Tomcat JDBC (Datasource) password encryption and decryption

Question

I have some concerns on Tomcat JDBC password encryption and decryption.

As I know, normally, we set datasource on tomcat like below.

<Resource name="jdbc/MyDB"
      factory="nl.wimvanhaaren.tomcat.secured.EncryptedDataSourceFactory"
      secretKey="secretKeyId"
      auth="Container"
      type="javax.sql.DataSource"
      maxActive="100"
      maxIdle="30"
      maxWait="10000"
      username="databaseUser"
      password="dd30b6e87a972be1999fda04f657eca0"
      driverClassName="com.microsoft.sqlserver.jdbc.SQLServerDriver"
      url="jdbc:sqlserver://localhost:1433;databaseName=MyDB"/>

Or we set secretKey on DataSourceFactory jar file.

In my understanding, in those cases, people who can access to the server can extract the actual password through:

1. decrypting using jar file with the "secretkey" from the tomcat config file, or
2. decrypting using jar file which already includes "secretkey" inside the jar file.

IBM WebSphere has masking feature when inserting DB password, so no-one can see the password after insert by Security Team. Is there any way to do this on Tomcat? I need to use tomcat on Azure instead of on-prem WebSphere from now on(Migration) but couldn't find and answers or contents related to this on google. Please help~!

Thanks in advance.

Answer 1

IBM WebSphere has masking feature when inserting DB password, so no-one can see the password after insert by Security Team

It principially works the same way as in Tomcat, just WS has less documented how is the password encrypted. If you take the stored db password, library used to encrypt /decrypt the password and the master password/key (all stored in the filesystem), then someone having access to the server could as well decrypt the DB password on WS too. The process is just less trasparent.

It is principally so, as soons as some system needs to decrypt and use some data, the key needs to be at hand (or credentials and parameters to get the key).