tomcat-users mailing list archives

From Marco_Strull...@swissre.com
Subject configured truststore ignored by tomcat
Date Wed, 19 Sep 2012 06:40:29 GMT
Hi all, 
I have a tomcat 6.0.35 that needs to connect to a remote server using 
https, so it is acting as an https client: this means that tomcat must have 
the remote server certificate installed.

The ideal solution I found is to configure the truststore in the 
server.xml.

Please see the following:

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="keystore/keystore.p12"
               keystoreType="pkcs12"
               keystorePass="<password>"
               truststoreFile="keystore/truststore.p12"
               truststoreType="pkcs12"
               truststorePass="<password>"
               clientAuth="optional" sslProtocol="TLS" />

So, I configured the truststore and the server.xml.

After restarting tomcat I got an SSL exception 

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

Enabling the property javax.net.debug I could see that tomcat is simply 
ignoring the truststore I configured.

Let me add that I also tried, with no luck, to change the truststore format 
to jks. I also add that the remote server cert is inside the truststore, 
since I can see it with keytool.

Do you know why? What else could I check? 

Regards


Marco
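Added example, not part of Marco's mail or of Tomcat's own code. The Connector's truststoreFile/truststorePass attributes in server.xml are read by the HTTPS connector to validate client certificates on incoming connections (they matter when clientAuth is set); they are not consulted when code running inside Tomcat opens an outbound HTTPS connection. Outbound connections use the JVM-wide truststore instead: the file named by the javax.net.ssl.trustStore system property if set, otherwise the JDK's cacerts. The class below shows the per-connection alternative: it loads the PKCS12 truststore from the mail explicitly, lists its anchors (the same view keytool -list gives), and builds an SSLContext from it for an HttpsURLConnection. The truststore path, password and remote URL are assumed inputs passed on the command line; the class name and method names are my own.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original mail or from Tomcat): builds an
 * outbound TLS context from an explicit PKCS12 truststore, so that trust
 * for HTTPS connections the application *initiates* does not depend on the
 * Connector's truststoreFile, which only governs client-certificate
 * validation for incoming connections.
 */
public class OutboundTrust {

    /** Load a PKCS12 (or JKS) truststore from disk. */
    static KeyStore loadTruststore(String path, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Build an SSLContext whose only trust anchors are the entries in {@code trust}. */
    static SSLContext contextFor(KeyStore trust) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManager: this side authenticates the server only, it presents no client cert.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Print each trusted certificate entry, as keytool -list would show it. */
    static void dumpAnchors(KeyStore trust) throws GeneralSecurityException {
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (trust.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) trust.getCertificate(alias);
                System.out.println(alias + " -> " + c.getSubjectX500Principal()
                        + " (expires " + c.getNotAfter() + ")");
            }
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: OutboundTrust <truststore.p12> <password> <https-url>");
            System.exit(2);
        }
        // Assumed inputs (placeholders supplied by the caller): the PKCS12 truststore
        // from the mail, its password, and the remote HTTPS endpoint to reach.
        KeyStore trust = loadTruststore(args[0], "PKCS12", args[1].toCharArray());
        dumpAnchors(trust);

        // What the JVM would use instead if nothing is set per connection:
        // javax.net.ssl.trustStore when defined (e.g. via CATALINA_OPTS),
        // otherwise <java.home>/lib/security/cacerts.
        String jvmDefault = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        System.out.println("JVM default truststore for outbound TLS: " + jvmDefault);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[2]).openConnection();
        conn.setSSLSocketFactory(contextFor(trust).getSocketFactory());
        // The default HostnameVerifier stays in place: the server cert must match the URL host.
        System.out.println("HTTP " + conn.getResponseCode() + " from " + args[2]);
    }
}
```

If every outbound connection from the Tomcat JVM should trust the same store, the JVM-wide route is to set -Djavax.net.ssl.trustStore, -Djavax.net.ssl.trustStorePassword and -Djavax.net.ssl.trustStoreType=pkcs12 in CATALINA_OPTS (for example in bin/setenv.sh). Note that this replaces cacerts rather than adding to it, so any public CA roots the application still needs must be imported into that store as well; with javax.net.debug=ssl enabled, the "trustStore is:" line in the startup output shows which file actually took effect.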