How-To hide sensitive detail from Tomcat command line

Objective

Any user with shell access to the system running an On-Premises Contrast UI instance can list the running processes and, because the full JVM command line is visible there, may obtain sensitive values such as the Java TrustStore password.

For example, running the command ps aux | grep java might produce output like this:

contras+ 10977  103 29.5 12888812 4802512 ?    Sl   19:52   3:47 /app/contrast/jre/bin/java -server -Dcontrast.home=${installer:sys.installationDir} -enableassertions -Djava.net.preferIPv4Stack=true -XX:+UseG1GC -XX:+PrintVMOptions -XX:+PrintCommandLineFlags -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/app/contrast/logs -Dfile.encoding=utf-8 -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=50.0 -XX:MinRAMPercentage=50.0 -Xloggc:/app/contrast/gc.log -Dorg.owasp.esapi.logSpecial.discard=true -XX:+UseStringDeduplication -server -Djava.awt.headless=true --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.base/sun.net.spi=ALL-UNNAMED --add-opens=java.base/sun.net.spi=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.base/sun.security.ssl=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=mytruststorepassword -classpath /app/contrast/.install4j/i4jruntime.jar:/app/contrast/.install4j/launcher172586ef.jar:/app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start --contrast.home=${installer:sys.installationDir}

This article details how to obfuscate such sensitive data.

Process

Embedded Tomcat

When Contrast is installed with the installer, the UI runs on an embedded Tomcat, which is configured differently from a standalone Tomcat installation.

The Contrast installer is built with Install4j, and Install4j installer variables are resolved inside the running process rather than by the shell that launches it. A value defined in the Install4j response file and referenced from the JVM options therefore appears on the command line only as an unresolved ${installer:...} placeholder, exactly as -Dcontrast.home already does in the output above.

Continuing the example above, add the TrustStore password as an installer variable to the response file, $CONTRAST_HOME/.install4j/response.varfile:

trustStorePassword=myp@$$w0rd

Then edit the Contrast Server JVM options in $CONTRAST_HOME/bin/contrast-server.vmoptions and replace the literal password with a reference to that variable (the name is case-sensitive and must match the response file exactly):

-Djavax.net.ssl.trustStorePassword=${installer:trustStorePassword}

Restart the Contrast server for the change to take effect.

After the restart, the running process shows only the placeholder in place of the password:

contras+ 10977  103 29.5 12888812 4802512 ?    Sl   19:52   3:47 /app/contrast/jre/bin/java -server -Dcontrast.home=${installer:sys.installationDir} -enableassertions -Djava.net.preferIPv4Stack=true -XX:+UseG1GC -XX:+PrintVMOptions -XX:+PrintCommandLineFlags -XX:+HeapDumpOnOutOfMemoryError -XX:HeapDumpPath=/app/contrast/logs -Dfile.encoding=utf-8 -XX:InitialRAMPercentage=50.0 -XX:MaxRAMPercentage=50.0 -XX:MinRAMPercentage=50.0 -Xloggc:/app/contrast/gc.log -Dorg.owasp.esapi.logSpecial.discard=true -XX:+UseStringDeduplication -server -Djava.awt.headless=true --add-opens=java.base/java.util=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.base/java.net=ALL-UNNAMED --add-opens=java.base/java.util.regex=ALL-UNNAMED --add-opens=java.base/java.lang=ALL-UNNAMED --add-exports=java.base/sun.net.spi=ALL-UNNAMED --add-opens=java.base/sun.net.spi=ALL-UNNAMED --add-exports=java.naming/com.sun.jndi.ldap=ALL-UNNAMED --add-exports=java.base/sun.security.ssl=ALL-UNNAMED --add-opens=java.base/java.math=ALL-UNNAMED -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=${installer:trustStorePassword} -classpath /app/contrast/.install4j/i4jruntime.jar:/app/contrast/.install4j/launcher172586ef.jar:/app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start --contrast.home=${installer:sys.installationDir}

Standalone Tomcat

For a standalone instance of Tomcat the process is similar. The file that holds the variable is $CATALINA_BASE/conf/catalina.properties, whose entries Tomcat loads as system properties at startup and which never appear on the command line:

trustStorePassword=myp@$$w0rd

The reference in the Contrast Server JVM options then looks like this:

-Djavax.net.ssl.trustStorePassword=${trustStorePassword}

Note that the JVM does not expand ${...} itself; that substitution is performed by Tomcat's property replacement. After restarting Tomcat, confirm both that ps shows the placeholder rather than the literal value and that the application still connects over TLS.

These steps only hide the values from users who can list processes with ps. The secret is still stored in plain text in response.varfile or catalina.properties, so read access to those files must be restricted to the account that runs the server. Anyone who can run JDK tools as that account can also read the resolved system properties from the live JVM (for example with jcmd <pid> VM.system_properties), so limiting who can act as the service account matters as much as hiding the command line.
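A quick way to verify the result of either procedure, embedded or standalone, is to scan the live java command line for -D options that still carry literal secrets and to check who can read the file that now holds them. The following POSIX shell script is an added example written for this page; it is not part of the article or of Contrast's tooling. The sample command lines embedded in it are constructed, the option name contrast.api.token and the variable apiToken are hypothetical, and the name patterns it treats as secret-bearing are an assumption.

```sh
#!/bin/sh
# Added example (not Contrast's code): audit a java command line for secrets that
# remain as literal -D values, and check who can read the file that now holds them.

# Print the name of every -Dname=value option whose name suggests a secret
# (assumed patterns: password, passwd, secret, token) and whose value is a literal.
# Values of the form ${...} are unresolved placeholders and are not reported.
find_exposed_secrets() {
    printf '%s\n' "$1" | tr ' ' '\n' | while IFS= read -r arg; do
        case "$arg" in
            -D*=*) ;;
            *) continue ;;
        esac
        name="${arg#-D}"; name="${name%%=*}"
        value="${arg#-D*=}"
        case "$value" in
            '${'*'}') continue ;;   # placeholder resolved in-process, not on the command line
        esac
        if printf '%s' "$name" | grep -qiE 'password|passwd|secret|token'; then
            printf '%s\n' "$name"
        fi
    done
}

# Print "exposed" if the file is readable by its group or by others, else "ok".
# Reads the ls(1) mode string so it works on both GNU and BSD userlands.
secret_file_exposure() {
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ????r*|???????r*) echo exposed ;;
        *) echo ok ;;
    esac
}

# Live use: scan every java process visible to the current user.
check_running_java() {
    ps -eo args= | grep '[j]ava' | while IFS= read -r line; do
        find_exposed_secrets "$line"
    done
}

# Constructed sample lines, abridged from the shape of the article's ps output.
# contrast.api.token / ${installer:apiToken} are hypothetical names used for illustration.
SAMPLE_BEFORE='/app/contrast/jre/bin/java -Dcontrast.home=${installer:sys.installationDir} -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=mytruststorepassword -Dcontrast.api.token=abc123 -classpath /app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start'
SAMPLE_AFTER='/app/contrast/jre/bin/java -Dcontrast.home=${installer:sys.installationDir} -Djavax.net.ssl.trustStore=/app/contrast/jre/lib/security/cacerts -Djavax.net.ssl.trustStorePassword=${installer:trustStorePassword} -Dcontrast.api.token=${installer:apiToken} -classpath /app/contrast/lib/* install4j.com.contrastsecurity.teamserver.Server start'

if [ "${1:-}" = "--live" ]; then
    check_running_java
else
    echo "before:"; find_exposed_secrets "$SAMPLE_BEFORE"
    echo "after:";  find_exposed_secrets "$SAMPLE_AFTER"
fi
```

Run it with --live on the server to check the real process list, and point secret_file_exposure at $CONTRAST_HOME/.install4j/response.varfile or $CATALINA_BASE/conf/catalina.properties to confirm the file is mode 600 (or equivalent) and owned by the service account.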

