How can I encrypt the keystorepass in Tomcat

Ravi Shankar shared this question 9 days ago
Awaiting Reply

Hi

I have seen a post about encrypting the password in web.xml. Will the same steps work for keystorePass in "appserver/conf/server.xml"?

Refer to: https://community.yellowfinbi.com/topic/how-can-i-re-encrypt-my-yellowfin-db-password-in-the-web-xml#comment-19076


Pasting a sample XML tag from the server.xml file.

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" maxHttpHeaderSize="8192" maxThreads="150" sslEnabledProtocols="TLSv1.2"
    minSpareThreads="25" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" URIEncoding="UTF-8"
    keystoreFile="${catalina.home}/conf/tomcat.key"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    keystorePass="TEST"
/>

Comments (4)

Hello Ravi,

Thank you for reaching out with this question.

The server.xml isn't Yellowfin, but Tomcat. This being said, I am unsure if you can functionally encrypt this in a similar way as the password within the web.xml file. I would suggest looking into the Tomcat documentation to clarify this further. If you do encrypt this, I should note that we have no way of guaranteeing that Yellowfin will continue to work.

Please let me know if you have any further questions regarding this.

Thanks,

Jared

Hi Jared

Tomcat is integrated with YF. In my opinion, the YF team should work on this and provide the necessary information/steps to encrypt the password. This should be part of your integration testing.

YF must work with both plain text and encrypted passwords.

Hello Ravi,

I looked into ways to encrypt the server.xml keystore and found this: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password . Within this article are a few suggestions on how this might be enabled.

I will reach out to my team to see if anyone has worked with this before and has any insight to share.

Thanks,

Jared

Hello Ravi,

I apologize for the delay in my response.

Did the suggestion provided help?

While we do ship with Tomcat, it's still a 3rd party web server which we didn't make. We may not be familiar with configuring Tomcat, however we're happy to help as much as we can in terms of modifying Tomcat to support this.

I could raise an enhancement for us to look at making changes to the Tomcat we ship with to support certain configuration changes. To do so I would need a use case to present to the development team.

I would also like to verify if this is a client requirement or something being implemented and tested for internal purposes.

Please let me know if this is something you would like.

Thanks,

Jared