Is it possible to encrypt the Tomcat 'keystorepass' value?


Article ID: 213806


Updated On:


CA Service Management - Service Desk Manager, CA Service Desk Manager, CA Service Catalog


When configuring Service Desk Manager (SDM) Tomcat for SSL, the NX_ROOT\bopcfg\www\CATALINA_BASE\conf\server.xml file is updated.

Part of this update includes adding a 'keystorePass' value (the password set for the SSL certificate) to the Connector entry.

For example (note the keystorePass parameter):

<Connector SSLEnabled="true"
    ciphers="TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA"
    clientAuth="false"
    keystoreFile="PATH_TO_CERTIFICATE"
    keystorePass="YOURPASSWORD"
    keystoreType="PKCS12"
    maxThreads="150"
    port="8443"
    protocol="HTTP/1.1"
    scheme="https"
    secure="true"
    sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
    sslProtocol="TLS"/>

Is it possible to encrypt the Tomcat 'keystorepass' value?


Service Catalog and Service Desk Manager 17.x

All Supported Operating Systems


The keystorePass attribute is common to Apache Tomcat. To read the 'keystorePass' value, someone would need access to the server itself and to the Tomcat server.xml file.

Unfortunately, we do not have documentation regarding encrypting the KEYSTOREPASS nor have we tried any such encryption.

A quick internet search revealed some possible workarounds. An example can be found on Stack Overflow.

As a reminder, test all changes in a non-PROD environment first after ensuring that a valid backup of the environment is available.
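
Because the password is protected only by access to server.xml, the following added example (not part of the original article or of CA/Tomcat code) audits a server.xml for a literal keystore password and for POSIX read permissions beyond the file owner. Treating a ${...} property placeholder as "not literal" is an assumption of the example, and the sample XML is constructed.

```python
import os
import re
import stat
import tempfile
import xml.etree.ElementTree as ET

# Attributes that hold a keystore password; compared in lower case.
PASSWORD_ATTRS = {"keystorepass", "certificatekeystorepassword"}
# ${name} is Tomcat's property-substitution syntax; the value then lives elsewhere.
PLACEHOLDER = re.compile(r"^\$\{[^}]+\}$")


def audit_server_xml(path):
    """Return (kind, detail) findings; the password itself is never echoed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    # POSIX mode bits only; on Windows review the file's ACL instead.
    if os.name == "posix" and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("file-mode", "%s is readable beyond its owner (%o)" % (path, mode)))
    for elem in ET.parse(path).getroot().iter():
        for name, value in elem.attrib.items():
            if name.lower() in PASSWORD_ATTRS and value and not PLACEHOLDER.match(value):
                findings.append(("literal-password",
                                 "<%s port=%s> sets %s to a literal value"
                                 % (elem.tag, elem.get("port", "?"), name)))
    return findings


def audit_text(xml_text, mode):
    """Write constructed sample text to a temp file with the given mode and audit it."""
    fd, path = tempfile.mkstemp(suffix=".xml")
    try:
        with os.fdopen(fd, "w") as handle:
            handle.write(xml_text)
        os.chmod(path, mode)
        return audit_server_xml(path)
    finally:
        os.remove(path)


# Constructed sample modelled on the Connector shown earlier (not a real config).
SAMPLE = ('<Server><Service name="Catalina"><Connector SSLEnabled="true" port="8443" '
          'keystoreFile="PATH_TO_CERTIFICATE" keystorePass="%s" keystoreType="PKCS12"/>'
          '</Service></Server>')

if __name__ == "__main__":
    for kind, detail in audit_text(SAMPLE % "YOURPASSWORD", 0o644):
        print(kind, "-", detail)
```

To check a real installation, call audit_server_xml() with the path to the server.xml under CATALINA_BASE\conf.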

Additional Information

For Catalog, the Tomcat component is initiated internally during startup.  It is not possible to modify the internal script to encrypt the given password field.

Additional information on updating SDM Tomcat for SSL communication can be found here.