Hi!
I've noticed that it's trivial to discover the exact version information
about the servlet container that runs a particular CA instance, one only
has to visit an invalid URL for a given instance, e.g.:
https://CA_SERVER:9443/qwerty
===================
HTTP Status 404 - /qwerty
type Status report
message /qwerty
description The requested resource (/qwerty) is not available.
Apache Tomcat/5.5.26
===================
Security by obscurity arguments aside, IMHO it's not so wise to
immediately provide exact version information for the server running
such a security-critical service. This information isn't a vulnerability
in itself, but makes it so much easier to plan an attack strategy for a
potential intruder.
In Apache, it's enough to use the "ServerTokens" configuration directive
to suppress giving out the exact server version, but AFAIK in Tomcat one
has to prepare a customised error page and configure it in web app's
web.xml (the <error-page> element -
http://www.apache-korea.org/tomcat/faq/misc.html#error).
With Tomcat, most admins won't bother since it requires so much labour.
I think it would be nice to package simple error pages that don't
divulge version information in the pki RPMs by default - do you agree?
That would require modifying the following (all webapps' contexts have
to be customised):
/usr/share/pki/INSTANCE_NAME/conf/web.xml
/usr/share/pki/INSTANCE_NAME/webapps/ROOT/WEB-INF/web.xml
/usr/share/pki/INSTANCE_NAME/webapps/INSTANCE_NAME/WEB-INF/web.xml
--
Best Regards,
Aleksander Adamowski
GG#: 274614
ICQ UIN: 19780575
http://olo.org.pl
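An added example of the `<error-page>` configuration the post refers to; it is not from the original message or from the pki RPMs. It assumes a static file `error.html` (placeholder name) deployed in the webapp's root, and would go into each of the web.xml files listed above.

```xml
<!-- Added example; not from the original post or the pki project.
     Assumes a static error.html exists in the webapp root (placeholder). -->
<web-app xmlns="http://java.sun.com/xml/ns/j2ee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/j2ee
                             http://java.sun.com/xml/ns/j2ee/web-app_2_4.xsd"
         version="2.4">

  <!-- Status codes that Tomcat's built-in report page would otherwise
       render with its "Apache Tomcat/x.y.z" footer. Each is mapped to a
       static page that carries no server or version information. -->
  <error-page>
    <error-code>404</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>403</error-code>
    <location>/error.html</location>
  </error-page>
  <error-page>
    <error-code>500</error-code>
    <location>/error.html</location>
  </error-page>

  <!-- Uncaught exceptions would otherwise produce a stack trace plus the
       same version banner; Throwable catches every exception type. -->
  <error-page>
    <exception-type>java.lang.Throwable</exception-type>
    <location>/error.html</location>
  </error-page>
</web-app>
```

Any status code not listed still falls through to Tomcat's default report, so repeat the element for every code the instance can return (400, 405 and so on); the `<location>` is resolved inside the same webapp, which is why each context on the list above needs its own copy.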