2018-01-23 16:14 GMT+03:00 Peter Kreuser <l...@kreuser.name>:
> BTW:
>
>> On 23.01.2018 at 13:56, Peter Kreuser <l...@kreuser.name> wrote:
>>
>> Algirdas,
>>
>>> On 23.01.2018 at 13:27, Algirdas Veitas <apvei...@gmail.com> wrote:
>>>
>>> Andre, my apologies for bringing up a topic that has been repeated ad
>>> nauseam.
>>>
>>> We were thinking of a process like the following, which would eliminate
>>> "the information has to be available somewhere in a file" on the actual server
>>> where Tomcat is running.
>>>
>>>> cd $TOMCAT_HOME/bin
>>>> set +o history
>>>> export DB_USERNAME=xyz
>>>> ./startup.sh
>>> ..... once the process has started
>>>> unset DB_USERNAME
>>>> set -o history
>>>
>>> This process does not eliminate the need to store the values of sensitive
>>> information. But by supporting environment variables, one could eliminate
>>> using catalina.properties or -DDB_USERNAME, which exposes the information
>>> on the server. In our case, operations would get the data from a secure
>>> vault and then run the above scripts. I suppose we could get the same
>>> effect by modifying catalina.properties, starting the server and then
>>> clearing catalina.properties, until the next restart...
>>
>> Where would you put that script with the text?
>> Well, if you use a secure vault, then that script would have to know the
>> password to the full secure vault...
>>
>> You get a feel for the problem?
>>
>> Run Tomcat in a dedicated service user, make the conf only readable for him
>> and restrict the access to the user's home/tomcat dirs...
>>
>> The admins of the server will have access to all the information anyhow. But
>> any other users around will not be able to read the conf; even the java opts
>> of the process will be invisible.
>>
>> Just my 2cts.
>>
>> Peter
>
> The command-line parameters (-D) are also in the Tomcat logs, thus probably in
> your backups and archives.
>
VersionLoggerListener can also be configured to log the environment variables
with logEnv="true". It is not the default setting though.

> ad nauseam.

The FAQ page:
https://wiki.apache.org/tomcat/FAQ/Password

Best regards,
Konstantin Kolinko

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org