Tomcat password encryption steps

Apache Tomcat J2EE Server

For each of the standard Realm implementations, the user’s password (by default) is stored in clear text. In many environments, this is undesirable because casual observers of the authentication data can collect enough information to log on successfully, and impersonate other users. To avoid this problem, the standard implementations support the concept of digesting user passwords. This allows the stored version of the passwords to be encoded (in a form that is not easily reversible), but that the Realm implementation can still utilize for authentication.

When a standard realm authenticates by retrieving the stored password and comparing it with the value presented by the user, you can select digested passwords by specifying the digest attribute on your <Realm> element. The value for this attribute must be one of the digest algorithms supported by the java.security.MessageDigest class (for example MD5, SHA-1, SHA-256 or SHA-512). When you select this option, the value stored in the Realm must be the cleartext password as digested by the specified algorithm. Note that the digest attribute belongs to the realms of Tomcat 6 and 7: Tomcat 8.5 and later no longer accept it (the only sign is a "did not find a matching property" warning in the log, after which the stored value is treated as cleartext), and the algorithm is configured there with a nested <CredentialHandler> element instead, which is why the Tomcat 8 configuration below looks different.

When the authenticate() method of the Realm is called, the (clear text) password specified by the user is itself digested by the same algorithm, and the result is compared with the value returned by the Realm. An equal match implies that the cleartext version of the original password is the same as the one presented by the user, so that this user should be authorized.
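The check described in the paragraph above, re-implemented as an added example (illustrative code written for this page, not Tomcat's own): it produces the hex(salt)$iterations$hex(digest) string that Tomcat 8's digest script prints, and verifies a cleartext password against it the way the realm does, including the unsalted form that Tomcat 6/7 (or -s 0) produces. The function names tomcat_digest, make_credential, parse_credential and verify are this example's own; the algorithm names are the Java MessageDigest ones used in the Realm configuration, mapped to hashlib's spelling.

```python
"""Re-implementation, for illustration, of the credential format that Tomcat's
MessageDigestCredentialHandler stores and checks (added example, not Tomcat code).

Stored form written by Tomcat 8+ digest.sh/.bat:      hex(salt)$iterations$hex(digest)
Unsalted form (Tomcat 6/7, or Tomcat 8+ with -s 0):   hex(digest)

where digest = H(salt || password_bytes), re-hashed (iterations - 1) more times.
"""
import hashlib
import hmac
import os

DEFAULT_SALT_LENGTH = 32   # bytes; Tomcat 8.5's default, hence the 64 hex chars before the first $


def _hashlib_name(algorithm):
    """Map a Java MessageDigest name such as "SHA-256" to hashlib's "sha256"."""
    return algorithm.lower().replace("-", "")


def tomcat_digest(password, algorithm, salt=b"", iterations=1, encoding="utf-8"):
    """Hex digest the way the handler computes it: one pass over salt||password,
    then (iterations - 1) further passes over the previous result."""
    name = _hashlib_name(algorithm)
    h = hashlib.new(name)
    h.update(salt)
    h.update(password.encode(encoding))
    result = h.digest()
    for _ in range(1, iterations):
        result = hashlib.new(name, result).digest()
    return result.hex()


def make_credential(password, algorithm="SHA-256", salt_length=DEFAULT_SALT_LENGTH,
                    iterations=1, salt=None):
    """Produce the string digest.sh prints after "password:".
    salt_length=0 with one iteration reproduces "-s 0": a bare, unsalted hex digest."""
    if salt is None:
        salt = os.urandom(salt_length)      # fresh random salt, so every run prints a new string
    if not salt and iterations == 1:
        return tomcat_digest(password, algorithm)
    return "%s$%d$%s" % (salt.hex(), iterations,
                         tomcat_digest(password, algorithm, salt, iterations))


def parse_credential(stored):
    """Split hex(salt)$iterations$hex(digest) (or a bare digest) into its parts."""
    parts = stored.split("$")
    if len(parts) == 3:
        return bytes.fromhex(parts[0]), int(parts[1]), parts[2].lower()
    if len(parts) == 1:
        return b"", 1, parts[0].lower()
    raise ValueError("unrecognised Tomcat credential: %r" % stored)


def verify(password, stored, algorithm):
    """What the realm does on login: take the salt and iteration count out of the
    stored value, digest the presented password the same way, compare in constant time."""
    salt, iterations, expected = parse_credential(stored)
    actual = tomcat_digest(password, algorithm, salt, iterations)
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    cred_a = make_credential("mysecret_password", "SHA-256")
    cred_b = make_credential("mysecret_password", "SHA-256")
    print(cred_a)
    print(cred_b)                                           # different salt, different string
    print(verify("mysecret_password", cred_a, "SHA-256"),   # True
          verify("mysecret_password", cred_b, "SHA-256"),   # True
          verify("wrong", cred_a, "SHA-256"))                # False
    # The unsalted MD5 that the Tomcat 6/7 digest script prints for "secret":
    print(make_credential("secret", "MD5", salt_length=0))  # 5ebe2294ecd0e0f08eab7690d2a6ee69
```

Because the salt travels inside the stored value, two runs of the generator give two different strings that are both valid for the same password; that is also why the realm needs no fixed salt in server.xml.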

Let's go through each step and enforce this policy for the Tomcat Manager. Note that what the page calls "encryption" is one-way hashing: the stored value cannot be turned back into the password, it can only be compared against a freshly hashed login attempt.

Here we use the SHA-256 and MD5 hash algorithms to hash the Tomcat Manager password in Tomcat 8.5.6 and in Tomcat 6/7.

Step 1. Define the password hash algorithm in the Realm section of server.xml, as follows:

For Tomcat 8:

SHA-256:

<!-- Use the LockOutRealm to prevent attempts to guess user passwords via a brute-force attack -->

<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
</Realm>
</Realm>


MD5:

If you want to use another algorithm such as MD5, replace the algorithm attribute as below and keep everything else the same.

<Realm className="org.apache.catalina.realm.LockOutRealm">
<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
<CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="MD5" />
</Realm>
</Realm>

For Tomcat 6/7:

In older versions such as Tomcat 7 there is no CredentialHandler element; the algorithm is set with the digest attribute on the Realm element instead:

<Realm className="org.apache.catalina.realm.MemoryRealm" digest="MD5" />


Note: Any digest algorithm provided by java.security.MessageDigest in the JDK you run Tomcat on can be used, such as MD5, SHA-1, SHA-256 or SHA-512. Prefer a SHA-2 algorithm; MD5 is shown here only because older guides use it.

Step 2. Go to tomcat_home/bin and run the following command; it prints the hashed form of the password:

For Tomcat 8:

SHA-256:

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>digest.bat
Usage: RealmBase [-a <algorithm>] [-e <encoding>] [-i <iterations>] [-s <salt-length>] [-k <key-length>] [-h <handler-class-name>] <credentials>
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler mysecret_password
mysecret_password:371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa


MD5:

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>digest.bat -a MD5 -h org.apache.catalina.realm.MessageDigestCredentialHandler mysecret_password
mysecret_password:da1a3f77b3a85fec4526096c2d26d50c4c9a62111c6eb4fc4492d59b319ef9d0$1$81ac256f4c7b588e9bae66f64a1a5e33

Note:

  1. Copy only the part after "mysecret_password:" into tomcat-users.xml. Its format is hex(salt)$iterations$hex(digest). digest.bat generates a fresh random 32-byte salt on every run, so the string differs each time you run the command, and every one of them is valid, because Tomcat reads the salt back out of the stored value before hashing what the user typed. Pass -s 0 if you want an unsalted, reproducible digest (a bare hex string); the salted form is the better choice.
  2. Keep the -h org.apache.catalina.realm.MessageDigestCredentialHandler option, so that the handler used to generate the hash is the same class as the CredentialHandler configured in server.xml.

For Tomcat 6/7:

[root@localhost bin]# ./digest.sh -a MD5 secret


Here ./digest.sh is the script that generates the stored form of the password for a Tomcat realm and -a selects the algorithm (MD5 in this example for Tomcat 6/7). The Tomcat 6/7 script has no salt option, so its output is a plain, reproducible MD5 hex digest: secret:5ebe2294ecd0e0f08eab7690d2a6ee69.

Step 3. Copy the SHA-256 or MD5 string and replace the password value in tomcat-users.xml with it, as in the following lines:

For Tomcat 8:

SHA-256:

<role rolename="manager-gui"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa" roles="manager-gui,manager,admin"></user>


MD5:

<role rolename="manager-gui"/>
<role rolename="manager"/>
<role rolename="admin"/>
<user username="admin" password="da1a3f77b3a85fec4526096c2d26d50c4c9a62111c6eb4fc4492d59b319ef9d0$1$81ac256f4c7b588e9bae66f64a1a5e33" roles="manager-gui,manager,admin"></user>
</tomcat-users>

For Tomcat 6/7:

<user username="admin" password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui" />

Make sure there is no whitespace inside the password attribute: the stored string is compared exactly, so a stray trailing space means no login will ever match.

Step 4. Restart Tomcat (or reload the configuration) and log in to the Tomcat Manager with the cleartext password. Leave the Manager application's web.xml auth-method at its default BASIC: HTTP DIGEST authentication expects the stored credential to be an MD5 digest of username:realm:password rather than the value generated above, so switching web.xml to DIGEST makes these steps stop working.

If you have followed exactly what is written in this article, then for Tomcat 8 the username is admin and the password is mysecret_password, and for Tomcat 6/7 the username is admin and the password is secret.

Access http://hostname:8080/manager/

login using the plain passwords:
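An added audit script, not part of the original article, for checking the result of the steps above: it reads a tomcat-users.xml and reports which users still carry a cleartext password (the finding a security scan raises), which ones carry an unsalted or a salted digest, and whether a stored value has been corrupted by stray whitespace. The sample file is constructed here, the classification by hex length is a heuristic (a cleartext password that happens to be 32 hex characters would be reported as an MD5 digest), and the names classify, audit and findings are this example's own.

```python
"""Audit tomcat-users.xml for credentials a 'no cleartext passwords' check would flag.
Added example for this page, not Tomcat code."""
import re
import xml.etree.ElementTree as ET

# hex(salt)$iterations$hex(digest), as written by Tomcat 8's digest script
SALTED = re.compile(r"^([0-9a-fA-F]+)\$(\d+)\$([0-9a-fA-F]+)$")
HEX = re.compile(r"^[0-9a-fA-F]+$")
# hex length of a bare digest -> the algorithm it most likely came from (heuristic)
DIGEST_HEX_LENGTHS = {32: "MD5", 40: "SHA-1", 56: "SHA-224",
                      64: "SHA-256", 96: "SHA-384", 128: "SHA-512"}


def classify(password):
    """Return a label for one password attribute value."""
    if password != password.strip():
        # Whitespace inside the attribute is stored verbatim and will never match.
        return "malformed: surrounding whitespace"
    m = SALTED.match(password)
    if m:
        alg = DIGEST_HEX_LENGTHS.get(len(m.group(3)), "unknown")
        return "salted digest (%s, %s iteration(s))" % (alg, m.group(2))
    if HEX.match(password) and len(password) in DIGEST_HEX_LENGTHS:
        return "unsalted digest (%s)" % DIGEST_HEX_LENGTHS[len(password)]
    return "cleartext"


def _local(tag):
    """Strip a default namespace such as {http://tomcat.apache.org/xml} from a tag."""
    return tag.rsplit("}", 1)[-1]


def audit(xml_text):
    """Map each user name to the classification of its stored credential."""
    root = ET.fromstring(xml_text)
    report = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name")   # Tomcat accepts either attribute
        report[name] = classify(el.get("password", ""))
    return report


def findings(xml_text):
    """Users whose stored credential fails the check, sorted for stable output."""
    return sorted(user for user, label in audit(xml_text).items()
                  if label == "cleartext" or label.startswith("malformed"))


# Constructed sample (not from any real deployment): one user per state.
# The Tomcat 8 file declares a default namespace, which audit() handles.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="admin"  password="admin" roles="manager-gui"/>
  <user username="ops"    password="5ebe2294ecd0e0f08eab7690d2a6ee69" roles="manager-gui"/>
  <user username="deploy" password="371c8e07f4d7c0ae8b352e675ad67ee3c4e44154a50be700e42c66ed3741c3f4$1$e0f79e487e8c443aff9777d825ffd95d8d29e5b1c45b7a041b3c37ecb1418faa" roles="manager-gui"/>
  <user username="legacy" password="5ebe2294ecd0e0f08eab7690d2a6ee69 " roles="manager-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for user, label in sorted(audit(SAMPLE).items()):
        print("%-8s %s" % (user, label))
    print("needs attention:", findings(SAMPLE))   # ['admin', 'legacy']
```

Run it against conf/tomcat-users.xml after Step 3; the deploy line above is the page's own SHA-256 value and is the only state that should remain once the migration is done.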


If you want more information on the other Tomcat realms, see the official Tomcat documentation.

If anyone still has trouble getting the hashed password to work, I have uploaded a tested Tomcat zip with all the SHA-256 settings for download and use.

Tomcat manager username password: admin/admin

Make sure the JDK version matches the one below to replicate the exact test scenario (the JDK can be downloaded from the Oracle Java archive):

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>java -version
java version "1.7.0_25"
Java(TM) SE Runtime Environment (build 1.7.0_25-b17)
Java HotSpot(TM) 64-Bit Server VM (build 23.25-b01, mixed mode)

My CLASSPATH and PATH were set as below:

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>echo %PATH%
D:\Programs\Java\jdk1.7.0_25/bin;F:\Oracle12c\product\12.1.0\dbhome_1\bin;C:\Program Files (x86)\Intel\iCLS Client\;C:\Program Files\Intel\iCLS Client\

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>echo %CLASSPATH%
.;D:\Programs\Java\jdk1.7.0_25\lib\tools.jar;D:\Programs\Java\jdk1.7.0_25\jre\lib\rt.jar

How to set up the pre-packaged Tomcat with SHA-256 hashing:

  1. Download JDK 1.7.0_25 from the Oracle Java archive.
  2. Install it and set PATH and CLASSPATH as below (Windows example; open a command prompt in administrator or normal user mode):

set PATH=D:\Programs\Java\jdk1.7.0_25\bin;%PATH%

set CLASSPATH=.;D:\Programs\Java\jdk1.7.0_25\lib\tools.jar;D:\Programs\Java\jdk1.7.0_25\jre\lib\rt.jar

  3. cd to <Tomcat extract dir>/bin and run startup.bat to start Tomcat.
  4. Open http://localhost:8081/manager/ and, when prompted, log in with admin as both username and password.

Example start Output from my screen:
D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>cd D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin

D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin>startup.bat
Using CATALINA_BASE: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6"
Using CATALINA_HOME: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6"
Using CATALINA_TMPDIR: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\temp"
Using JRE_HOME: "D:\Programs\Java\jdk1.7.0_25"
Using CLASSPATH: "D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin\bootstrap.jar;D:\Programs\apache-tomcat-8.5.6\apache-tomcat-8.5.6\bin\tomcat-juli.jar"

30 Responses

  1. Ben says:

    I have tried this every single way I can think of and nothing works…

    WARNING [main] sun.reflect.NativeMethodAccessorImpl.invoke [SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property 'digest' to 'sha-256' did not find a matching property

  2. TechPaste says:

    Check your conf/tomcat-users.xml file, it shall look like below:

    <role rolename="manager-gui"></role>
    <user username="admin" password="admin" roles="manager-gui"></user>

    Try encrypting password using below command as you are using sha-256

    C:\tomcat\bin>digest.bat -a sha-256 admin
    admin:8c6976e5b5410415bde908bd4dee15dfb167a9c873fc4bb8a81f6f2ab448a918
    C:\tomcat\bin>

    in conf/server.xml add below and restart tomcat

    from:

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    resourceName="UserDatabase"></Realm>

    to

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
    resourceName="UserDatabase"
    digest="sha-256"></Realm>

  3. Ben says:

    No luck. This is Tomcat 8.5.6.0 if that makes any difference.

    This is the change made to ./conf/server.xml:

    — conf/server.xml.orig 2016-12-04 18:52:12.000000000 -0500
    +++ conf/server.xml 2016-12-04 18:51:55.000000000 -0500
    @@ -139,7 +139,8 @@
    that are performed against this UserDatabase are immediately
    available for use by the Realm. –>

    + resourceName=”UserDatabase”
    + digest=”sha-256″/>

    <Host name="localhost" appBase="webapps"
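    Review bot: the two `+` lines add a digest="sha-256" attribute to the UserDatabaseRealm element, but that attribute is not a property Tomcat 8.5's realm accepts, which is exactly what the catalina.out warning quoted in this thread reports ("Setting property 'digest' to 'sha-256' did not find a matching property"); the hunk has also lost its `-` line, so the original resourceName line it replaces cannot be checked. Drop the attribute and nest <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" /> inside the <Realm> element instead, as in the article's Tomcat 8 configuration.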

    This is the line added to ./conf/tomcat-users.xml:

    … whereas the password=”” value was generated using ./bin/digest -a sha-256

    Upon restarting tomcat, the following warning is logged in logs/catalina.out

    04-Dec-2016 18:53:09.735 WARNING [main] sun.reflect.NativeMethodAccessorImpl.invoke [SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property 'digest' to 'sha-256' did not find a matching property.

    … and upon testing access to the manager and host-manager application, it refuses to take the cleartext-password. I have to literally put my password in as “29186ec242f7ba10dbf0c29605e20c86bf587925b09965fe6dbf7d6f276122e3$1$b7a0a85be8a471dbd169630eaa9356fd181087d783cff8e7e26218646b2c8d47” because the digest modification made to server.xml isn’t working.

    I would be grateful if you had any clues that would help get me out of this pickle.

    – Ben

  4. Ben says:

    It doesn’t look like that diff/patch pasted correctly. Here’s a pastebin of the change made to server.xml.

    http://pastebin.com/SPfVQDpC

    • TechPaste says:

      Hi Ben,

      The answer to your question is to use the -h option while generating the digest password in Tomcat 8. It seems the articles on the internet do not point to the correct syntax, so I have updated the article with the exact steps to complete SHA-256 encryption in Tomcat 8.5.6 and lower versions of Tomcat. Please have a look at it. If you like the solution then do share and recommend the article. Thanks

  5. chen says:

    I never left message to bloggers, but this one, literally helped me a lot, just want to say, Thank YOU!

  6. Ben says:

    I tried again, no luck. Generating the digest doesn’t seem to be the bottom, it’s the parameters in server.xml that aren’t being applied. Each time I can paste in the literal hash and it lets me in – so it’s treating the contents of the password attribute as cleartext every single time. I don’t understand why.

    Again, the server.xml entry is this:

    and each time, it results in the logs/catalina.out warning:

    11-Dec-2016 00:49:07.811 WARNING [main] sun.reflect.NativeMethodAccessorImpl.invoke [SetPropertiesRule]{Server/Service/Engine/Realm/Realm} Setting property 'digest' to 'sha-256' did not find a matching property.

    • TechPaste says:

      Hi Ben,

      I think you must have done some small syntax mistake due to which it is not recognizing encryption. I usually don’t do this but for now I have also uploaded the complete tomcat 8.5.6 zip file with SHA-256 encryption configured and TESTED for your download and use. The password and username are admin/admin. Below is the link to download the complete tomcat and for other things like JDK version and download url etc I have uploaded to the end of post. please do check it… if still this does not work there must be something else as issue not tomcat.

      Tomcat standalone zip: http://www.techpaste.com/wp-content/uploads/2016/12/apache-tomcat-8.5.6_SHA256.zip
      JDK 1.7.0_25 : http://www.oracle.com/technetwork/java/javase/downloads/java-archive-downloads-javase7-521261.html#jdk-7u25-oth-JPR

      HTH,
      Ram

      • Ben says:

        This helps immensely. My server.xml and yours are completely different where it counts.

        I should disclose my apache-tomcat 8.5.6 is delivered as part of apache-tomee 7.0.2, but I would hope that shouldn’t make a difference.

        I started with:

        <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        resourceName="UserDatabase"/>
        </Realm>

        and after researching, I changed to:

        <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
        digest="SHA-256" resourceName="UserDatabase"/>
        </Realm>

        Which totally didn’t work… You have:

        <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
        <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="SHA-256" />
        </Realm>
        </Realm>

        …which includes the entire CredentialHandler part… I can’t figure out where I should have known this was supposed to go in.

        I changed my server.xml to look like yours above and now it works great! Thank you so much for your help, and I'm sorry this was so much trouble.

  7. dont-understander says:

    Please explain this to me, it's essential: WHY DOES THE HASH DIFFER EACH TIME??? (the same without the handler parameter)

    $ /opt/apache-tomcat-8.5.9/bin/digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler my_pwd
    my_pwd:ea3de47cb39b8ed3c3b144e83953746ee08308cfc0620fb7fa12336b7cf6f583$1$02ab35ffbba2f9002d95c8246ec4218e6c100ff7ada2d33d1005480ce793fc7b

    $ /opt/apache-tomcat-8.5.9/bin/digest.sh -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler my_pwd
    my_pwd:19c84adacf8a294d1208b48c3ae7992f105d1cf8c7ad7ab07cd4784ef13a2a39$1$191dddd5cd34bf456de316e16094c7bef610df739b50292bd41dea53b26e4194

  8. dont-understander says:

    self response: the digest.sh script requires “-s 0” to work as expected

  9. Sreekanth says:

    Hi, I followed your complete article and find it very helpful. But I am unable to achieve the goal of encrypting the password. After copying the encrypted password into the tomcat-users.xml file as suggested, I restarted Tomcat. When I try to log in to the manager console using my normal credentials (username: admin, password: test@123) it does not allow it. It allows only when I use the encrypted password which I copied into users.xml, but not "test@123". As a result, I am still having plain-text issues in our security scan system. Please advise me where I am going wrong.

  10. atom8888 says:

    One very important thing you left out is to make sure to edit the \webapps\manager\WEB-INF\web.xml

    You need to update the HTMLManager servlet area to use DIGEST or it won’t work.

    Example:

    <servlet>
      <servlet-name>HTMLManager</servlet-name>
      <servlet-class>org.apache.catalina.manager.HTMLManagerServlet</servlet-class>
      <init-param>
        <param-name>debug</param-name>
        <param-value>2</param-value>
      </init-param>
      <!-- Uncomment this to show proxy sessions from the Backup manager or a
           StoreManager in the sessions list for an application
      <init-param>
        <param-name>showProxySessions</param-name>
        <param-value>true</param-value>
      </init-param>
      -->
    </servlet>

    <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>

    • Ramakanta says:

      Thanks for sharing the info.

      • Suresh says:

        Step 1. We have to define the password encryption algorithm in the Realm section of server.xml, as in the following line of code:

        Step 2. Now go to tomcat_home/bin and run the following command, it will generate the encrypted algorithm.

        digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler

        Note:

        Only Copy the encrypted password in bold to use in tomcat-users.xml file.
        It is very important to use the -h org.apache.catalina.realm.MessageDigestCredentialHandler tag while generating the password else it will not work.

        Example:

        digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler suresh

        suresh:574ab3ed077d2916eb74c6be7cee9b9da9fd05772049d7db155133c79ced98ca$1$c0d46d019379a072d936692ab7e574dd5d6e76d50208fb5f326b91854f5c11a3

        Step 3. Copy the SHA-256 string and replace the password text from tomcat_user.xml with the following line of code:

        Step 4: updated the HTMLManager servlet area to use DIGEST
        Step 5: Reload/restart the Tomcat services and log in to the Tomcat Manager using the password.

        Now I am able to log in with the hashed password but not with the old password; in my case the digest is not working. Please help me to resolve this issue.

        Thank you !!!

  11. Russell Rottach says:

    I wanted to share how I was able to get the tomcat manager’s password encrypted

    I am using ubuntu 16.04, apache/tomcat 8.5.11, java 8

    1. Generate the hash
    a. navigate to $CATALINA_HOME/bin (in my case its /opt/tomcat/bin)
    b. run the following command
    ./digest.sh -a sha-512 -s 0 -e utf-8 -h org.apache.catalina.realm.MessageDigestCredentialHandler [password you want to encrypt here] i used password for this post and this is the result

    password:b109f3bbbc244eb82441917ed06d618b9008dd09b3befd1b5e07394c706a8bb980b1d7785e5976ec049b46df5f1326af5a2ea6d103fd07c95385ffab0cacbc86
    c. copy the generated hash not including password:

    2. Modify the tomcat-users.xml file and replace the password with the hash in the password field

    3. Modify the server.xml and add the following

    The end result should look similar to this

    4. Restart Tomcat and log in to Tomcat Manager

  12. Suresh says:

    Hello All,

    I am trying to encrypt the plain passwords in the user.xml file. My current environment is Apache Tomcat/8.0.14 running on Windows Server 2008 R2. Below is the process I followed.

    Step 1. We have to define the password encryption algorithm in the Realm section of server.xml, as in the following line of code:

    Step 2. Now go to tomcat_home/bin and run the following command, it will generate the encrypted algorithm.

    digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler

    Note:

    Only Copy the encrypted password in bold to use in tomcat-users.xml file.
    It is very important to use the -h org.apache.catalina.realm.MessageDigestCredentialHandler tag while generating the password else it will not work.

    Example:

    digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler suresh

    suresh:574ab3ed077d2916eb74c6be7cee9b9da9fd05772049d7db155133c79ced98ca$1$c0d46d019379a072d936692ab7e574dd5d6e76d50208fb5f326b91854f5c11a3

    Step 3. Copy the SHA-256 string and replace the password text from tomcat_user.xml with the following line of code:

    step 4:configure your web.xml to use “DIGEST” passwords and update RealmName to match above (in the HTMLManager section)

    /webapps/manager/WEB-INF/web.xml

    <login-config>
      <auth-method>DIGEST</auth-method>
      <realm-name>UserDatabase</realm-name>
    </login-config>

    Step 5. Reload/restart the Tomcat services and log in to the Tomcat Manager using the password.

    The thing is, I am unable to log in with the plain password, but I am able to log in with the hashed password.

  13. Suresh says:

    3. Modify the server.xml and add the following

    which parameters you have added in server.xml

  14. Ram says:

    I am able to get this done with MD5 algorithm. But not with SHA. Here are the steps I am doing.

    1. Generate hash using following command.

    ./digest.sh -a sha-512 -s 0 -e utf-8 -h org.apache.catalina.realm.MessageDigestCredentialHandler password

    2. Take the hashed password and place it in tomcat-users.xml file.

    3. Finally, restart the tomcat.

    I tried with various combinations of salt. Some websites says password needs to be in the format username:realm Name:password.

    I downloaded the given tomcat zip file. In the websites, I don’t find the website, which is configured for DIGEST authentication.

  15. Ram says:

    When I downloaded given tomcat application and tried to access manager application, it says invalid credentials. Here are the steps I did.

    1. Download apache-tomcat-8.5.6_SHA256 zip file.
    2. Extract it and start tomcat.
    3. Go to http://localhost:8080/ and access the manager app, which asks for credentials.
    4. When I enter username and password as "admin", it throws invalid credentials.

    Am i doing something wrong here?

  16. Basi says:

    C:\apache-tomcat-8.5.6_SHA256\apache-tomcat-8.5.6\bin>digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password
    password:0e7e41b19ba44ba1118f589999eade03a35f8026958446407c333dd694e479ee$1$cb5341b3105b17ee6559a597dd5eb81be8e0130b0f84b93d39497e48dac65ffe

    C:\apache-tomcat-8.5.6_SHA256\apache-tomcat-8.5.6\bin>digest.bat -a SHA-256 -h org.apache.catalina.realm.MessageDigestCredentialHandler password
    password:abe6af13733979a2469ce0d9c2bba6dc492d2767ba92a3f39e532d44fffdca03$1$52f4c7c7b491210780c62835214b5bfed87f9ada1e54b03487d75dde2608cfe2

    Why am I getting different hash value everytime I run with same password? Is it because of different salt being used internally for each run?

    How does server validates the password when there are multiple possibilities?

  17. Gopal says:

    I am trying to use the given application and i am facing this problem. Once i login into the application with proper credentials, I am stopping the server and restarting the tomcat server. Now when i am trying to launch the http://localhost:port/manager URL its automatically taking me to the manager page and not asking for the login credentials again. I assume that post server restart the login page should be prompted again which is not happening. Can someone help pls ??
