In the STDERR of the TOMCAT STC, the content of the Tomcat configuration dataset, server.xml is displayed in plain text and therefore the password of the TOMCAT is also displayed. 

<Certificate type="RSA" certificateKeystorePassword="displayed-password"                                                                               
 certificateKeystoreFile="/keystore/displayed_keystore"                                                                    
 certificateKeyAlias="displayed-certificate"                                                                                                                          
 />    

COMMON SERVICES 15.0 - z/OS supported releases - 

In $CATALINA_BASE/conf/logging.properties add this line: 

org.apache.catalina.startup.Catalina.level = WARNING


Then in the member of the dataset associated to the STDENV DD, add these java options: 

IJO="$IJO -Djava.util.logging.config.file=$CATALINA_BASE/conf/logging.properties"
IJO="$IJO -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager"


This should leave the contents of server.xml out of the joblog.  However, this will also suppress these messages:

Server initialization in [] milliseconds
Server startup in [] milliseconds 

After these modifications, the content of the server.xml and the keystore should no longer be displayed in the log.

In addition, even if the following boot information:

Server initialization in [] milliseconds
Server startup in [] milliseconds

no longer appear, the line: 

17.05.51 STC43769 BPXM023I (XXXX) CATC0002I CA-CCS Tomcat started in: 11113 ms (Apache Tomcat/9.0.56)

always appears, which allows to confirm that Tomcat has started correctly.