10.19 Ensure Manager Application Passwords are Encrypted

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.


Information

Apache Tomcat ships with a Manager Application which requires users holding one or more of the roles manager-gui, manager-status, manager-script and manager-jmx to authenticate. The usernames and passwords used to log on to the Manager Application are stored in $CATALINA_HOME/conf/tomcat-users.xml, in plain text by default.

Rationale:

Storing passwords in plain text allows anyone who can read the tomcat-users.xml file (directly, or through backups and configuration repositories that include it) to obtain the credentials of users who hold Manager Application roles. This may allow accounts to be compromised on Tomcat and, where the same passwords are reused, elsewhere.

Solution

Generate the password digest (the stored value is a one-way hash, not a recoverable encrypted form, despite the title of this item):

cd $CATALINA_HOME/bin
digest.bat -a sha-256 YOURPASSWORD

On Unix-like systems run digest.sh instead of digest.bat. The tool prints the original password, a colon, and the digest:

YOURPASSWORD:240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9

On Tomcat 8.5 and later the tool salts the digest by default and prints it as salt$iterations$hash; store that value unchanged, or pass -s 0 to obtain the unsalted form shown here.

Replace the plain-text password in $CATALINA_HOME/conf/tomcat-users.xml with the digest, keeping only the part after the colon:

<user username='admin' password='240be518fabd2724ddb6f04eeb1da5967448d7e831c08c8fa822809f74c720a9'
roles='manager-gui'/>

Tell the realm that the stored values are digests, so that it hashes each submitted password before comparing; otherwise the hashed entries in tomcat-users.xml match nothing and every Manager user is locked out. On Tomcat 8 and later, nest a CredentialHandler element with className org.apache.catalina.realm.MessageDigestCredentialHandler and algorithm="sha-256" inside the UserDatabaseRealm element (className org.apache.catalina.realm.UserDatabaseRealm, resourceName="UserDatabase") in $CATALINA_HOME/conf/server.xml. On Tomcat 7 and earlier, set digest="sha-256" on that Realm element instead. The algorithm named in server.xml must be the one passed to the digest tool with -a.

Leave the Manager application's login-config at its default auth-method of BASIC. HTTP Digest authentication (auth-method DIGEST) requires the stored credential to be an MD5 digest of username:realm:password, so it does not work with the SHA-256 password digests generated above. Restart Tomcat and confirm that a Manager login with the original password still succeeds.
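The following script is an added example for this item, not part of the benchmark or of Tomcat. It audits the two halves of the procedure above: it flags Manager-role users in tomcat-users.xml whose password attribute is still plain text, and it reports which digest algorithm the UserDatabase realm in server.xml is configured with (None if the realm still compares plain text). It also verifies a candidate password against a stored digest in both forms the digest tool emits, unsalted hex and salt$iterations$hash, following the MessageDigestCredentialHandler scheme of hashing salt plus password and re-hashing the result for the remaining iterations. The two sample XML documents are constructed for the example; the classification is a heuristic, as noted in the code.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

MANAGER_ROLES = {"manager-gui", "manager-status", "manager-script", "manager-jmx"}
HEX_DIGEST_LENGTHS = {32: "md5", 40: "sha-1", 64: "sha-256", 128: "sha-512"}
HEX = re.compile(r"[0-9a-fA-F]+")


def _digest(algorithm, iterations, *chunks):
    """Hash the concatenated chunks, then re-hash the result iterations-1 more times."""
    name = algorithm.replace("-", "").lower()  # JCA "SHA-256" -> hashlib "sha256"
    md = hashlib.new(name)
    for chunk in chunks:
        md.update(chunk)
    out = md.digest()
    for _ in range(1, iterations):
        out = hashlib.new(name, out).digest()
    return out


def hash_password(password, algorithm="sha-256", salt=None, iterations=1):
    """Stored form: bare hex when unsalted, otherwise salthex$iterations$hex."""
    pw = password.encode("utf-8")
    if salt is None:
        return _digest(algorithm, iterations, pw).hex()
    return f"{salt.hex()}${iterations}${_digest(algorithm, iterations, salt, pw).hex()}"


def verify(password, stored, algorithm="sha-256"):
    """Constant-time check of a candidate password against either stored form."""
    parts = stored.split("$")
    if len(parts) == 3:
        salt, iterations, expected = bytes.fromhex(parts[0]), int(parts[1]), parts[2]
        actual = _digest(algorithm, iterations, salt, password.encode("utf-8")).hex()
    elif len(parts) == 1:
        expected, actual = stored, _digest(algorithm, 1, password.encode("utf-8")).hex()
    else:
        return False
    return hmac.compare_digest(actual.lower(), expected.lower())


def classify(stored):
    """'salted-digest', 'digest-<alg>' or 'plaintext' (heuristic: a real password that
    happens to be 64 hex characters would be misread as a SHA-256 digest)."""
    parts = stored.split("$")
    if len(parts) == 3 and HEX.fullmatch(parts[0]) and parts[1].isdigit() and HEX.fullmatch(parts[2]):
        return "salted-digest"
    if len(parts) == 1 and HEX.fullmatch(stored) and len(stored) in HEX_DIGEST_LENGTHS:
        return "digest-" + HEX_DIGEST_LENGTHS[len(stored)]
    return "plaintext"


def plaintext_manager_users(tomcat_users_xml):
    """(username, manager roles) for every Manager user whose password is not a digest."""
    findings = []
    for el in ET.fromstring(tomcat_users_xml).iter():
        if el.tag.rsplit("}", 1)[-1] != "user":  # tolerate the tomcat-users.xml namespace
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",")} & MANAGER_ROLES
        if roles and classify(el.get("password", "")) == "plaintext":
            findings.append((el.get("username"), sorted(roles)))
    return findings


def realm_digest_algorithm(server_xml):
    """Algorithm the UserDatabase realm hashes submitted passwords with, or None if it
    still compares plain text (digests in tomcat-users.xml would then lock everyone out)."""
    for realm in ET.fromstring(server_xml).iter("Realm"):
        if realm.get("className", "").endswith("UserDatabaseRealm"):
            for handler in realm.iter("CredentialHandler"):  # Tomcat 8 and later
                return handler.get("algorithm")
            return realm.get("digest")  # Tomcat 7 and earlier used a Realm attribute
    return None


# Constructed sample files, not taken from a real deployment.
SAMPLE_TOMCAT_USERS = f"""<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="admin" password="s3cret" roles="manager-gui"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="deploy" password="{hash_password('hunter2')}" roles="manager-script"/>
  <user username="robot" password="{hash_password('hunter2', salt=bytes(8), iterations=2)}"
        roles="manager-jmx,manager-status"/>
</tomcat-users>
"""

SAMPLE_SERVER_XML = """<Engine name="Catalina" defaultHost="localhost">
  <Realm className="org.apache.catalina.realm.LockOutRealm">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler"
                         algorithm="sha-256"/>
    </Realm>
  </Realm>
</Engine>
"""

if __name__ == "__main__":
    print("Manager users with plain-text passwords:", plaintext_manager_users(SAMPLE_TOMCAT_USERS))
    print("realm digest algorithm:", realm_digest_algorithm(SAMPLE_SERVER_XML))
```

Run it against a real installation by reading $CATALINA_HOME/conf/tomcat-users.xml and server.xml into the two functions; a non-empty list from plaintext_manager_users, or a None from realm_digest_algorithm while the users file already holds digests, is a finding. The sample flags only admin: tomcat holds no Manager role, and deploy and robot already carry digests.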

See Also

https://workbench.cisecurity.org/files/3090