How does your company handle other Tomcat applications that connect to resources? If credentials are decrypted on the fly, then how do web applications get that decryption key? The application will need a plain text password/key to decrypt; where is that plain text password stored?

Best practice from the Tomcat team is to properly secure your configuration files. See https://cwiki.apache.org/confluence/display/TOMCAT/Password