Potential security concerns relating to Tomcat configuration files in Critical System Protection


Article ID: 158969




Critical System Protection


You are concerned that the keystore password in the server.xml Tomcat configuration file appears in cleartext.


This is a limitation of the Tomcat platform that Critical System Protection uses. There are several reasons why it is not straightforward to encrypt or obfuscate the keystore passwords in the server.xml file; they are clearly explained in the following OWASP document:




The best workaround for this limitation is SCSP itself. Applying a Windows Strict IPS policy to the SCSP Manager system locks down the contents of the CSP directory; further configuration is optional. Alternatively, or in addition, a custom file monitoring (IDS) policy can be put in place to ensure that the server.xml file is not accessed or modified.
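The checks described above, as an added example that is not part of this article or of the SCSP product: a small Python script that (1) reports which keystore or truststore secrets in a server.xml are stored literally rather than via a `${property}` placeholder, and (2) keeps a SHA-256 baseline of the file so a later modification can be detected. The attribute names (`keystorePass`, `truststorePass`, `certificateKeystorePassword`, `certificateKeyPassword`, `truststorePassword`) are Tomcat's own; the sample server.xml is constructed for illustration, and the hash baseline is a generic stand-in for the SCSP file-monitoring policy, not its policy format.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample server.xml for illustration; not taken from any real installation.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit" />
    <Connector port="8444" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/other.jks"
                     certificateKeystorePassword="${keystore.pw}" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

# Tomcat attributes that carry keystore/truststore secrets.
SECRET_ATTRS = {
    "keystorePass", "truststorePass",                        # Connector
    "certificateKeystorePassword", "certificateKeyPassword", # Certificate
    "truststorePassword",                                    # SSLHostConfig
}


def find_cleartext_secrets(xml_text):
    """Return (element tag, attribute name) for every secret stored as a literal.

    A value of the form ${name} is a Tomcat property placeholder resolved at
    startup, so it is not reported as cleartext.
    """
    root = ET.fromstring(xml_text)
    hits = []
    for elem in root.iter():
        for attr in sorted(SECRET_ATTRS):
            value = elem.get(attr)
            if value is None:
                continue
            if value.startswith("${") and value.endswith("}"):
                continue
            hits.append((elem.tag, attr))
    return hits


def digest(xml_text):
    """SHA-256 of the file contents, used as the integrity baseline."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def check_integrity(xml_text, baseline_digest):
    """True if the current contents still match the recorded baseline."""
    return digest(xml_text) == baseline_digest


if __name__ == "__main__":
    for tag, attr in find_cleartext_secrets(SAMPLE_SERVER_XML):
        print(f"cleartext secret: <{tag} {attr}=...>")
    baseline = digest(SAMPLE_SERVER_XML)
    tampered = SAMPLE_SERVER_XML.replace("changeit", "changed")
    print("unchanged file passes:", check_integrity(SAMPLE_SERVER_XML, baseline))
    print("modified file passes:", check_integrity(tampered, baseline))
```

Run the script against a copy of the real `conf/server.xml` by reading the file into `find_cleartext_secrets` and recording `digest` once; re-running `check_integrity` from a scheduled job flags any edit to the file, which is the same signal a custom IDS policy on server.xml would raise.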