tomcat-users mailing list archives

From "Alex O'Ree" <alexo...@apache.org>
Subject Re: using default cacerts AND custom keystore
Date Thu, 22 Feb 2018 03:44:47 GMT
anything related to SSL, key stores, trust stores, X509 certificates, etc
will do that to you!

On Mon, Feb 19, 2018 at 9:16 AM, Chris Cheshire <yahoonomas@gmail.com>
wrote:

> On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz
> <chris@christopherschultz.net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Chris,
> >
> > On 2/14/18 3:34 PM, Chris Cheshire wrote:
> >> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <markt@apache.org>
> >> wrote:
> >>> On 14/02/18 17:17, Chris Cheshire wrote:
> >>>> I am trying to set up my webapp to connect to an external
> >>>> database via ssl. The database uses a self-signed certificate.
> >>>> I have created a keystore with the self-signed CA and the
> >>>> client key & cert. This keystore is configured via JAVA_OPTS in
> >>>> setenv.sh
> >>>>
> >>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
> >>>> -Djavax.net.ssl.keyStorePassword=password \
> >>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
> >>>> -Djavax.net.ssl.trustStorePassword=password"
> >>>>
> >>>> This allows me to connect to the database without a problem.
> >>>> However now I cannot connect to any external web service
> >>>> because their certs will no longer validate.
> >>>>
> >>>> How do I configure tomcat such that the default cacerts is used
> >>>> in addition to my self-signed certificates without importing
> >>>> those into the default keystore (which is a Bad Idea™)?
> >>>
> >>> This is nothing to do with Tomcat. Tomcat plays no role in
> >>> out-going TLS connections.
> >>>
> >>> The short answer is rather than using system properties, you
> >>> should set the keystore and truststore programmatically so they
> >>> apply just to the database connections rather than globally.
> >>>
> >>
> >> So after a bit of digging [1,2] I found that this is achieved by
> >> adding the following parameters to the mysql jdbc url in the
> >> resource definition:
> >>
> >> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> clientCertificateKeyStorePassword=password
> >> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> trustCertificateKeyStorePassword=changeit
> >>
> >> Note that [2] has a couple of errors. A) It specifies
> >> clientCertificateKeyStore[Url|Password] in lieu of the trustStore
> >> system property; that should be
> >> trustCertificateKeyStore[Url|Password]. B) It specifies the urls
> >> in the form file:path_to_truststore_file; that is also incorrect,
> >> it should be file://path_to_truststore_file (which will give a
> >> triple slash if an absolute path is used).
> >>
> >>
> >> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> >> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
> >
> > It might depend upon the version of Connector/J you are using. For
> > example, I have this in my connection URL:
> >
> > '...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'
> >
> > Only a single leading / for an absolute path in my case, and it works
> > as expected.
> >
> > The use of file:// was a historical mistake web browser users made,
> > thinking that // was necessary between the protocol and anything after
> > it. It was never the case, and any software requiring a URL like
> > file:/// should be considered broken.
> >
> > -chris
>
> So I went back to retest everything to make sure I wasn't going crazy,
> and it turns out that I actually am. It really is working as expected
> without the double slash (and with). I guess I went cross-eyed looking
> at the error logs after so many attempts trying to get this working
> initially.
>
> Chris
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>
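Mark Thomas's advice in the thread is to scope the keystore and truststore to the database connection programmatically instead of setting the global javax.net.ssl.* properties, which is what broke the web service calls. The following is an added example written for this archive page, not code from the thread or from Tomcat or Connector/J. It builds an SSLContext from the mysql.jks file named in the thread (the class name ScopedTlsContext, the catalina.base-relative path and the literal password are assumptions taken from the thread's setenv.sh), presents the client certificate from that file, and trusts a server chain if either the JVM's default cacerts or the self-signed CA in mysql.jks accepts it, so the default trust store is never modified. Whether a given JDBC driver accepts a custom SSLContext or SSLSocketFactory is driver-specific; for Connector/J the URL properties quoted earlier in the thread do the same scoping.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Hypothetical helper: a per-connection TLS context that leaves the JVM defaults alone. */
public final class ScopedTlsContext {

    private ScopedTlsContext() {}

    /** Loads a JKS file; path and password are whatever the setenv.sh in the thread pointed at. */
    static KeyStore loadJks(Path file, char[] password) throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** X509TrustManager for the given store; a null store means the JVM default (cacerts). */
    static X509TrustManager trustManagerFor(KeyStore store) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** Accepts a chain if the primary store accepts it, otherwise defers to the fallback store. */
    static X509TrustManager combined(X509TrustManager primary, X509TrustManager fallback) {
        return new X509TrustManager() {
            @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try { primary.checkClientTrusted(chain, authType); }
                catch (CertificateException e) { fallback.checkClientTrusted(chain, authType); }
            }
            @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
                try { primary.checkServerTrusted(chain, authType); }
                catch (CertificateException e) { fallback.checkServerTrusted(chain, authType); }
            }
            @Override public X509Certificate[] getAcceptedIssuers() {
                List<X509Certificate> issuers = new ArrayList<>();
                for (X509Certificate c : primary.getAcceptedIssuers()) issuers.add(c);
                for (X509Certificate c : fallback.getAcceptedIssuers()) issuers.add(c);
                return issuers.toArray(new X509Certificate[0]);
            }
        };
    }

    /**
     * TLS context for the database connection only: the client key/cert and the
     * self-signed CA come from mysql.jks, public CAs still come from cacerts.
     * SSLContext.getDefault() and the javax.net.ssl.* properties are untouched.
     */
    public static SSLContext forDatabase(Path mysqlJks, char[] password) throws IOException, GeneralSecurityException {
        KeyStore custom = loadJks(mysqlJks, password);
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(custom, password);
        X509TrustManager tm = combined(trustManagerFor(null), trustManagerFor(custom));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] {tm}, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed location and password, copied from the setenv.sh quoted in the thread.
        Path jks = Paths.get(System.getProperty("catalina.base", "."), "conf", "mysql.jks");
        SSLContext db = forDatabase(jks, "password".toCharArray());
        // The JVM-wide default is a separate context, so outbound web service
        // calls that rely on it keep validating against cacerts as before.
        System.out.println("scoped context differs from default: " + (db != SSLContext.getDefault()));
    }
}
```

The combined trust manager tries cacerts first and only then the custom CA, so an attacker-controlled server still has to present a chain that one of the two stores anchors; it does not disable validation. Hand db.getSocketFactory() to whichever client supports a custom factory, and leave the JAVA_OPTS properties from the thread unset so that nothing else in the JVM inherits the private trust store.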
