How to bypass configuring a plain text keystore password in Tomcat
Tomcat 5.5.20 requires the keystore password to be configured in plain text in server.xml.
Tomcat 5.5.33, however, has one more provision to set the keyStorePassword: as a system property (javax.net.ssl.keyStorePassword).
Solution:
Change the corresponding Tomcat source (org.apache.tomcat.util.net.jsse.JSSESocketFactory in apache/tomcat/server/lib/tomcat-util.jar) to reflect this change.
Changes in Tomcat to achieve this:
1. Download the Tomcat 5.5.20 source (JSSESocketFactory.java).
2. Change the method getKeystorePassword so that it also gets the password from the system property javax.net.ssl.keyStorePassword.
3. Compile the modified source.
4. Update the class as well as this source in apache/tomcat/server/lib/tomcat-util.jar.
5. Replace the original tomcat-util.jar.
In the above manner we successfully prevented the configuration of a plain text keystorePassword.
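The lookup order that step 2 describes, as an added standalone sketch; it is not Tomcat's source and not the modified JSSESocketFactory.java mentioned on this page. The class name KeystorePasswordLookup, the method resolvePassword and the attribute map are hypothetical, the sample keystore is constructed in memory, and failing when no password is set is a choice made for this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.security.KeyStore;
import java.util.HashMap;
import java.util.Map;

// Added standalone sketch: class and method names are hypothetical, not Tomcat's.
public class KeystorePasswordLookup {
    static final String SYS_PROP = "javax.net.ssl.keyStorePassword";

    // The Connector attribute wins if present; otherwise use the system property.
    // Assumption of this sketch: fail closed rather than fall back to a default.
    static String resolvePassword(Map<String, String> connectorAttrs) {
        String pass = connectorAttrs.get("keystorePass");
        if (pass == null || pass.isEmpty()) {
            pass = System.getProperty(SYS_PROP);
        }
        if (pass == null || pass.isEmpty()) {
            throw new IllegalStateException("no keystore password in server.xml or " + SYS_PROP);
        }
        return pass;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample: an empty in-memory JKS keystore with a test password.
        char[] secret = "constructed-test-password".toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream stored = new ByteArrayOutputStream();
        ks.store(stored, secret);

        // server.xml carries no keystorePass; the JVM gets the value at startup,
        // shown here with setProperty instead of -Djavax.net.ssl.keyStorePassword=...
        Map<String, String> attrs = new HashMap<>();
        System.setProperty(SYS_PROP, new String(secret));

        // load() throws IOException if the resolved password fails the integrity check.
        KeyStore reopened = KeyStore.getInstance("JKS");
        reopened.load(new ByteArrayInputStream(stored.toByteArray()),
                      resolvePassword(attrs).toCharArray());
        System.out.println("keystore opened; password came from " + SYS_PROP);
    }
}
```

A value passed with -D on the java command line is visible in the process listing and in the startup script, so the password has moved out of server.xml but still needs file and process permissions that keep other local users from reading it.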
Go through the modified JSSESocketFactory.java and search for "keyStorePassword is also got from System property".
Make sure to bundle this modified JSSESocketFactory.java with your product in $TOMCAT_HOME/server/lib/tomcat-util.jar, alongside the JSSESocketFactory.class file.
Hope the above steps will enable you too to achieve this.