tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: configured truststore ignored by tomcat
Date Thu, 20 Sep 2012 14:21:29 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Dan,

On 9/19/12 10:33 AM, Daniel Mikusa wrote:
> On Sep 19, 2012, at 2:40 AM, Marco_Strullato@swissre.com wrote:
> 
>> Hi all, I have a tomcat 6.0.35 that needs to connect to a remote
>> server using https, so it is acting as a https client: it means
>> that tomcat must have the remote server certificate installed.
>> 
>> The ideal solution I found is to configure the truststore in the
>> server.xml.
>> 
>> Please see the following:
>> 
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
>> maxThreads="150" scheme="https" secure="true" 
>> keystoreFile="keystore/keystore.p12" keystoreType="pkcs12" 
>> keystorePass="<password>" 
>> truststoreFile="keystore/truststore.p12" truststoreType="pkcs12" 
>> truststorePass="<password>" clientAuth="optional"
>> sslProtocol="TLS" />
>> 
>> So, I configured the truststore and the server.xml.
> 
> This will configure the keystore / truststore used by the
> Connector. It does not configure the keystore / truststore used by
> the JVM for making HTTPS client requests.

+1

>> After restarting tomcat I got an ssl exception
>> 
>> sun.security.validator.ValidatorException: PKIX path building
>> failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> 
>> Enabling the property javax.net.debug I could see that tomcat is
>> simply ignoring the truststore I configured.
>> 
>> Let me add that I tried also with no luck to change the
>> truststore format to jks. I add also that the remote server cert
>> is inside the truststore since I can see it with keytool.
>> 
>> Do you know why? What else could I check?
> 
> See explanation above.  Here is an example.  The trick is to set
> the "javax.net.ssl.trustStore" and
> "javax.net.ssl.trustStorePassword" system properties.
> 
> http://www.exampledepot.com/egs/javax.net.ssl/client.html
> 
> or you could disable validation altogether.  Not something you'd
> want to do for a production site though.
> 
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Better yet, configure the library (httpclient?) directly to use the
truststore of your choosing: there's no need to set the trust store
for the entire JVM (also, it makes your application more configurable
IMO).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBbJmkACgkQ9CaO5/Lv0PB6xgCgrdgSV/77X+gmULLUI6lugmqC
m6MAnjW6wKyU643y/gpTGSZ4VaRyW9dV
=Ih1h
-----END PGP SIGNATURE-----
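The two approaches discussed in this thread, as an added example written for this archive page rather than code from any of the posters: the JVM-wide route Dan points at (the javax.net.ssl.* system properties) is shown only as a comment, and the per-client route Chris recommends is implemented with plain JSSE, building an SSLContext from the same truststore the Connector already uses and attaching it to a single HttpsURLConnection. The truststore path, type and password values mirror the server.xml fragment above; the remote URL and the class and method names are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/*
 * Option A (JVM-wide, what the exampledepot link above does): add these to
 * CATALINA_OPTS so every outbound TLS connection in the JVM uses this
 * truststore. This is the "javax.net.ssl.trustStore" route from the thread.
 *
 *   -Djavax.net.ssl.trustStore=keystore/truststore.p12
 *   -Djavax.net.ssl.trustStoreType=PKCS12
 *   -Djavax.net.ssl.trustStorePassword=<password>
 *
 * Option B (per client, Chris's suggestion): scope the trust to the one
 * connection that needs it, which is what the code below does.
 */
public class ScopedTrustStoreClient {

    // Load the truststore and wrap it in an SSLContext that trusts only the
    // certificates it contains. Type is "PKCS12" or "JKS", matching the
    // truststoreType attribute in server.xml.
    static SSLContext sslContextFromTrustStore(String path, String type, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client certificate (null KeyManagers), default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Issue one HTTPS request using the scoped SSLContext. The default
    // HostnameVerifier is left in place, so a mismatched hostname still fails.
    static int fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try {
            return conn.getResponseCode();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        // Hypothetical remote host; the truststore values mirror server.xml.
        SSLContext ctx = sslContextFromTrustStore(
                "keystore/truststore.p12", "PKCS12", "<password>".toCharArray());
        System.out.println("HTTP status: " + fetchStatus("https://remote.example/", ctx));
    }
}
```

With option B the rest of the JVM keeps its default cacerts, so adding the remote server's CA to this truststore does not widen what every other outbound connection in Tomcat trusts. If the remote certificate is missing from the file, the same PKIX path building failure from the original post is thrown, but now from a single, identifiable call site rather than from somewhere inside the JVM-wide configuration.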
