Hi Jan,

thank you very much for your suggestion: it solves my use case and works like a charm!

Regards,
Luca

----- Original Message -----
> From: "Jan Vávra" <va...@602.cz>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Thursday, April 16, 2015 8:29:38 AM
> Subject: Re: RFE: read keystorePass from file
>
> Hello,
> > Hi,
> > I'd like to suggest the addition of an option that would allow reading the
> > keystore password (the password protecting the private key used by secure
> > connectors) from file.
> For such things I use a Java define for the Tomcat process:
> -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=MyPropertySource
> MyPropertySource is my class from a jar in tomcat/lib:
>
> public class MyPropertySource implements
>         org.apache.tomcat.util.IntrospectionUtils.PropertySource
> {
>
>     @Override
>     public String getProperty(String key)
>     {
>         // some_value: placeholder for the value looked up for this key
>         return some_value;
>     }
> }
>
> So I'm able to read e.g. a database connection string or password from
> /etc/myapp.config, and in this class I even decrypt passwords. So
> passwords can be encrypted in my config.
> In context.xml I write:
>
> <Resource ...
>     username="${myapp.db.username}"
>     password="${myapp.db.password}"
>     ...
> />
>
> >
> > My use case:
> >
> > I manage tomcat configuration including server.xml with a Configuration
> > System (Ansible).
> > This allows me to template and store tomcat configuration in a Source
> > Control System (as I do for other services).
> > The problem is that I need a secure tomcat connector and the only way to
> > provide a password to protect private keys seems to be to write it in
> > server.xml.
> > Which means that the password ends up being committed to SCM (defeating the
> > purpose of protecting the keystore with a password).
> > If tomcat could read the password from a file then I could generate it
> > randomly on the target host and store it in a file only tomcat can read.
> >
> >
> > I hope my suggestion could be considered and I'm ready to further discuss
> > my use case if further information is required.
> >
> > Regards,
> > Luca
> >
> > PS: this has nothing to do with obfuscating the password (which has already
> > been discussed on this list)
> >
> Jan.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
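
An added example, not code from either poster or from the Tomcat project: one way to fill in the `PropertySource` approach described in the thread so that the keystore password comes from a file only the Tomcat user can read. The class name `FilePropertySource`, the property name `connector.keystorePass` and the use of `/etc/myapp.config` as a Java properties file are assumptions; the permission check assumes a POSIX file system.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Collections;
import java.util.EnumSet;
import java.util.Properties;
import java.util.Set;

import org.apache.tomcat.util.IntrospectionUtils;

// Enable with: -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=FilePropertySource
// server.xml then carries only a placeholder (hypothetical property name):
//   keystorePass="${connector.keystorePass}"
public class FilePropertySource implements IntrospectionUtils.PropertySource {

    // Assumed location: the path mentioned in the thread, in java.util.Properties format.
    private static final Path CONFIG = Paths.get("/etc/myapp.config");

    // Any of these bits means someone other than the file owner can read or change the secrets.
    private static final Set<PosixFilePermission> FORBIDDEN = EnumSet.of(
            PosixFilePermission.GROUP_READ, PosixFilePermission.GROUP_WRITE,
            PosixFilePermission.OTHERS_READ, PosixFilePermission.OTHERS_WRITE);

    private final Properties secrets = new Properties();

    // Tomcat instantiates the class by name, so a public no-argument constructor is required.
    public FilePropertySource() {
        try {
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(CONFIG);
            if (!Collections.disjoint(perms, FORBIDDEN)) {
                // Fail at startup instead of silently using a secret others can read.
                throw new IllegalStateException(CONFIG + " must be owner-only, found "
                        + PosixFilePermissions.toString(perms));
            }
            try (Reader in = Files.newBufferedReader(CONFIG, StandardCharsets.UTF_8)) {
                secrets.load(in);
            }
        } catch (IOException e) {
            throw new IllegalStateException("Cannot read " + CONFIG, e);
        }
    }

    @Override
    public String getProperty(String key) {
        // null means this source has no value for the key.
        return secrets.getProperty(key);
    }
}
```

With this in a jar under tomcat/lib, the templated server.xml committed to SCM contains only the placeholder, and the file holding the randomly generated password stays on the target host.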