If you wanted to go down this path, besides the web page for entering
the password, you could add sending alerts to the cells of all your
sysadmins to improve the probability of the password being entered in
a timely manner. Perhaps Tomcats in clusters could obtain the
password from their brethren.

On Aug 27, 2010, at 9:22 AM, David Kerber wrote:

On 8/27/2010 9:02 AM, Wesley Acheson wrote:
...
I've been giving this whole issue a lot of thought, and not just now
but for months now. I was wondering if the following was possible in
theory: when Tomcat is started up, it prompts for the password?
Wouldn't that help with the whole smoke and mirrors situation?

If you can always be sure somebody is available when Tomcat is
restarted, I would think that would work to prevent having any
clear-text passwords on disk anywhere. It would be really easy to have a
single web page where the administrator could go to enter the
password after a restart, and there are some checks you could do to
help make that fairly secure (i.e. if the password has already been
entered, don't allow anybody to enter it again, etc).
Essentially you'd be trading possible downtime for a little more
security, but only you can make the decision as to whether that's an
appropriate tradeoff for your app.
D
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
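
The "entered once, then locked" check discussed in this thread, as an added example that is not code from the thread or from Tomcat. The class name `StartupSecret` and its methods are hypothetical; the entry page would call `offer`, and the component that needs the password would call `await`.

```java
import java.util.Arrays;
import java.util.concurrent.CountDownLatch;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicBoolean;

/** Hypothetical set-once holder for a password typed in by an operator after a restart. */
public final class StartupSecret {
    private final AtomicBoolean claimed = new AtomicBoolean(false);
    private final CountDownLatch ready = new CountDownLatch(1);
    private volatile char[] secret; // kept in memory only, never written to disk

    /** Called by the entry page. Returns false once a password has already been accepted. */
    public boolean offer(char[] candidate) {
        if (candidate == null || candidate.length == 0) {
            return false; // an empty submission must not use up the single slot
        }
        // compareAndSet makes "first submission wins" safe under concurrent requests.
        if (!claimed.compareAndSet(false, true)) {
            Arrays.fill(candidate, '\0'); // wipe the rejected copy
            return false;
        }
        secret = candidate.clone();
        Arrays.fill(candidate, '\0'); // wipe the caller's copy
        ready.countDown();
        return true;
    }

    /** Called by the component that needs the password; waits until it has been entered. */
    public char[] await(long timeout, TimeUnit unit) throws InterruptedException {
        if (!ready.await(timeout, unit)) {
            throw new IllegalStateException("password not entered within timeout");
        }
        return secret.clone();
    }

    public static void main(String[] args) throws Exception {
        StartupSecret holder = new StartupSecret();
        // Constructed sample values, for demonstration only.
        System.out.println("first offer accepted:  " + holder.offer("constructed-sample".toCharArray()));
        System.out.println("second offer accepted: " + holder.offer("second-attempt".toCharArray()));
        System.out.println("secret length: " + holder.await(1, TimeUnit.SECONDS).length);
    }
}
```

This sketch accepts the first non-empty submission without verifying it, so a deployment would still need to validate the value against the resource it unlocks and restrict who can reach the entry page.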