In my previous post, we discussed access to Tomcat Manager. In this post, we will discuss how to store the Tomcat Manager password as a digest (a hash) rather than in plaintext, to make it more secure.
Recall that we had entered a plaintext password in the tomcat-users.xml file for access to Tomcat Manager. In this post we'll see how to digest the plaintext string using either SHA or MD5.
Go to the bin folder within your Apache Tomcat home folder (e.g. /usr/temp/apache-tomcat-7.0.47/bin).
Run the digest.sh script and pass your plaintext password to it as follows:
./digest.sh -a sha abc123 (for a SHA digest)
The output gives the SHA-digested password:
abc123:6367c48dd193d56ea7b0baad25b19455e529f5ee
Alternatively, use:
./digest.sh -a md5 abc123 (if you intend to use an MD5 digest)
Note this digested password somewhere, as you will need it later.
Now go to the conf folder and edit tomcat-users.xml. Enter this digested password for the admin user entry instead of the plaintext password you entered previously for accessing Tomcat Manager.
E.g.:
<user username="admin" password="6367c48dd193d56ea7b0baad25b19455e529f5ee" roles="admin-gui,admin-script,manager-gui,manager-script"/>
Now let's edit the server.xml file, which is also present in the conf folder.
Search for the following text:
<!-- Use the LockOutRealm to prevent attempts to guess user passwords
via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This Realm uses the UserDatabase configured in the global JNDI
resources under the key "UserDatabase". Any edits
that are performed against this UserDatabase are immediately
available for use by the Realm. -->
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
Once you locate the above block, add digest="sha" to the end of the UserDatabaseRealm element (use digest="md5" instead if you generated the password with -a md5; the value must match the algorithm used with digest.sh):
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="sha"/>
Check out the screenshot for reference.
Restart the Tomcat server so that the changes take effect.
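To check that the configured digest is what the realm will compare against, here is a small Python script (an added example, not part of this post or of Tomcat) that reproduces what digest.sh prints, reads the password attributes from a constructed tomcat-users.xml, and verifies a login attempt the way the realm does once digest="sha" is set.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed sample shaped like the tomcat-users.xml edited in the post.
TOMCAT_USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="6367c48dd193d56ea7b0baad25b19455e529f5ee"
        roles="admin-gui,admin-script,manager-gui,manager-script"/>
</tomcat-users>
"""

def tomcat_digest(password, algorithm="sha"):
    """Mirror what `digest.sh -a <alg>` prints: the unsalted hex digest of the
    password bytes. Tomcat's 'sha' means SHA-1 and 'md5' means MD5."""
    names = {"sha": "sha1", "md5": "md5"}
    if algorithm.lower() not in names:
        raise ValueError("unsupported digest algorithm: %s" % algorithm)
    return hashlib.new(names[algorithm.lower()], password.encode("utf-8")).hexdigest()

def load_users(xml_text):
    """Return {username: stored password attribute} from tomcat-users.xml."""
    root = ET.fromstring(xml_text)
    return {u.get("username"): u.get("password") for u in root.iter("user")}

def check_login(users, username, password, algorithm="sha"):
    """What the realm does once digest="sha" is set: digest the submitted
    password and compare it with the stored value. The constant-time compare
    avoids leaking how many leading characters matched."""
    stored = users.get(username)
    if stored is None:
        return False
    return hmac.compare_digest(stored.lower(), tomcat_digest(password, algorithm))

def looks_digested(stored, algorithm="sha"):
    """Sanity check that an entry really was replaced with a digest (40 hex
    chars for SHA-1, 32 for MD5) rather than left in plaintext."""
    length = {"sha": 40, "md5": 32}[algorithm]
    return len(stored) == length and all(c in "0123456789abcdefABCDEF" for c in stored)

if __name__ == "__main__":
    users = load_users(TOMCAT_USERS_XML)
    print(tomcat_digest("abc123"))                 # 6367c48dd193d56ea7b0baad25b19455e529f5ee
    print(check_login(users, "admin", "abc123"))   # True
    print(check_login(users, "admin", "abc124"))   # False
    print(looks_digested(users["admin"]))          # True
```

Because the digest is unsalted, two users with the same password will end up with identical password attributes in tomcat-users.xml, which is worth knowing when reviewing the file.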