tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Client certificate keystore configuration
Date Tue, 02 Sep 2014 16:00:38 GMT

Javier,

On 8/28/14, 3:14 PM, Javier Conti wrote:
> On 28 August 2014 13:50, Konstantin Kolinko
> <knst.kolinko@gmail.com> wrote:
> 
>> 2014-08-28 14:46 GMT+04:00 Javier Conti
>> <javier.conti@gmail.com>:
>>> Hi all,
>>> 
>>> in a Tomcat 7.0.53 container we are running an application
>>> which needs to use client certificates to connect to other
>>> webservices. This is currently done by configuring a keystore
>>> containing keys, certificates and CAs for the JVM (via command
>>> line arguments) as follows:
>>> 
>>> -Djavax.net.ssl.keyStore=$keystore_path 
>>> -Djavax.net.ssl.keyStorePassword=$keystore_password 
>>> -Djavax.net.ssl.keyStoreType=jks 
>>> -Djavax.net.ssl.trustStore=$keystore_path 
>>> -Djavax.net.ssl.trustStorePassword=$keystore_password 
>>> -Djavax.net.ssl.trustStoreType=jks
>>> 
>>> This configuration works and requires no changes in the
>>> application code. However, since we have to pass those command
>>> line arguments in the startup
>>> script somehow (including the password, which can be seen in
>>> the running process list), we are considering the various
>>> options to "cleanup" the configuration. In particular, we are
>>> investigating the possibility to configure all that in the
>>> server.xml configuration file.
>>> 
>>> I've found many examples of Tomcat SSL configuration but all
>>> deal with configuring the "server side", not the "client side"
>>> for applications running inside the container. By the way, for
>>> the Connector we're using the
>>> Native one with OpenSSL (and we could use x509 and RSA for the
>>> client side too).
>>> 
>>> Has anybody some pointers to documentation or examples?
>>> 
>> 
>> 
>> You can configure a KeyStore and TrustStore programmatically,
>> without relying on system properties. Tomcat does so in its
>> source code (search for "import javax.net.ssl") and tests (e.g.
>> test/org.apache.tomcat.util.net.TesterSupport.configureClientSsl()),
>> but passing those to your HTTP client depends on what client you are
>> using and on the API of that client.
>> 
>> You are not saying what client implementation you are using. It
>> may be better to ask on their mailing lists.
>> 
>> 
> While this could be feasible, our developers use various APIs and
> according to them it would be rather complicated to maintain the
> code should the client authentication be performed in it. However,
> the current implementation (a cert for the whole JVM) seems to be 
> sufficient for our use case: we'd just like to take the password
> out of the command line arguments, so non-privileged users
> performing other tasks on the servers wouldn't see it.

You can try setting that property in
CATALINA_BASE/conf/catalina.properties

- -chris
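Konstantin's suggestion of configuring the KeyStore and TrustStore programmatically, written up here as an added example (it is not code from the thread or from Tomcat itself): one SSLContext is built from the same JKS file used as both keystore and truststore, the password is read from a file the Tomcat user alone can read instead of a command-line argument, and the context is installed as the JVM default so clients that rely on the default context get the client certificate without code changes. The class name, the `install` method and the password-file path are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper (not Tomcat code): installs a JVM-wide SSLContext
 * built from a JKS keystore, replacing the -Djavax.net.ssl.* arguments so
 * the keystore password never appears in the process list.
 */
public final class JvmClientSsl {

    private JvmClientSsl() {}

    /**
     * @param keystorePath JKS file holding the client key, its cert and the CAs
     * @param passwordFile file containing only the keystore password; keep it
     *                     readable by the Tomcat user only (assumed location)
     */
    public static SSLContext install(String keystorePath, String passwordFile)
            throws IOException, GeneralSecurityException {
        char[] password = new String(Files.readAllBytes(Paths.get(passwordFile)),
                StandardCharsets.UTF_8).trim().toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(keystorePath)) {
            ks.load(in, password);          // also verifies the JKS integrity hash
        }
        // Same file serves as keystore (our key/cert) and truststore (CAs),
        // mirroring the -Djavax.net.ssl.keyStore / trustStore pair in the thread.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(
                KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        Arrays.fill(password, '\0');        // scrub the password from memory
        SSLContext.setDefault(ctx);         // picked up by SSLContext.getDefault() users
        return ctx;
    }
}
```

Call `install` before the application opens its first HTTPS connection (for example from a ServletContextListener), because HttpsURLConnection caches the default socket factory once it is first used. As Konstantin notes, clients that build their own SSLContext will not pick this up and need it passed through their own API.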
