Hash Tomcat credentials
Closed, ResolvedPublic
Actions

Assigned To

Authored By

	dereckson
	Oct 13 2025, 20:24

Description

Out of the box, Orbeon is configured to use a tomcat-users.xml with cleartext credentials.

Short-term plan is to switch to hashes:

orbeon.xml is configured in rOPS under "server.xml", rename it
import server.xml in rOPS as is
switch to SHA-256 hashes both in Vault and in server.xml

Middle-term to long-term plan is to switch to LDAP or another SSO solution once we've Keycloak or an identity provider configured.

Revisions and Commits

rOPS Nasqueron Operations
	D3755	rOPSba7b0da5ed63 Configure Tomcat server explicitly
	D3754	rOPS7b013aaafa27 Use target name instead of generic name for orbeon.xml

Event Timeline

dereckson triaged this task as High priority.Oct 13 2025, 20:24

dereckson created this task.

dereckson added a revision: D3754: Use target name instead of generic name for orbeon.xml.Oct 13 2025, 20:27

dereckson added a revision: D3755: Configure Tomcat server explicitly.Oct 13 2025, 20:47

Credentials have been hashed directly in Vault, so we don't need to manipulate cleartext password with Salt.
Salt updated the tomcat-users.xml accordingly.

Server successfully restarted and I can login with my password.

Agora documentation updated: https://agora.nasqueron.org/index.php?title=Operations_grimoire%2FOrbeon&diff=2047&oldid=1372

dereckson moved this task from Backlog to Pending review on the security board.Oct 13 2025, 22:43

dereckson moved this task from Backlog to Pending review on the Servers board.

dereckson moved this task from Backlog to Pending review on the Nasqueron Docker deployment squad board.

dereckson added a commit: rOPS7b013aaafa27: Use target name instead of generic name for orbeon.xml.Nov 27 2025, 10:45

dereckson added a commit: rOPSba7b0da5ed63: Configure Tomcat server explicitly.Nov 27 2025, 11:08

dereckson closed this task as Resolved.Sun, Mar 22, 19:02

dereckson shifted this object from the Restricted Space space to the S1 Nasqueron space.

dereckson changed the visibility from "Nasqueron security operations squad (Project)" to "Public (No Login Required)".