Thank you Chris, I will read that. Best Alex
-----Original Message-----
From: Christopher Schultz <ch...@christopherschultz.net>
Sent: Saturday, 21 January 2023 16:11
To: users@tomcat.apache.org
Subject: Re: AW: AW: Password in Tomcat 9.x

Alex,

On 1/19/23 13:33, a.grub...@bluewin.ch wrote:
> I asked Thomas as well, if he knows if this could be solved with
> placing the path to the file - in my opinion, this is an easy, safe
> possibility to allocate any certs. That would be very helpful to have
> such tomcat.

You could use an XML entity for this purpose. Tomcat specifically
enables XML entity expansion to allow for such things.

Also, one of the solutions I presented allows you to use files on the
disk. Please read about the service binding property source. I think
it's *precisely what you are requesting*.

-chris

> -----Original Message-----
> From: Christopher Schultz <ch...@christopherschultz.net>
> Sent: Wednesday, 18 January 2023 23:30
> To: users@tomcat.apache.org
> Subject: Re: AW: Password in Tomcat 9.x
>
> Thomas and Alex,
>
> On 1/18/23 16:03, Thomas Hoffmann (Speed4Trade GmbH) wrote:
>> Hello Alex,
>>
>> thanks for the clarification. Now I got the topic.
>>
>> I don't think that you can use a path there.
>>
>> The options I have in mind are:
>> - Use properties:
>> https://stackoverflow.com/questions/11926181/environment-system-variables-in-server-xml
>> - Remove password or set it to the same password.
>> This won't decrease security in my opinion.
>
> +1 the easiest way to do this IMO is to simply remove the password from
> the key store.
>
> Yet another option is to use the
> org.apache.tomcat.util.digester.ServiceBindingPropertySource "property
> source". Check out
> https://tomcat.apache.org/tomcat-9.0-doc/config/systemprops.html and
> read about "property replacements". I think you can achieve your goals
> using that plus your files on the disk as-is.
>
> Hope that helps,
> -chris
>
>>> -----Original Message-----
>>> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
>>> Sent: Wednesday, 18 January 2023 20:28
>>> To: 'Tomcat Users List' <users@tomcat.apache.org>
>>> Subject: AW: Password in Tomcat 9.x
>>>
>>> Hi Thomas
>>>
>>> Thanks for your feedback.
>>>
>>> I checked - here I can give you the following.
>>>
>>> I have a webserver certificate (p12) stored on the filesystem. It
>>> has the p12.pwd also in this location. Owner and group are well
>>> protected from other technical users.
>>>
>>> Now, the config file, where the webserver cert is used is in the server.xml.
>>>
>>> Inside there:
>>>
>>> clientAuth="true" sslProtocol="TLS"
>>> keystorefile="PATH_TO_THE_CERTIFICATE/CERT.p12"
>>> keystorePass="PASSWORD"
>>> truststore="TRUSTSTORE_CERTIFICATE.jks"
>>> truststorePass="PASSWORD"
>>> sslEnable="True"
>>> protocol="org.apache.coyote.http11.Http11Prococol"
>>>
>>> Now I would like to remove the PASSWORD from the keystorePass and
>>> put in there the path to the pwd of the webserver certificate. Same
>>> also for the truststore.
>>>
>>> - Is that possible? If yes, how is that to be done?
>>>
>>> Thanks for your feedback.
>>>
>>> Regards
>>> Alex
>>>
>>> -----Original Message-----
>>> From: Thomas Hoffmann (Speed4Trade GmbH)
>>> <thomas.hoffm...@speed4trade.com.INVALID>
>>> Sent: Wednesday, 18 January 2023 07:12
>>> To: Tomcat Users List <users@tomcat.apache.org>
>>> Subject: AW: Password in Tomcat 9.x
>>>
>>> Hello Alex,
>>> I usually remove the password on the p12 file via openssl.
>>> Protecting with password and writing the password in clear text
>>> somewhere doesn't improve security much I think.
>>> Dunno if this is a possible way to go for you.
>>> Greetings,
>>> Thomas
>>> ________________________________
>>> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
>>> Sent: Tuesday, 17 January 2023 21:01:00
>>> To: 'Tomcat Users List'
>>> Subject: AW: Password in Tomcat 9.x
>>>
>>> Hi Thomas
>>>
>>> Received also from Mark an email where he requested an example of
>>> the web.xml. Will provide you this tomorrow. Below is what I wrote him.
>>>
>>> Regards
>>> Alex
>>>
>>> #
>>> #
>>> #
>>> Hi Mark
>>>
>>> I will provide a config example tomorrow. Let you know the details.
>>>
>>> I have them on the other machine.
>>>
>>> In general it is like that - we have a webserver certificate (p12),
>>> which we use to have the https protocol. The certificate comes
>>> together with a p12.pwd file and this password of the certificate is stored
>>> in the web.xml.
>>> I want now to remove this password by configuring just the path to this
>>> file.
>>>
>>> In case someone renews the certificate, the restart of tomcat can be
>>> done anytime as always the correct password is used.
>>>
>>> Regards
>>> Alexander
>>> #
>>> #
>>> #
>>>
>>> -----Original Message-----
>>> From: Thomas Hoffmann (Speed4Trade GmbH)
>>> <thomas.hoffm...@speed4trade.com.INVALID>
>>> Sent: Tuesday, 17 January 2023 19:19
>>> To: Tomcat Users List <users@tomcat.apache.org>
>>> Subject: AW: Password in Tomcat 9.x
>>>
>>> Hello Alex,
>>> I am not sure what your goal is.
>>> Webserver certificate (with private key) is used for encryption / ssl / tls.
>>> Password is used for user authentication and in web.xml you only
>>> specify the auth method, not any passwords. Or do you plan auth with client
>>> certificates?
>>>
>>> Greetings, Thomas
>>> ________________________________
>>> From: a.grub...@bluewin.ch <a.grub...@bluewin.ch>
>>> Sent: Tuesday, 17 January 2023 18:34:15
>>> To: users@tomcat.apache.org
>>> Subject: Password in Tomcat 9.x
>>>
>>> Hello together
>>>
>>> I would like to understand, when implementing passwords into
>>> web.xml, then I would like NOT to implement a password, I want to
>>> include the path to a certificate (p12.pwd). I want to basically
>>> avoid, changing all the time the password, when I renew my webserver
>>> certificate in the configuration.
>>>
>>> Which version of Tomcat 9.x is able to do this? Will it be foreseen,
>>> that 9.x can do this?
>>>
>>> If no 9.x can do, which other Tomcat can do this?
>>>
>>> Thank you
>>>
>>> Alexander Grubner
>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
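
The `ServiceBindingPropertySource` approach named in the thread, sketched as an added configuration example (not code from the thread or from the Tomcat project). The binding name `tls`, the file names, the port and every path are assumptions; the connector is written with `SSLHostConfig`/`Certificate` elements rather than the attributes quoted in the thread.

```xml
<!-- Added example. Assumed one-time setup (all names and paths hypothetical):

     conf/catalina.properties:
       org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.ServiceBindingPropertySource

     Environment of the Tomcat process (for example in bin/setenv.sh):
       SERVICE_BINDING_ROOT=/opt/tomcat/bindings

     Password files, readable only by the Tomcat service account:
       /opt/tomcat/bindings/tls/keystorePassword     (content of the .p12.pwd file)
       /opt/tomcat/bindings/tls/truststorePassword
-->

<!-- Before: both passwords sit in clear text in server.xml -->
<Connector port="8443" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/TRUSTSTORE_CERTIFICATE.jks"
                 truststorePassword="PASSWORD">
    <Certificate certificateKeystoreFile="PATH_TO_THE_CERTIFICATE/CERT.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="PASSWORD" />
  </SSLHostConfig>
</Connector>

<!-- After: ${binding.key} is replaced at startup by the content of
     $SERVICE_BINDING_ROOT/<binding>/<key>; server.xml holds no secret.
     "chomp:" drops one trailing newline from the file content. -->
<Connector port="8443" SSLEnabled="true"
           protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig certificateVerification="required"
                 truststoreFile="conf/TRUSTSTORE_CERTIFICATE.jks"
                 truststorePassword="${chomp:tls.truststorePassword}">
    <Certificate certificateKeystoreFile="PATH_TO_THE_CERTIFICATE/CERT.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${chomp:tls.keystorePassword}" />
  </SSLHostConfig>
</Connector>
```

The password is read when the configuration is parsed, so a renewed certificate with a new password file is picked up on the next Tomcat restart without editing server.xml. If the Tomcat release in use does not document the `chomp:` prefix, write the password files without a trailing newline and omit it.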