Hello,
Hi,
I'd like to suggest the addition of an option that would allow reading the
keystore password (the password protecting the private key used by secure
connectors) from file.
For such things I use a Java define for the Tomcat process:
-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=MyPropertySource
MyPropertySource is my class from a jar in tomcat/lib:
public class MyPropertySource implements
        org.apache.tomcat.util.IntrospectionUtils.PropertySource
{
    @Override
    public String getProperty(String key)
    {
        // some_value: placeholder for the value looked up for this key
        return some_value;
    }
}
So I'm able to read e.g. the database connection string and password from
/etc/myapp.config, and in this class I even decrypt passwords. So
passwords can be encrypted in my config.
In context.xml I write:
<Resource ...
    username="${myapp.db.username}"
    password="${myapp.db.password}"
    ...
/>
My use case:
I manage tomcat configuration including server.xml with a Configuration System
(Ansible).
This allows me to template and store tomcat configuration in a Source Control
System (as I do for other services).
The problem is that I need a secure tomcat connector and the only way to
provide a password to protect private keys seems to be to write it in
server.xml.
Which means that the password ends up being committed to SCM (defeating the
purpose of protecting the keystore with a password).
If tomcat could read the password from a file then I could generate it randomly
on the target host and store it in a file only tomcat can read.
I hope my suggestion could be considered and I'm ready to further discuss my
use case if further information is required.
Regards,
Luca
PS: this has nothing to do with obfuscating the password (which has already
been discussed on this list)
Jan.
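
The PropertySource approach described in the reply, applied to the keystore password use case, as an added example that is not code from either poster or from the Tomcat project. It assumes a POSIX host; the class name FilePropertySource, the system property myapp.secrets.file and the key name in the note below are made up for illustration.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.util.EnumSet;
import java.util.Properties;
import org.apache.tomcat.util.IntrospectionUtils;

// Added example: resolves ${...} placeholders in server.xml / context.xml from a
// file provisioned on the host, keeping secrets out of the templated configuration.
public class FilePropertySource implements IntrospectionUtils.PropertySource {
    // Assumption: "myapp.secrets.file" is a made-up system property name.
    private static final Path FILE =
            Paths.get(System.getProperty("myapp.secrets.file", "/etc/myapp.config"));
    private static final EnumSet<PosixFilePermission> TOO_OPEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);
    private final Properties secrets = new Properties();

    public FilePropertySource() {
        try {
            // Refuse a file that anyone but its owner can read or modify (POSIX only).
            EnumSet<PosixFilePermission> bad = EnumSet.copyOf(TOO_OPEN);
            bad.retainAll(Files.getPosixFilePermissions(FILE));
            if (!bad.isEmpty()) {
                throw new IllegalStateException(FILE + " is too permissive: " + bad);
            }
            try (Reader in = Files.newBufferedReader(FILE)) {
                secrets.load(in);
            }
        } catch (IOException e) {
            // Serve nothing from a file that could not be validated and read.
            throw new IllegalStateException("cannot read " + FILE, e);
        }
    }

    @Override
    public String getProperty(String key) {
        // null means "not defined in this source"; the value is never logged here.
        return secrets.getProperty(key);
    }
}
```

With the jar in tomcat/lib and -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=FilePropertySource set, the connector in server.xml can carry keystorePass="${connector.keystore.pass}" (a constructed key name) while the value lives only in the host-local file. The file can then be generated on the target host with mode 0600 and owned by the Tomcat user, so the templated server.xml committed to SCM contains no secret.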