This article details a method for securely storing the keystore password and making it available to Flow's Tomcat [where Flow is installed on a Microsoft Azure VM] using Azure Key Vault and PowerShell without exposing the plaintext password in server.xml.
A PowerShell script securely injects a keystore password (stored as a secret in Azure Key Vault) into the Tomcat Java options for Azure VM-hosted FME Flow's Tomcat service (FMEFlowAppServer). Then it restarts the service, so the password is applied.
Kindly have your team's Azure admin review, approve, and perform any tasks involving Azure.
Prerequisites
- Azure CLI is installed on the Flow VM.
- Go to the official download page. Download and run AzureCLI.msi.
- After installation, open Command Prompt or PowerShell, and run:
az version
The version and component list will be returned if the CLI is installed correctly.
- The HTTPS configuration for FME Flow is already completed using certificates in the CER/CRT file format or a PFX file format. These are the two methods that would have the keystore password in plaintext in server.xml.
Step-by-Step Instructions
1. Store the Keystore Password in Azure Key Vault
Run the Azure CLI command below or create via Azure Portal-
az keyvault secret set --vault-name "<ExistingKeyVault>" --name "<keystore-password-name>" --value "<Keystore-password>"
2. Enable System Assigned Managed Identity on the Azure VM hosting the FME Flow
In Azure Portal, go to your Azure VM >Security >Identity > System assigned and set Status: On. Take a note of the Object (principal) ID for the next step.
Assign Key Vault Secrets User role to the FME Flow Azure VM using this Azure CLI command-
az role assignment create --assignee <vm-object-id> --role "Key Vault Secrets User" --scope "/subscriptions/<sub-id>/resourceGroups/<rg>/providers/Microsoft.KeyVault/vaults/<vault-name>"
3. Create a PowerShell Script to Retrieve the Secret and Inject the Password
We are injecting the keystore password into the Options9 key in the path "Computer\HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEFlowAppServer\Parameters\Java".
In the script below, please confirm the FME Flow AppServer service name on your Flow install version and edit the $serviceName variable if required.
- "FMEFlowAppServer" or "FMEServerAppServer" as displayed on the Windows services console
Similarly, please check the registry path and key to update on your Flow install version, and edit the $regPath variable as required.
- FME Flow:
"HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEServerAppServer\Parameters\Java" - FME Server:
"HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEFlowAppServer\Parameters\Java"
Save the following as C:\scripts\inject-tomcat-password.ps1 on FME Flow machine:
# Authenticate using Managed Identity
try {
$tokenResponse = Invoke-RestMethod -Headers @{Metadata="true"} -Method GET -Uri "http://169.254.169.254/metadata/identity/oauth2/token?resource=https://vault.azure.net&api-version=2018-02-01"
$accessToken = $tokenResponse.access_token
Write-Host "Successfully retrieved access token from Managed Identity."
} catch {
Write-Error "Failed to retrieve access token from Managed Identity: $_"
exit 1
}
# Define Key Vault and secret name
$vaultName = "HTTPSwithKeyVaul"
$secretName = "tomcatKeystorePassword"
# Validate and confirm secret name
if ([string]::IsNullOrWhiteSpace($secretName)) {
Write-Error "Secret name variable is empty or undefined."
exit 1
}
Write-Host "Secret Name: $secretName"
# Build the full secret URI
$secretUri = "https://$vaultName.vault.azure.net/secrets/$secretName/?api-version=7.3"
Write-Host "Requesting secret from URL: $secretUri"
# Retrieve the secret from Azure Key Vault
try {
$response = Invoke-RestMethod -Headers @{Authorization = "Bearer $accessToken"} -Uri $secretUri -Method GET
$plainPassword = $response.value
Write-Host "Retrieved secret '$secretName' from Key Vault '$vaultName'."
} catch {
Write-Error "Failed to retrieve secret from Azure Key Vault: $_"
exit 1
}
# Define registry path and key for Tomcat options
$regPath = "HKLM:\SOFTWARE\WOW6432Node\Apache Software Foundation\Procrun 2.0\FMEFlowAppServer\Parameters\Java"
$regValue = "Options9"
# Read and update the registry value
try {
$current = Get-ItemProperty -Path $regPath -Name $regValue -ErrorAction Stop | Select-Object -ExpandProperty $regValue
if ($current -isnot [System.Array]) {
$current = @($current)
}
} catch {
Write-Warning "'$regValue' not found. Initializing new array."
$current = @()
}
# Remove old keystore password entry
$filtered = $current | Where-Object { $_ -notmatch "^-Djavax.net.ssl.keyStorePassword=" }
# Append new keystore password option
$updated = $filtered + "-Djavax.net.ssl.keyStorePassword=$plainPassword"
# Write to registry
try {
Set-ItemProperty -Path $regPath -Name $regValue -Value $updated
Write-Host "Updated registry key '$regValue' at '$regPath'."
} catch {
Write-Error "Failed to write to registry: $_"
exit 1
}
# Restart the FME Flow Tomcat service
$serviceName = "FMEFlowAppServer"
try {
$service = Get-Service -Name $serviceName -ErrorAction Stop
if ($service.Status -ne "Stopped") {
Write-Host "Stopping service '$serviceName'..."
Stop-Service -Name $serviceName -Force -ErrorAction Stop
Start-Sleep -Seconds 5
}
Write-Host "Starting service '$serviceName'..."
Start-Service -Name $serviceName -ErrorAction Stop
Write-Host "Service '$serviceName' restarted successfully."
} catch {
Write-Error "Failed to restart service '$serviceName': $_"
exit 1
}
4. Set keyStorePassword Reference in server.xml
In server.xml, update the HTTPS connector: keystorePass="${javax.net.ssl.keyStorePassword}"
Tomcat will read the injected system property at runtime.
5. Run the Script
It should auto-restart Flow web app service
6. Automate Script Execution at Boot (Optional)
To ensure the password is injected before Tomcat starts:
- Open Task Scheduler
- Create a new task:
- Trigger: At system startup
- Action: Run powershell.exe
-
Arguments:
-ExecutionPolicy Bypass -File "C:\scripts\inject-tomcat-password.ps1"
- Run with the highest privileges