According to the documentation at
https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/14-0/implementing/communication-encryption/enterprise-management-server-ssl-communication.html#concept.dita_46fbb8ad2b5fbfe561eb46cfabfb704756dd05db_UpdatetheSSLCertificatewithTomcatHostName
it is possible to change the CA PIM 14.0 Tomcat password.
However, as per the documentation, Tomcat's password must be stored in plain text in the server.xml Tomcat configuration file, which poses a possible security risk.
This document provides a possible mechanism for encrypting the password.
CA Privileged Identity Management (CA PIM) 14.X
Storing the password in plain text in the server.xml configuration file is Tomcat's default behaviour.
CA PIM simply uses this third-party software component and does not modify its default behaviour.
This problem has been documented for other vendors and products using Tomcat 7.X and 8.X servers, and hence it is not specific to CA PIM.
Several solutions have been suggested for achieving this goal. None of them is part of CA PIM best practice or a supported configuration change since, as said, this behaviour comes with the third-party component used by the product.
However, we have successfully tested one of the proposed solutions and therefore provide the procedure for securing the password below, in case there is a business requirement for it.
Please note that any change is made at your own risk and that Broadcom should not be held liable for any problem derived from this implementation. Nor is Broadcom bound to support the changes made or any problem with them, since this is a third-party procedure, not a support-issued solution.
The procedure described hereafter is an implementation of the accepted solution in the following document:
https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password
The Java source files for the necessary classes are attached to this document (PasswordEncryption.7z).
For more information and the fundamentals of the implementation, please check the original reference.
We assume here that the Tomcat version running is tomcat-7.0.2.
To protect Tomcat's password, follow this step:
C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.72\lib>java -cp ".;PasswordEncryptor.jar" ClientForPasswordGeneration
Enter password:**********
Encrypted Password:
rp1mdmefUD2homxgU7GVNA==
The value rp1mdmefUD2homxgU7GVNA== is the encrypted password you will need to specify in the server.xml Tomcat configuration file:
<Connector port="8443" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
server="PIMProxy" secure="true" scheme="https"
protocol="Http11NioProtocol"
maxThreads="150" keystorePass="rp1mdmefUD2homxgU7GVNA=="
keystoreFile="C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.72\tomcat.keystore.jks"
clientAuth="false" SSLEnabled="true"/>
Note that keystorePass is set to the encrypted password and protocol is set to the Http11NioProtocol class we have created. Both attributes must be changed together.
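
A check that can be run over server.xml after the change, to confirm that every SSL-enabled Connector has both attributes set consistently. This is an added example, not part of the original procedure or of the attached classes. The function names, the sample XML and the heuristic (an encrypted value is Base64 text that decodes to whole 16-byte blocks, as the sample value above does) are assumptions.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

# Constructed sample modelled on the Connector above; port 9443 is a
# made-up "before" case that still carries a plain-text password.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             protocol="Http11NioProtocol" keystorePass="rp1mdmefUD2homxgU7GVNA=="/>
  <Connector port="9443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.apache.coyote.http11.Http11NioProtocol"
             keystorePass="changeit"/>
</Service></Server>
"""

# Protocol values that select Tomcat's own handlers (no decryption step).
STOCK_PREFIXES = ("HTTP/1.1", "org.apache.coyote.")


def looks_encrypted(value, block=16):
    """Heuristic (assumption): Base64 text decoding to whole cipher blocks."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return False
    return len(raw) > 0 and len(raw) % block == 0


def audit_connectors(xml_text):
    """Return {port: [findings]} for every SSL-enabled Connector."""
    report = {}
    for conn in ET.fromstring(xml_text.strip()).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        encrypted = looks_encrypted(conn.get("keystorePass", ""))
        stock = conn.get("protocol", "HTTP/1.1").startswith(STOCK_PREFIXES)
        findings = []
        if not encrypted:
            findings.append("keystorePass missing or plain text")
        if encrypted and stock:
            findings.append("encrypted keystorePass with stock protocol handler")
        if not encrypted and not stock:
            findings.append("custom protocol handler with plain-text keystorePass")
        report[conn.get("port")] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, findings or ["ok"])
```

An empty findings list means the Connector matches the configuration shown above; the heuristic can misjudge a plain-text password that happens to be valid Base64 of the right length.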