From: Christopher Schultz
Date: Thu, 20 Sep 2012 10:21:29 -0400
To: Tomcat Users List
Subject: Re: configured truststore ignored by tomcat

Dan,

On 9/19/12 10:33 AM, Daniel Mikusa wrote:
> On Sep 19, 2012, at 2:40 AM, Marco_Strullato@swissre.com wrote:
>
>> Hi all, I have a tomcat 6.0.35 that needs to connect to a remote
>> server using https, so it is acting as a https client: it means
>> that tomcat must have the remote server certificate installed.
>>
>> The ideal solution I found is to configure the truststore in the
>> server.xml.
>>
>> Please see the following:
>>
>> <Connector ... maxThreads="150" scheme="https" secure="true"
>> keystoreFile="keystore/keystore.p12" keystoreType="pkcs12"
>> keystorePass=""
>> truststoreFile="keystore/truststore.p12" truststoreType="pkcs12"
>> truststorePass="" clientAuth="optional"
>> sslProtocol="TLS" />
>>
>> So, I configured the truststore and the server.xml.
>
> This will configure the keystore / truststore used by the
> Connector. It does not configure the keystore / truststore used by
> the JVM for making HTTPS client requests.

+1

>> After restarting tomcat I got an ssl exception
>>
>> sun.security.validator.ValidatorException: PKIX path building
>> failed:
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>
>> Enabling the property javax.net.debug I could see that tomcat is
>> simply ignoring the truststore I configured.
>>
>> Let me add that I tried also with no luck to change the
>> truststore format to jks. I add also that the remote server cert
>> is inside the truststore since I can see it with keytool.
>>
>> Do you know why? What else could I check?
>
> See explanation above. Here is an example. The trick is to set
> the "javax.net.ssl.trustStore" and
> "javax.net.ssl.trustStorePassword" system properties.
>
> http://www.exampledepot.com/egs/javax.net.ssl/client.html
>
> or you could disable validation altogether. Not something you'd
> want to do for a production site though.
>
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Better yet, configure the library (httpclient?) directly to use the
truststore of your choosing: there's no need to set the trust store
for the entire JVM (also, it makes your application more configurable
IMO).

-chris
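As an added illustration of the per-connection approach Chris describes (not code from the thread or from Tomcat), the following builds an SSLContext from the same PKCS12 truststore named in Marco's server.xml and applies it to a single HttpsURLConnection, leaving the JVM-wide javax.net.ssl.trustStore untouched. The host name, the truststore password and the location of the truststore file are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TruststoreClient {

    // Build an SSLContext whose trust anchors are exactly the certificates in
    // the given truststore. Nothing here touches the JVM's default trust store,
    // so other HTTPS clients in the same JVM keep their own settings.
    static SSLContext sslContextFromTruststore(String path, String type, char[] password)
            throws Exception {
        KeyStore trustStore = KeyStore.getInstance(type);   // "pkcs12" or "jks"
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);        // no client key, custom trust
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed values: same truststore file as the Connector in the thread,
        // placeholder password, placeholder remote host.
        SSLContext ctx = sslContextFromTruststore(
                "keystore/truststore.p12", "pkcs12", "changeit".toCharArray());

        HttpsURLConnection conn =
                (HttpsURLConnection) new URL("https://remote.example/").openConnection();
        // Only this connection uses the custom trust anchors.
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        // If the remote chain does not lead to a certificate in the truststore,
        // this throws the same "PKIX path building failed" SSLHandshakeException
        // quoted in the thread, which is the desired failure: no TrustAll.
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

With Apache HttpClient the same SSLContext is handed to the client builder instead of to the connection, which is the "configure the library directly" variant Chris refers to.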