
Is it possible to encrypt the Tomcat 'keystorepass' value?


Article ID: 213806


Products

CA Service Management - Service Desk Manager
CA Service Desk Manager

Issue/Introduction

When configuring Service Desk Manager (SDM) Tomcat for SSL, the NX_ROOT\bopcfg\www\CATALINA_BASE\conf\server.xml file is updated.

Part of this update includes adding a 'keystorePass' value (the password protecting the keystore that holds the SSL certificate) to the HTTPS Connector element.

For example (note the keystorePass attribute):

<Connector SSLEnabled="true" ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA" clientAuth="false" keystoreFile="PATH_TO_CERTIFICATE" keystorePass="YOURPASSWORD" keystoreType="PKCS12" maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" sslProtocol="TLS"/>

Is it possible to encrypt the Tomcat 'keystorepass' value?

Environment

Service Desk Manager 17.x

All Supported Operating Systems

Resolution

The keystorePass attribute is a standard Apache Tomcat setting, not something specific to SDM. To read the 'keystorepass' value, someone would first need access to the server itself and then to the Tomcat server.xml file on it.

Unfortunately, we do not have documentation on encrypting the keystorePass value, nor have we tested any such encryption.

A quick internet search revealed some possible workarounds, such as https://stackoverflow.com/questions/16194052/encrypt-tomcat-keystore-password.

As a reminder, test all changes in a non-PROD environment first after ensuring that a valid backup of the environment is available.
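Because the password is only as protected as server.xml itself, a practical first step is to know where it sits in plaintext. The following Python audit is an added example, not part of this article or of the SDM product: it parses a constructed server.xml fragment modelled on the Connector above, flags every SSL-enabled Connector whose keystorePass is a literal rather than a Tomcat ${property} reference (Tomcat substitutes such references from system properties, including entries in catalina.properties, so the secret can live in a separately permission-restricted file instead of server.xml), and also reports any legacy TLSv1/TLSv1.1 entries in sslEnabledProtocols. The property name sdm.keystore.pass is a hypothetical example.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, modelled on the SDM Connector shown in the article.
# Port 8443 hard-codes the password (the situation the article describes);
# port 8444 references a property that Tomcat resolves at startup from a
# system property or catalina.properties (hypothetical name sdm.keystore.pass).
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector SSLEnabled="true" port="8443" scheme="https" secure="true"
               keystoreFile="PATH_TO_CERTIFICATE" keystorePass="YOURPASSWORD"
               keystoreType="PKCS12" sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"/>
    <Connector SSLEnabled="true" port="8444" scheme="https" secure="true"
               keystoreFile="PATH_TO_CERTIFICATE" keystorePass="${sdm.keystore.pass}"
               keystoreType="PKCS12" sslEnabledProtocols="TLSv1.2"/>
    <Connector port="8080" protocol="HTTP/1.1"/>
  </Service>
</Server>"""

PROPERTY_REF = re.compile(r"^\$\{[^}]+\}$")   # Tomcat ${name} substitution syntax
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}


def audit_connectors(server_xml: str) -> list:
    """Return one finding dict per SSL-enabled Connector in server.xml."""
    root = ET.fromstring(server_xml)
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP connector: no keystore, nothing to check
        password = conn.get("keystorePass", "")
        protocols = {p.strip() for p in conn.get("sslEnabledProtocols", "").split(",") if p.strip()}
        findings.append({
            "port": conn.get("port"),
            # A literal value is readable by anyone who can open server.xml;
            # a ${...} reference keeps the secret in a separately protected file.
            "plaintext_password": bool(password) and not PROPERTY_REF.match(password),
            "legacy_protocols": sorted(protocols & LEGACY_PROTOCOLS),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Moving the value into a property file is not encryption; it only narrows who can read the secret, so the file holding it must be restricted to the account that runs Tomcat.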

Additional Information

https://techdocs.broadcom.com/us/en/ca-enterprise-software/business-management/ca-service-management/17-3/administering/enable-ssl-authentication-for-ca-service-management-solution.html