How to encrypt Apache Tomcat Server Admin’s Password

Apache Tomcat is the most widely used open source servlet container and can act as a lightweight web server on its own; it needs little disk space and few system resources. Its default configuration, however, leaves a number of security-relevant settings open, and OWASP’s Securing Tomcat page (linked under References below) walks through the ones that need hardening. Here I am going to share how to protect the Tomcat admin’s password, which is very simple. By default the admin credentials are stored in plain text in tomcat-users.xml, which lives in the conf folder under the Tomcat installation directory. Strictly speaking the fix is a one-way digest (hash) rather than encryption: Tomcat never needs to recover the original password, it only needs to compare the digest of what the user typed at login with the digest stored in the file.

Ex: <Tomcat-Installation>/conf/tomcat-users.xml

Tomcat comes with a small web application called the Manager (the Web Application Manager), which makes it easy to deploy a new WAR file. To use it you have to add an account with the manager-gui role, which is done by adding the following two lines to tomcat-users.xml. This is the plain-text form we are about to replace; never leave a default such as admin/admin in place on a reachable server:

<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui"/>

Step 1

Open a command prompt, change to the bin folder of the Tomcat installation directory and run the digest script there.

Tomcat ships this script as digest.bat on Windows and digest.sh on Linux. It computes the digest (hash) of a password with the algorithm given by -a, here SHA-256, and prints the result as password:digest; only the hex string after the colon goes into tomcat-users.xml. Two things to keep in mind: the password is passed on the command line, so it lands in your shell history and is visible in the process list while the script runs, and on Tomcat 8 and later the script also accepts -s (salt length in bytes) and -i (iterations), which you should use together with the matching realm settings in Step 3.

D:\Tools\Apache\apache-tomcat-6.0.26\bin>digest.bat -a sha-256 admin123
admin123:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
D:\Tools\Apache\apache-tomcat-6.0.26\bin>

Step 2

Replace the plain-text password in tomcat-users.xml with the hash generated above (the part after the colon), so that the entry looks like this:

<role rolename="manager-gui"/>
<user username="admin" password="240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9" roles="manager-gui"/>

Step 3

We have to tell Tomcat that the stored passwords are digested rather than plain text, by changing the Realm in server.xml. On Tomcat 6 and 7 this is the digest attribute of the UserDatabaseRealm:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" />

Change to

<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
       resourceName="UserDatabase" digest="sha-256" />

The algorithm named here must be the one used in Step 1, otherwise every login fails. On Tomcat 8 and later the digest attribute no longer exists: nest a CredentialHandler element with className org.apache.catalina.realm.MessageDigestCredentialHandler and algorithm="SHA-256" inside the Realm instead. That handler also takes saltLength and iterations, which correspond to the -s and -i options of digest.sh, and a salted, iterated hash is what you want on a current Tomcat.

Step 4

Then restart Tomcat and log in to the Manager application (/manager/html) with the username and the original plain-text password; Tomcat digests what you type and compares it with the stored value. If the login fails, the usual cause is a mismatch between the algorithm configured in server.xml and the one used in Step 1. Keep in mind that digesting only protects against casual reading of tomcat-users.xml: a short password hashed once without a salt can be recovered from the hash with a wordlist in seconds, so combine this with a strong password, restrictive file permissions on the conf folder, and network-level restriction of the Manager application.
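The whole procedure as an added example in Python, not a script that ships with Tomcat: reproduce the digest that Step 1 printed, check a login attempt against it the way the realm does, and show why a single unsalted hash of a weak password still needs the other hardening steps. The salted, iterated form follows the salt$iterations$hash layout that Tomcat 8 and later store when digest.sh is run with -s and -i; the iteration loop is my reading of Tomcat’s MessageDigestCredentialHandler, so compare it against your own digest.sh output before relying on it. The wordlist is constructed for the demo.

```python
"""Digest a Tomcat user password with hashlib and check it the way the realm does.

Added example for this post, not code shipped with Tomcat.  tomcat_digest()
reproduces the unsalted SHA-256 that Tomcat 6's digest.bat -a sha-256 prints.
tomcat_salted_digest() follows the "salt$iterations$hash" layout Tomcat 8+
stores; the iteration loop is an assumption based on reading
MessageDigestCredentialHandler, so verify it against real digest.sh output.
"""
import hashlib
import hmac
import secrets

# Value the post's digest.bat run printed for admin123 (copied from the post).
POST_DIGEST = "240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9"


def _hashlib_name(algorithm: str) -> str:
    # Tomcat spells algorithms the JCA way ("SHA-256"); hashlib wants "sha256".
    return algorithm.lower().replace("-", "")


def tomcat_digest(password: str, algorithm: str = "SHA-256") -> str:
    """Unsalted, single-round hex digest: the part after the colon in
    digest.sh's 'password:hash' output."""
    return hashlib.new(_hashlib_name(algorithm), password.encode("utf-8")).hexdigest()


def tomcat_salted_digest(password: str, salt: bytes, iterations: int,
                         algorithm: str = "SHA-256") -> str:
    """Salted, iterated form: hex(salt)$iterations$hex(hash)."""
    name = _hashlib_name(algorithm)
    h = hashlib.new(name)
    h.update(salt)                        # salt bytes first, then the password
    h.update(password.encode("utf-8"))
    digest = h.digest()
    for _ in range(1, iterations):        # each further round re-digests the previous digest
        digest = hashlib.new(name, digest).digest()
    return f"{salt.hex()}${iterations}${digest.hex()}"


def new_salted_credential(password: str, salt_len: int = 16, iterations: int = 100_000,
                          algorithm: str = "SHA-256") -> str:
    """What to store in tomcat-users.xml on Tomcat 8+: a fresh random salt per user."""
    return tomcat_salted_digest(password, secrets.token_bytes(salt_len), iterations, algorithm)


def verify(stored: str, password: str, algorithm: str = "SHA-256") -> bool:
    """Check a login attempt against either stored form, with a constant-time compare."""
    parts = stored.split("$")
    if len(parts) == 3:                   # salt$iterations$hash (Tomcat 8+ with -s/-i)
        salt, iterations = bytes.fromhex(parts[0]), int(parts[1])
        candidate = tomcat_salted_digest(password, salt, iterations, algorithm)
    else:                                 # bare hex, Tomcat 6 style as in the post
        candidate = tomcat_digest(password, algorithm)
    return hmac.compare_digest(candidate.lower(), stored.lower())


def dictionary_attack(stored: str, wordlist, algorithm: str = "SHA-256"):
    """Why an unsalted, single-round digest of a weak password is not enough:
    anyone who can read tomcat-users.xml can run a wordlist against it.
    Returns the recovered password, or None if no word matched."""
    for word in wordlist:
        if verify(stored, word, algorithm):
            return word
    return None


if __name__ == "__main__":
    assert tomcat_digest("admin123") == POST_DIGEST
    # Constructed wordlist for the demo; a real one has millions of entries, and
    # single-round SHA-256 still costs only microseconds per guess.
    print("recovered:", dictionary_attack(POST_DIGEST, ["password", "admin", "admin123"]))
    cred = new_salted_credential("admin123")
    print("tomcat 8+ credential:", cred)
    print("verify ok:", verify(cred, "admin123"), "wrong password:", verify(cred, "nope"))
```

Running the script confirms that the hash in the post is simply SHA-256 of admin123, which is exactly why a wordlist recovers it on the third guess; the salted form costs an attacker a separate 100,000-round computation per guess and per user, which is the point of the -s and -i options.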

References

https://www.owasp.org/index.php/Securing_tomcat

I hope you now understand how to encrypt the Apache Tomcat Server Admin’s password. Please leave a reply in the comments if you need any assistance.