Tomcat,从 -D 选项中隐藏 javax.net.ssl.keyStorePassword [英] Tomcat, hide javax.net.ssl.keyStorePassword from -D options
问题描述
安装在 Tomcat (9.0.36.B.RELEASE) 上的应用程序使用 SSL(在本例中为 IBM MQ)连接到外部源.因此,我需要为此信任库指定信任库和密码.
The application installed on Tomcat (9.0.36.B.RELEASE) connects to an external source using SSL (in this case, IBM MQ). I therefore need to specify a truststore, and password for this truststore.
我把它添加到 setenv.sh 中的 JVM_OPTS 中:
I got it to work adding this to the JVM_OPTS in setenv.sh:
-Djavax.net.ssl.trustStore=/opt/apps/certs/myapplication.truststore
-Djavax.net.ssl.trustStorePassword=TRUSTSTORE-PASSWORD
-Djavax.net.ssl.keyStore=/opt/apps/certs/myapplication.keystore
-Djavax.net.ssl.keyStorePassword=KEYSTORE-PASSWORD
经典问题,当我执行 ps -ef|grep java(在 RHEL 上运行)时,密码是可见的.
Classic issue with this, the passwords are visible when I do ps -ef|grep java (runs on RHEL).
我看到了一些关于如何执行此操作的建议(例如 在 JVM 启动参数中隐藏纯文本密码.ps -ef | grep 'javax.net.ssl.keyStorePassword'").但是这些更改/添加了 WAR 文件中的代码或配置.
I have seen a couple suggestions on how to do this (like Hiding plain text password in JVM startup argumnets. " ps -ef | grep 'javax.net.ssl.keyStorePassword'"). But these change/add code or configuration in the WAR file.
我正在寻找tomcat"解决方案.在Tomcat的范围内有没有办法做到这一点.对 WAR 文件的更改难以实施,因为应用程序来自供应商.
I am looking for a "tomcat" solution. Is there a way to to this within the confines of Tomcat. Changes to the WAR file are difficult to implement, as the application comes from a vendor.
注意:这不适用于 web.xml 中的连接器配置,因为它只会为传入连接设置 SSL.此处应用程序正在与外部系统建立连接(从 Tomcat 的角度来看是出站).</p>
Note: this is not for a connector configuration in web.xml since that would only setup SSL for incoming connections. Here the application is making connections to an external system (so outbound from Tomcat's perspective).
推荐答案
您可以向 $CATALINA_BASE/conf/catalina.properties 添加其他属性,它们将在 Tomcat 启动期间提供.您肯定知道,系统属性对于 JVM 是全局的,因此无法将此配置仅限于单个应用程序:整个 Tomcat 服务器都会受到影响.
You can add additional properties to $CATALINA_BASE/conf/catalina.properties and they will be sourced during Tomcat's startup. As you are certainly aware, system properties are global to the JVM, so there is no way to restrict this configuration to a single application only: the entire Tomcat server will be affected.
几乎所有 Java 系统属性都可以通过这种方式设置,但有一些例外:
Almost all Java system properties can by set this way, with a few exceptions:
catalina.base和catalina.home(显然),- Tomcat 日志记录的配置,
- 在用户代码之前启动的 JMX 和其他工具的配置.
catalina.baseandcatalina.home(obviously),- the configuration for Tomcat logging,
- the configuration for JMX and other tools that start before user code.
注意:您必须检查VersionLoggerListener(在server.xml 中定义)是否没有logProps=true";,否则将记录系统属性的值.默认情况下,仅记录 JVM 参数.
Attention: You must check whether the VersionLoggerListener (defined in server.xml) does not have logProps="true", otherwise the values of system properties will be logged. By default only the JVM arguments are logged.
这篇关于Tomcat,从 -D 选项中隐藏 javax.net.ssl.keyStorePassword的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
