OneClick server.xml file contains the clear text password for the keystore

Document ID : KB000018998
Last Modified Date : 14/02/2018


Security-conscious customers will find that the keystore password for Apache Tomcat is stored in clear text in server.xml.


Storage of the clear text password in server.xml is a limitation of Tomcat itself. Therefore it is not technically feasible for Spectrum/CA to implement encryption of the keystore password in the server.xml file. Apache designed this intentionally and has clarified it in their FAQ. One would need to take steps to secure the configuration file as described in the FAQ, a section of which is quoted below.

"Any configuration file that does contain a password needs to be appropriately secured. That means limiting access to the file so that it could be read only by the user that Tomcat process runs as and root (or the administrator on Windows)"… which is done in the case of Spectrum.
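The following POSIX shell check is an added example for verifying the control the FAQ describes on a Unix install; it is not part of the CA/Spectrum documentation or the Tomcat project. It treats the file as correctly secured only when it is owned by the account Tomcat runs as and carries no group or world permission bits (root can read it regardless). The `tomcat` account name and the `/opt/tomcat/conf/server.xml` path in the usage line are assumptions; substitute the local values.

```shell
#!/bin/sh
# Added example (not from the KB article or Tomcat): confirm a server.xml
# is readable only by its owner and root, as the Tomcat FAQ recommends.

# check_server_xml_perms FILE EXPECTED_OWNER
#   returns 0 when FILE is owned by EXPECTED_OWNER and has mode ?00 for
#   group/other, 1 when either check fails, 2 when FILE does not exist.
check_server_xml_perms() {
    file="$1"
    expected_owner="$2"
    [ -f "$file" ] || { echo "missing: $file" >&2; return 2; }
    # ls -ld is portable across GNU and BSD userlands, unlike stat(1).
    listing=$(ls -ld "$file")
    owner=$(printf '%s\n' "$listing" | awk '{print $3}')
    # Characters 5-10 of the mode string are the group and other bits.
    grp_oth=$(printf '%s\n' "$listing" | cut -c5-10)
    if [ "$owner" != "$expected_owner" ]; then
        echo "FAIL: $file owned by $owner, expected $expected_owner" >&2
        return 1
    fi
    if [ "$grp_oth" != "------" ]; then
        echo "FAIL: $file readable by group/other (bits: $grp_oth)" >&2
        return 1
    fi
    echo "OK: $file restricted to $expected_owner"
    return 0
}

# restrict_server_xml FILE OWNER
#   applies the recommended ownership and mode (requires root to chown).
restrict_server_xml() {
    chown "$2" "$1" && chmod 600 "$1"
}

# Usage (assumed path and account; run as root for the restrict step):
#   restrict_server_xml /opt/tomcat/conf/server.xml tomcat
#   check_server_xml_perms /opt/tomcat/conf/server.xml tomcat
```

The check is deliberately strict about group bits: a group-readable server.xml is often overlooked because the group name looks harmless, yet any account added to that group later can read the keystore password.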