Enabling digest password on Tomcat

By default, the password of the OnTime for Microsoft bootstrap administrator is saved in clear text. You can enable digest passwords so that passwords are not stored in clear text. To enable this feature, follow the steps below on your OnTime for Microsoft server:

This requires OnTime for Microsoft version 2.5.0 or newer. 

  1. Open a Command Prompt
  2. Navigate to the tomcat binary directory of the OnTime for Microsoft installation e.g. "C:\Program Files\IntraVision\OnTimeMS-2.6.0\apache-tomcat-8.5.8-otd\bin"
  3. Set the JRE_HOME variable by running the following command using the Java Server runtime directory name:
    SET JRE_HOME=C:\Program Files\IntraVision\OnTimeMS-2.6.0\jdk1.8.0_121-otd\jre
  4. Execute the digest.bat file specifying the administrator password of your choosing on the command line like so:

    digest.bat -a sha-256 "<password>"
    digest.bat -a sha-256 "MyFunkyPassword"

    The command returns the plaintext password and the digest password separated by a colon. Copy the value after the colon.

  5. Navigate to the conf-directory
  6. cd ..\conf
  7. Edit the tomcat-users.xml file - notepad tomcat-users.xml
  8. Replace the value of the password attribute for the admin-user with the digest password you copied above. Save and close the file.
  9. Edit the server.xml file - notepad server.xml
  10. Locate the Realm-tag referencing "UserDatabase" and change it from

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase"/>

  to

    <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase">
      <CredentialHandler className="org.apache.catalina.realm.MessageDigestCredentialHandler" algorithm="sha-256"/>
    </Realm>

  11. Save and close the file.
  12. Restart the Apache Tomcat service.

You should now be able to login using the chosen password without the password being stored as plaintext.
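To check the result of the steps above, the following added example (not part of the original article or of OnTime) classifies each password attribute in a tomcat-users.xml as digest or cleartext and verifies a password against a stored digest. It assumes the `salt$iterations$digest` hex layout that Tomcat's digest tool emits with its default settings and UTF-8 password encoding; the user names and the sample file content are constructed.

```python
import hashlib
import hmac
import re
import xml.etree.ElementTree as ET

# Assumed stored layouts: "hexsalt$iterations$hexdigest" or a bare 64-char hex digest.
SALTED = re.compile(r"^((?:[0-9a-fA-F]{2})*)\$(\d+)\$([0-9a-fA-F]{64})$")
BARE = re.compile(r"^[0-9a-fA-F]{64}$")

def tomcat_digest(password, salt, iterations):
    """SHA-256 over salt || password, then re-hash the result iterations - 1 times."""
    out = hashlib.sha256(salt + password.encode("utf-8")).digest()  # UTF-8 is assumed
    for _ in range(iterations - 1):
        out = hashlib.sha256(out).digest()
    return out.hex()

def matches(password, stored):
    """True if password reproduces the stored sha-256 credential."""
    m = SALTED.match(stored)
    if m:
        salt, rounds, want = bytes.fromhex(m.group(1)), int(m.group(2)), m.group(3)
    elif BARE.match(stored):
        salt, rounds, want = b"", 1, stored
    else:
        return False  # value is not a digest, so the check fails closed
    return hmac.compare_digest(tomcat_digest(password, salt, rounds), want.lower())

def audit_users(xml_text):
    """Map each username to 'digest' or 'cleartext' from its password attribute."""
    result = {}
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] == "user":  # ignore the XML namespace prefix
            pw = el.get("password", "")
            is_digest = SALTED.match(pw) or BARE.match(pw)
            result[el.get("username")] = "digest" if is_digest else "cleartext"
    return result

# Constructed sample data, not taken from a real server.
SAMPLE_SALT = bytes(range(32))
SAMPLE_STORED = "{}$1${}".format(
    SAMPLE_SALT.hex(), tomcat_digest("MyFunkyPassword", SAMPLE_SALT, 1))
SAMPLE_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml">
  <user username="admin" password="{}"/>
  <user username="legacy" password="changeit"/>
</tomcat-users>""".format(SAMPLE_STORED)

if __name__ == "__main__":
    print(audit_users(SAMPLE_XML))
    print(matches("MyFunkyPassword", SAMPLE_STORED))
```

Pass the contents of conf\tomcat-users.xml to `audit_users` to run the same check on the server; any entry reported as cleartext still needs a digest value.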

Thursday, 09 November 2017 Posted in Administration