
Apache Tomcat – Encrypting keystore password

Posted on August 23, 2018December 10, 2023 By sastrija

By default, the SSL keystore password is stored as plain text in the server.xml file.

For example:

<Connector
protocol="org.apache.coyote.http11.Http11NioProtocol"
port="8443" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
keystoreFile="/opt/tomcat/.keystore"
keystorePass="password"
clientAuth="false" sslProtocol="TLS"/>

If required, we can implement our own encryption to protect this password. This post does not explain the encryption/decryption itself; it shows how to hook decryption into the point where Tomcat reads the keystore password.

Software:

  • Eclipse (Optional)
  • JDK 8
  • Apache Tomcat 7
  • Apache Maven

Steps

  1. Add the following dependency to the Maven project
    <dependency>
      <groupId>org.apache.tomcat</groupId>
      <artifactId>tomcat-coyote</artifactId>
      <version>7.0.42</version>
      <scope>provided</scope>
    </dependency>

    Note that the scope of the dependency is “provided”, since we will be placing the jar file of this project inside the “tomcat/lib/ext” directory and the tomcat-coyote jar file is already available inside the lib directory.

  2. Create a new class Http11Nio2Protocol which extends org.apache.coyote.http11.Http11NioProtocol.
    public class Http11Nio2Protocol extends org.apache.coyote.http11.Http11NioProtocol {

      @Override
      public void setKeystorePass(String keystorePass) {
        // keystorePass arrives as the encrypted value from server.xml;
        // decrypt it before handing the real password to Tomcat
        String decryptedKeystorePass = decrypt(keystorePass);
        super.setKeystorePass(decryptedKeystorePass);
      }

      private String decrypt(String encryptedKeystorePass) {
        // TODO: decryption logic goes here
        throw new UnsupportedOperationException("decryption not implemented");
      }
    }
  3. Once you have the decryption logic added, generate the jar file of this project and place it inside the “tomcat/lib/ext” directory. If any additional dependencies are used to implement the decryption, add those jar files as well.
  4. Update the server.xml file: point the connector's protocol attribute at the new class (use its fully qualified name if it is in a package), and change the value of keystorePass to the encrypted value.
    <Connector
    protocol="Http11Nio2Protocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="/opt/tomcat/.keystore"
    keystorePass="ENCRYPTED_PASSWORD"
    clientAuth="false" sslProtocol="TLS"/>
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  5. Restart the Tomcat server.
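As an added example (not the post's code), here is the custom protocol class with the decryption filled in using AES-GCM from the JDK, plus a one-off main that produces the value to paste into server.xml. It assumes the key is supplied base64-encoded in a hypothetical environment variable TOMCAT_KEYSTORE_KEY, so the secret that unlocks the password never sits in server.xml itself; the tomcat-coyote jar must be on the classpath when compiling or running it.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

// Added example, not the post's code: AES-GCM decryption of keystorePass.
// Assumption: a 16- or 32-byte key arrives base64-encoded in the environment
// variable TOMCAT_KEYSTORE_KEY (hypothetical name), never inside server.xml.
public class Http11Nio2Protocol extends org.apache.coyote.http11.Http11NioProtocol {
    private static final int IV_LEN = 12;    // 96-bit GCM nonce
    private static final int TAG_BITS = 128; // GCM authentication tag

    @Override
    public void setKeystorePass(String keystorePass) {
        // server.xml carries base64(iv || ciphertext || tag); Tomcat gets the plaintext
        super.setKeystorePass(decrypt(keystorePass));
    }

    static SecretKeySpec loadKey() {
        String b64 = System.getenv("TOMCAT_KEYSTORE_KEY");
        if (b64 == null) throw new IllegalStateException("TOMCAT_KEYSTORE_KEY not set");
        return new SecretKeySpec(Base64.getDecoder().decode(b64), "AES");
    }

    static String decrypt(String encoded) {
        try {
            byte[] blob = Base64.getDecoder().decode(encoded);
            Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
            c.init(Cipher.DECRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, blob, 0, IV_LEN));
            // doFinal verifies the tag: a tampered value or wrong key throws instead of yielding garbage
            byte[] plain = c.doFinal(blob, IV_LEN, blob.length - IV_LEN);
            return new String(plain, StandardCharsets.UTF_8);
        } catch (Exception e) {
            throw new IllegalStateException("keystorePass could not be decrypted", e);
        }
    }

    // One-off helper: TOMCAT_KEYSTORE_KEY=<base64 key> java Http11Nio2Protocol 'password'
    public static void main(String[] args) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv); // fresh nonce per encryption
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, loadKey(), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(args[0].getBytes(StandardCharsets.UTF_8));
        byte[] blob = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, blob, 0, IV_LEN);
        System.arraycopy(ct, 0, blob, IV_LEN, ct.length);
        System.out.println(Base64.getEncoder().encodeToString(blob));
    }
}
```

The printed string is what goes into keystorePass; a value that fails the GCM tag check makes the connector fail to start rather than silently using a wrong password.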
