Encrypting Passwords in TomEE

It is good practice not to leave plaintext passwords in the TomEE configuration: the database passwords in tomee.xml and the user passwords in tomcat-users.xml. The two cases are handled differently. TomEE must recover the database password to open a connection, so tomee.xml passwords are encrypted with a reversible cipher; user passwords only ever need to be compared, so tomcat-users.xml passwords are hashed one-way. Following are sample steps for each.

Note: The following configuration is only an example. It hashes user passwords with the 'SHA-512' algorithm and encrypts the database password with the Static3DES cipher that ships with TomEE. The algorithm and cipher should be changed depending upon the standards prescribed by individual companies.

To encrypt the database password in tomee.xml:

  1. Navigate to the bin folder in the TomEE home directory.
  2. Depending on the OS, run the corresponding script from a command prompt or shell:
    1. tomee.bat for Windows; tomee.sh for Linux.
    2. Type the following:
      1. tomee.bat cipher <original password> for Windows. For Linux, tomee.sh cipher <original password>
        • Example: tomee.bat/sh cipher password (cipher is the keyword and password is the string that needs to be encrypted). With no further options the command uses the Static3DES cipher and prints the encrypted form.
      2. Once the encrypted string is available, update the password in the tomee.xml file and add the PasswordCipher property so that TomEE knows how to decrypt it, as in the sample configuration below. Note that Static3DES uses a key that is fixed inside TomEE, so it only hides the password from casual reading; anyone who can read tomee.xml and run TomEE's own classes can recover it. Keep the file permissions on tomee.xml restrictive regardless of the cipher used.

      Sample Configuration

      <Resource id="ADMINSERVERSEARCHDS" type="javax.sql.DataSource">
        jdbcDriver = oracle.jdbc.driver.OracleDriver
        jdbcUrl = jdbc:oracle:thin:@localhost:1521:orcl
        userName = oipaqa
        password = pfgn0gS/5rozVUv5LG7YLA==
        PasswordCipher = Static3DES
        jtaManaged = false
      </Resource>
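The check below is an added example and is not part of the original page or of TomEE itself. It parses a tomee.xml and reports, for every Resource, whether the password is stored in plaintext, encrypted with Static3DES (reported separately because its key is fixed inside TomEE), or handled by some other PasswordCipher. The sample file, the resource ids REPORTINGDS and BATCHDS and the cipher class name com.example.VaultCipher are constructed for illustration; the check also assumes, for the sake of matching, that property names are compared case-insensitively.

```python
import xml.etree.ElementTree as ET

# Constructed sample tomee.xml: one resource encrypted as on this page, one left in
# plaintext, one using a hypothetical custom PasswordCipher implementation.
SAMPLE_TOMEE_XML = """<tomee>
  <Resource id="ADMINSERVERSEARCHDS" type="javax.sql.DataSource">
    jdbcDriver = oracle.jdbc.driver.OracleDriver
    jdbcUrl = jdbc:oracle:thin:@localhost:1521:orcl
    userName = oipaqa
    password = pfgn0gS/5rozVUv5LG7YLA==
    PasswordCipher = Static3DES
    jtaManaged = false
  </Resource>
  <Resource id="REPORTINGDS" type="javax.sql.DataSource">
    jdbcDriver = oracle.jdbc.driver.OracleDriver
    jdbcUrl = jdbc:oracle:thin:@localhost:1521:orcl
    userName = reports
    password = Summer2024!
  </Resource>
  <Resource id="BATCHDS" type="javax.sql.DataSource">
    jdbcDriver = oracle.jdbc.driver.OracleDriver
    userName = batch
    password = Zm9vYmFy
    PasswordCipher = com.example.VaultCipher
  </Resource>
</tomee>
"""


def parse_properties(text):
    """Parse the 'key = value' lines inside a <Resource> element into a dict.
    Keys are lowercased (assumption: TomEE matches property names case-insensitively)."""
    props = {}
    for line in (text or "").splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        props[key.strip().lower()] = value.strip()
    return props


def classify(props):
    """Verdict for one resource: no-password, plaintext, static3des or custom:<class>."""
    if "password" not in props:
        return "no-password"
    cipher = props.get("passwordcipher", "PlainText")  # TomEE's default when absent
    if cipher.lower() == "plaintext":
        return "plaintext"
    if cipher.lower() == "static3des":
        return "static3des"
    return "custom:" + cipher


def audit_tomee_xml(xml_text):
    """Return (resource id, verdict) for every <Resource> in document order."""
    root = ET.fromstring(xml_text)
    return [(res.get("id"), classify(parse_properties(res.text)))
            for res in root.iter("Resource")]


def plaintext_resources(xml_text):
    """Ids of resources whose password is still stored in the clear."""
    return [rid for rid, verdict in audit_tomee_xml(xml_text) if verdict == "plaintext"]


if __name__ == "__main__":
    for rid, verdict in audit_tomee_xml(SAMPLE_TOMEE_XML):
        print(f"{rid}: {verdict}")
    print("still plaintext:", plaintext_resources(SAMPLE_TOMEE_XML))
```

To run it against a real installation, read `<tomee home>/conf/tomee.xml` into `audit_tomee_xml`; anything reported as plaintext should go through the cipher step above, and a static3des verdict is a reminder that the file itself still needs protecting.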

To hash the user password in tomcat-users.xml:

  1. Navigate to the bin folder in the TomEE home directory.
  2. Depending on the OS, use the corresponding script:
    1. digest.bat for Windows; digest.sh for Linux.
  3. Generate the hashed string for the user password by providing the user password as input. The script prints the input and the digest separated by a colon (password:digest); copy only the part after the colon.
    1. Using the SHA-256 algorithm:
      1. For Linux environment: ./digest.sh -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password (this password is the actual user password).
      2. For Windows environment: digest.bat -a sha-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password (this password is the actual user password).
    2. Using the SHA-512 algorithm:
      1. For Linux environment: ./digest.sh -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler password (this password is the actual user password).
      2. For Windows environment: digest.bat -a sha-512 -h org.apache.catalina.realm.MessageDigestCredentialHandler password (this password is the actual user password).
    3. Using the MD5 algorithm (listed for completeness only; MD5 is a weak digest and SHA-256 or SHA-512 should be preferred):
      1. For Linux environment: ./digest.sh -a md5 -h org.apache.catalina.realm.MessageDigestCredentialHandler password (this password is the actual user password).
      2. For Windows environment: digest.bat -a md5 -h org.apache.catalina.realm.MessageDigestCredentialHandler password (this password is the actual user password).
    With MessageDigestCredentialHandler the generated value has the form salt$iterations$digest, all hex-encoded (see the qatester example below). Store it exactly as printed, since the salt is needed to verify the password later.
  4. Once the hashed string is generated with any of the above algorithms, change the configuration in the server.xml file.
  5. Configuration

    <Realm className="org.apache.catalina.realm.LockOutRealm">
      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase". Any edits that are performed
           against this UserDatabase are immediately available for use by the
           Realm. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-512" />
      </Realm>
    </Realm>

    The algorithm selected when hashing the password must be the same as the algorithm given in the CredentialHandler in server.xml; a digest generated with sha-256 will not verify against a handler configured for SHA-512.

  6. Finally, the generated hashed password should be updated in the tomcat-users.xml file. Once the CredentialHandler is configured, every user in the file needs a hashed password: a user left with a plaintext password (second example below) can no longer log in, because the realm compares the digest of the supplied password against the stored value.

    Example (hashed password; salt, iteration count and SHA-512 digest separated by $)
    <user username="qatester" password="c732f45c5877232dbbc992b464f381019c16c4b7bb8680a1452a08f6db6d910f$1$c1daf3eb0daadcb0e60ca97f42048c17143c7487b29ced0deb18994b856737a0f8274e40a121eca99ff0ff0579b8fcc413310ace9cb0fce543beeb4d462d5801" roles="AC_ADMIN" />

    Example (plaintext password, as the entry looks before hashing)
    <user password="qatester3" roles="AC_ADMIN" username="qatester3"/>

    A single user can be associated with multiple roles, comma-separated, as given below:

    Example
    <user password="qatester3" roles="AC_ADMIN, AC_CYCLE" username="qatester3"/>
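The following is an added example, not code from the original page or from Tomcat. It reimplements in Python what digest.sh does with MessageDigestCredentialHandler (digest of salt followed by password, re-digested iterations-1 times, stored as hex salt$iterations$digest) together with the matching verify step, so that a generated value can be checked offline or users can be migrated with a script. The passwords and salts are constructed; the qatester hash on this page was produced with an unknown salt, so the code generates its own. The is_digested helper is a heuristic of my own for spotting entries still in plaintext, not something Tomcat provides.

```python
import hashlib
import hmac
import os


def _hashlib_name(algorithm):
    """Map a JCA name such as 'SHA-512' or 'sha-256' to hashlib's name ('sha512')."""
    return algorithm.replace("-", "").lower()


def _is_hex(s):
    return len(s) > 0 and len(s) % 2 == 0 and all(c in "0123456789abcdefABCDEF" for c in s)


def tomcat_digest(password, algorithm="SHA-512", salt=None, iterations=1, encoding="UTF-8"):
    """Mirror MessageDigestCredentialHandler.mutate(): digest(salt || password),
    then re-digest the result iterations-1 times. An unsalted credential is a
    single plain digest of the password, whatever the iteration count."""
    name = _hashlib_name(algorithm)
    md = hashlib.new(name)
    if salt:
        md.update(salt)
    md.update(password.encode(encoding))
    result = md.digest()
    if salt:
        for _ in range(1, iterations):
            result = hashlib.new(name, result).digest()
    return result.hex()


def generate_credential(password, algorithm="SHA-512", salt_length=32, iterations=1, salt=None):
    """Produce the salted form digest.sh prints: salt$iterations$digest, hex-encoded.
    A 32-byte salt and 1 iteration match the qatester example on this page
    (64 hex chars of salt, '1', 128 hex chars of SHA-512)."""
    if salt is None:
        salt = os.urandom(salt_length)
    digest = tomcat_digest(password, algorithm, salt, iterations)
    return f"{salt.hex()}${iterations}${digest}"


def is_digested(stored):
    """Heuristic (not Tomcat's): does a tomcat-users.xml password look like a stored
    digest, either salt$iterations$digest or a bare hex digest of a common length?"""
    parts = stored.split("$")
    if len(parts) == 3:
        salt_hex, iters, digest_hex = parts
        return _is_hex(salt_hex) and iters.isdigit() and _is_hex(digest_hex)
    return len(stored) in (32, 40, 56, 64, 96, 128) and _is_hex(stored)


def verify(password, stored, algorithm="SHA-512"):
    """Verify a password against a stored credential the way the realm does:
    salted form if the value has two '$' separators, plain digest otherwise."""
    parts = stored.split("$")
    try:
        if len(parts) == 3:
            salt = bytes.fromhex(parts[0])
            iterations = int(parts[1])
            expected = parts[2]
        else:
            salt, iterations, expected = None, 1, stored
        computed = tomcat_digest(password, algorithm, salt, iterations)
        return hmac.compare_digest(computed, expected.lower())
    except (ValueError, TypeError):
        return False  # malformed salt/iterations or non-ASCII junk never matches


if __name__ == "__main__":
    cred = generate_credential("qatester")  # constructed password
    print(cred)
    print("correct password:", verify("qatester", cred))
    print("wrong password:  ", verify("qatester2", cred))
    print("plaintext entry looks digested?", is_digested("qatester3"))
```

Run it with no arguments to see a fresh salt$1$digest for the constructed password; paste a value generated by digest.sh into `verify` with the matching algorithm to confirm the server.xml and tomcat-users.xml settings agree before restarting the server.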