[CARBON-13743] Key store password of catalina-server.xml can not be secure with Secure vault

Created: 30/Jul/12  Updated: 11/Mar/15  Resolved: 11/Mar/15

Status: Resolved
Project: WSO2 Carbon
Component/s: None
Affects Version/s: 4.0.0
Fix Version/s: 4.0.0, 4.4.0

Type: Bug
Priority: Highest
Reporter: Asela Pathberiya
Assignee: Kishanthan Thangarajah
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Severity: Blocker
Estimated Complexity: Moderate
Test cases added: Yes

Description

catalina-server.xml is not a Carbon configuration file; therefore Secure Vault cannot support this by default. However, we can fix this by modifying the input stream of the catalina-server.xml file that is fed to Tomcat.

Comments

Comment by Asela Pathberiya [ 30/Jul/12 ]
Fixed in r135660

Comment by Kishanthan Thangarajah [ 10/Mar/15 ]
Reopening this to verify the Secure Vault support for catalina-server.xml with kernel release 4.4.0.

Comment by Kishanthan Thangarajah [ 11/Mar/15 ]
Secure Vault does have support for encrypting keystorePassword in catalina-server.xml (r135660). But the cipher-t needs some improvement as it has the following issue. Once we configure the file (catalina-server.xml) using cipher-tool, we can see that the secret alias is being added, but the value of keystorePass still remains as "wso2carbon". This should get changed to "password".

<Connector SSLEnabled="true" URIEncoding="UTF-8" acceptCount="200" acceptorThreadCount="2" bindOnInit="false" clientAuth="false" compressableMimeType="text/html,text/javascript,application/xjavascript,application/javascript,application/xml,text/css,application/xslt+xml,text/xsl,image/gif,image/jpg,image compression="on" compressionMinSize="2048" connectionUploadTimeout="120000" disableUploadTimeout=" enableLookups="false" keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks" keystorePass="wso2carbon" maxHttpHeaderSize="8192" maxKeepAliveRequests="200" maxThreads="250" minSpareThreads="50" noCompressionUserAgents="gozilla traviata" port="9443" protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https" secure="true" server="WSO2 Carbon Server" sslProtocol="TLS" svns:secretAlias="Server.Service.Connector.keystorePass">password</Connector>

The actual reason is that this is the only file (maybe the first one) where we need to encrypt the value of an XML attribute. In other config files, we had to encrypt the value of the XML node element.

Comment by Kishanthan Thangarajah [ 11/Mar/15 ]
Resolving this and created to track the improvement/issue mentioned above with cipher-tool.
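
An added example, not part of the issue thread or of WSO2's code: a Python check that flags the state described in the 11/Mar/15 comment, where a Connector has svns:secretAlias set but its keystorePass attribute still holds a literal instead of the "password" placeholder. The namespace URI bound to svns, the extra connectors in the sample and the status strings are assumptions made for this illustration.

```python
import xml.etree.ElementTree as ET

# Assumption: namespace URI bound to the svns prefix in the sample below.
SVNS = "http://org.wso2.securevault/configuration"
ALIAS_ATTR = "{%s}secretAlias" % SVNS
PLACEHOLDER = "password"  # value the 11/Mar/15 comment expects after cipher-tool

# Constructed sample: port 9443 is reduced from the Connector quoted in the
# issue; the other three connectors are made up to cover the remaining cases.
SAMPLE = """<Server xmlns:svns="http://org.wso2.securevault/configuration">
  <Service name="Catalina">
    <Connector port="9763" protocol="org.apache.coyote.http11.Http11NioProtocol"/>
    <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="${carbon.home}/repository/resources/security/wso2carbon.jks"
               keystorePass="wso2carbon"
               svns:secretAlias="Server.Service.Connector.keystorePass">password</Connector>
    <Connector port="9444" SSLEnabled="true"
               keystorePass="password"
               svns:secretAlias="Server.Service.Connector.keystorePass"/>
    <Connector port="9445" SSLEnabled="true" keystorePass="changeit"/>
  </Service>
</Server>"""


def audit_connectors(xml_text):
    """Return (port, status) for every Connector that carries keystorePass."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        secret = conn.get("keystorePass")
        if secret is None:
            continue  # no keystore configured on this connector
        alias = conn.get(ALIAS_ATTR)
        if alias is None:
            status = "plaintext-no-alias"  # never processed by the tool
        elif secret != PLACEHOLDER:
            status = "alias-set-but-plaintext-remains"  # state from the issue
        else:
            status = "ok"
        findings.append((conn.get("port"), status))  # never echo the secret
    return findings


if __name__ == "__main__":
    for port, status in audit_connectors(SAMPLE):
        print(port, status)
```
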