tomcat-users mailing list archives

From Daniel Mikusa <dmik...@vmware.com>
Subject Re: configured truststore ignored by tomcat
Date Wed, 19 Sep 2012 14:33:31 GMT
On Sep 19, 2012, at 2:40 AM, Marco_Strullato@swissre.com wrote:

> Hi all, 
> I have a tomcat 6.0.35 that needs to connect to a remote server using 
> https, so it is acting as a https client: it means that tomcat must have 
> the remote server certificate installed.
> 
> The ideal solution I found is to configure the truststore in the 
> server.xml.
> 
> Please see the following:
> 
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               keystoreFile="keystore/keystore.p12"
>               keystoreType="pkcs12"
>               keystorePass="<password>"
>               truststoreFile="keystore/truststore.p12"
>               truststoreType="pkcs12"
>               truststorePass="<password>"
>               clientAuth="optional" sslProtocol="TLS" />
> 
> So, I configured the truststore and the server.xml.

This will configure the keystore / truststore used by the Connector.  It does not configure
the keystore / truststore used by the JVM for making HTTPS client requests.

> 
> After restarting tomcat I got an ssl exception 
> 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> 
> Enabling the property javax.net.debug I could see that tomcat is simply 
> ignoring the truststore I configured.
> 
> Let me add that I tried also with no luck to change the truststore format 
> to jks. I add also that the remote server cert is inside the truststore 
> since I can see it with keytool.
> 
> Do you know why? What else could I check? 

See explanation above.  Here is an example.  The trick is to set the "javax.net.ssl.trustStore"
and "javax.net.ssl.trustStorePassword" system properties.

   http://www.exampledepot.com/egs/javax.net.ssl/client.html

or you could disable validation altogether.  Not something you'd want to do for a production
site though.

   http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Dan


> Regards
> 
> 
> Marco
> 
> 
> 
> 
> 
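The distinction in Dan's reply is that the Connector attributes only govern the listener on port 8443; outbound HTTPS made by code inside Tomcat validates against whatever the JVM trusts. One way to point that client side at the same truststore without changing JVM-wide defaults, as an added example that is not code from the thread (the path, store type, password and host are placeholders, and the relative path resolves against the working directory rather than CATALINA_BASE):

```java
// Added example, not code from the thread. It scopes trust for outbound HTTPS
// to one truststore file, as an alternative to the -Djavax.net.ssl.trustStore
// system properties. Path, type, password and host below are placeholders.
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class OutboundTrust {

    // Build an SSLContext whose server-certificate validation uses ONLY the
    // given truststore (the JVM's default cacerts is not consulted).
    public static SSLContext contextFrom(String path, String type, char[] pass)
            throws Exception {
        KeyStore trust = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);
        try {
            trust.load(in, pass);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, trust only
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFrom("keystore/truststore.p12", "pkcs12",
                "<password>".toCharArray());
        // Applies to every HttpsURLConnection opened later in this JVM; use
        // conn.setSSLSocketFactory(...) instead to limit it to one connection.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        HttpsURLConnection conn = (HttpsURLConnection)
                new URL("https://remote.example.invalid/").openConnection();
        // A PKIX "unable to find valid certification path" raised here means
        // the server's chain is not anchored in truststore.p12 after all.
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Setting -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword and -Djavax.net.ssl.trustStoreType=pkcs12 in CATALINA_OPTS, as the first link describes, achieves the same JVM-wide, but it replaces the default cacerts, so any other CA the server must trust has to be imported into that file as well.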


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

