How can I encrypt the keystorepass in Tomcat

Ravi Shankar shared this question 4 months ago
Answered

Hi

I have seen a post on encrypting the password in web.xml. Will the same steps work for keystorePass in "appserver/conf/server.xml"?


refer >> https://community.yellowfinbi.com/topic/how-can-i-re-encrypt-my-yellowfin-db-password-in-the-web-xml#comment-19076


Pasting sample xml tag from server.xml file.


<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
    sslProtocol="TLS" maxHttpHeaderSize="8192" maxThreads="150" sslEnabledProtocols="TLSv1.2"
    minSpareThreads="25" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" URIEncoding="UTF-8"
    keystoreFile="${catalina.home}/conf/tomcat.key"
    ciphers="TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_3DES_EDE_CBC_SHA"
    keystorePass="TEST"
/>

Comments (6)

1

Hello Ravi,

Thank you for reaching out with this question.

The server.xml isn't Yellowfin, but Tomcat. That being said, I am unsure if you can functionally encrypt this in a similar way to the password within the web.xml file. I would suggest looking into the Tomcat documentation to clarify this further. If you do encrypt this, I should note that we have no way of guaranteeing that Yellowfin will continue to work.

Please let me know if you have any further questions regarding this.

Thanks,

Jared

1

Hi Jared

Tomcat is integrated with YF; in my opinion the YF team should work on this and provide the necessary information/steps to encrypt the password. This should be part of your integration testing.

YF must work with both plain text and encrypted passwords.

1

Hello Ravi,

I looked into ways to encrypt the server.xml keystore and found this: https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password . Within this article are a few suggestions on how this might be enabled.

I will reach out to my team to see if anyone has worked with this before and has any insight to share.

Thanks,

Jared

1

Hello Ravi,

I apologize for the delay in my response.

Did the suggestion provided help?

While we do ship with Tomcat, it's still a 3rd party web server which we didn't make. We may not be familiar with configuring Tomcat, however we're happy to help as much as we can in terms of modifying Tomcat to support this.

I could raise an enhancement for us to look at making changes to the Tomcat we ship with to support certain configuration changes. To do so I would need a use case to present to the development team.

I would also like to verify if this is a client requirement or something being implemented and tested for internal purposes.

Please let me know if this is something you would like.

Thanks,

Jared

1

Hello Ravi,

Hope you're having a good week.

Just wanted to check in and see how it's all going. Was there anything you were needing from me to help get this resolved?


Regards,

Jared

1

Jared, thanks for the help.

Please close this for now; I will reach out to you again if any help is needed.

1

Hello Ravi,

As per your request, I will mark this ticket as complete for now.

If you run into any issues with this please feel free to reopen this ticket.

Thanks,

Jared