Question
Why, when configuring an Enterprise On-Premises installation of Contrast to use HTTPS, is the keystore password stored on the filesystem in plain text?
Answer
The On-Premises Contrast Server uses an embedded version of the Apache Tomcat application server to host the server application.
As explained here, the thinking behind storing the password in plain text is that there is no good way to "secure" it. When Tomcat needs to connect to the keystore, it needs the original password. While the password could be encoded, there still needs to be a mechanism to decode it. And since the source to Tomcat is freely available, the attacker would know the decoding method. So at best, the password is obscured - but not really protected.
That said, any configuration file that does contain a password needs to be appropriately secured. That means limiting access to the file so that it could be read only by the user that Tomcat process runs as and root (or the administrator on Windows).