Encrypting Passwords in TomEE

It is good practice to encrypt the database passwords in tomee.xml and to hash the user passwords in tomcat-users.xml. The following are sample steps for each.

Note: The following configuration is only an example that hashes the user passwords with the SHA-512 algorithm. The algorithm should be chosen according to the standards prescribed by your organization.

To encrypt the database password in tomee.xml:

  1. Navigate to the bin folder in the TomEE home directory.
  2. Depending on the OS, use the corresponding script:
    1. tomee.bat from a command prompt on Windows; tomee.sh on Linux.
    2. Run the cipher command:
      1. tomee.bat cipher <original password> on Windows; tomee.sh cipher <original password> on Linux.
        • Example: tomee.bat cipher password (Windows) or tomee.sh cipher password (Linux); cipher is the keyword and password is the string to be encrypted.
      2. Once the encrypted string is available, update the password in the tomee.xml file as below:

      <Resource id="ADMINSERVERSEARCHDS" type="javax.sql.DataSource">
        jdbcDriver = oracle.jdbc.driver.OracleDriver
        jdbcUrl = jdbc:oracle:thin:@localhost:1521:orcl
        userName = oipaqa
        password = pfgn0gS/5rozVUv5LG7YLA==
        PasswordCipher = Static3DES
        jtaManaged = false
      </Resource>
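Static3DES is a reversible cipher with a fixed key built into TomEE, so the value above only keeps the database password out of plain view; a resource that omits PasswordCipher (TomEE's default is PlainText) stores the password in the clear. The script below is an added example, not part of this page or of TomEE: it parses the "key = value" body of each DataSource Resource in a tomee.xml and reports every resource whose password has no cipher configured. The sample tomee.xml is constructed for the example (the first resource repeats the page's entry, the second is invented), and property names are compared case-insensitively on the assumption that TomEE matches them that way.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomee.xml (not the page's file): the first resource is the
# page's Static3DES example, the second stores its password in the clear.
SAMPLE_TOMEE_XML = """<tomee>
  <Resource id="ADMINSERVERSEARCHDS" type="javax.sql.DataSource">
    jdbcDriver = oracle.jdbc.driver.OracleDriver
    jdbcUrl = jdbc:oracle:thin:@localhost:1521:orcl
    userName = oipaqa
    password = pfgn0gS/5rozVUv5LG7YLA==
    PasswordCipher = Static3DES
    jtaManaged = false
  </Resource>
  <Resource id="REPORTDS" type="javax.sql.DataSource">
    jdbcDriver = org.postgresql.Driver
    jdbcUrl = jdbc:postgresql://localhost:5432/reports
    userName = report
    password = s3cret
  </Resource>
</tomee>
"""


def parse_properties(text):
    """Parse the 'key = value' lines inside a <Resource> element.

    Keys are lower-cased (assumption: TomEE matches property names
    case-insensitively); the value keeps any '=' after the first one.
    """
    props = {}
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def audit_datasources(xml_text):
    """Return (resource id, finding) for each javax.sql.DataSource whose
    password has no PasswordCipher at all, or uses the PlainText cipher."""
    findings = []
    root = ET.fromstring(xml_text)
    for res in root.iter("Resource"):
        if res.get("type") != "javax.sql.DataSource":
            continue
        props = parse_properties(res.text)
        if "password" not in props:
            continue
        # TomEE's default cipher is PlainText, so a missing key means clear text.
        if props.get("passwordcipher", "PlainText").lower() == "plaintext":
            findings.append((res.get("id"), "password stored in clear text"))
    return findings


if __name__ == "__main__":
    for res_id, finding in audit_datasources(SAMPLE_TOMEE_XML):
        print(f"{res_id}: {finding}")
```

Run it against a real tomee.xml by reading the file into `audit_datasources`; a clean file returns an empty list.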

To hash the user password in tomcat-users.xml:

  1. Navigate to the bin folder in the TomEE home directory.
  2. Depending on the OS, use the corresponding script:
    1. digest.bat on Windows; digest.sh on Linux.
  3. Generate the hashed string by providing the user password as input (in the commands below, password is the actual user password):
    1. Using the SHA-256 algorithm:
      1. ./digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password → Linux
      2. digest.bat -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password → Windows
    2. Using the SHA-512 algorithm:
      1. ./digest.sh -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler password → Linux
      2. digest.bat -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler password → Windows
    3. Using the MD5 algorithm:
      1. ./digest.sh -a md5 -h org.apache.catalina.realm.MessageDigestCredentialHandler password → Linux
      2. digest.bat -a md5 -h org.apache.catalina.realm.MessageDigestCredentialHandler password → Windows
  4. Once the hashed string is generated with any of the above algorithms, change the configuration in the server.xml file.
  5. Add a CredentialHandler to the Realm in server.xml:

     <Realm className="org.apache.catalina.realm.LockOutRealm">
       <!-- This Realm uses the UserDatabase configured in the global JNDI
            resources under the key "UserDatabase". Any edits that are
            performed against this UserDatabase are immediately available
            for use by the Realm. -->
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
         <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-512" />
       </Realm>
     </Realm>

     The algorithm selected for hashing the password must be the same as the algorithm specified in the server.xml file.

  6. Finally, update the generated hashed password in the tomcat-users.xml file:

    <user username="qatester" password="c732f45c5877232dbbc992b464f381019c16c4b7bb8680a1452a08f6db6d910f$1$c1daf3eb0daadcb0e60ca97f42048c17143c7487b29ced0deb18994b856737a0f8274e40a121eca99ff0ff0579b8fcc413310ace9cb0fce543beeb4d462d5801" roles="SL_ADMIN" />
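The value digest.sh writes for MessageDigestCredentialHandler has the form salt$iterations$digest, all hex: a random salt (32 bytes by default, which is the 64-character prefix in the user entry above), the iteration count (1 by default, the "$1$" in the entry) and the digest of salt followed by the password, re-digested iterations-1 more times. The following is an added example, not code from this page or from Tomcat, that reproduces that format in Python so you can check that an entry in tomcat-users.xml matches a known password under the algorithm configured in server.xml. It assumes digest.sh's default UTF-8 encoding; the credential it generates is constructed at run time rather than taken from the page.

```python
import hashlib
import hmac
import secrets


def _hashlib_name(algorithm):
    """Map a digest.sh style name ('sha-512', 'SHA-256', 'md5') to hashlib's."""
    return algorithm.lower().replace("-", "")


def tomcat_digest(password, salt, iterations, algorithm, encoding="utf-8"):
    """Reproduce MessageDigestCredentialHandler's mutate step: digest(salt || password),
    then re-digest the result (iterations - 1) more times; returns lowercase hex.
    utf-8 is digest.sh's default encoding (assumption: no -e override was used)."""
    name = _hashlib_name(algorithm)
    md = hashlib.new(name)
    md.update(salt)
    md.update(password.encode(encoding))
    digest = md.digest()
    for _ in range(1, iterations):
        digest = hashlib.new(name, digest).digest()
    return digest.hex()


def make_credential(password, algorithm="sha-512", salt_length=32, iterations=1):
    """Build the salt$iterations$digest string digest.sh prints for
    MessageDigestCredentialHandler (defaults: 32-byte random salt, 1 iteration)."""
    salt = secrets.token_bytes(salt_length)
    return "%s$%d$%s" % (salt.hex(), iterations,
                         tomcat_digest(password, salt, iterations, algorithm))


def parse_credential(stored):
    """Split a stored credential into (salt bytes, iterations, hex digest).
    A value without '$' separators is the legacy unsalted single-iteration form."""
    parts = stored.split("$")
    if len(parts) == 3:
        salt_hex, iterations, digest = parts
        return bytes.fromhex(salt_hex), int(iterations), digest
    return b"", 1, stored


def verify(stored, candidate, algorithm):
    """True when 'candidate' is the password behind 'stored'. 'algorithm' must be
    the same as the CredentialHandler's algorithm attribute in server.xml."""
    salt, iterations, expected = parse_credential(stored)
    actual = tomcat_digest(candidate, salt, iterations, algorithm)
    # constant-time comparison, as a credential check should use
    return hmac.compare_digest(actual, expected.lower())


if __name__ == "__main__":
    cred = make_credential("password")          # constructed sample, not the page's hash
    print(cred)
    print(verify(cred, "password", "SHA-512"))  # True
    print(verify(cred, "Password", "SHA-512"))  # False
```

To check a real entry, pass the password attribute from tomcat-users.xml as `stored` and the algorithm attribute from server.xml as `algorithm`; a False result for a known-good password usually means the two algorithms disagree, which is the mismatch the note above warns about.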