Tomcat database password


Søren Christian Aarup

Apr 3, 2019, 3:26:21 PM
to Vault
So I have to set up some DB-datasources in a Tomcat context.xml. I do not want to have plaintext passwords in there, and since I have an installation of Vault already, the password should come from there. I cannot find anyone who has done this. What about you?

Thank you.

Becca Petrin

Apr 3, 2019, 7:00:00 PM
to Vault
Hi Søren!

I'll presume that means your application is in Java. If so, this might be helpful: https://learn.hashicorp.com/vault/encryption-as-a-service/eaas-spring-demo.

-B

Becca Petrin

Apr 3, 2019, 7:09:22 PM
to Vault
Hi again,

Also, I suppose, to be more clear, I'm not suggesting you do everything in that walk-through. The link is more intended to get you in the right direction of seeing how to interact with Vault through Java. There are some Java client libraries, though they're through third parties, and you can also roll your own Java HTTP calls directly to our REST API. So a simple win might be to move your context.xml secrets into the Vault KV secrets engine, then update your code to authenticate to Vault and then pull secrets from it.

-B

mic...@hashicorp.com

Apr 4, 2019, 3:03:26 AM
to Vault
Hi,

The information Becca provided is the right way to go.

However, sometimes it's not possible to directly connect your application with Vault. In that case, I recommend having a look at consul-template: https://github.com/hashicorp/consul-template
It allows you to dynamically insert secrets from Vault into your context.xml file.

Cheers,
Michel

Søren Christian Aarup

Apr 4, 2019, 5:44:13 AM
to Vault
Hi guys.

Thanks for your answers.

I have been looking a bit at Spring Vault already, and it looks like you have to be a developer to get going there. I am a Linux operations guy. I didn't know about consul-template, but the thing is that we are not allowed to store passwords in plain conf/text files.

Nick Cabatoff

Apr 4, 2019, 8:10:31 AM
to vault...@googlegroups.com
It sounds like you can use env vars in context.xml: https://stackoverflow.com/questions/44761831/tomcat-8-context-xml-use-environment-variable-in-datasource

You could use something like envconsul to fetch the secret from Vault, populate the env var, then invoke Tomcat.

--
This mailing list is governed under the HashiCorp Community Guidelines - https://www.hashicorp.com/community-guidelines.html. Behavior in violation of those guidelines may result in your removal from this mailing list.
 
GitHub Issues: https://github.com/hashicorp/vault/issues
IRC: #vault-tool on Freenode
---
You received this message because you are subscribed to the Google Groups "Vault" group.
To unsubscribe from this group and stop receiving emails from it, send an email to vault-tool+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/vault-tool/7d668288-258c-4b40-a496-09859b695784%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Søren Christian Aarup

Apr 5, 2019, 8:04:17 AM
to Vault
That's very interesting. As long as I don't reveal passwords in the processlist though. I will try it out.


Niranjan Kolly

May 30, 2020, 1:02:35 PM
to Vault
Did you solve this use case? I am also looking for the same solution. As suggested by Nick, if we use JVM variables, any admin guy who logs in to the server and executes `ps -ef | grep java` still sees the plaintext password in the process list.

Vasilyev Viacheslav

May 31, 2020, 1:05:30 PM
to Vault
If you've seen secrets exposed via JVM variables, then the only solution is not to use this method. As an alternative, you may try banzai-cloud's vault-env (or analogs) to inject secrets as process-specific environment variables, and then read them with a System.getenv call.
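The distinction this thread turns on, between a password passed as a JVM system property (Niranjan's `ps -ef | grep java` concern) and one handed to the process only as an environment variable (what Nick's envconsul suggestion and Vasilyev's vault-env suggestion both do before starting Tomcat), can be checked directly rather than argued about. The script below is an added example, not code from this thread or from HashiCorp or Banzai Cloud. It assumes Linux, where `/proc/<pid>/cmdline` is what `ps -ef` prints and `/proc/<pid>/environ` holds the environment block; a Python sleeper stands in for the Tomcat JVM, and the secret value is constructed.

```python
"""Where does a secret handed to a child process become visible?

Added example for this thread (not code from the thread, HashiCorp or
Banzai Cloud). Assumes Linux: /proc/<pid>/cmdline holds what `ps -ef`
prints and /proc/<pid>/environ holds the process's environment block.
A Python sleeper stands in for the Tomcat JVM; the secret is constructed.
"""
import os
import subprocess
import sys
from typing import Dict, List

SAMPLE_SECRET = "constructed-db-password-123"  # constructed sample, not a real credential
SLEEPER = "import time; time.sleep(30)"        # keeps the child alive while we inspect it


def _proc_field(pid: int, name: str) -> List[str]:
    """Read the NUL-separated /proc/<pid>/cmdline or /proc/<pid>/environ file."""
    with open(f"/proc/{pid}/{name}", "rb") as fh:
        raw = fh.read()
    return [part.decode("utf-8", errors="replace") for part in raw.split(b"\0") if part]


def exposure(argv: List[str], extra_env: Dict[str, str], secret: str) -> Dict[str, bool]:
    """Launch argv (with extra_env merged into the environment) and report
    whether `secret` appears in the child's command line and/or environment.

    Popen returns only after exec() has succeeded, so the child's /proc
    entries already describe the new program when they are read here.
    """
    child = subprocess.Popen(argv, env={**os.environ, **extra_env})
    try:
        cmdline = _proc_field(child.pid, "cmdline")
        environ = _proc_field(child.pid, "environ")
    finally:
        child.kill()
        child.wait()
    return {
        "cmdline": any(secret in arg for arg in cmdline),
        "environ": any(secret in entry for entry in environ),
    }


def jvm_property_style(secret: str = SAMPLE_SECRET) -> Dict[str, bool]:
    """Pass the secret the way CATALINA_OPTS="-Ddb.password=..." would,
    i.e. as a command-line argument: the case Niranjan describes."""
    return exposure([sys.executable, "-c", SLEEPER, f"-Ddb.password={secret}"], {}, secret)


def env_var_style(secret: str = SAMPLE_SECRET) -> Dict[str, bool]:
    """Pass the secret only as an environment variable, which is what an
    envconsul- or vault-env-style wrapper does before exec'ing Tomcat."""
    return exposure([sys.executable, "-c", SLEEPER], {"DB_PASSWORD": secret}, secret)


if __name__ == "__main__":
    for label, result in (("-D system property", jvm_property_style()),
                          ("environment variable", env_var_style())):
        print(f"{label:22s} cmdline={result['cmdline']!s:5s} environ={result['environ']}")
```

Two caveats worth keeping in mind when reading the result. `/proc/<pid>/cmdline` is world-readable, so the `-D` form is visible to every local user; `/proc/<pid>/environ` is readable only by the process owner and root (`ps e` shows it for your own processes), so the environment form hides the value from other unprivileged users, not from an administrator with root. And whichever way the value arrives, it lives in the JVM's memory afterwards, so heap dumps and core files need the same handling as the config file would have. A wrapper that fetches the secret should `exec` the JVM rather than stay resident, so only one process ever carries it.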