Strengthening Tomcat's user database hash

The bundled deployment server used by CM1 (the DTS) is Tomcat 7. By default, every Tomcat user's password (Tomcat users, not CM1 users) is hashed with SHA-1.

We can, however, switch that to a stronger hash. Before changing anything, shut down CM1 and the DTS.

The file server.xml, located at {DTS_INSTALL}/Server/conf, contains the Realm entry that determines which digest is used for the Tomcat users.

On that entry, change the digest attribute from SHA-1 (which Tomcat spells "sha") to SHA-256; for example:

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="sha"/>

to

<Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" digest="SHA-256"/>

Finally, update the hash stored for each user in tomcat-users.xml from its SHA-1 form to its SHA-256 form. The new hash cannot be computed from the old one, so you need each user's plaintext password; Tomcat's bundled bin/digest.sh (digest.bat on Windows) run as digest.sh -a SHA-256 <password> prints the value to store. Note that this is still a plain, unsalted digest, so it remains cheap to brute-force if tomcat-users.xml is ever exposed; keep the file's permissions tight. Afterwards restart CM1 and the DTS. To verify the change, do a publish of any sort; if there are no failures, the transition from SHA-1 to SHA-256 was successful.
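As an added example (not code from this post, from CM1 or the DTS, or from Tomcat itself), the Python below reproduces the unsalted digest that Tomcat's bin/digest.sh -a <algorithm> prints, rewrites each user entry in tomcat-users.xml from a supplied plaintext password, and checks every stored hash against the digest configured on the Realm in server.xml, so a mismatch is caught before the restart instead of by a failed publish. The server.xml and tomcat-users.xml fragments, the user name and the password "abc" are constructed samples, and the function names are assumptions of this example.

```python
"""Recompute Tomcat user-database hashes for a new Realm digest.

Added example; not code from CM1, the DTS or Tomcat. It reproduces what
Tomcat's bundled bin/digest.sh -a <algorithm> prints for an unsalted digest
(the lowercase hex digest of the plaintext) and checks that every stored hash
in tomcat-users.xml fits the digest configured on the UserDatabaseRealm in
server.xml. The XML below and the password "abc" are constructed samples.
"""
import hashlib
import xml.etree.ElementTree as ET

# Expected hex length of a stored hash for each value the digest attribute
# can take. Tomcat's "sha" means SHA-1 (Java's MessageDigest name "SHA").
HEX_LEN = {"sha": 40, "sha-1": 40, "sha-256": 64, "sha-512": 128, "md5": 32}


def tomcat_digest(password: str, algorithm: str) -> str:
    """Unsalted hex digest, as digest.sh -a <algorithm> writes it."""
    name = algorithm.lower().replace("-", "")   # "SHA-256" -> "sha256"
    if name == "sha":
        name = "sha1"
    return hashlib.new(name, password.encode("utf-8")).hexdigest()


def _local(tag: str) -> str:
    """Strip an XML namespace so <user> matches with or without xmlns."""
    return tag.rsplit("}", 1)[-1]


def realm_digest(server_xml: str) -> str:
    """digest attribute of the UserDatabaseRealm ("" when passwords are plain)."""
    for el in ET.fromstring(server_xml).iter():
        if _local(el.tag) == "Realm" and el.get("className", "").endswith("UserDatabaseRealm"):
            return el.get("digest", "")
    raise ValueError("no UserDatabaseRealm in server.xml")


def rehash_users(users_xml: str, plaintexts: dict, algorithm: str) -> str:
    """Rewrite each <user password=...> with the digest for `algorithm`.

    A SHA-256 hash cannot be derived from a SHA-1 hash, so every user's
    plaintext password is required; a missing one is an error, not a skip.
    """
    root = ET.fromstring(users_xml)
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username") or el.get("name")   # Tomcat accepts either
        if name not in plaintexts:
            raise KeyError(f"no plaintext password for Tomcat user {name!r}")
        el.set("password", tomcat_digest(plaintexts[name], algorithm))
    return ET.tostring(root, encoding="unicode")


def check_consistent(server_xml: str, users_xml: str) -> list:
    """Names of users whose stored hash does not fit the Realm's digest."""
    digest = realm_digest(server_xml).lower()
    if digest not in HEX_LEN:
        raise ValueError(f"unsupported or missing digest {digest!r}")
    want = HEX_LEN[digest]
    bad = []
    for el in ET.fromstring(users_xml).iter():
        if _local(el.tag) != "user":
            continue
        pw = el.get("password", "").lower()
        if len(pw) != want or not all(c in "0123456789abcdef" for c in pw):
            bad.append(el.get("username") or el.get("name"))
    return bad


# Constructed samples: the Realm line before and after the change, and a
# tomcat-users.xml whose single user has the password "abc" stored as SHA-1.
SERVER_XML_SHA1 = (
    '<Server><Service><Engine>'
    '<Realm className="org.apache.catalina.realm.UserDatabaseRealm" '
    'resourceName="UserDatabase" digest="sha"/>'
    '</Engine></Service></Server>'
)
SERVER_XML_SHA256 = SERVER_XML_SHA1.replace('digest="sha"', 'digest="SHA-256"')
USERS_XML_SHA1 = (
    '<tomcat-users><role rolename="manager-gui"/>'
    '<user username="tomcat" password="a9993e364706816aba3e25717850c26c9cd0d89d" '
    'roles="manager-gui"/></tomcat-users>'
)
PLAINTEXTS = {"tomcat": "abc"}   # supplied by the operator, never recoverable from the file


def migrate() -> tuple:
    """Check before and after rehashing; returns (before, new_xml, after)."""
    before = check_consistent(SERVER_XML_SHA256, USERS_XML_SHA1)   # old hash too short
    new_xml = rehash_users(USERS_XML_SHA1, PLAINTEXTS, "SHA-256")
    after = check_consistent(SERVER_XML_SHA256, new_xml)           # nothing left to fix
    return before, new_xml, after


if __name__ == "__main__":
    before, new_xml, after = migrate()
    print("mismatched before rehash:", before)
    print("mismatched after rehash: ", after)
    print(new_xml)
```

Run check_consistent against the real {DTS_INSTALL}/Server/conf/server.xml and tomcat-users.xml after editing both files and before restarting; any name it returns still carries a hash of the wrong length for the configured digest and will fail to authenticate.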
