Potential security concerns relating to Tomcat configuration files in Critical System Protection
Last Updated February 17, 2014
You are concerned that the keystore password in the server.xml Tomcat configuration file appears in cleartext.
This is a limitation of the Tomcat platform that is used by Critical System Protection. There are several reasons why it is not straightforward to encrypt or obfuscate the keystore passwords in the server.xml file. These are clearly explained in the following OWASP document:
The best workaround for this limitation is to use SCSP itself. Applying a Windows Strict IPS policy to the SCSP Manager system will lock down the CSP directory contents; further configuration is optional. Alternatively, or in addition, a custom file monitoring (IDS) policy can be put in place to ensure that the server.xml file is not accessed or modified.
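The two controls above, a check that reports where server.xml still carries cleartext keystore secrets and a change detector of the kind a custom file monitoring (IDS) policy alerts on, can be illustrated outside the product. The following Python script is an added example written for this article; it is not part of Critical System Protection or of Tomcat. It runs against a constructed server.xml fragment embedded in the script (the password value is a placeholder), and the attribute names it looks for (keystorePass, keyPass, truststorePass) are the standard Tomcat SSL connector attributes.

```python
"""Audit a Tomcat server.xml for cleartext keystore secrets and detect
later modification against a SHA-256 baseline.  Stand-alone illustration
that runs against an embedded, constructed sample rather than a live
CSP Manager installation."""
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of the relevant part of a Tomcat server.xml.
# The keystorePass value is a placeholder, not a real deployment's secret.
SAMPLE_SERVER_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="conf/keystore.jks" keystorePass="EXAMPLE-PLACEHOLDER"/>
  </Service>
</Server>
"""

# Tomcat connector attributes that hold a secret in cleartext.
SECRET_ATTRIBUTES = ("keystorePass", "keyPass", "truststorePass")


def find_cleartext_secrets(xml_bytes):
    """Return [(connector port, attribute name)] for every secret-bearing
    attribute.  The secret values are deliberately not returned, so the
    result can be logged without re-exposing the password."""
    root = ET.fromstring(xml_bytes)
    findings = []
    for connector in root.iter("Connector"):
        for attr in SECRET_ATTRIBUTES:
            if attr in connector.attrib:
                findings.append((connector.get("port"), attr))
    return findings


def baseline_digest(xml_bytes):
    """SHA-256 of the file as stored; record this while the file is known good."""
    return hashlib.sha256(xml_bytes).hexdigest()


def has_changed(xml_bytes, known_good_digest):
    """True when the current contents no longer match the recorded baseline,
    which is the condition a file-monitoring rule should alert on."""
    return baseline_digest(xml_bytes) != known_good_digest


def audit_report(xml_bytes):
    """Human-readable finding lines that contain no secret values."""
    lines = [f"Connector port={port}: '{attr}' is stored in cleartext"
             for port, attr in find_cleartext_secrets(xml_bytes)]
    if not lines:
        lines.append("No cleartext keystore secrets found in Connector elements")
    return lines


if __name__ == "__main__":
    good = baseline_digest(SAMPLE_SERVER_XML)
    for line in audit_report(SAMPLE_SERVER_XML):
        print(line)
    # Simulate an edit made after the baseline was recorded.
    tampered = SAMPLE_SERVER_XML.replace(b"conf/keystore.jks", b"conf/other.jks")
    print("modified since baseline:", has_changed(tampered, good))
```

In practice the baseline digest would be stored somewhere the SCSP policy also protects, since a monitor whose baseline can be rewritten alongside the file it guards detects nothing. The report intentionally names the attribute and port but never the value, so it is safe to forward to a log collector.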
Imported Document ID: TECH215085