On 25 Mar 2012, at 06:25, Brian Hand <handbri...@gmail.com> wrote:

> Hello all
>
> I have been working on getting JMX working with SSL and client-side
> authentication on Tomcat. All is working well in this regard.
> However, I noticed that if I do a "ps -ef | grep jsvc" on the CentOS Linux
> server, I get the output below (yes, the password has been changed). My
> question is simply: is there a way to pass in the keystore password and
> truststore password through jsvc in such a manner that it isn't in clear
> text in a process list output? Or, more to the point, am I being overly
> paranoid that the keystore and truststore passwords are in the clear if you
> do a process listing on the server? I have taken steps to ensure that only
> the tomcat user is able to read from both the keystore and truststore files,
> and the tomcat user is not allowed direct logins on the machine. The only
> way you can become the tomcat user is via "su - tomcat" from another user.
>
> I tried setting the parameters via the CATALINA_OPTS environment variable;
> however, it seems that the jsvc process doesn't evaluate it unless I include
> it as part of my startup command line. However, if I do this, I get the
> process table output below.
The jsvc wrapper launches Tomcat itself, ignoring the tomcat/bin scripts.

> Is there any way to not show these passwords in the clear and support the SSL
> configuration capabilities that are set up?

Yes.

1. Add all of those properties to the end of catalina.properties.

2. Download the catalina-jmx-remote.jar and configure the listener it
   contains in server.xml.

> Thanks in advance
> Brian
>
> ps -ef | grep jsvc
>
> root 14973 1 0 23:51 ? 00:00:00 jsvc.exec -pidfile /var/run/jsvc.pid
>   -cp /usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar
>   -user tomcat -Xmx512m -Xms512m
>   -outfile /usr/local/apache/logs/catalina.out
>   -errfile /usr/local/apache/logs/catalina.err
>   -Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password
>   -Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access
>   -Dcom.sun.management.jmxremote.authenticate=true
>   -Dcom.sun.management.jmxremote.ssl=true
>   -Dcom.sun.management.jmxremote.registry.ssl=true
>   -Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore
>   -Djavax.net.ssl.keyStorePassword=secret
>   -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
>   -Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore
>   -Djavax.net.ssl.trustStorePassword=secret
>   org.apache.catalina.startup.Bootstrap
>
> tomcat 14974 14973 42 23:51 ? 00:00:02 jsvc.exec -pidfile /var/run/jsvc.pid
>   -cp /usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar
>   -user tomcat -Xmx512m -Xms512m
>   -outfile /usr/local/apache/logs/catalina.out
>   -errfile /usr/local/apache/logs/catalina.err
>   -Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password
>   -Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access
>   -Dcom.sun.management.jmxremote.authenticate=true
>   -Dcom.sun.management.jmxremote.ssl=true
>   -Dcom.sun.management.jmxremote.registry.ssl=true
>   -Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore
>   -Djavax.net.ssl.keyStorePassword=secret
>   -Dcom.sun.management.jmxremote.ssl.need.client.auth=true
>   -Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore
>   -Djavax.net.ssl.trustStorePassword=secret
>   org.apache.catalina.startup.Bootstrap

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
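The two steps in the reply above, plus the check that motivated the question, as an added example that is not part of the thread and not Tomcat's own code. The POSIX shell script below (1) flags every -D option on a command line whose property name is a credential, which is exactly what "ps -ef" exposes, (2) rewrites all -D options as catalina.properties lines, and (3) emits the JmxRemoteLifecycleListener element for server.xml. The sample command line is constructed from Brian's ps output; the paths, the placeholder password "secret" and the RMI ports 10001/10002 are assumptions for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat.
#  secret_d_options        - the check: -D options carrying credentials
#  d_options_to_properties - step 1: every -D option as a catalina.properties line
#  server.xml.listener     - step 2: JmxRemoteLifecycleListener from
#                            catalina-jmx-remote.jar, which opens the JMX
#                            connector after catalina.properties is loaded
# Assumed: paths from Brian's ps output, "secret" as placeholder, ports 10001/10002.

# Constructed sample: the jsvc command line from the thread as one string.
SAMPLE_CMDLINE="jsvc.exec -pidfile /var/run/jsvc.pid -user tomcat -Xmx512m -Xms512m"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Dcom.sun.management.jmxremote.authenticate=true"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Dcom.sun.management.jmxremote.ssl=true"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Dcom.sun.management.jmxremote.registry.ssl=true"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Djavax.net.ssl.keyStorePassword=secret"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Dcom.sun.management.jmxremote.ssl.need.client.auth=true"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE -Djavax.net.ssl.trustStorePassword=secret"
SAMPLE_CMDLINE="$SAMPLE_CMDLINE org.apache.catalina.startup.Bootstrap"

# One argument per line. /proc/<pid>/cmdline separates arguments with NUL,
# ps output with spaces; both are normalised here.
split_args() {
    printf '%s' "$1" | tr '\0' ' ' | tr -s ' ' '\n'
}

# The check: -D options whose property NAME ends in password/passphrase/secret.
# "jmxremote.password.file=..." is a path, not a credential, and is not flagged.
# Prints nothing (and succeeds) when the command line is clean.
secret_d_options() {
    split_args "$1" | grep -E '^-D[^=]*([Pp]ass(word|phrase)|[Ss]ecret)=' || true
}

# Step 1: "-Dname=value" -> "name=value", ready to append to catalina.properties.
# -X flags are JVM options, not properties, and stay on the jsvc command line.
d_options_to_properties() {
    split_args "$1" | sed -n 's/^-D//p'
}

# Same check against every process readable from /proc. Anything printed
# here is visible to every local account through ps (unless /proc is
# mounted with hidepid=2).
scan_running_processes() {
    for cmd in /proc/[0-9]*/cmdline; do
        found=$(secret_d_options "$(tr '\0' ' ' < "$cmd" 2>/dev/null)")
        [ -n "$found" ] && printf '%s\n%s\n' "$cmd" "$found"
    done
    return 0
}

# Worked run on the constructed sample; output files go to a temp directory.
OUT=$(mktemp -d)

echo "Credentials exposed on the command line:"
secret_d_options "$SAMPLE_CMDLINE"

# Step 1. Tomcat copies catalina.properties into the System properties at
# startup, so the listener below sees them. Keep the file 0600, owned by tomcat.
d_options_to_properties "$SAMPLE_CMDLINE" > "$OUT/catalina.properties.append"
chmod 0600 "$OUT/catalina.properties.append"

# Step 2. Listener element for server.xml; the jar goes in $CATALINA_HOME/lib.
# With it in place the jsvc command line carries no -Dcom.sun.management.* at all.
cat > "$OUT/server.xml.listener" <<'EOF'
<Listener className="org.apache.catalina.mbeans.JmxRemoteLifecycleListener"
          rmiRegistryPortPlatform="10001" rmiServerPortPlatform="10002" />
EOF

echo "Wrote $OUT/catalina.properties.append and $OUT/server.xml.listener"
```

Two caveats for anyone applying this. Do not leave com.sun.management.jmxremote.port on the command line once the listener is configured: that property starts the JVM's built-in JMX agent at boot, before catalina.properties has been read, so it would still need the javax.net.ssl.* passwords as command-line -D options. And moving the passwords into catalina.properties only helps if that file has the same ownership and mode as the keystore and truststore; run scan_running_processes after the restart to confirm the process list is clean.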