-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Luca,
On 4/16/15 4:16 PM, Luca Menegus wrote:
> Hi Chris,
>
> let me describe what I'm trying to do in more detail.
>
> Goals:
> * Completely automate tomcat deployment, and make sure deployment is
>   reproducible and testable in different environments (hence we use
>   ansible+git to manage installation and configuration for tomcat)
> * Do not do stupid things (like storing passwords or keys in SCM)
>   just because we want to automate
> * Be as secure as possible

I completely understand.

> (Working) implementation:
>
> I install and configure tomcat with ansible (server.xml is an ansible
> template; on every run ansible re-generates the template and compares
> it to the deployed version, so it needs to be able to read the
> deployed server.xml). Then I generate a random pin file, the keystore
> and the private keys (and related cert requests) with ansible on the
> target host. (Thanks to Jan's suggestion) I can now instruct tomcat
> to read the pin from the pin file. I do not need to store pin/keys in
> SCM....

So what have you bought yourself? If Ansible can templatize
server.xml, why not simply have it enter the auto-generated pin into
the server.xml as it's deployed? I really don't understand why it must
be a separate file.

Does anyone have access to the Tomcat server who should never see the
pin for the keystore? If so, don't give them file-permission access to
the server.xml file.

Are you worried about Tomcat being compromised and revealing the
contents of server.xml? The Tomcat process needs access to the
external pin file, so you haven't protected against this attack,
either.

> I'm running on linux so I can install the following audit rule:
>
> auditctl -w [pin file] -p warx -F auid!=tomcat -F auid!=4294967295
>
> so *at least* I'm sure that access to the pin file made by anybody
> but the tomcat user would be logged (so I know when I was
> compromised and need to rekey the cert)

So why not simply use that rule with server.xml?
> This rule doesn't trigger when I am comparing the deployed server.xml
> with the expected version or the deployed keystore (as to check the
> presence of the key I do not need the key pin).

So you trust Ansible to build out and deploy the server, but not to
read the pin file? Ansible is the *source* of the pin file, so you'd
better trust it.

> It only triggers when I generate the initial pin, somebody
> compromises my box, or I need to renew certs (which are all events I
> like to be informed about)

How do you detect compromise?

> Now back to the tomcat-relevant stuff:
>
> (at least) in my setup I find it valuable to be able to read secrets
> from files I can protect with specific audit rules.

Again, why not simply protect server.xml with such audit rules?

> Jan suggested me a viable (and easily implemented) way to do it [1],
> so I'm ok.

I'm glad he was able to help. Konstantin's suggestion 2 days prior had
the same solution (you just had to follow the link he posted).

> Now the question is, given how easy it is to implement Jan's
> solution, do you think my use case deserves an RFE (something like
> adding a keyPassFile attribute to the Connector)?

I don't yet see a justifiable position of how it improves security in
any way. I'm happy to implement the feature myself if you can explain
how it improves security in any meaningful way.

> I do not know tomcat enough to answer, but if you say so I'll post a
> BUG.

It's definitely an "enhancement" if anything.
> Regards and thanks for your help,
> Luca
>
> [1]
> - Add
>   -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=FilePropertySource
>   to CATALINA_OPTS
> - deploy a jar in tomcat lib with the following class:
>
> import java.io.FileReader;
> import java.io.IOException;
>
> public class FilePropertySource implements
>         org.apache.tomcat.util.IntrospectionUtils.PropertySource {
>
>     @Override
>     public String getProperty(String name) {
>         if (name.startsWith("file://")) {
>             try {
>                 return readFile(name.substring(7));
>             } catch (IOException e) {
>                 throw new RuntimeException(
>                         "Unable to dereference property " + name, e);
>             }
>         }
>         return null;
>     }
>
>     String readFile(String fileName) throws IOException {
>         FileReader br = new FileReader(fileName);
>         try {
>             StringBuilder sb = new StringBuilder();
>             char[] buff = new char[4096];
>             int read = -1;
>             while ((read = br.read(buff)) != -1) {
>                 sb.append(buff, 0, read);
>             }
>             return sb.toString();
>         } finally {
>             br.close();

This finally block can throw an NPE. Also note that an IOException
thrown from br.close() can cause any in-flight exception to be lost.
>         }
>     }
> }
>
> - in server.xml use it like ${file:///bla/bla/bla}

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJVMKDMAAoJEBzwKT+lPKRYkEAP+gNOF42ZJdVZh5Ut++fS7kJt
8/yaZxO9D1xgyRbjolUDsTH/ERVL8NGd6Y4DnWOJ5N0cbuC1WtSVQTffGJx4CQu3
F6ljizu1yyyzWUFedFunqWB4zBZB4UwOifwOQZXS/sEtLk23eeazuKf/xpBLM3yK
Xq6GjwJDr+y/zmDMMqu2eXV74WnHU1OEkzhKlr14419lCOr/ij1TEK0o6UabfISx
J4KR414pT7ry9yYQVtLR/FLh6MDeExuCnO2XHN+U7jQs8K1lRlqCi72cnHU3a3xs
ojv7d89sNTAQef5iQ6OywQzo3yntebvEsGYRRDlEBIzrz7WPubv3FLY8fvh6cKUV
Gk3mCJSeTTTbqpmgyaT1nsmBCzMLFPOmOmkIwi4VfHIqYWnXrlYswt9m8CN2rFlt
cHQrmp+e/vwY9AtLlZGG46GgktThcMoJej+m2iR4MtxJE/ixEa4FPnyQrvp0KLMa
xnZDx0VzV5fI/ZR4j9WMVBXK1LnrjbZs8RQb0uRskXGjq45lzcvvteYNBHyeCmN0
4hfzpR4pQCeND1e3Z2ID2mX7I19JsYmy01dMjC6tH27KARhPlaMlwzQmb+kUzjIj
N7FxaIXtIUfVRN1vtAZ8e+ek8NKT/JUBYnZPzB3ZYjXQex1G12jTxhg24V3KMJdK
2OjsAlZmAc/lxkZvdYWe
=UPJf
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
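A hardened variant of the FilePropertySource quoted in the thread, added here as an illustration; it is not code from the thread's participants or from Tomcat itself. It keeps the same contract (a `${file:///absolute/path}` placeholder in server.xml, resolved through the real `org.apache.tomcat.util.IntrospectionUtils.PropertySource` interface and enabled with the same `-Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE` setting), but addresses the two review points made above: the reader is closed with try-with-resources, so a failure in close() is attached as a suppressed exception rather than replacing the one already in flight, and there is no finally block that can run on a reader that was never opened. It also strips a single trailing line terminator, which is a practical caveat for this use case: a pin written by a shell redirect usually ends in a newline, and without trimming that newline silently becomes part of the keystore password. The rejection of relative paths and the newline trimming are my additions and are not part of the posted snippet.

```java
import java.io.IOException;
import java.io.Reader;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import org.apache.tomcat.util.IntrospectionUtils;

/**
 * Resolves ${file:///absolute/path} placeholders in server.xml to the
 * contents of that file, e.g.
 *
 *   keystorePass="${file:///etc/tomcat/keystore.pin}"
 *
 * Enable with
 *   -Dorg.apache.tomcat.util.digester.PROPERTY_SOURCE=FilePropertySource
 * in CATALINA_OPTS and place the compiled class in $CATALINA_BASE/lib.
 * (Added example; the absolute-path check and newline trimming are
 * assumptions of this example, not behaviour of the snippet in the thread.)
 */
public class FilePropertySource implements IntrospectionUtils.PropertySource {

    private static final String PREFIX = "file://";

    @Override
    public String getProperty(String name) {
        if (name == null || !name.startsWith(PREFIX)) {
            // Not ours; returning null lets Tomcat fall back to its
            // default lookup (system properties) for this placeholder.
            return null;
        }
        Path path = Paths.get(name.substring(PREFIX.length()));
        if (!path.isAbsolute()) {
            // A relative path would resolve against Tomcat's working
            // directory, which is easy to misconfigure and may be writable
            // by less trusted users; insist on an absolute path.
            throw new IllegalArgumentException(
                    "Refusing relative path in property " + name);
        }
        try {
            return readSecret(path);
        } catch (IOException e) {
            // Report the path, never the file contents, in the error.
            throw new IllegalStateException(
                    "Unable to dereference property " + name, e);
        }
    }

    /**
     * Reads the whole file as UTF-8 and strips one trailing line
     * terminator. try-with-resources closes the reader even when read()
     * throws; if close() then fails too, that IOException is recorded as a
     * suppressed exception on the original one instead of masking it.
     */
    static String readSecret(Path path) throws IOException {
        StringBuilder sb = new StringBuilder();
        char[] buf = new char[4096];
        try (Reader r = Files.newBufferedReader(path, StandardCharsets.UTF_8)) {
            int n;
            while ((n = r.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
        }
        return stripTrailingNewline(sb.toString());
    }

    /** Removes exactly one trailing "\r\n", "\n" or "\r", if present. */
    static String stripTrailingNewline(String s) {
        if (s.endsWith("\r\n")) {
            return s.substring(0, s.length() - 2);
        }
        if (s.endsWith("\n") || s.endsWith("\r")) {
            return s.substring(0, s.length() - 1);
        }
        return s;
    }
}
```

Nothing here changes the trust argument made in the reply: the Tomcat process still has to read the pin file, so the file's permissions and any auditctl watch on it deserve exactly the same scrutiny as server.xml would.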