Encrypting Tomcat passwords in the server.xml file

You can add extra security to your Crowd instance by encrypting passwords used to configure the connectors in the Tomcat’s server.xml file.

はじめる前に

The solution outlined below provides a level of protection for encrypting passwords in the server.xml file, but does not offer complete security. Crowd still needs to use the plain-text passwords to connect to your database, so your configuration will contain all the information needed to decrypt the password. An attacker could act as Crowd to obtain the password. We recommend that you additionally secure the server where Crowd and its database reside.

Protocols used by Crowd

Crowd provides the following protocols that extend the Tomcat protocols with support for password encryption. You will need to choose one of those protocols in the server.xml file.

Select to view the list of protocols...
Crowd protocol

Tomcat プロトコルに基づく

Supported attributes for password encryption

com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption


Http11NioProtocol
  • KeystorePass

  • KeyPass

  • SSLPassword

  • TruststorePass

com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption
Http11Nio2Protocol
  • KeystorePass

  • KeyPass

  • SSLPassword

  • TruststorePass

com.atlassian.secrets.tomcat.protocol.Http11AprProtocolWithPasswordEncryption
Http11AprProtocol
  • KeystorePass

  • KeyPass

  • SSLPassword

  • TruststorePass

com.atlassian.secrets.tomcat.protocol.AjpNioProtocolWithPasswordEncryption
AjpNioProtocol
  • シークレット

com.atlassian.secrets.tomcat.protocol.AjpNio2ProtocolWithPasswordEncryption
AjpNio2Protocol
  • シークレット

com.atlassian.secrets.tomcat.protocol.AjpAprProtocolWithPasswordEncryption
AjpAprProtocol
  • シークレット

Encrypt and use the passwords in the server.xml file

Complete the following steps to encrypt your passwords, and then use them in the server.xml file.

Encrypt your passwords

To encrypt your passwords:

  1. <Crowd-installation-directory> に移動します。

  2. 次のコマンドを実行します。 

    java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool
  3. When prompted, enter the password you want to encrypt.

結果

The encryption tool will generate two files: encryptedPassword_*** and encryptionKey_***. Move those files to a safe location accessible by Crowd. If you’re running a multi-node Crowd configuration, the files must be in a directory accessible by all nodes, for example <Crowd-home-directory>/shared/.

Reusing the encryption key

All encrypted passwords that you’ll provide for a single connector in the server.xml file need to be encrypted using the same encryptionKey. To reuse the encryptionKey created by the encryption tool, you can run the following command:

java -jar crowd-tomcat-encryption-utils-<your crowd version>.jar <path to encryptionKey_***>

This command will also prompt you for a password and then encrypt this password using the same encryptionKey

Use your encrypted passwords in the server.xml file

To use the encrypted passwords in your Tomcat configuration, you need to specify the following properties for the connector:

  • protocol - use one of the protocols listed above

  • encryptionKey - specify a path to the encryptionKey file

Then, you can provide the path to the encrypted password files instead of plain-text passwords in the Tomcat configuration.

The following snippet shows an example configuration that uses the Http11NioProtocolWithPasswordEncryption protocol with the encrypted keystore and key passwords:

<Connector 
port="8443"
protocol="com.atlassian.secrets.tomcat.protocol.Http11NioProtocolWithPasswordEncryption"

(...)

keystoreFile="/var/secrets/keystore/keystore"
keystorePass="/var/secrets/keystore/encryptedKeystorePass"
keyAlias="tomcat" 
keyPass="/var/secrets/keystore/encryptedKeyPass"
productEncryptionKey="/var/secrets/encryptionKey"
/>

Note that, as mentioned earlier, you must use the same encryptionKey_*** to encrypt all passwords used for a specific connector, as you can specify only one encryption key. Different connectors can use different keys and protocols.

最終更新日 2024 年 7 月 11 日

この内容はお役に立ちましたか?

はい
いいえ
この記事についてのフィードバックを送信する
Powered by Confluence and Scroll Viewport.