Luca,

On 4/14/15 1:07 PM, Luca Menegus wrote:
> Hi, I'd like to suggest the addition of an option that would allow reading the keystore password (the password protecting the private key used by secure connectors) from file.
>
> My use case:
>
> I manage Tomcat configuration including server.xml with a Configuration System (Ansible). This allows me to template and store Tomcat configuration in a Source Control System (as I do for other services). The problem is that I need a secure Tomcat connector and the only way to provide a password to protect private keys seems to be to write it in server.xml. Which means that the password ends up being committed to SCM (defeating the purpose of protecting the keystore with a password). If Tomcat could read the password from a file then I could generate it randomly on the target host and store it in a file only Tomcat can read.
>
> I hope my suggestion could be considered and I'm ready to further discuss my use case if further information is required.
>
> Regards, Luca
>
> PS: this has nothing to do with obfuscating the password (which has already been discussed on this list)

This seems reasonable, but you do have another option: a parameterized server.xml that pulls the password value in from another place. Examples include an ant-based build with filtering or external XML entities.

If you'd still like this feature, please open a Bugzilla enhancement request.
https://bz.apache.org/bugzilla/enter_bug.cgi?product=Tomcat%209

-chris
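
Added example, not part of the original messages or of Tomcat: a sketch of the "external XML entities" option from the reply, combined with the random, host-generated password from the request. The entity name, file paths, port and helper function names are assumptions made for illustration.

```python
import os
import secrets
import stat
import tempfile
from xml.sax.saxutils import quoteattr

# server.xml stays in source control and pulls the fragment in through an
# external entity (entity name and path are placeholders for this sketch):
#   <!DOCTYPE server-xml [
#     <!ENTITY tls-connector SYSTEM "file:///opt/tomcat/conf/tls-connector.xml">
#   ]>
#   ... and inside <Service>:  &tls-connector;
# XML does not allow external entities inside attribute values, so the entity
# carries the whole <Connector/> element rather than only the password.
CONNECTOR_TEMPLATE = (
    '<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"\n'
    '           SSLEnabled="true" scheme="https" secure="true"\n'
    '           keystoreFile={keystore} keystorePass={password}/>\n'
)


def new_keystore_password(nbytes=24):
    """Random password generated on the target host; hex needs no XML escaping."""
    return secrets.token_hex(nbytes)


def write_connector_fragment(path, keystore_file, password):
    """Write the fragment atomically with mode 0600 so only its owner can read it."""
    body = CONNECTOR_TEMPLATE.format(
        keystore=quoteattr(keystore_file), password=quoteattr(password))
    directory = os.path.dirname(os.path.abspath(path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".tls-connector.")
    try:
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(tmp, stat.S_IRUSR | stat.S_IWUSR)  # explicit 0600
        os.replace(tmp, path)  # a reader never sees a half-written fragment
    except BaseException:
        os.unlink(tmp)
        raise
    return path


if __name__ == "__main__":
    demo_dir = tempfile.mkdtemp()  # constructed stand-in for Tomcat's conf directory
    out = write_connector_fragment(os.path.join(demo_dir, "tls-connector.xml"),
                                   "conf/keystore.jks", new_keystore_password())
    print(out, oct(stat.S_IMODE(os.stat(out).st_mode)))
```

Run it as the account Tomcat runs under so that the 0600 fragment is readable by Tomcat and nobody else, and use the same generated value when the keystore itself is created.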