcat that always required a password
or other credential be provided before it starts, with an encrypted JSP
and configuration file store, etc. would be needed.

David
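
Added example (not part of the original thread, and not Tomcat's own code): since the discussion above turns on who can read or change files on disk, this sketch audits the files that protect the keystore password. It assumes a Unix host, a Connector that carries keystoreFile/keystorePass as attributes in conf/server.xml, and a hypothetical helper name audit_tomcat.

```python
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Mode bits that let accounts other than the owner read or modify a file.
EXPOSED = stat.S_IRGRP | stat.S_IWGRP | stat.S_IROTH | stat.S_IWOTH


def exposed_bits(path):
    """Return the group/other read-write bits set on path (0 if none)."""
    return stat.S_IMODE(os.stat(path).st_mode) & EXPOSED


def audit_tomcat(catalina_base):
    """Return (path, problem) pairs for files that guard the keystore password."""
    findings = []
    server_xml = os.path.join(catalina_base, "conf", "server.xml")
    targets = []
    for conn in ET.parse(server_xml).getroot().iter("Connector"):
        if "keystorePass" in conn.attrib:
            # server.xml itself holds the cleartext password.
            targets.append(server_xml)
        ks = conn.attrib.get("keystoreFile")
        if ks:
            # Assumption: relative keystoreFile paths resolve against CATALINA_BASE.
            targets.append(ks if os.path.isabs(ks) else os.path.join(catalina_base, ks))
    for path in dict.fromkeys(targets):  # de-duplicate, keep order
        if not os.path.exists(path):
            findings.append((path, "missing"))
        elif exposed_bits(path):
            mode = stat.S_IMODE(os.stat(path).st_mode)
            findings.append((path, "mode %o allows group/other access" % mode))
    return findings


if __name__ == "__main__" and len(sys.argv) == 2:
    # Usage: python audit.py /path/to/catalina_base
    for path, problem in audit_tomcat(sys.argv[1]):
        print("%s: %s" % (path, problem))
```

An empty result only means the owner account is the sole reader and writer of those files; it does not check ownership or the webapp directories.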