tomcat-users mailing list archives

From Chris Cheshire <yahoono...@gmail.com>
Subject Re: using default cacerts AND custom keystore
Date Wed, 14 Feb 2018 20:34:41 GMT
On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <markt@apache.org> wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in setenv.sh
>>
>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>>     -Djavax.net.ssl.keyStorePassword=password \
>>     -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>     -Djavax.net.ssl.trustStorePassword=password"
>>
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>>
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
>
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> connections.
>
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.
>

So after a bit of digging [1,2] I found that this is achieved by
adding the following parameters to the mysql jdbc url in the resource
definition:

clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
clientCertificateKeyStorePassword=password
trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
trustCertificateKeyStorePassword=changeit

Note that [2] has a couple of errors.
A) it specifies clientCertificateKeyStore[Url|Password] in lieu of
trustStore system property, that should be
trustCertificateKeyStore[Url|Password]
B) it specifies the urls in the form
file:path_to_truststore_file, that is also incorrect it should be
file://path_to_truststore_file (which will give a triple slash if an
absolute path is used)


[1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
[2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

Hope this helps someone else that happens to read the archives.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
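The Connector/J URL properties above are the right tool when the client is MySQL Connector/J. Mark's more general point, building the keystore and truststore programmatically so they apply only to one client rather than to every outbound TLS connection in the JVM, applies to any Java client, and it also answers the original question of trusting the default cacerts AND the self-signed database CA at the same time. The class below is an added example written for this archive page; it is not code from the thread, from Tomcat or from Connector/J. It assumes a JKS file holding both the self-signed CA and the client key/cert (as mysql.jks does in the thread) and takes the path and store password as parameters; nothing in it sets a javax.net.ssl.* system property, so web-service calls elsewhere in the webapp keep the JVM defaults.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Builds an SSLContext scoped to ONE client: it trusts the JVM default
 * cacerts plus a private truststore (the self-signed database CA) and
 * presents the client certificate from that same private keystore.
 * No javax.net.ssl.* system properties are touched, so other outbound
 * TLS connections in the JVM are unaffected.
 */
public final class ScopedTls {

    /** Accepts a chain if ANY of the delegate trust managers accepts it. */
    static final class CompositeTrustManager implements X509TrustManager {
        private final List<X509TrustManager> delegates;

        CompositeTrustManager(List<X509TrustManager> delegates) {
            this.delegates = delegates;
        }

        private void checkWithAny(boolean server, X509Certificate[] chain, String authType)
                throws CertificateException {
            CertificateException last = null;
            for (X509TrustManager tm : delegates) {
                try {
                    if (server) tm.checkServerTrusted(chain, authType);
                    else tm.checkClientTrusted(chain, authType);
                    return; // one trust-anchor set vouched for the chain
                } catch (CertificateException e) {
                    last = e; // keep the last failure for the error message
                }
            }
            throw last != null ? last : new CertificateException("no trust managers configured");
        }

        @Override
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            checkWithAny(true, chain, authType);
        }

        @Override
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            checkWithAny(false, chain, authType);
        }

        @Override
        public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> all = new ArrayList<>();
            for (X509TrustManager tm : delegates) {
                all.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            }
            return all.toArray(new X509Certificate[0]);
        }
    }

    /** Picks the X509TrustManager out of a factory's trust managers. */
    static X509TrustManager firstX509(TrustManagerFactory tmf) {
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    static KeyStore loadJks(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * @param jksPath       assumed path, e.g. ${catalina.base}/conf/mysql.jks
     * @param storePassword assumed password for both store and key entries
     */
    public static SSLContext build(String jksPath, char[] storePassword) throws Exception {
        // 1. JVM default trust: init(null) loads the default cacerts truststore.
        TrustManagerFactory defaultTmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        defaultTmf.init((KeyStore) null);

        // 2. Private truststore holding the self-signed database CA.
        KeyStore privateStore = loadJks(jksPath, storePassword);
        TrustManagerFactory privateTmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        privateTmf.init(privateStore);

        // 3. Client key + certificate for mutual TLS to the database.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(privateStore, storePassword);

        X509TrustManager composite = new CompositeTrustManager(
                Arrays.asList(firstX509(defaultTmf), firstX509(privateTmf)));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { composite }, null);
        return ctx; // hand ctx.getSocketFactory() only to the client that needs it
    }
}
```

The composite trust manager consults the default cacerts first and the private store second, so a public web-service certificate still validates through the JVM's own anchors while the database's self-signed CA is accepted only by the client that was handed this SSLContext. Note that this is the opposite of the -Djavax.net.ssl.trustStore approach in the thread, which replaces cacerts for the entire JVM rather than adding to it.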

