Potential security concerns relating to Tomcat configuration files in Critical System Protection


Article ID: 158969


Products

Critical System Protection

Issue/Introduction

You are concerned that the keystore password in the Tomcat server.xml configuration file appears in cleartext.

Cause

This is a limitation of the Tomcat platform on which Critical System Protection is built. There are several reasons why it is not straightforward to encrypt or obfuscate the keystore password in the server.xml file; they are explained in the following OWASP document:

https://www.owasp.org/index.php/Securing_tomcat#Cleartext_Passwords_in_CATALINA_HOME.2Fconf.2Fserver.xml


Resolution

This limitation is best worked around by using SCSP itself. Applying a Windows Strict IPS policy to the SCSP Manager system locks down the contents of the CSP installation directory, restricting which processes can read or modify server.xml; further configuration is optional. Alternatively, or in addition, a custom file-monitoring (IDS) policy can be put in place to log and alert on any access to, or modification of, the server.xml file. Whichever policy is used, the Tomcat service that runs the SCSP Manager must still be able to read server.xml, so that process is the expected reader; any other process reading or writing the file is the event to investigate.
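As an added example that is not part of this article or of the Critical System Protection product, the following Python script shows two checks a practitioner would run against the server.xml in question: an inventory of every connector that still carries a cleartext keystore or truststore password (covering both the legacy Connector attributes and the Tomcat 8.5+ SSLHostConfig/Certificate attributes), and a content hash that a monitoring job can compare against to detect modification, which is what the file-monitoring policy described above automates. The server.xml content is constructed for the example; the element and attribute names are Tomcat's own.

```python
"""Audit a Tomcat server.xml for cleartext keystore passwords and keep a
content baseline for change detection.

Added example, not code from the Critical System Protection article or
product. SAMPLE_SERVER_XML is constructed for this example."""

import hashlib
import xml.etree.ElementTree as ET

# Tomcat attributes that carry a keystore or truststore password in cleartext.
# The Connector-level names are the legacy (Tomcat <= 8.0) style; the
# SSLHostConfig and Certificate names are the Tomcat 8.5+ style. Both styles
# can coexist in one file, so both are checked.
SECRET_ATTRS = {
    "Connector": ("keystorePass", "truststorePass"),
    "SSLHostConfig": ("certificateKeystorePassword", "truststorePassword"),
    "Certificate": ("certificateKeystorePassword",),
}

# Constructed sample: a plain HTTP connector with no secret, one HTTPS
# connector in the legacy style and one in the SSLHostConfig style.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/keystore.jks" keystorePass="changeit"/>
    <Connector port="4443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/server.jks"
                     certificateKeystorePassword="s3cret"/>
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""


def find_cleartext_secrets(xml_text):
    """Return a list of (connector_port, element_tag, attribute_name, value)
    for every cleartext password attribute found on or under a Connector."""
    root = ET.fromstring(xml_text)
    findings = []
    for connector in root.iter("Connector"):
        port = connector.get("port", "?")
        # iter() yields the connector itself and everything nested beneath it
        # (SSLHostConfig, Certificate), so both attribute styles are caught.
        for elem in connector.iter():
            for attr in SECRET_ATTRS.get(elem.tag, ()):
                value = elem.get(attr)
                if value:
                    findings.append((port, elem.tag, attr, value))
    return findings


def content_baseline(xml_text):
    """SHA-256 of the file content, recorded once as an integrity baseline."""
    return hashlib.sha256(xml_text.encode("utf-8")).hexdigest()


def has_changed(baseline_hex, xml_text):
    """True if the current content no longer matches the recorded baseline,
    i.e. server.xml was modified since the baseline was taken."""
    return content_baseline(xml_text) != baseline_hex


if __name__ == "__main__":
    for port, tag, attr, value in find_cleartext_secrets(SAMPLE_SERVER_XML):
        # Report that a secret exists; never echo its value into a log.
        print(f"Connector port {port}: <{tag} {attr}=...> holds a "
              f"cleartext password ({len(value)} chars)")
    baseline = content_baseline(SAMPLE_SERVER_XML)
    tampered = SAMPLE_SERVER_XML.replace('keystorePass="changeit"',
                                         'keystorePass="owned"')
    print("unchanged file flagged:", has_changed(baseline, SAMPLE_SERVER_XML))
    print("edited file flagged:", has_changed(baseline, tampered))
```

The inventory tells you which connectors are exposed and therefore which entries in the keystore must be rotated if the file is ever read by an unauthorized party; the baseline hash is the same comparison a file-integrity rule makes, and a change should be treated as an incident rather than silently re-baselined.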