
Protecting the CA PIM 14.0 ENTM - tomcat keystore password


Article ID: 212478


Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

According to the documentation:

https://techdocs.broadcom.com/us/en/symantec-security-software/identity-security/privileged-identity-manager/14-0/implementing/communication-encryption/enterprise-management-server-ssl-communication.html#concept.dita_46fbb8ad2b5fbfe561eb46cfabfb704756dd05db_UpdatetheSSLCertificatewithTomcatHostName

it is possible to change the CA PIM 14.0 Tomcat keystore password.

However, as per the documentation, that password must be stored in plain text in Tomcat's server.xml configuration file, which poses a possible security risk.

This document provides a possible mechanism for encrypting the password.

Environment

CA Privileged Identity Management (CA PIM) 14.X

Resolution

Storing the password in plain text in the Tomcat server.xml configuration file is Tomcat's default behaviour.

CA PIM simply uses this third-party software component and does not modify its default behaviour.

The same issue has been documented for other vendors and products that use Tomcat 7.x and 8.x servers, so it is not specific to CA PIM.

Several solutions have been suggested for achieving this goal. None of them is part of CA PIM best practice or a supported configuration change, since, as stated, the behaviour comes from the third-party component used by the product.

However, we have successfully tested one of the proposed solutions and therefore provide the procedure for securing the password below, in case there is a business requirement for it.

Please note that any change is made at your own risk and that Broadcom cannot be held liable for any problem derived from this implementation. Nor is Broadcom bound to support the changes made or any problem with them, since this is a third-party procedure, not a Support-issued solution.

The procedure described hereafter is an implementation of the accepted solution in the following document:

https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password

The Java source files for the necessary classes are included as an attachment to this document (PasswordEncryption.7z).

For more information on the fundamentals of the implementation, please refer to the original reference.

In what follows we assume that the Tomcat version running is tomcat-7.0.2.

To protect the Tomcat keystore password, follow these steps:

  1. Create the necessary Java classes from the source files included in the attachment to this document (PasswordEncryption.7z). To do this:
    • Unzip the source files into the lib folder of your Tomcat installation, where tomcat-coyote.jar is located
    • Compile the classes: javac -cp ".;tomcat-coyote.jar" *.java
  2. Create a jar file containing the compiled classes:
    • jar -cvf PasswordEncryptor.jar *.class
  3. Generate the encrypted password:
    • C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.72\lib>java -cp ".;PasswordEncryptor.jar" ClientForPasswordGeneration
      Enter password:**********
      Encrypted Password:
      rp1mdmefUD2homxgU7GVNA==

      The value rp1mdmefUD2homxgU7GVNA== is the encrypted password you will need to specify in the server.xml Tomcat configuration file

  4. In the server.xml Tomcat configuration file, change the connector definition so that it uses the newly created protocol class, Http11NioProtocol, which performs the decryption:
    • <Connector port="8443" sslProtocols="TLSv1,TLSv1.1,TLSv1.2"
                 server="PIMProxy" secure="true" scheme="https"
                 protocol="Http11NioProtocol"
                 maxThreads="150" keystorePass="rp1mdmefUD2homxgU7GVNA=="
                 keystoreFile="C:\Program Files\CA\AccessControlServer\apache-tomcat-7.0.72\tomcat.keystore.jks"
                 clientAuth="false" SSLEnabled="true"/>

      Note that keystorePass now holds the encrypted value generated in step 3 and that protocol names the Http11NioProtocol class created in step 1

  5. Restart Tomcat: it should start seamlessly
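To make clear what the classes in the attachment have to do, here is an added, self-written illustration of the three pieces the procedure relies on; it is not the code from PasswordEncryption.7z and not the StackOverflow answer verbatim. It consists of a cipher helper, the command-line generator invoked in step 3, and the connector subclass referenced in step 4. It assumes Java 8 or later (for java.util.Base64), Tomcat 7's tomcat-coyote.jar on the compile classpath, and that Tomcat 7's Http11NioProtocol inherits a public setKeystorePass(String) setter (from AbstractHttp11JsseProtocol) that a subclass can override. The class names Http11NioProtocol and ClientForPasswordGeneration come from the KB's own commands; PasswordCipher and the fixed key are constructed for this example.

```java
// File: PasswordCipher.java  (hypothetical helper name; not the KB attachment)
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;

/** AES-GCM wrapper for the keystore password. The key is compiled into the jar,
 *  so this keeps the password out of server.xml; anyone who can read the jar
 *  can recover it. File permissions on the lib folder remain the real control. */
final class PasswordCipher {
    // Constructed 16-byte key for illustration only; generate your own for real use.
    private static final byte[] KEY = "0123456789abcdef".getBytes(StandardCharsets.US_ASCII);
    private static final int IV_LEN = 12, TAG_BITS = 128;

    /** Returns Base64( IV || ciphertext || GCM tag ). A fresh IV is drawn each call. */
    static String encrypt(String plain) throws Exception {
        byte[] iv = new byte[IV_LEN];
        new SecureRandom().nextBytes(iv);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, new SecretKeySpec(KEY, "AES"), new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(plain.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getEncoder().encodeToString(out);
    }

    /** Inverse of encrypt(); the GCM tag check fails loudly on a tampered value. */
    static String decrypt(String b64) throws Exception {
        byte[] in = Base64.getDecoder().decode(b64);
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, new SecretKeySpec(KEY, "AES"),
               new GCMParameterSpec(TAG_BITS, in, 0, IV_LEN));
        return new String(c.doFinal(in, IV_LEN, in.length - IV_LEN), StandardCharsets.UTF_8);
    }
}

// File: ClientForPasswordGeneration.java  (name taken from the KB's step 3 command)
import java.io.Console;
import java.util.Arrays;

public class ClientForPasswordGeneration {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (console == null) {            // e.g. started from an IDE without a terminal
            System.err.println("No console available; run from a terminal.");
            System.exit(1);
        }
        char[] pw = console.readPassword("Enter password:");   // not echoed
        String enc = PasswordCipher.encrypt(new String(pw));
        Arrays.fill(pw, '\0');            // do not keep the plaintext around
        System.out.println("Encrypted Password:");
        System.out.println(enc);          // paste this into keystorePass="..." in server.xml
    }
}

// File: Http11NioProtocol.java  (name taken from the KB's step 4 connector)
// Kept in the default package so server.xml can reference it as protocol="Http11NioProtocol".
// Tomcat calls setKeystorePass with the attribute value from server.xml; we decrypt it
// before handing it to the real connector.
public class Http11NioProtocol extends org.apache.coyote.http11.Http11NioProtocol {
    @Override
    public void setKeystorePass(String encrypted) {
        try {
            super.setKeystorePass(PasswordCipher.decrypt(encrypted));
        } catch (Exception e) {
            // Wrong key, tampered value, or a plain-text password left in server.xml:
            // fail at startup rather than silently bring up the connector with a bad password.
            throw new IllegalArgumentException("keystorePass could not be decrypted", e);
        }
    }
}
```

Compile, package and run these exactly as in steps 1 to 3 (the three classes go into one jar in Tomcat's lib folder, which is on Tomcat's common classpath). Because a random IV is used, the generator prints a different string on every run for the same password, unlike the single value shown in step 3; each of them decrypts to the same password. The design choice worth noting is that the key must be somewhere the connector can reach at startup, here inside the jar, so the scheme defends against the password being read from server.xml and its backups, not against an attacker who can read the jar itself.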

Attachments

1618231072022__PasswordEncryption.7z