Use Windows Credential Manager to securely store the HTTPS keystore password for FME Flow

Merline George

This article details a method for securely storing the keystore password and making it available to Flow's Tomcat using Windows Credential Manager and PowerShell without exposing the plaintext password in server.xml.

A PowerShell script securely injects a keystore password (stored in Windows Credential Manager) into the Tomcat Java options for FME Flow's Tomcat service (FMEServerAppServer), and then restarts the service, so the password is applied.

Prerequisite

The HTTPS configuration for FME Flow has already been completed using certificates in the CER/CRT file format or in the PFX file format. These are the two configuration methods that leave the keystore password in plaintext in server.xml.

Step-by-Step Instructions

1. Install CredentialManager PowerShell Module

Run this in PowerShell as Administrator:

Install-Module -Name CredentialManager -Scope AllUsers -Force


If prompted to allow PowerShellGet to install, enter Y.

2. Store the Keystore Password in Windows Credential Manager Manually via GUI

Open Control Panel → Credential Manager

Click Windows Credentials → Add a generic credential and fill in the following fields:

  • Internet/Network Address: TomcatKeystorePassword
  • Username: not-used
  • Password: <YourKeystorePassword>

Click OK to save and exit.

3. Create a PowerShell Script to Fetch and Inject Password

We are injecting the keystore password into the Options9 value (a REG_MULTI_SZ list of JVM options, one option per element) under "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEServerAppServer\Parameters\Java". Note that the password is therefore still present in plaintext in that registry value and as a JVM system property; what changes is that it no longer sits in server.xml, so keep read access to this registry key limited to administrators and the service account.

In the script below, please confirm the FME Flow AppServer service name on your Flow install version and edit the $serviceName variable if required.

  • "FMEFlowAppServer" or "FMEServerAppServer" as displayed on the Windows services console

Similarly, please check the registry path and value to update on your Flow install version, and edit the $regPath variable as required.

  • FME Flow: "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEServerAppServer\Parameters\Java"
  • FME Server: "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEFlowAppServer\Parameters\Java"

Save the following as C:\scripts\inject-tomcat-password.ps1:

# Load the CredentialManager module
if (-not (Get-Module -ListAvailable -Name CredentialManager)) {
    Write-Host "CredentialManager module not found. Installing..."
    try {
        Install-Module -Name CredentialManager -Force -Scope AllUsers
    } catch {
        Write-Error "Failed to install CredentialManager module. Exiting."
        exit 1
    }
}
Import-Module CredentialManager

# Retrieve password from Credential Manager
$target = "TomcatKeystorePassword"
$creds = Get-StoredCredential -Target $target
if (-not $creds) {
    Write-Error "Credential '$target' not found in Windows Credential Manager."
    exit 1
}

# Convert SecureString to plain text; the unmanaged BSTR copy is zeroed and freed afterwards
$bstr = [IntPtr]::Zero
try {
    $bstr = [System.Runtime.InteropServices.Marshal]::SecureStringToBSTR($creds.Password)
    $plainPassword = [System.Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    Write-Host "Retrieved password from Credential Manager."
} catch {
    Write-Error "Failed to convert SecureString to plain text."
    exit 1
} finally {
    if ($bstr -ne [IntPtr]::Zero) { [System.Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

# Define registry path and value to update
$regPath = "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEServerAppServer\Parameters\Java"
$regValueName = "Options9"
$newOption = "-Djavax.net.ssl.keyStorePassword=$plainPassword"

try {
    # Read existing registry value (REG_MULTI_SZ: one JVM option per element)
    $currentOptions = Get-ItemProperty -Path $regPath -Name $regValueName -ErrorAction Stop | Select-Object -ExpandProperty $regValueName
    # Remove any existing keyStorePassword entries; @() keeps the result an array even when
    # only one option remains, so the strings are not concatenated into a single element
    $filteredOptions = @($currentOptions | Where-Object { $_ -notmatch '^-Djavax\.net\.ssl\.keyStorePassword=' })
    # Append the new keystore password option
    [string[]]$updatedOptions = $filteredOptions + $newOption
    # Write the updated value back to the registry, preserving the multi-string type
    Set-ItemProperty -Path $regPath -Name $regValueName -Value $updatedOptions -Type MultiString
    Write-Host "Updated '$regValueName' with keystore password at:"
    Write-Host "  $regPath"
} catch {
    Write-Warning "Skipped '$regValueName': key not found or update failed: $_"
}

# Drop the plaintext copies from script memory now that the registry holds the option
Remove-Variable -Name plainPassword, newOption, updatedOptions -ErrorAction SilentlyContinue

# Restart FME Flow AppServer service
$serviceName = "FMEServerAppServer"
try {
    $service = Get-Service -Name $serviceName -ErrorAction Stop
    if ($service.Status -ne "Stopped") {
        Write-Host "Stopping service '$serviceName'..."
        Stop-Service -Name $serviceName -Force -ErrorAction Stop
        Start-Sleep -Seconds 5
    }
    Write-Host "Starting service '$serviceName'..."
    Start-Service -Name $serviceName -ErrorAction Stop
    Write-Host "Service '$serviceName' restarted successfully."
} catch {
    Write-Error "Failed to restart service '$serviceName'. $_"
    exit 1
}


4. Set keyStorePassword reference in server.xml

In server.xml, update the HTTPS connector so that the keystore password attribute references the system property instead of a literal value: keystorePass="${javax.net.ssl.keyStorePassword}"

Tomcat will read the injected system property at runtime.
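A verification helper, added here as an example and not part of the original article, that confirms the injection landed in the registry value and that server.xml no longer carries a literal keystore password, without printing the password itself. It assumes the same registry path and value name as the injection script and an assumed server.xml path ($serverXml) that you adjust for your install.

```powershell
# Added verification helper (not from the original article). Checks the registry
# option and server.xml; never prints the password. $serverXml is an assumed path.
$regPath      = "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEServerAppServer\Parameters\Java"
$regValueName = "Options9"
$serverXml    = "C:\Program Files\FMEFlow\Utilities\tomcat\conf\server.xml"   # assumed; adjust for your install

function Test-KeystoreOptionInRegistry {
    # Exactly one -Djavax.net.ssl.keyStorePassword=... element is expected in the REG_MULTI_SZ.
    $options = @(Get-ItemProperty -Path $regPath -Name $regValueName -ErrorAction Stop |
                 Select-Object -ExpandProperty $regValueName)
    $pwOptions = @($options | Where-Object { $_ -match '^-Djavax\.net\.ssl\.keyStorePassword=' })
    switch ($pwOptions.Count) {
        0       { Write-Warning "No keyStorePassword option present in $regValueName"; return $false }
        1       { Write-Host "OK: one keyStorePassword option present in $regValueName"; return $true }
        default { Write-Warning "$($pwOptions.Count) keyStorePassword options present; expected exactly one"; return $false }
    }
}

function Test-ServerXmlUsesPlaceholder {
    # Every keystore password attribute must reference the system property, not a literal value.
    # Both the classic Connector attribute and the SSLHostConfig/Certificate attribute are checked.
    $content = Get-Content -Path $serverXml -Raw
    $pattern = '(?i)\b(keystorePass|certificateKeystorePassword)\s*=\s*"([^"]*)"'
    $ok = $true
    foreach ($m in [regex]::Matches($content, $pattern)) {
        $attr = $m.Groups[1].Value
        if ($m.Groups[2].Value -eq '${javax.net.ssl.keyStorePassword}') {
            Write-Host "OK: $attr references the injected system property"
        } else {
            Write-Warning "$attr still holds a literal value in server.xml (value not shown)"
            $ok = $false
        }
    }
    return $ok
}

$registryOk = Test-KeystoreOptionInRegistry
$xmlOk      = Test-ServerXmlUsesPlaceholder
if ($registryOk -and $xmlOk) { Write-Host "Verification passed." } else { Write-Warning "Verification found issues; see above." }
```

Run it from an elevated PowerShell session after step 5; a warning from either check means the password is still exposed in server.xml or was not injected.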

5. Run the script

Run the script from an elevated PowerShell session. It restarts the FME Flow AppServer service as its final step, so the injected keystore password takes effect immediately.

6. Automate Script Execution at Boot (Optional)

To ensure the password is injected before Tomcat starts, open Task Scheduler and create a new task with the following parameters:

  • Trigger: At system startup
  • Action: Run powershell.exe
  • Arguments: -ExecutionPolicy Bypass -File "C:\scripts\inject-tomcat-password.ps1"
  • Security options: Run with highest privileges

Because Windows Credential Manager keeps generic credentials in the vault of the user who saved them, configure the task to run as the same account that stored the credential in step 2 (not as a different account or SYSTEM); otherwise Get-StoredCredential will not find it.
