Tomcat password encryption steps
For each of the standard Realm implementations, the user’s password (by default) is stored in clear text. In many environments, this is undesirable because casual observers of the authentication data can collect enough information to log on successfully, and impersonate other users. To avoid this problem, the standard implementations support the concept of digesting user passwords. This allows the stored version of the passwords to be encoded (in a form that is not easily reversible), but that the Realm implementation can still utilize for authentication.
When a standard realm authenticates by retrieving the stored password and comparing it with the value presented by the user, you can select digested passwords by specifying the digest attribute on your <Realm> element. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (SHA, MD2, or MD5). When you select this option, the contents of the password that is stored in the Realm must be the cleartext version of the password, as digested by the specified algorithm.
When the authenticate() method of the Realm is called, the (clear text) password specified by the user is itself digested by the same algorithm, and the result is compared with the value returned by the Realm. An equal match implies that the cleartext version of the original password is the same as the one presented by the user, so that this user should be authorized.
Let’s discuss each step briefly and enforce the password encryption policy for the Tomcat Manager.
Here we discuss using the SHA-256 and MD5 hash algorithms to digest the Tomcat Manager password in Tomcat 8.5.6 and in Tomcat 6/7.
Step 1. Define the password encryption algorithm in the Realm section of server.xml, as in the following configuration:
For Tomcat 8:
SHA-256:
<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
  </Realm>
</Realm>
MD5:
To use another algorithm such as MD5, replace the algorithm attribute with MD5 as below and keep everything else the same.
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
  </Realm>
</Realm>
For Tomcat 6/7:
In older versions such as Tomcat 7, the algorithm is set as a digest attribute on the Realm itself:
<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />
Step 2. Go to tomcat_home/bin and run the following command; it prints the digested password, as shown in the following output:
For Tomcat 8:
SHA-256:
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>digest.bat
Usage: RealmBase [-a <algorithm>] [-e <encoding>] [-i <iterations>] [-s <salt-length>] [-k <key-length>] [-h <handler-class-name>] <credentials>

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler mysecret_password
mysecret_password:371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa
MD5:
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>digest.bat -a MD5 -h org.apache.catalina.realm.MessageDigestCredentialHandler mysecret_password
mysecret_password:da1a3f77b3a85fec4526096c2d26d50c4c9a62111c6eb4fc4492d59b319ef9d0$1$81ac256f4c7b588e9bae66f64a1a5e33
Note:
- Copy only the part after the colon (the salt$iterations$digest string, without the mysecret_password: prefix) into the tomcat-users.xml file.
- It is very important to pass -h org.apache.catalina.realm.MessageDigestCredentialHandler while generating the password; without it the stored value will not match the CredentialHandler configured above and login will not work.
For Tomcat 6/7:
[root@localhost bin]# ./digest.sh -a MD5 secret
In the previous command, ./digest.sh is the script that generates the password digest for the Tomcat realm, and -a selects the algorithm; here we use MD5 for Tomcat 6/7.
Step 3. Copy the SHA-256 or MD5 string and replace the password value in tomcat-users.xml, as in the following configuration:
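Why the digest output differs on every run, and how the realm still accepts the plain password at login, is easiest to see in code. The following Python is an added example, not Tomcat's own code: it re-implements the stored form that digest.bat and digest.sh print (saltHex$iterations$digestHex, or a bare hex digest when the salt length is 0) on the assumption that the digest is computed over the salt bytes followed by the encoded password and that each extra iteration re-digests the previous digest; with that assumption the article's own entries verify against their plain-text passwords.

```python
"""Generate and verify Tomcat MessageDigestCredentialHandler credentials.

Added example, not Tomcat's own code. It re-implements the stored form that
digest.bat / digest.sh print: "saltHex$iterations$digestHex", or a bare hex
digest when the salt length is 0 (-s 0). Assumption: the digest is taken over
salt bytes followed by the encoded password, and each extra iteration
re-digests the previous digest.
"""
import hashlib
import hmac
import os
from typing import Optional


def _digest_hex(algorithm: str, data: bytes, iterations: int) -> str:
    """Tomcat algorithm names ("SHA-256", "sha-512", "MD5") map onto hashlib names."""
    name = algorithm.lower().replace("-", "")
    digest = hashlib.new(name, data).digest()
    for _ in range(1, iterations):          # -i N: re-hash the previous digest N-1 more times
        digest = hashlib.new(name, digest).digest()
    return digest.hex()


def generate(password: str, algorithm: str = "SHA-256", salt_length: int = 32,
             iterations: int = 1, encoding: str = "utf-8",
             salt: Optional[bytes] = None) -> str:
    """Stored form of a password, like: digest.sh -a ALGORITHM -s SALT_LENGTH -i ITERATIONS."""
    if salt is None:
        salt = os.urandom(salt_length)      # fresh random salt: the reason two runs never match
    pw = password.encode(encoding)
    if not salt:
        return _digest_hex(algorithm, pw, iterations)   # -s 0: plain digest, no prefix
    return f"{salt.hex()}${iterations}${_digest_hex(algorithm, salt + pw, iterations)}"


def verify(password: str, stored: str, algorithm: str = "SHA-256",
           encoding: str = "utf-8") -> bool:
    """What the realm does at login: re-digest the presented password with the stored salt."""
    pw = password.encode(encoding)
    parts = stored.split("$")
    if len(parts) == 3:
        salt_hex, iterations, expected = parts
        computed = _digest_hex(algorithm, bytes.fromhex(salt_hex) + pw, int(iterations))
    else:
        expected = stored                   # unsalted entry: Tomcat 6/7 style or -s 0
        computed = _digest_hex(algorithm, pw, 1)
    # hex digests compare case-insensitively; compare_digest avoids a timing side channel
    return hmac.compare_digest(computed.lower(), expected.lower())


# Entries copied from the article and its comments (page data, not constructed):
PAGE_ENTRIES = [
    ("mysecret_password", "SHA-256",
     "371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4"
     "$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa"),
    ("admin", "SHA-256", "8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"),
    ("secret", "MD5", "5ebe2294ecd0e0f08eab7690d2a6ee69"),
]


def check_page_entries() -> bool:
    """True when every entry above verifies with its plain-text password."""
    return all(verify(pw, stored, alg) for pw, alg, stored in PAGE_ENTRIES)


if __name__ == "__main__":
    first, second = generate("mysecret_password"), generate("mysecret_password")
    print("two runs differ:", first != second)              # different salts, both still verify
    print("both verify:", verify("mysecret_password", first) and verify("mysecret_password", second))
    print("page entries verify:", check_page_entries())
```

Because the salt is stored in front of the digest, the realm never needs to reproduce the random value: it reads it back from the stored string, re-digests the presented password with it, and compares. That is also why a user who pastes the literal hash into the login form must be rejected once a CredentialHandler is active; a realm that accepts the hash itself is still comparing clear text.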
For Tomcat 8:
SHA-256:
<role rolename="manager-gui"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa" roles="manager-gui,manager,admin"></user>
MD5:
<role rolename="manager-gui"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="da1a3f77b3a85fec4526096c2d26d50c4c9a62111c6eb4fc4492d59b319ef9d0$1$81ac256f4c7b588e9bae66f64a1a5e33" roles="manager-gui,manager,admin"></user>
</tomcat-users>
For Tomcat 6/7:
<user name="admin" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui" />
Step 4. Reload/restart the Tomcat services and log in to the Tomcat Manager using the password.
If you have followed exactly what is written in this article, then for Tomcat 8 the username is admin and the password is mysecret_password, and for Tomcat 6/7 the username is admin and the password is secret.
Access http://hostname:8080/manager/ and log in using the plain (non-digested) passwords.
If you want more information on the other Tomcat realms, visit the official Tomcat site.
If anyone still has trouble getting the digest to work, I have uploaded a tested Tomcat zip with all the settings for SHA-256 here for download and use.
Tomcat manager username password: admin/admin
Make sure the JDK version is as below to replicate the exact testing scenario (the JDK can be downloaded from the Oracle Java archive here):
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>java -version
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)
My CLASSPATH and PATH were set as below:
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>echo %PATH%
D:\Programs\Java\jdk1.7.0_25/bin;F:\Oracle12c\product\12.1.0\dbhome_1\bin;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>echo %CLASSPATH%
.;D:\Programs\Java\jdk1.7.0_25\lib\tools.jar;D:\Programs\Java\jdk1.7.0_25\jre\lib\rt.jar
How to set up the pre-packaged Tomcat with SHA-256 encryption:
- Download JDK 1.7.0_25 from the Oracle Java archive here.
- Install it and set the PATH and CLASSPATH as below. Example for Windows:
Open a command prompt (administrator or normal user mode) and run:
set PATH=D:\Programs\Java\jdk1.7.0_25\bin;%PATH%
set CLASSPATH=.;D:\Programs\Java\jdk1.7.0_25\lib\tools.jar;D:\Programs\Java\jdk1.7.0_25\jre\lib\rt.jar
Then cd to <Tomcat extract dir>/bin and use startup.bat to start Tomcat. Access http://localhost:8081/manager/ and, when prompted for a password, use admin/admin as username and password; you should be able to log in now.
Example start output from my screen:
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>cd D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>startup.bat
Using CATALINA_BASE: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6"
Using CATALINA_HOME: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6"
Using CATALINA_TMPDIR: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\temp"
Using JRE_HOME: "D:\Programs\Java\jdk1.7.0_25"
Using CLASSPATH: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin\bootstrap.jar;D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin\tomcat-juli.jar"
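The two ways this setup usually goes wrong are both visible in the files themselves: the Tomcat 6/7 digest attribute pasted into a Tomcat 8 server.xml (which Tomcat 8.5 reports as a property it does not recognise), and digested passwords in tomcat-users.xml with no CredentialHandler behind them, so only the literal hash string logs in. The following Python is an added example, not part of the article or of Tomcat, that lints both files for those conditions; the XML samples are constructed, and the hex-length heuristic used to recognise a digest is an assumption about the shape digest.bat prints.

```python
"""Lint server.xml's Realm section and tomcat-users.xml for clear-text password handling.

Added example, not Tomcat's own code. The XML samples are constructed for the
check; the digest-shape heuristic (hex of a known length, or
saltHex$iterations$digestHex) is an assumption about what digest.sh prints.
"""
import re
import xml.etree.ElementTree as ET

HEX = re.compile(r"^[0-9a-fA-F]+$")
DIGEST_HEX_LENGTHS = {32, 40, 64, 96, 128}   # MD5, SHA-1, SHA-256, SHA-384, SHA-512
LEGACY_ALGORITHMS = {"MD2", "MD5", "SHA", "SHA-1"}

# Constructed: the Tomcat 6/7 'digest' attribute pasted into a Tomcat 8.5 server.xml.
WEAK_SERVER_XML = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" digest="sha-256"/>
</Realm>
</Engine></Service></Server>"""

# Constructed: the corrected form, a nested CredentialHandler as in Step 1.
FIXED_SERVER_XML = """<Server><Service><Engine>
<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
    <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                       algorithm="SHA-256"/>
  </Realm>
</Realm>
</Engine></Service></Server>"""

# Constructed users file: one clear-text password, one bare digest, one salted digest.
USERS_XML = """<tomcat-users>
  <role rolename="manager-gui"/>
  <user username="admin" password="admin" roles="manager-gui"/>
  <user username="ops" password="8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918"
        roles="manager-gui"/>
  <user username="ci" password="371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa"
        roles="manager-script"/>
</tomcat-users>"""


def looks_digested(value: str) -> bool:
    """Does a password attribute have the shape digest.sh prints?"""
    parts = value.split("$")
    if len(parts) == 3:
        salt, iterations, digest = parts
        return (bool(HEX.match(salt)) and iterations.isdigit()
                and bool(HEX.match(digest)) and len(digest) in DIGEST_HEX_LENGTHS)
    return bool(HEX.match(value)) and len(value) in DIGEST_HEX_LENGTHS


def audit(server_xml: str, users_xml: str) -> list:
    """Return human-readable findings; an empty list means both files look consistent."""
    findings = []
    handler_configured = False
    for realm in ET.fromstring(server_xml).iter("Realm"):
        cls = realm.get("className", "").rsplit(".", 1)[-1]
        if "digest" in realm.attrib:
            findings.append(f"{cls}: 'digest' attribute is the Tomcat 6/7 form; Tomcat 8.5 "
                            "logs 'did not find a matching property' and keeps comparing clear text")
        handlers = realm.findall("CredentialHandler")
        if cls == "UserDatabaseRealm" and not handlers:
            findings.append(f"{cls}: no CredentialHandler, stored passwords are compared as clear text")
        for handler in handlers:
            handler_configured = True
            algorithm = handler.get("algorithm", "")
            if algorithm.upper() in LEGACY_ALGORITHMS:
                findings.append(f"{cls}: CredentialHandler uses {algorithm}; prefer SHA-256 or stronger")
    digested_users = 0
    for user in ET.fromstring(users_xml).iter("user"):
        name = user.get("username") or user.get("name")
        if looks_digested(user.get("password", "")):
            digested_users += 1
        else:
            findings.append(f"user '{name}': password is not in digest form (clear text on disk)")
    if digested_users and not handler_configured:
        findings.append("digested passwords present but no CredentialHandler configured: "
                        "only the literal digest string will log in")
    return findings


if __name__ == "__main__":
    for label, server_xml in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(f"[{label}]")
        for finding in audit(server_xml, USERS_XML):
            print("  -", finding)
```

Run against a real installation by reading conf/server.xml and conf/tomcat-users.xml into the two strings. The heuristic cannot tell a 64-character hexadecimal clear-text password from a digest, so treat the user findings as a prompt to check, not as proof.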
I have tried this every single way I can think of and nothing works…
WARNING [main] sun.reflect.NativeMethodAccessorImpl.invoke [SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property ‘digest’ to ‘sha-256’ did not find a matching property
Check your conf/tomcat-users.xml file; it should look like below:
<role rolename="manager-gui"></role>
<user username="admin" password="admin" roles="manager-gui"></user>
Try encrypting the password using the command below, as you are using sha-256:
C:/tomcat/bin>digest.bat -a sha-256 admin
admin:8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
C:\tomcat\bin>
In conf/server.xml, change the below and restart Tomcat
from:
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"></Realm>
to
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"
digest="sha-256"></Realm>
No luck. This is Tomcat 8.5.6.0 if that makes any difference.
This is the change made to ./conf/server.xml:
— conf/server.xml.orig 2016-12-04 18:52:12.000000000 -0500
+++ conf/server.xml 2016-12-04 18:51:55.000000000 -0500
@@ -139,7 +139,8 @@
that are performed against this UserDatabase are immediately
available for use by the Realm. –>
+ resourceName=”UserDatabase”
+ digest=”sha-256″/>
<Host name="localhost" appBase="webapps"
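Review bot: the digest="sha-256" attribute this hunk adds to the inner Realm is the Tomcat 6/7 form of the setting; on Tomcat 8.5.6 it is not a property of UserDatabaseRealm, which is exactly what the warning quoted below ("Setting property 'digest' to 'sha-256' did not find a matching property") reports, so the stored value keeps being compared as clear text. Replace the attribute with a nested element inside the UserDatabaseRealm, as in Step 1 of the article: <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />. Also, the hunk header claims 7 lines became 8 but only two "+" lines and two context lines survived the paste, so the opening <Realm className="...UserDatabaseRealm" line that these attributes attach to cannot be checked here.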
This is the line added to ./conf/tomcat-users.xml:
… whereas the password=”” value was generated using ./bin/digest -a sha-256
Upon restarting tomcat, the following warning is logged in logs/catalina.out
04-Dec-2016 18:53:09.735 WARNING [main] sun.reflect.NativeMethodAccessorImpl.invoke [SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property ‘digest’ to ‘sha-256’ did not find a matching property.
… and upon testing access to the manager and host-manager application, it refuses to take the cleartext-password. I have to literally put my password in as “29186ec242f7ba10dbf0c29605e20c86bf587925b09965fe6dbf7d6f276122e3$1$b7a0a85be8a471dbd169630eaa9356fd181087d783cff8e7e26218646b2c8d47” because the digest modification made to server.xml isn’t working.
I would be grateful if you had any clues that would help get me out of this pickle.
– Ben
It doesn’t look like that diff/patch pasted correctly. Here’s a pastebin of the change made to server.xml.
http://pastebin.com/SPfVQDpC
Hi Ben,
The answer to your question is using the -h tag while generating the digest password in tomcat 8. It seems all articles on internet are not pointing to the correct syntax so I have updated the article with exact steps to complete SHA-256 encryption in Tomcat 8.5.6 and lower versions of tomcat. Please have a look at it. If you like the solution then do share and recommend the article. Thanks
I never left message to bloggers, but this one, literally helped me a lot, just want to say, Thank YOU!
Glad this helped you…! appreciate the feedback.. 🙂
I tried again, no luck. Generating the digest doesn’t seem to be the bottom, it’s the parameters in server.xml that aren’t being applied. Each time I can paste in the literal hash and it lets me in – so it’s treating the contents of the password attribute as cleartext every single time. I don’t understand why.
Again, the server.xml entry is this:
and each time, it results in the logs/catalina.out warning:
11-Dec-2016 00:49:07.811 WARNING [main] sun.reflect.NativeMethodAccessorImpl.invoke [SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property ‘digest’ to ‘sha-256’ did not find a matching property.
Hi Ben,
I think you must have made some small syntax mistake due to which it is not recognizing the encryption. I usually don't do this, but for now I have also uploaded the complete tomcat 8.5.6 zip file with SHA-256 encryption configured and TESTED for your download and use. The password and username are admin/admin. Below is the link to download the complete tomcat, and other things like the JDK version and download URL I have added at the end of the post. Please do check it. If it still does not work, there must be something else at issue, not Tomcat.
Tomcat standalone zip: http://www.techpaste.com/wp-content/uploads/2016/12/apache-tomcat-8.5.6_SHA256.zip
JDK 1.7.0_25 : http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u25-oth-JPR
HTH,
Ram
This helps immensely. My server.xml and yours are completely different where it counts.
I should disclose my apache-tomcat 8.5.6 is delivered as part of apache-tomee 7.0.2, but I would hope that shouldn’t make a difference.
I started with:
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
resourceName="UserDatabase"/>
</Realm>
and after researching, I changed to:
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm"
digest="SHA-256" resourceName="UserDatabase"/>
</Realm>
Which totally didn’t work… You have:
<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
</Realm>
</Realm>
…which includes the entire CredentialHandler part… I can’t figure out where I should have known this was supposed to go in.
I changed my server.xml to look like yours above and now it works great! Thank you so much for your help, and I'm sorry this was so much trouble.
NP. Glad this helped you. Thanks… 🙂
http://pastebin.com/78CsnyKi
Explain me pls this essential: WHY DOES THE HASH DIFFER EACH TIME ??? (the same without the handler parameter)
$ /opt/apache-tomcat-8.5.9/bin/digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler my_pwd
my_pwd:ea3de47cb39b8ed3c3b144e83953746ee08308cfc0620fb7fa12336b7cf6f583$1$02ab35ffbba2f9002d95c8246ec4218e6c100ff7ada2d33d1005480ce793fc7b
$ /opt/apache-tomcat-8.5.9/bin/digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler my_pwd
my_pwd:19c84adacf8a294d1208b48c3ae7992f105d1cf8c7ad7ab07cd4784ef13a2a39$1$191dddd5cd34bf456de316e16094c7bef610df739b50292bd41dea53b26e4194
SHA-256 produces a hash that is 256 bits long, so there are 2^256 possibilities.
self response: the digest.sh script requires “-s 0” to work as expected
Hi, I followed your complete article and I find it very helpful. But I am unable to achieve the goal of encrypting the password. After copying the encrypted password into the tomcat-users.xml file as suggested, I restarted Tomcat. When I try to log in to the manager console using my normal credentials (user name: admin, password: test@123) it is not allowing me. It allows only when I use the encrypted password which I copied into users.xml, but not "test@123". As a result, I am still having plain text issues in our security scan system. Please advise me where I am going wrong.
Hi, you can directly download the tested Tomcat from the link below, which has the encryption already enabled, and compare it with your internal instance.
http://www.techpaste.com/wp-content/uploads/2016/12/apache-tomcat-8.5.6_SHA256.zip
One very important thing you left out is to make sure to edit the \webapps\manager\WEB-INF\web.xml
You need to update the HTMLManager servlet area to use DIGEST or it won’t work.
Example:
<servlet>
  <servlet-name>HTMLManager</servlet-name>
  <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
  <init-param>
    <param-name>debug</param-name>
    <param-value>2</param-value>
  </init-param>
  <!-- Uncomment this to show proxy sessions from the Backup manager or a
       StoreManager in the sessions list for an application
  <init-param>
    <param-name>showProxySessions</param-name>
    <param-value>true</param-value>
  </init-param>
  -->
</servlet>

<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>UserDatabase</realm-name>
</login-config>
Thanks for sharing the info.
Step 1. We have to define the password encryption algorithm in the Realm section of server.xml, as in the following line of code:
Step 2. Now go to tomcat_home/bin and run the following command, it will generate the encrypted algorithm.
digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler
Note:
Only Copy the encrypted password in bold to use in tomcat-users.xml file.
It is very important to use the -h org.apache.catalina.realm.MessageDigestCredentialHandler tag while generating the password else it will not work.
Example:
digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler suresh
suresh:574ab3ed077d2916eb74c6be7cee9b9da9fd05772049d7db155133c79ced98ca$1$c0d46d019379a072d936692ab7e574dd5d6e76d50208fb5f326b91854f5c11a3
Step 3. Copy the SHA-256 string and replace the password text from tomcat_user.xml with the following line of code:
Step 4: updated the HTMLManager servlet area to use DIGEST
Step 5: Reload/restart the Tomcat services and log in to the Tomcat Manager using the password.
Now I am able to log in with the hashed password but not with the old password; in my case the digest is not working. Please help me to resolve this issue.
Thank you !!!
I wanted to share how I was able to get the tomcat manager’s password encrypted
I am using ubuntu 16.04, apache/tomcat 8.5.11, java 8
1. Generate the hash
a. navigate to $CATALINA_HOME/bin (in my case its /opt/tomcat/bin)
b. run the following command
./digest.sh -a sha-512 -s 0 -e utf-8 -h org.apache.catalina.realm.MessageDigestCredentialHandler [password you want to encrypt here]
I used "password" for this post and this is the result:
password:b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
c. copy the generated hash not including password:
2. Modify the tomcat-users.xml file and replace the password with the hash in the password field
3. Modify the server.xml and add the following
The end result should look similar to this
4. Restart Tomcat and log in to Tomcat Manager
Thanks for sharing the info
Hello All,
I am trying to encrypt the plain passwords in the users.xml file. My current environment is Apache Tomcat/8.0.14 running on Windows Server 2008 R2. Below is the process I follow.
Step 1. We have to define the password encryption algorithm in the Realm section of server.xml, as in the following line of code:
Step 2. Now go to tomcat_home/bin and run the following command, it will generate the encrypted algorithm.
digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler
Note:
Only Copy the encrypted password in bold to use in tomcat-users.xml file.
It is very important to use the -h org.apache.catalina.realm.MessageDigestCredentialHandler tag while generating the password else it will not work.
Example:
digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler suresh
suresh:574ab3ed077d2916eb74c6be7cee9b9da9fd05772049d7db155133c79ced98ca$1$c0d46d019379a072d936692ab7e574dd5d6e76d50208fb5f326b91854f5c11a3
Step 3. Copy the SHA-256 string and replace the password text from tomcat_user.xml with the following line of code:
step 4:configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)
/webapps/manager\WEB-INF\web.xml
<login-config>
  <auth-method>DIGEST</auth-method>
  <realm-name>UserDatabase</realm-name>
</login-config>
Step 5. Reload/restart the Tomcat services and log in to the Tomcat Manager using the password.
The thing is, I am unable to log in with the plain password, but I am able to log in with the hashed password.
3. Modify the server.xml and add the following
Which parameters have you added in server.xml?
I am able to get this done with MD5 algorithm. But not with SHA. Here are the steps I am doing.
1. Generate hash using following command.
./digest.sh -a sha-512 -s 0 -e utf-8 -h org.apache.catalina.realm.MessageDigestCredentialHandler password
2. Take the hashed password and place it in tomcat-users.xml file.
3. Finally, restart the tomcat.
I tried with various combinations of salt. Some websites say the password needs to be in the format username:realmName:password.
I downloaded the given tomcat zip file. In the websites, I don’t find the website, which is configured for DIGEST authentication.
When I downloaded given tomcat application and tried to access manager application, it says invalid credentials. Here are the steps I did.
1. Download apache-tomcat-8.5.6_SHA256 zip file.
2. Extract it and start tomcat.
3. Go to http://localhost:8080/ and access the manager app, which asks for credentials.
4. When I enter username and password as "admin", it throws invalid credentials.
Am i doing something wrong here?
user Name: admin
Password : mysecret_password
C:\apache-tomcat-8.5.6_SHA256\apache-tomcat-8.5.6\bin>digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password
password:0e7e41b19ba44ba1118f589999eade03a35f8026958446407c333dd694e479ee$1$cb5341b3105b17ee6559a597dd5eb81be8e0130b0f84b93d39497e48dac65ffe
C:\apache-tomcat-8.5.6_SHA256\apache-tomcat-8.5.6\bin>digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password
password:abe6af13733979a2469ce0d9c2bba6dc492d2767ba92a3f39e532d44fffdca03$1$52f4c7c7b491210780c62835214b5bfed87f9ada1e54b03487d75dde2608cfe2
Why am I getting a different hash value every time I run with the same password? Is it because of a different salt being used internally for each run?
How does the server validate the password when there are multiple possibilities?
Nevermind. I understood how the digest is generated and validated by server.
I am trying to use the given application and I am facing this problem. Once I log in to the application with proper credentials, I stop the server and restart the Tomcat server. Now when I try to launch the http://localhost:port/manager URL it automatically takes me to the manager page and does not ask for the login credentials again. I assume that after a server restart the login page should be prompted again, which is not happening. Can someone help please??