tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Tomcat and Outgoing SSL
Date Fri, 25 Sep 2009 15:17:36 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Steve,

On 9/23/2009 11:49 PM, Steve Cohen wrote:
> I have an backend application that runs under Tomcat.  It does not serve
> Web pages.  It depends on various services that use SSL in one way or
> another:
> 
> 1) It connects with a vendor's Web Service over https:, which depends on
> one of the certificates in the default cacerts file
> 
> 2) It connects with another vendor's Web Service over https: but this
> one depends on a CA certificate issued by the vendor.
> 
> 3) It makes SSL-encrypted connections to a MySQL database using a
> self-generated SSL certificate.
> 
> I can get this to work by using keytool and importing the entire cacerts
> keystore, the self-generated CA cert for mysql, and the second vendor's
> ca cert into a single truststore, then Setting system properties to
> point at this at app startup.
> 
> But this feels like a real hack.

So, you basically copy the system cacerts file and merge-in the two
other certificates? That doesn't sound too bad to me.

Another option is to simply modify the system cacerts file.

I thought that the JVM would load the system cacerts file plus
~/.cacerts or something similar automatically. Have you looked at the
documentation for SocketFactory and friends?

Another option is to simply turn-off certificate checking for SSL
connections, but I really don't recommend this except for testing
environments.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkq83xAACgkQ9CaO5/Lv0PBetgCfQKIyryVLRtOu3Mcr6Z2/Stnr
W5UAoLLPqNnbfHl9ZfcPwpDf2oLwEIWC
=SaIR
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message