Apache Tomcat is one of the most popular open source web servers with a servlet container. It is a lightweight server that does not need much space on the system, but a default installation has a number of security weaknesses that have to be fixed before it can be considered a secure web server. OWASP lists the critical vulnerabilities together with solutions; you can go through that material to learn how to harden an Apache Tomcat server. Here I am going to show how to protect the Apache Tomcat admin password by storing it as a digest (a one-way hash; the Tomcat tooling is often described as "encrypting" the password, but nothing is encrypted and the value cannot be decrypted). It is very simple. By default the admin passwords are stored in plain text in tomcat-users.xml, which lives in the conf folder under the Tomcat installation directory.
Tomcat comes with a nice little app called the Web Application Manager, which makes it easy to deploy a new WAR file. To be able to use it you have to add an account with the role manager-gui. This is done by adding the following two lines to conf/tomcat-users.xml:
<role rolename="manager-gui"/>
<user username="admin" password="admin" roles="manager-gui"/>
Tomcat ships a script that digests passwords for us: digest.bat on Windows or digest.sh on Linux, both found in the bin directory of the installation. Open a command prompt, change to that bin folder and run the script. With the -a option we specify the digest algorithm we want to use (here sha-256; it must be the same algorithm we later configure in server.xml) and then we pass the text we want to digest:
D:\Tools\Apache\apache-tomcat-6.0.26\bin>digest.bat -a sha-256 admin123
admin123:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9
The script prints the original value, a colon, and the hex digest; only the part after the colon is the stored credential. Replace the plain text password in tomcat-users.xml with that digest as follows:
<role rolename="manager-gui"/>
<user username="admin" password="240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9" roles="manager-gui"/>
We also have to tell Tomcat that the stored passwords are digested. This is done by adding a digest attribute, with the same algorithm we used with the script, to the UserDatabase Realm element in conf/server.xml. Change
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
to
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha-256" />
Keep in mind what this does and does not protect. In this Tomcat version the stored value is a plain, unsalted SHA-256 of the password, so the same password always produces the same digest on every server: anyone who obtains tomcat-users.xml can run a wordlist against it offline, and a weak password such as admin123 is recovered in seconds. So still choose a strong password, keep conf/tomcat-users.xml readable only by the account Tomcat runs as, and on Tomcat 8 and later prefer the CredentialHandler element nested inside the Realm, which supports a salt and multiple iterations instead of the bare digest attribute.
Then restart the Apache Tomcat server, open the Manager application and log in with the user name and the original plain text password (not the digest): Tomcat digests whatever is typed in and compares it with the value stored in tomcat-users.xml.
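To make the three steps above concrete, here is an added example, written for this page and not taken from Tomcat's own code, that reproduces in Python what digest.bat prints, builds the user line for tomcat-users.xml, performs the comparison the Realm does once digest="sha-256" is set, and demonstrates the caveat that an unsalted digest falls to a wordlist. The function names, the sample tomcat-users.xml body and the mini wordlist are all constructed for the example; it assumes the password is hashed as UTF-8 bytes, which is what the digest script does on a UTF-8 system.

```python
"""
Added example (not Tomcat's code): the Tomcat 6/7 password digest step, the
Realm's digest comparison, and a wordlist attack on the unsalted result.
Assumption: passwords are digested as UTF-8 bytes, no salt, no iterations.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET


def tomcat_digest(password, algorithm="sha-256"):
    """Reproduce the value digest.sh/digest.bat prints after the colon:
    the plain hex digest of the password (assumed UTF-8), no salt."""
    name = algorithm.lower().replace("-", "")  # "sha-256" -> hashlib's "sha256"
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def user_element(username, password, roles, algorithm="sha-256"):
    """Build the <user .../> line to paste into conf/tomcat-users.xml."""
    el = ET.Element("user", username=username,
                    password=tomcat_digest(password, algorithm),
                    roles=",".join(roles))
    return ET.tostring(el, encoding="unicode")


def load_users(xml_text):
    """Parse a tomcat-users.xml body into {username: (stored_digest, [roles])}."""
    root = ET.fromstring(xml_text)
    users = {}
    for u in root.iter("user"):
        roles = [r.strip() for r in u.get("roles", "").split(",") if r.strip()]
        users[u.get("username")] = (u.get("password", ""), roles)
    return users


def authenticate(users, username, password, algorithm="sha-256"):
    """What the Realm does with digest="sha-256": digest the submitted password
    and compare it with the stored digest (case-insensitively; constant-time
    here). Returns the user's roles on success, None otherwise."""
    entry = users.get(username)
    if entry is None:
        return None
    stored, roles = entry
    if hmac.compare_digest(tomcat_digest(password, algorithm), stored.lower()):
        return roles
    return None


def crack_unsalted(stored_digest, wordlist, algorithm="sha-256"):
    """The caveat: with no salt, a leaked digest is recovered by a straight
    wordlist lookup, and one precomputed table works against every server."""
    target = stored_digest.lower()
    for word in wordlist:
        if tomcat_digest(word, algorithm) == target:
            return word
    return None


# Constructed sample of conf/tomcat-users.xml after the edit described above.
SAMPLE_TOMCAT_USERS = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin"
        password="240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9"
        roles="manager-gui"/>
</tomcat-users>
"""

# Constructed mini wordlist standing in for a real one such as rockyou.txt.
WORDLIST = ["password", "admin", "tomcat", "manager", "admin123"]


if __name__ == "__main__":
    print(tomcat_digest("admin123"))                    # same as the digest.bat output
    print(user_element("admin", "admin123", ["manager-gui"]))
    users = load_users(SAMPLE_TOMCAT_USERS)
    print(authenticate(users, "admin", "admin123"))     # ['manager-gui']
    print(authenticate(users, "admin", "admin"))        # None
    print(crack_unsalted(users["admin"][0], WORDLIST))  # admin123
```

The crack_unsalted call is the reason the digest step alone is not enough: it needs no knowledge of the server, only the leaked file and a wordlist, and the same table of digests serves every Tomcat 6/7 installation that stores the same password.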
I hope you now understand how to store the Apache Tomcat admin password as a digest instead of plain text. Please leave a reply in the comments if you need any assistance.