By default the SSL keystore password is stored in plain text in the server.xml file.
For example:
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/tomcat/.keystore" keystorePass="password"
           clientAuth="false" sslProtocol="TLS"/>
If required, we can implement our own encryption to protect this password. This post does not explain encryption or decryption itself; it shows how to hook a decryption step into the point where Tomcat reads the keystore password.
Software:
- Eclipse (Optional)
- JDK 8
- Apache Tomcat 7
- Apache Maven
Steps
- Add the following dependency to the Maven project
<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-coyote</artifactId>
    <version>7.0.42</version>
    <scope>provided</scope>
</dependency>
Note that the scope of the dependency is "provided": the jar built from this project will be placed in the "tomcat/lib/ext" directory, and the tomcat-coyote jar is already available in Tomcat's lib directory.
- Create a new class Http11Nio2Protocol which extends org.apache.coyote.http11.Http11NioProtocol.
public class Http11Nio2Protocol extends org.apache.coyote.http11.Http11NioProtocol {
    @Override
    public void setKeystorePass(String encryptedKeystorePass) {
        // The value received here is the keystorePass attribute from server.xml, i.e. the encrypted one.
        // TODO: decryption logic goes here; replace this assignment with the decrypted value
        String keystorePass = encryptedKeystorePass;
        super.setKeystorePass(keystorePass);
    }
}
- Once the decryption logic is in place, build the jar file of this project and place it in the "tomcat/lib/ext" directory. If the decryption uses any additional dependencies, add those jar files as well. Tomcat only loads jars from the directories listed in common.loader in conf/catalina.properties, and lib/ext is not in the default list, so add it there (or use tomcat/lib directly).
- Update the server.xml file: set the protocol attribute to the class created above and change the value of keystorePass to the encrypted value.
<!-- protocol names the new class (fully qualified if it is in a package) -->
<Connector protocol="Http11Nio2Protocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/opt/tomcat/.keystore" keystorePass="ENCRYPTED_PASSWORD"
           clientAuth="false" sslProtocol="TLS"/>
<!-- Define an AJP 1.3 Connector on port 8009 -->
<Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
- Restart the Tomcat server.
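A complete version of the override, added here as an example and not the post's own code: it decrypts an AES-GCM value written as ENC(base64) in server.xml and passes plain values through unchanged. Everything beyond the post is an assumption: the ENC( ) marker, a raw AES key (16 or 32 bytes) kept in a root-only file whose path is given by the system property tomcat.keystorepass.keyfile (set in CATALINA_OPTS), and the class living in the default package so that protocol="Http11Nio2Protocol" selects it.

```java
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.*;

public class Http11Nio2Protocol extends org.apache.coyote.http11.Http11NioProtocol {
    private static final String PREFIX = "ENC(";   // marks an encrypted value in server.xml
    private static final int IV_BYTES = 12, TAG_BITS = 128;
    // Assumed: raw AES key (16 or 32 bytes) in a root-only file; path from this property, default shown.
    private static final String KEY_PROP = "tomcat.keystorepass.keyfile";

    @Override
    public void setKeystorePass(String value) {
        // Plain values pass through unchanged, so the connector still starts during migration.
        if (value != null && value.startsWith(PREFIX) && value.endsWith(")")) {
            value = decrypt(value.substring(PREFIX.length(), value.length() - 1));
        }
        super.setKeystorePass(value);
    }

    private static SecretKeySpec loadKey() throws Exception {
        String path = System.getProperty(KEY_PROP, "/etc/tomcat/keystorepass.key");
        return new SecretKeySpec(Files.readAllBytes(Paths.get(path)), "AES");
    }

    // Decrypts base64(iv || ciphertext || tag); GCM authentication rejects a tampered value.
    static String decrypt(String encoded) {
        try {
            byte[] blob = Base64.getDecoder().decode(encoded);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_BYTES));
            return new String(c.doFinal(blob, IV_BYTES, blob.length - IV_BYTES), StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new IllegalStateException("keystorePass could not be decrypted", e);
        }
    }

    // Offline helper: prints the ENC(...) value to paste into server.xml for the given password.
    public static void main(String[] args) throws Exception {
        byte[] iv = new byte[IV_BYTES];
        new java.security.SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(args[0].getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_BYTES + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_BYTES);
        System.arraycopy(ct, 0, blob, IV_BYTES, ct.length);
        System.out.println(PREFIX + Base64.getEncoder().encodeToString(blob) + ")");
    }
}
```

This moves the secret out of server.xml, which tends to end up in backups and configuration repositories, into a separately permissioned key file; anyone who can read both files still recovers the password, so the key file's permissions are what the protection rests on.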