Pid
Worked like a champ. Thank you once again.
Brian
On 3/25/2012 2:40 AM, Pid * wrote:
On 25 Mar 2012, at 06:25, Brian Hand<handbri...@gmail.com> wrote:
Hello all
I have been working with getting JMX working with SSL with client-side authentication working
on Tomcat. All is working well in this regard. However, I noticed that if I do a
"ps -ef | grep jsvc" on the CentOS Linux server, I get the below output (yes,
the password has been changed). My question is simply, is there a way to pass in the
keystore password and truststore password through jsvc in such a manner where it isn't in
clear text on a process list output? Or more to the point, am I being overly paranoid
that the keystore and truststore passwords are in the clear if you do a process listing
on the server? I have taken steps to ensure that only the tomcat user is able to read
from both the keystore and truststore files and the tomcat user is not allowed direct
logins on to the machine. The only way you can become a tomcat user is via su - tomcat
from another user.
I tried setting the parameters via the CATALINA_OPTS environment variable,
however it seems that the jsvc process doesn't evaluate it unless I include it
as part of my startup command line. However, if I do this, I get the process
table output below.
The jsvc wrapper launches Tomcat itself, ignoring the tomcat/bin scripts.
Is there any way to not show these passwords in the clear and support the SSL
configuration capabilities that are set up?
Yes.
1. Add all of those properties to the end of catalina.properties.
2. Download the catalina-jmx-remote.jar and configure the listener it
contains in server.xml.
p
Thanks in advance
Brian
ps -ef | grep jsvc
root 14973 1 0 23:51 ? 00:00:00 jsvc.exec -pidfile
/var/run/jsvc.pid -cp
/usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar -user
tomcat -Xmx512m -Xms512m -outfile /usr/local/apache/logs/catalina.out -errfile
/usr/local/apache/logs/catalina.err
-Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore
-Djavax.net.ssl.keyStorePassword=secret
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore
-Djavax.net.ssl.trustStorePassword=secret org.apache.catalina.startup.Bootstrap
tomcat 14974 14973 42 23:51 ? 00:00:02 jsvc.exec -pidfile
/var/run/jsvc.pid -cp
/usr/local/apache/bin/bootstrap.jar:/usr/local/apache/bin/tomcat-juli.jar -user
tomcat -Xmx512m -Xms512m -outfile /usr/local/apache/logs/catalina.out -errfile
/usr/local/apache/logs/catalina.err
-Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password
-Dcom.sun.management.jmxremote.access.file=/usr/local/apache/conf/jmxremote.access
-Dcom.sun.management.jmxremote.authenticate=true
-Dcom.sun.management.jmxremote.ssl=true
-Dcom.sun.management.jmxremote.registry.ssl=true
-Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore
-Djavax.net.ssl.keyStorePassword=secret
-Dcom.sun.management.jmxremote.ssl.need.client.auth=true
-Djavax.net.ssl.trustStore=/usr/local/apache/conf/jmxtruststore
-Djavax.net.ssl.trustStorePassword=secret org.apache.catalina.startup.Bootstrap
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
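A check for the exposure discussed in this thread, as an added example that is not part of the original messages: it scans process argument lists for -D properties whose name suggests a secret and reports the PID and property name without printing the value. The function names and the sample lines are constructed for illustration; the sample is modeled on the listing above with a placeholder value.

```shell
#!/bin/sh
# Added example (not from the thread): flag JVM -D properties that expose a
# secret in the process list. Input is "<pid> <args...>" per line, as produced
# by: ps -e -o pid= -o args=
# Output is "<pid> <property-name>" per finding; the value is never printed.
find_cmdline_secrets() {
    awk '
    {
        pid = $1
        for (i = 2; i <= NF; i++) {
            # Only -Dname=value arguments with a non-empty value matter.
            if ($i !~ /^-D[^=]+=./) continue
            eq = index($i, "=")
            name = substr($i, 3, eq - 3)
            lname = tolower(name)
            # Properties such as ...password.file hold a path, not a secret.
            if (lname ~ /\.file$/) continue
            if (lname ~ /(password|passphrase|secret)/) print pid, name
        }
    }'
}

# Constructed sample: passwords passed on the jsvc command line.
sample_before() {
cat <<'EOF'
14973 jsvc.exec -pidfile /var/run/jsvc.pid -user tomcat -Dcom.sun.management.jmxremote.password.file=/usr/local/apache/conf/jmxremote.password -Djavax.net.ssl.keyStore=/usr/local/apache/conf/jmxkeystore -Djavax.net.ssl.keyStorePassword=placeholder -Djavax.net.ssl.trustStorePassword=placeholder org.apache.catalina.startup.Bootstrap
EOF
}

# Constructed sample: the same process once the properties are no longer
# given as command-line arguments.
sample_after() {
cat <<'EOF'
14973 jsvc.exec -pidfile /var/run/jsvc.pid -user tomcat org.apache.catalina.startup.Bootstrap
EOF
}

echo "before:"; sample_before | find_cmdline_secrets
echo "after:";  sample_after  | find_cmdline_secrets
# On a live server: ps -e -o pid= -o args= | find_cmdline_secrets
```

An empty result from the live command means no password-like property is visible to other users through the process list.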