0

I want to migrate from Tomcat 6 to Tomcat 9. There is a problem in Tomcat 6, which is that the resource passwords are in plain text. Is there a method to encrypt them in Tomcat 9?

An example of the resource is:

    <Resource name="jdbc/HasanDB" auth="Container" type="javax.sql.DataSource"
              maxTotal="10" maxIdle="15" minIdle="3" initialSize="2" maxWaitMillis="10000"
              removeAbandonedOnBorrow="true" removeAbandonedTimeout="300"
              username="hasan" password="hasanpass" driverClassName="com.mysql.jdbc.Driver"
              url="jdbc:mysql://localhost:3306/HasanDB"/>

If there is no encryption method available, could some software be used to feed the passwords when Tomcat starts?

Hasan
  • Does this answer your question? [how to encrypt password of server.xml in tomcat 7](https://stackoverflow.com/questions/37053880/how-to-encrypt-password-of-server-xml-in-tomcat-7) – Mark Rotteveel Aug 20 '21 at 08:06

2 Answers

3

This even has its own section in the Tomcat FAQ. Basically: Encryption of the password would be snake oil - you can only make it slightly harder for people to get access to the password.

The FAQ gives several options, my favorite part of it is where they suggest the encryption methods that can easily be used in a custom, password-encrypting, implementation:

XOR and ROT13 are great candidates for this since their strength matches the protection you'll actually get.

If, even after the warnings from the FAQ, you still would like to take some action, check the Tomcat Vault.

Olaf Kock
  • I've read that already, but I do not know if this applies to the Tomcat 9 (it can have a better way) and also I do not know how to implement it. – Hasan Aug 10 '17 at 11:52
  • 1) The FAQ talks about the general lack of security, which is unchanged. It only *looks* like it's more secure, but you should worry about something else. 2) "how to implement *it*" - which of the non-recommended options in the FAQ are you talking about? 3) a simple way with just encoding a password can be found in the answers to this question: https://stackoverflow.com/questions/16194052 – Olaf Kock Aug 10 '17 at 12:18
  • I have made the implementation, but it does not read the method setKeystorePass – Hasan Aug 11 '17 at 13:04
  • Of course you'll have to adopt this, and encode your password this way - the question is about encoding the password for the keystore, while you want to encode your database password. `password="chiks"` would be one of the possible outcomes that you can try – Olaf Kock Aug 14 '17 at 16:39
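To address the last question in the post (feeding the password in at start-up instead of storing it in the XML), here is an added example, not code from this page or from Tomcat, of a custom JNDI factory for the DBCP2 pool that Tomcat 9 ships. It assumes the Resource is changed to `factory="EnvPasswordDataSourceFactory"` with a made-up `passwordEnv="HASANDB_PASSWORD"` attribute in place of `password="..."`, that the compiled class is on Tomcat's class path (a jar in `lib/`), and that the service manager or `setenv.sh` exports that variable to the Tomcat process.

```java
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.StringRefAddr;
import org.apache.tomcat.dbcp.dbcp2.BasicDataSourceFactory;

/**
 * JNDI factory (hypothetical) that keeps the JDBC password out of context.xml.
 * The Resource declares passwordEnv="HASANDB_PASSWORD" (attribute name chosen
 * here, not a Tomcat one); the secret is read from the Tomcat process
 * environment, which setenv.sh or the service manager populates at startup.
 */
public class EnvPasswordDataSourceFactory extends BasicDataSourceFactory {

    private static final String PASSWORD_ENV = "passwordEnv";

    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (!(obj instanceof Reference)) return null;   // nothing to resolve
        Reference ref = (Reference) obj;
        RefAddr envAddr = ref.get(PASSWORD_ENV);
        if (envAddr == null) {
            throw new IllegalStateException(PASSWORD_ENV + " missing on " + name);
        }
        String secret = System.getenv((String) envAddr.getContent());
        if (secret == null || secret.isEmpty()) {
            // Fail closed rather than start with an empty password.
            throw new IllegalStateException("environment variable "
                    + envAddr.getContent() + " is not set for " + name);
        }
        // Drop our custom attribute (DBCP2 warns about unknown properties) and any
        // literal password left in the XML, then hand DBCP2 the real one.
        removeAddr(ref, PASSWORD_ENV);
        removeAddr(ref, "password");
        ref.add(new StringRefAddr("password", secret));
        return super.getObjectInstance(ref, name, nameCtx, environment);
    }

    // Remove every RefAddr of this type; walk backwards so indices stay valid.
    private static void removeAddr(Reference ref, String type) {
        for (int i = ref.size() - 1; i >= 0; i--) {
            if (type.equals(ref.get(i).getType())) ref.remove(i);
        }
    }
}
```

This only moves the secret out of a file that is often world-readable or checked into backups; whoever can read the Tomcat process environment (the Tomcat user, root) can still recover it, which is exactly the FAQ's point above.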
-1

Tomcat comes with a script that allows us to encrypt passwords. This script is called digest.bat on Windows or digest.sh on Linux and can be found in the bin directory. With this we can specify the encryption algorithm that we want to use – here we’re using SHA-256 – and we enter the text we want to encrypt:

    CATALINA_HOME/bin/digest.[bat|sh] -a {algorithm} {cleartext-password}

Example:

    CATALINA_HOME/bin>digest.sh -a sha-256 hasanpass

dot
  • This tool hashes the passwords, but when they are hashed, could they be used in server.xml? See here: https://wiki.apache.org/tomcat/FAQ/Password – Hasan Aug 10 '17 at 11:56
  • And all it does is print the result on standard output. – user207421 Aug 10 '17 at 12:09