Monday, September 23, 2013

Tomcat : Password Encryption Policy

Passwords in Tomcat are defined in the tomcat-users.xml file, and by default they are stored there in plain text. Normally a UserDatabaseRealm is configured, which reads the users from tomcat-users.xml to authenticate them.

Plain-text passwords are not acceptable in a production environment. Tomcat itself provides a way to avoid them: the passwords can be stored as digests (hashes) that Tomcat computes for you, a process the Tomcat documentation calls digesting the passwords.

The realm authenticates a user by comparing the stored password with the one the user submitted. To use digested passwords we set the digest attribute on the Realm element. Its value must be one of the digest algorithms supported by the java.security.MessageDigest class (for example SHA, MD2 or MD5). Note that each of these produces an unsalted, single-round hash, so a leaked tomcat-users.xml can still be cracked quickly with a wordlist; digesting stops casual reading of the file, it does not replace a proper password hash.

When the authenticate() method of the Realm is called, the cleartext password supplied by the user is digested with the same algorithm and the result is compared with the value stored by the Realm. A match implies that the original cleartext password is the same as the one presented by the user, so the user is authenticated.

Now let's see how to configure Tomcat to use digested passwords.

1. Modify the Realm elements in the server.xml file like this:

<Realm className="org.apache.catalina.realm.LockOutRealm">
<!-- This MemoryRealm reads users from conf/tomcat-users.xml when Tomcat
starts; the password attribute in that file is expected to hold an
MD5 digest, not the cleartext password. Edits to the file need
a restart to take effect. -->

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />
</Realm>

In the snippet above, I added a MemoryRealm with digest set to MD5, nested inside the LockOutRealm so that repeated failed logins still lock the account.

2. Create an MD5 digest of the password. Go to the tomcat/bin directory and run:

./digest.sh -a MD5 secret
secret:5ebe2294ecd0e0f08eab7690d2a6ee69

In the snippet above, I created the MD5 digest of the string “secret”, which I will use as the password. The hex value after the colon is what goes into tomcat-users.xml.

3. Now that we have the MD5 digest, we put it into the tomcat-users.xml file as the password:

<role rolename="manager-gui"/>
<user username="tomcat" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>

4. Restart Tomcat (the MemoryRealm only reads the file at startup) and open the Tomcat Manager console with the username tomcat and the password secret. You log in with the cleartext; only the digest is stored on the server.
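To make the comparison described above concrete, and to show why an unsalted MD5 digest in tomcat-users.xml is only a mild improvement over cleartext, here is an added example. It is not Tomcat's own code and is not from the original post: it parses a tomcat-users.xml constructed to match the one in step 3, reproduces what the Realm's authenticate() does (digest the submitted password, compare with the stored digest), and then recovers the password from the stored digest with a small constructed wordlist. The constant-time comparison and the wordlist are this example's own choices.

```python
"""Added example (not Tomcat's code): digest-based password check as done by
a Realm with digest="MD5", plus a wordlist attack on the stored digest.
The XML document and the wordlist below are constructed for the demo."""
import hashlib
import hmac
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml mirroring step 3 of the post. The password
# attribute is the same value digest.sh printed for "secret".
TOMCAT_USERS_XML = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="tomcat" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>
</tomcat-users>
"""

DIGEST_ALGORITHM = "MD5"  # mirrors the Realm's digest="MD5" attribute


def load_users(xml_text):
    """Parse <user> elements into {username: (stored_digest, [roles])}."""
    root = ET.fromstring(xml_text)
    users = {}
    for user in root.iter("user"):
        roles = [r.strip() for r in user.get("roles", "").split(",") if r.strip()]
        users[user.get("username")] = (user.get("password"), roles)
    return users


def digest_password(cleartext, algorithm=DIGEST_ALGORITHM):
    """Same transformation as `digest.sh -a MD5 <password>`: lowercase hex
    digest of the raw password bytes, with no salt and a single round."""
    return hashlib.new(algorithm.lower(), cleartext.encode("utf-8")).hexdigest()


def authenticate(users, username, cleartext):
    """Return the user's roles on success, None on failure.

    The submitted cleartext is digested with the configured algorithm and
    compared with the stored digest, which is what the Realm's authenticate()
    does. hmac.compare_digest is used here (this example's choice) so the
    comparison does not leak timing information about the stored value."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    if hmac.compare_digest(digest_password(cleartext), stored.lower()):
        return roles
    return None


def crack_digest(stored, wordlist, algorithm=DIGEST_ALGORITHM):
    """Recover the cleartext behind an unsalted digest by trying candidates.
    Because there is no salt and only one hash round, every entry in a leaked
    tomcat-users.xml can be attacked at raw wordlist speed."""
    for candidate in wordlist:
        if digest_password(candidate, algorithm) == stored.lower():
            return candidate
    return None


if __name__ == "__main__":
    users = load_users(TOMCAT_USERS_XML)
    print(authenticate(users, "tomcat", "secret"))  # ['manager-gui']
    print(authenticate(users, "tomcat", "Secret"))  # None
    # Constructed wordlist for the demo.
    wordlist = ["password", "tomcat", "admin", "secret", "manager"]
    print(crack_digest(users["tomcat"][0], wordlist))  # secret
```

Run it as a script: the first call succeeds with the roles from the file, the second fails because the digest of a different string never matches, and the last call recovers "secret" from the stored MD5 value in a handful of hash computations, which is the practical limit of what this policy protects against.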

More to Come , Happy learning :-)