Monday, 3 February 2014

Encrypt Tomcat Manager Password

In my previous post, we discussed access to Tomcat Manager. In this post, we will see how to encrypt the Tomcat Manager password so that it is not stored in the clear.

Recall that we had entered a plaintext password in the tomcat-users.xml file for access to Tomcat Manager. In this post we'll replace that plaintext string with its SHA or MD5 digest (strictly speaking a one-way hash rather than encryption; Tomcat calls it a digest) and tell the Realm to compare digests instead of plaintext.

Go to the bin folder within your Apache Tomcat home folder (e.g. /usr/temp/apache-tomcat-7.0.47/bin).

Run the script digest.sh and pass your plaintext password to it in the following way:

./digest.sh -a sha abc123    (for a SHA digest)

The output is the plaintext followed by a colon and its SHA digest:

abc123:6367c48dd193d56ea7b0baad25b19455e529f5ee

Alternatively, run ./digest.sh -a md5 abc123 if you intend to use an MD5 digest instead.

Note this digest value somewhere, as you'll need it later.

Now, go to the conf folder and edit tomcat-users.xml. Enter the digest in the password attribute of the admin user, in place of the plaintext password you entered previously for accessing Tomcat Manager.

Eg:

<user username="admin" password="6367c48dd193d56ea7b0baad25b19455e529f5ee" roles="admin-gui,admin-script,manager-gui,manager-script"/>

Now, let's edit the server.xml file, which is also present in the conf folder.

Search for the following text:

      <!-- Use the LockOutRealm to prevent attempts to guess user passwords
           via a brute-force attack -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <!-- This Realm uses the UserDatabase configured in the global JNDI
             resources under the key "UserDatabase".  Any edits
             that are performed against this UserDatabase are immediately
             available for use by the Realm.  -->
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"

Once you locate the above code block, add digest="sha" to the UserDatabaseRealm element (use digest="md5" instead if you generated an MD5 digest; the algorithm here must match the one you passed to digest.sh):

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="sha"/>

Check out the screenshot for reference.


Restart the Tomcat server so that the changes take effect. Tomcat will now hash the password submitted at login with the configured algorithm and compare the result to the stored digest, so a plaintext password left in tomcat-users.xml will no longer work.
