> -----Original Message-----
> From: David kerber [mailto:dcker...@verizon.net]
> Sent: Thursday, September 02, 2010 9:37 AM
> To: Tomcat Users List
> Subject: Re: clear text keystore password in server.xml
>
> On 9/2/2010 11:28 AM, Christopher Schultz wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > Luca,
> >
> > On 8/30/2010 2:42 AM, Luca Gervasi wrote:
> >> I'm working to secure this, but...it's not too easy (and I'm surely not
> >> a skilled programmer...).
> >>
> >> But I hope this topic will be kept up!
> >
> > There is virtually nothing you can do about this. The only solutions
> > here are:
> >
> > 1. Use a password entered on the console during start-up (the "Apache
> > httpd strategy")
>
> Or a minor variant of this, such as entering the pwd on a secure web
> page just after startup, though this has other disadvantages.

And how would this page be secured since you wouldn't have SSL capability at that point?

> > 2. Remove the password from the keystore
> >
> > Removing the password from the keystore is just about as (in)secure as
> > having the password in server.xml in plain-text.
> >
> > All other strategies simply move the problem to some other component.
> > Protecting one password requires another password which requires
> > protecting which ... you get the idea.

George Sexton
MH Software, Inc.
303 438-9585
www.mhsoftware.com

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
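Added example (not from this thread, and not Tomcat's own code): what option 1 above, the "Apache httpd strategy", looks like in Java. The keystore password is read from the console at start-up with `Console.readPassword()` instead of being stored as a `keystorePass` attribute in server.xml, the keystore is loaded with it, and the `char[]` is overwritten as soon as the load is done. The keystore path, the class name `ConsoleKeystoreLoader` and the method `loadWithConsolePassword` are assumptions made for the illustration.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;

/**
 * Added example (not from the mailing-list thread or from Tomcat): load a
 * keystore with a password typed on the console at start-up rather than a
 * password kept in a configuration file.
 */
public final class ConsoleKeystoreLoader {

    /** Placeholder path; a real deployment would take this from configuration. */
    private static final String KEYSTORE_PATH = "/path/to/keystore.p12"; // hypothetical

    /**
     * Prompts for the keystore password on the console, loads the keystore
     * of the given type (e.g. "PKCS12" or "JKS") and wipes the password
     * from memory afterwards.
     */
    public static KeyStore loadWithConsolePassword(String path, String type)
            throws IOException, GeneralSecurityException {
        Console console = System.console();
        if (console == null) {
            // No interactive console (e.g. started as a daemon/service):
            // fail closed instead of silently falling back to a password
            // read from a file, which would defeat the purpose.
            throw new IllegalStateException(
                    "no console available to read the keystore password");
        }
        // readPassword() does not echo and returns a char[] that can be wiped.
        char[] password = console.readPassword("Keystore password for %s: ", path);
        try {
            KeyStore ks = KeyStore.getInstance(type);
            try (InputStream in = new FileInputStream(path)) {
                ks.load(in, password);
            }
            return ks;
        } finally {
            // Overwrite the password as soon as the load is finished; a
            // String could not be cleared this way.
            Arrays.fill(password, '\0');
        }
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : KEYSTORE_PATH;
        KeyStore ks = loadWithConsolePassword(path, "PKCS12");
        System.out.println("Loaded keystore with " + ks.size() + " entries");
    }
}
```

The limits of this approach match what the thread says: the password no longer sits on disk, but the decrypted private keys still live in the process memory for as long as the server runs, and an unattended restart is impossible without an operator at the console, which is the trade-off the httpd approach has always carried.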