> On Aug 3, 2024, at 06:28, MOHAMMED Bahauddin N
> <bahauddin.moham...@hexagon.com.INVALID> wrote:
>
> I have a request related to the Keystore password in Apache Tomcat's
> 'server.xml' file. Currently, the password under the Connector port is
> displayed in plain text,

Displayed to whom?

> which is a security concern.

No, it’s not - as long as you have properly secured the Tomcat configuration files. They should be accessible only by the userid Tomcat runs with and the Tomcat administrator (if using a different userid). No other users should have any access.

> I am looking to encrypt it through configuration (not through any code). I
> have reviewed the information provided in the link below, which mentions
> configuration tips, but I don't understand some of these (apart from the XML
> encoding).
>
> https://cwiki.apache.org/confluence/display/TOMCAT/Password

The point of the article is that attempting to encrypt the Tomcat configuration entries is … pointless. There will have to be a decryption key saved somewhere that Tomcat has access to; if any other users have access to that key, you’ve just wasted a lot of time and effort for no gain. Much more efficient to expend that effort in securing the Tomcat files.

- Chuck
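
The file-access rule in the reply above (only the Tomcat userid and the Tomcat administrator may read the configuration) can be checked with a short script. This is an added example, not part of the original thread or of Tomcat; the directory and account passed in are assumptions, and group access is left alone on the assumption that the administrator is granted access through the files' group.

```shell
#!/bin/sh
# Added example: audit a Tomcat configuration directory for access by
# accounts other than the Tomcat userid (and its group).
# Assumed usage: sh audit.sh "$CATALINA_BASE/conf" tomcat
# ("tomcat" is an assumed account name; use the userid Tomcat runs with.)

# audit_conf DIR OWNER
# Prints one line per finding. Returns 0 if clean, 1 if anything was
# found, 2 if DIR is not a directory.
audit_conf() {
    dir=$1 owner=$2
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }

    # Any read, write or execute bit for "other" lets unrelated local
    # accounts reach the file. Symlinks are skipped because their own
    # mode bits are not what the kernel enforces.
    world=$(find "$dir" ! -type l \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print)

    # Files or directories not owned by the Tomcat userid.
    foreign=$(find "$dir" ! -type l ! -user "$owner" -print)

    [ -n "$world" ] && printf '%s\n' "$world" | sed 's/^/OTHER-ACCESS /'
    [ -n "$foreign" ] && printf '%s\n' "$foreign" | sed 's/^/WRONG-OWNER /'

    [ -z "$world" ] && [ -z "$foreign" ]
}

# lock_conf DIR
# Removes all access for "other" below DIR; owner and group bits are
# left unchanged.
lock_conf() {
    chmod -R o-rwx "$1"
}

# When run as a script with two arguments, audit that directory.
if [ "$#" -eq 2 ]; then
    audit_conf "$1" "$2"
fi
```

A non-zero exit status from the audit makes it usable as a deployment or cron check; `lock_conf` fixes only the OTHER-ACCESS findings, while ownership problems need `chown` by an administrator.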