0

I have some concerns on Tomcat JDBC password encryption and decryption.

As I know, normally, we set datasource on tomcat like below.

<Resource name="jdbc/MyDB"
      factory="nl.wimvanhaaren.tomcat.secured.EncryptedDataSourceFactory"
      secretKey="secretKeyId"
      auth="Container"
      type="javax.sql.DataSource"
      maxActive="100"
      maxIdle="30"
      maxWait="10000"
      username="databaseUser"
      password="dd30b6e87a972be1999fda04f657eca0"
      driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
      url="jdbc:sqlserver://localhost:1433;databaseName=MyDB"/>

Or we set secretKey on DataSourceFactory jar file.

In my understanding, in those cases, people who can access to the server can extract the actual password through :

  1. decrypting using jar file with the "secretkey" from the tomcat config file, or
  2. decrypting using jar file which already includes "secretkey" inside the jar file.

IBM WebSphere has masking feature when inserting DB password, so no-one can see the password after insert by Security Team. Is there any way to do this on Tomcat? I need to use tomcat on Azure instead of on-prem WebSphere from now on(Migration) but couldn't find and answers or contents related to this on google. Please help~!

Thanks in advance.

Improve this question

1 Answer 1

Reset to default
1

IBM WebSphere has masking feature when inserting DB password, so no-one can see the password after insert by Security Team

It principially works the same way as in Tomcat, just WS has less documented how is the password encrypted . If you take the stored db password, library used to encrypt /decrypt the password and the master password/key (all stored in the filesystem) , then someone having access to the server could as well decrypt the DB password on WS too. The process is just less trasparent.

It is principally so, as soons as some system needs to decrypt and use some data, the key needs to be at hand (or credentials and parameters to get the key).

Improve this answer
Sign up to request clarification or add additional context in comments.

2 Comments

This entry in Tomcat's wiki provides some ideas on alternative "Security through Obscurity" methods.
stackoverflow.com/questions/64651533/… - may help you

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.