[CARBON-13743] Key store password of catalina-server.xml can not be secure with Secure vault
Created: 30/Jul/12    Updated: 11/Mar/15    Resolved: 11/Mar/15
Status: Resolved
Project: WSO2 Carbon
Component/s: None
Affects Version/s: 4.0.0
Fix Version/s: 4.0.0, 4.4.0
Type: Bug
Priority: Highest
Reporter: Asela Pathberiya
Assignee: Kishanthan Thangarajah
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Severity: Blocker
Estimated Complexity: Moderate
Test cases added: Yes
Description
catalina-server.xml is not a Carbon configuration file; therefore secure vault cannot support it by default. However, we can fix this by modifying the input stream of the catalina-server.xml file that is fed to Tomcat.
Comments
Comment by Asela Pathberiya [ 30/Jul/12 ]
Fixed in r 135660
Comment by Kishanthan Thangarajah [ 10/Mar/15 ]
Reopening this to verify the secure vault support for catalina-server.xml with kernel release 4.4.0.
Comment by Kishanthan Thangarajah [ 11/Mar/15 ]
Secure vault does have support for encrypting keystorePassword in catalina-server.xml (r135660). But the cipher-tool needs some improvement, as it has the following issue.
Once we configure the file (catalina-server.xml) using cipher-tool, we can see that the secret alias is being added. But the value of keystorePass still remains as "wso2carbon". This should get changed to "password".
<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="200" acceptorThreadCount="2"
    bindOnInit="false" clientAuth="false" compressableMimeType="text/html,text/javascript,application/xjavascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image
    compression="on" compressionMinSize="2048" connectionUploadTimeout="120000" disableUploadTimeout="
    enableLookups="false" keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
    keystorePass="wso2carbon" maxHttpHeaderSize="8192"
    maxKeepAliveRequests="200" maxThreads="250" minSpareThreads="50" noCompressionUserAgents="gozilla, traviata"
    port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true"
    server="WSO2 Carbon Server" sslProtocol="TLS"
    svns:secretAlias="Server.Service.Connector.keystorePass">password</Connector>
The actual reason is that this is the only file (maybe the first one) where we need to encrypt the value of an XML attribute. In other config files, we had to encrypt the value of an XML node element.
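The attribute-versus-element distinction raised in this comment, together with the "modify the input stream fed to Tomcat" approach from the description, as an added Python example that is not WSO2's cipher-tool or Carbon code: mark_secret does what cipher-tool is expected to do for an alias (add svns:secretAlias and replace the secret, whether attribute value or element text, with "password"), and resolve_secrets mimics putting the real value back before the XML reaches Tomcat. The svns namespace URI and the trimmed sample XML are assumptions.

```python
import xml.etree.ElementTree as ET
# Namespace of svns:secretAlias (assumption: the xmlns:svns URI declared in Carbon config files).
SVNS = "http://org.wso2.securevault/configuration"
ET.register_namespace("svns", SVNS)
ALIAS_ATTR = "{%s}secretAlias" % SVNS
PLACEHOLDER = "password"  # literal cipher-tool leaves in place of the real secret
# Constructed, trimmed-down catalina-server.xml; not the real file.
SAMPLE_XML = ('<Server><Service name="Catalina"><Connector port="9443" '
              'keystoreFile="wso2carbon.jks" keystorePass="wso2carbon"/></Service></Server>')

def _locate(root, alias):
    """Walk e.g. Server.Service.Connector.keystorePass; return (element, attribute name or None)."""
    parts = alias.split(".")
    if parts[0] != root.tag:
        raise ValueError("alias must start at root element %r" % root.tag)
    node = root
    for i, name in enumerate(parts[1:], start=1):
        child = node.find(name)
        if child is None:
            # Last segment that is not a child element but an attribute: the attribute case.
            if i == len(parts) - 1 and name in node.attrib:
                return node, name
            raise ValueError("cannot resolve alias segment %r" % name)
        node = child
    return node, None

def mark_secret(xml_text, alias):
    """What cipher-tool should do: add svns:secretAlias AND replace the secret itself."""
    root = ET.fromstring(xml_text)
    node, attr = _locate(root, alias)
    node.set(ALIAS_ATTR, alias)
    if attr:
        node.set(attr, PLACEHOLDER)  # attribute value (the case reported above as unhandled)
    else:
        node.text = PLACEHOLDER      # element text (the case the other config files use)
    return ET.tostring(root, encoding="unicode")

def resolve_secrets(xml_text, secrets):
    """Mimics rewriting the stream fed to Tomcat: put the real value back at every alias."""
    root = ET.fromstring(xml_text)
    for node in root.iter():
        alias = node.get(ALIAS_ATTR)
        if alias is None:
            continue
        attr = alias.rsplit(".", 1)[-1]
        if attr in node.attrib and node.get(attr) == PLACEHOLDER:
            node.set(attr, secrets[alias])
        elif node.text == PLACEHOLDER:
            node.text = secrets[alias]
    return ET.tostring(root, encoding="unicode")
```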
Comment by Kishanthan Thangarajah [ 11/Mar/15 ]
Resolving this and created to track the improvement/issue mentioned above with cipher-tool.
Generated at Wed Feb 10 11:08:28 IST 2016 using JIRA 6.0.1#6096sha1:e4a48bd73c6b8a4d99c824976ce5808b4c85857d.