Encrypting passwords in server.xml
Confluence provides the following protocols that extend Tomcat protocols with support for password encryption.
Protocol class | Based on Tomcat protocol | Attributes that support password encryption
com.atlassian.secrets.tomcat.protocol. | Http11NioProtocol |
com.atlassian.secrets.tomcat.protocol. | Http11Nio2Protocol |
com.atlassian.secrets.tomcat.protocol. | Http11AprProtocol |
com.atlassian.secrets.tomcat.protocol. | AjpNioProtocol |
com.atlassian.secrets.tomcat.protocol. | AjpNio2Protocol |
com.atlassian.secrets.tomcat.protocol. | AjpAprProtocol |
Encrypting a single password
When you create an encrypted password, the encryption tool will generate two files — encryptedPassword and encryptionKey.
You can also add your own encryption key file name as an optional argument to the end of the command in the steps below, and the encryption tool will use your file name instead of generating a new file with the encryption key. If you use your own file name, make sure it already exists in your current directory.
- Go to <Confluence-installation-directory>/bin.
- Run the following command to encrypt your password:
  java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool
  If you want to provide your own encryption key, make sure that:
  - you add the filename to the end of the command
  - the file already exists in your current directory:
  java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool encryptionKey_1698120035971
- When prompted, enter your password.
  If you don't provide your own encryption key at the end of the command, the encryption tool will generate the encryptedPassword and encryptionKey files.
  If you specify your own encryption key file name at the end of the command, the encryption tool will generate the encryptedPassword file only.
- Move these two new files to a safe location. You can also rename the files if you want.
Encrypting multiple passwords for one connector
If you want to encrypt multiple passwords for a single connector, you must use the same encryption key for all passwords. After you encrypt your first password, use the generated encryptionKey file to encrypt the subsequent password by passing the path to the key to the encryption tool:
java -cp "./*" com.atlassian.secrets.cli.tomcat.TomcatEncryptionTool /path/to/encryptionKey
    
The encryption tool will generate only the encryptedPassword file.
Using encrypted passwords in Connector configuration
To use encrypted passwords in Connector configuration, set up the following properties:
- protocol: use one of the protocol classes described above
- productEncryptionKey: specify a path to the encryptionKey file
You can then use the path to an encrypted password file in place of a plaintext password in the Connector configuration.
For example, in the Confluence conf/server.xml file, the configuration of an Http11Nio2 Connector with encrypted keystore and key passwords might look like this:
<Connector
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    port="8443"
    (...)
    keystoreFile="/var/secrets/keystore/keystore"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"
    productEncryptionKey="/var/secrets/encryptionKey"
/>
    
Note that only one productEncryptionKey is specified, so both keystorePass and keyPass must be encrypted with the same key.
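One way to check a server.xml against the rules above, as an added example that is not Atlassian's code. The function name `audit_connectors`, the sample XML, the absolute-path heuristic and the optional file-permission check are assumptions of this example, and only keystorePass and keyPass (the attributes shown in the configuration above) are inspected.

```python
import os
import xml.etree.ElementTree as ET

SECRETS_PKG = "com.atlassian.secrets.tomcat.protocol."  # package prefix from the page
PASSWORD_ATTRS = ("keystorePass", "keyPass")  # the two attributes in the page's example

def audit_connectors(server_xml, check_files=False):
    """Return (port, finding) tuples for Connectors that carry password attributes."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        port = conn.get("port", "?")
        attrs = {a: conn.get(a) for a in PASSWORD_ATTRS if conn.get(a) is not None}
        if not attrs:
            continue
        if not conn.get("protocol", "").startswith(SECRETS_PKG):
            # A stock Tomcat protocol reads these values as the passwords themselves.
            findings += [(port, f"{a} holds a plaintext password") for a in attrs]
            continue
        key = conn.get("productEncryptionKey")
        if key is None:
            findings.append((port, "productEncryptionKey missing"))
        else:
            attrs["productEncryptionKey"] = key
        for attr, path in attrs.items():
            if not os.path.isabs(path):
                # Heuristic (assumption): a non-path value is a leftover plaintext password.
                findings.append((port, f"{attr} is not an absolute file path"))
            elif check_files and os.path.exists(path) and os.stat(path).st_mode & 0o077:
                findings.append((port, f"{attr} file is accessible to group/other"))
    return findings

# Constructed sample; port 8443 mirrors the page's example, the rest are deliberately wrong.
SAMPLE = """<Server><Service name="Catalina">
  <Connector port="8443"
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"
    keyPass="/var/secrets/keystore/encryptedKeyPass"
    productEncryptionKey="/var/secrets/encryptionKey"/>
  <Connector port="8444" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
    keystorePass="changeit"/>
  <Connector port="8445"
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    keystorePass="/var/secrets/keystore/encryptedKeystorePass"/>
  <Connector port="8446"
    protocol="com.atlassian.secrets.tomcat.protocol.Http11Nio2ProtocolWithPasswordEncryption"
    keyPass="changeit" productEncryptionKey="/var/secrets/encryptionKey"/>
</Service></Server>"""

if __name__ == "__main__":
    for port, finding in audit_connectors(SAMPLE):
        print(f"Connector {port}: {finding}")
```

Pass `check_files=True` on the Confluence host itself to also flag key and encrypted-password files whose mode grants any access to group or other.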
Troubleshooting
Known issues
If your HTTPS site is not loading and you see the following error in Tomcat’s catalina.out log file, follow the steps below.
Error: java.lang.NoClassDefFoundError: org/slf4j/LoggerFactory
Caused by: java.lang.ClassNotFoundException: org.slf4j.LoggerFactory
    
- Copy the JAR file <installed-home>/synchrony-proxy/WEB-INF/lib/slf4j-api-<version>.jar to <installation-home>/lib.
- Restart Confluence.
 
For more details about this issue, see CONFSERVER-98347.