tomcat-users mailing list archives

From Christopher Schultz <>
Subject Re: configured truststore ignored by tomcat
Date Thu, 20 Sep 2012 14:21:29 GMT

On 9/19/12 10:33 AM, Daniel Mikusa wrote:
> On Sep 19, 2012, at 2:40 AM, wrote:
>> Hi all, I have a tomcat 6.0.35 that needs to connect to a remote
>> server using https, so it is acting as a https client: it means
>> that tomcat must have the remote server certificate installed.
>> The ideal solution I found is to configure the truststore in the
>> server.xml.
>> Please see the following:
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
>> maxThreads="150" scheme="https" secure="true" 
>> keystoreFile="keystore/keystore.p12" keystoreType="pkcs12" 
>> keystorePass="<password>" 
>> truststoreFile="keystore/truststore.p12" truststoreType="pkcs12" 
>> truststorePass="<password>" clientAuth="optional"
>> sslProtocol="TLS" />
>> So, I configured the truststore and the server.xml.
> This will configure the keystore / truststore used by the
> Connector. It does not configure the keystore / truststore used by
> the JVM for making HTTPS client requests.


>> After restarting tomcat I got an ssl exception:
>> PKIX path building failed:
>> unable to find valid certification path to requested target
>> Enabling the property I could see that tomcat is
>> simply ignoring the truststore I configured.
>> Let me add that I tried also with no luck to change the
>> truststore format to jks. I add also that the remote server cert
>> is inside the truststore since I can see it with keytool.
>> Do you know why? What else could I check?
> See explanation above.  Here is an example.  The trick is to set
> the "" and
> "" system properties.
> or you could disable validation altogether.  Not something you'd
> want to do for a production site though.

Better yet, configure the library (httpclient?) directly to use the
truststore of your choosing: there's no need to set the trust store
for the entire JVM (also, it makes your application more configurable

- -chris
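The approach Chris recommends, as an added example that is not part of this thread and not code from Tomcat or any library mentioned in it: the truststore is loaded into a TrustManagerFactory and wrapped in an SSLContext that is applied to one outgoing connection only, so neither the JVM-wide trust settings nor the Connector's truststore attributes are involved. The original poster did not say which HTTP client library is in use, so this uses the JDK's own HttpsURLConnection; the truststore path, password and target URL are assumed placeholder values, and the PKCS12 truststore format matches the one shown in the quoted server.xml.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ScopedTruststoreHttpsClient {

    // Build an SSLContext whose trust decisions come only from the given
    // PKCS12 truststore. The JVM's default cacerts and any JVM-wide
    // truststore system properties are not consulted for this context.
    public static SSLContext sslContextFromTruststore(Path truststore, char[] password)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(truststore)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key managers: this side is a plain HTTPS client that presents
        // no client certificate. Trust managers come from our truststore.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Perform a GET against the remote server using the scoped SSLContext.
    // setSSLSocketFactory applies to this connection only; avoid
    // HttpsURLConnection.setDefaultSSLSocketFactory, which would change trust
    // for every HTTPS connection in the JVM. The default HostnameVerifier
    // stays in place, so the certificate must still match the host name.
    public static int fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        conn.setConnectTimeout(5000);
        conn.setReadTimeout(5000);
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        // Assumed placeholder values; substitute your own truststore path,
        // password and remote URL. A PKIX "unable to find valid certification
        // path" failure here means the server's chain is not anchored in
        // this truststore, not in whatever the Connector is configured with.
        Path truststore = Paths.get("keystore/truststore.p12");
        char[] password = "changeit".toCharArray();
        SSLContext ctx = sslContextFromTruststore(truststore, password);
        System.out.println("HTTP status: " + fetchStatus("https://remote.example/api", ctx));
    }
}
```

If the application uses a library such as Apache HttpClient instead, the same SSLContext object is what that library's connection or socket factory configuration accepts, so the truststore handling above carries over unchanged; only the last step of attaching it to the connection differs.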

