Hello Alex, thanks for the clarification. Now I got the topic.
I don't think that you can use a path there. The options I have in mind are:
- Use properties: https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
- Remove password or set it to the same password. This won't decrease security in my opinion.

Greetings, Thomas

> -----Original Message-----
> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
> Sent: Wednesday, 18 January 2023 20:28
> To: 'Tomcat Users List' <users@tomcat.apache.org>
> Subject: RE: Password in Tomcat 9.x
>
> Hoi Thomas
>
> Thanks for your feedback.
>
> I checked - here I can give you the following.
>
> I have a webserver certificate (p12) stored on the filesystem. It has the p12.pwd also at this location. Owner and group are well protected from other technical users.
>
> Now, the config file where the webserver cert is used is the server.xml.
>
> Inside there:
>
> clientAuth="true" sslProtocol="TLS"
> keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
> keystorePass="PASSWORD"
> truststore="TRUSTSTORE_CERTIFICATE.jks"
> truststorePass="PASSWORD"
> sslEnable="True"
> protocol="org.apache.coyote.http11.Http11Prococol"
>
> Now I would like to remove the PASSWORD from the keystorePass and put in there the path to the pwd of the webserver certificate. Same also for the truststore.
>
> - Is that possible? If yes, how is that to be done?
>
> Thanks for your feedback.
>
> Regards
> Alex
>
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.INVALID>
> Sent: Wednesday, 18 January 2023 07:12
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Password in Tomcat 9.x
>
> Hello Alex,
> I usually remove the password on the p12 file via openssl.
> Protecting with password and writing the password in clear text somewhere doesn't improve security much I think.
> Dunno if this is a possible way to go for you.
> Greetings,
> Thomas
> ________________________________
> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
> Sent: Tuesday, 17 January 2023 21:01:00
> To: 'Tomcat Users List'
> Subject: RE: Password in Tomcat 9.x
>
> Hoi Thomas
>
> Received also from Mark an email where he requested an example of the web.xml. Will provide you this tomorrow. Below is what I wrote him.
>
> Regards
> Alex
>
> #
> #
> #
> Hi Mark
>
> I will provide a config example tomorrow. Let you know the details.
>
> I have them on the other machine.
>
> In general it is like that - we have a webserver certificate (p12), which we use to have the https protocol. The certificate comes together with a p12.pwd file and this password of the certificate is stored in the web.xml.
> I want now to remove this password by configuring just the path to this file.
>
> In case someone renews the certificate, the restart of tomcat can be done anytime as always the correct password is used.
>
> Regards
> Alexander
> #
> #
> #
>
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH) <thomas.hoffm...@speed4trade.com.INVALID>
> Sent: Tuesday, 17 January 2023 19:19
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: RE: Password in Tomcat 9.x
>
> Hello Alex,
> I am not sure what your goal is.
> Webserver certificate (with private key) is used for encryption / ssl / tls.
> Password is used for user authentication and in web.xml you only specify the auth method, not any passwords. Or do you plan auth with client certificates?
>
> Greetings, Thomas
> ________________________________
> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
> Sent: Tuesday, 17 January 2023 18:34:15
> To: users@tomcat.apache.org
> Subject: Password in Tomcat 9.x
>
> Hello together
>
> I would like to understand, when implementing passwords into web.xml, then I would like NOT to implement a password, I want to include the path to a certificate (p12.pwd). I want to basically avoid changing the password in the configuration all the time when I renew my webserver certificate.
>
> Which version of Tomcat 9.x is able to do this? Is it foreseen that 9.x can do this?
>
> If no 9.x can do, which other Tomcat can do this?
>
> Thank you
>
> Alexander Grubner
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
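One way to combine the "use properties" option from the top reply with the wish to keep the password only in the p12.pwd file, as an added example that is not part of the thread or of Tomcat itself: Tomcat replaces `${name}` in server.xml with the Java system property of that name, so a startup helper can read the password files and pass them as `-D` options. The property names `keystore.pass` and `truststore.pass`, the function names and the paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Meant to be sourced from
# $CATALINA_BASE/bin/setenv.sh; server.xml then uses
#   keystorePass="${keystore.pass}" truststorePass="${truststore.pass}"
# Property names, function names and paths are assumptions.

# read_secret FILE: print the first line of FILE. Fails if the file is
# missing, empty, accessible by group/other, or contains whitespace.
read_secret() {
    f=$1
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "read_secret: cannot read $f" >&2; return 1
    fi
    # Characters 5-10 of the ls mode string are the group/other bits.
    perms=$(ls -ld -- "$f" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "read_secret: $f is accessible by group/other" >&2; return 1
    fi
    secret=
    # read fails on a missing final newline but still fills the variable.
    IFS= read -r secret < "$f" || [ -n "$secret" ] || {
        echo "read_secret: $f is empty" >&2; return 1
    }
    case $secret in
        ''|*[[:space:]]*)
            # Also catches a trailing CR from a Windows-edited file.
            echo "read_secret: $f is empty or has whitespace" >&2; return 1 ;;
    esac
    printf '%s\n' "$secret"
}

# tls_store_opts KEYSTORE_PWD_FILE TRUSTSTORE_PWD_FILE: print the -D
# options. The values end up on the JVM command line, so they can be
# visible in the process list to local users on the Tomcat host.
tls_store_opts() {
    ks=$(read_secret "$1") || return 1
    ts=$(read_secret "$2") || return 1
    printf '%s %s\n' "-Dkeystore.pass=$ks" "-Dtruststore.pass=$ts"
}

# In setenv.sh (placeholder paths):
#   CATALINA_OPTS="$CATALINA_OPTS $(tls_store_opts \
#       /PATH_TO_THE_CERTIFICATE/CERT.p12.pwd /PATH_TO/TRUSTSTORE.pwd)"
```

With this in place, renewing the certificate only requires replacing the .p12 and its .pwd file and restarting Tomcat; server.xml stays unchanged.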