Encrypting tomcat-users.xml Passwords

It is good practice not to keep user passwords in clear text in tomcat-users.xml. The following sample steps show how to hash the passwords so that only the digest is stored.

Note: The following configuration is only an example of hashing the passwords with the SHA-512 algorithm. The algorithm should be chosen according to the standards prescribed by the individual company.

To hash a user password for tomcat-users.xml:

  1. Navigate to the bin folder in the TomEE home directory.

  2. Use the digest.sh script (Linux).

  3. Generate the hashed string by providing the user password as input to the script.

To use the SHA-256 algorithm (Linux):

    ./digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password

To use the SHA-512 algorithm (Linux):

    ./digest.sh -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler password

To use the MD5 algorithm (Linux):

    ./digest.sh -a md5 -h org.apache.catalina.realm.MessageDigestCredentialHandler password

In each command, password is the actual user password; the script prints the hashed string.

Once the hashed string has been generated with one of the algorithms above, change the Realm configuration in the server.xml file:

<Realm className="org.apache.catalina.realm.LockOutRealm">

  <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -->

  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-512" />
  </Realm>
</Realm>

The algorithm used to hash the password must be the same as the algorithm attribute of the CredentialHandler in server.xml; otherwise the realm cannot verify the user's login.

Finally, update the generated hashed password in the tomcat-users.xml file.

Example: <user username="qatester" password="c732f45c5877232dbbc992b464f3fcc413310ace9cb0fce543beeb4d462d5801" roles="AC_ADMIN" />
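The following Python script is an added example and is not part of the TomEE documentation or code base. It reproduces the bare hex digest that the digest.sh commands above print for MessageDigestCredentialHandler with its defaults (no salt, one iteration), verifies a tomcat-users.xml password value against a candidate password using the algorithm named in server.xml, and checks that a stored digest's length is consistent with that algorithm. The salted form "<salt hex>$<iterations>$<digest hex>", and the assumption that the salt is hashed as a prefix of the password bytes with each further iteration re-hashing the previous digest, are my reading of Tomcat's CredentialHandler behaviour and are not shown on this page; hashlib, hmac and secrets are Python standard-library modules.

```python
"""Added example: mimic what digest.sh stores for MessageDigestCredentialHandler and
check a tomcat-users.xml password value against the algorithm named in server.xml.
Illustrative code, not part of TomEE or Tomcat."""
import hashlib
import hmac
import secrets

# Expected hex digest length per algorithm, used to sanity-check a stored value
# against the algorithm attribute of the CredentialHandler in server.xml.
HEX_DIGEST_LENGTH = {"MD5": 32, "SHA-256": 64, "SHA-512": 128}


def _hashlib_name(algorithm: str) -> str:
    """Tomcat/JCA spell the algorithm 'SHA-256'; hashlib wants 'sha256'."""
    return algorithm.lower().replace("-", "")


def hash_credential(password: str, algorithm: str = "SHA-512",
                    salt: bytes = b"", iterations: int = 1) -> str:
    """Return the value to put in the password attribute of tomcat-users.xml.

    With no salt and one iteration (the handler's defaults, and what the digest.sh
    commands above produce) the result is the bare hex digest of the password.
    Otherwise the stored form is '<salt hex>$<iterations>$<digest hex>'.
    Assumption (not from the page): the salt is hashed as a prefix of the password
    bytes, and each further iteration re-hashes the previous digest.
    """
    name = _hashlib_name(algorithm)
    digest = hashlib.new(name, salt + password.encode("utf-8")).digest()
    for _ in range(iterations - 1):
        digest = hashlib.new(name, digest).digest()
    if not salt and iterations == 1:
        return digest.hex()
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_credential(password: str, stored: str, algorithm: str) -> bool:
    """Check a candidate password against a stored value, as the realm would do
    with the given algorithm configured in server.xml."""
    try:
        if "$" in stored:
            salt_hex, iterations, _ = stored.split("$", 2)
            candidate = hash_credential(password, algorithm,
                                        bytes.fromhex(salt_hex), int(iterations))
        else:
            candidate = hash_credential(password, algorithm)
    except ValueError:  # malformed salt/iteration fields or unknown algorithm
        return False
    # Constant-time comparison of the two hex digests; plaintext is never compared.
    return hmac.compare_digest(candidate.lower(), stored.lower())


def digest_matches_algorithm(stored: str, algorithm: str) -> bool:
    """Cheap consistency check: the digest part of the stored value must have the
    hex length of the algorithm named in server.xml, or no login can ever succeed."""
    digest_hex = stored.rsplit("$", 1)[-1]
    try:
        bytes.fromhex(digest_hex)  # must be well-formed hex
    except ValueError:
        return False
    expected = HEX_DIGEST_LENGTH.get(algorithm.upper())
    return expected is not None and len(digest_hex) == expected


if __name__ == "__main__":
    # Constructed sample password, matching the placeholder used in the commands above.
    pw = "password"
    for alg in ("SHA-256", "SHA-512", "MD5"):
        print(f"{alg}: {hash_credential(pw, alg)}")
    salted = hash_credential(pw, "SHA-512", secrets.token_bytes(16), 10000)
    print("salted SHA-512:", salted, verify_credential(pw, salted, "SHA-512"))
```

Running the script prints the digests for the constructed password "password" in the three algorithms from the commands above, plus a salted, iterated SHA-512 value. As a check on the example above: the value in the user element is 64 hex characters, which is the SHA-256 digest length, while a SHA-512 digest is 128 characters, so digest_matches_algorithm flags it against the SHA-512 handler configured in server.xml; a user entry whose digest length does not match the configured algorithm can never log in.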