Home / server / Questions / 845141
Accepted
johnymachine
Asked: 2017-04-19 11:38:14 +0800 CST

Where to put certificates in Tomcat, when app acts as client?

  • 772

For starters, i have my Tomcat8 configured for https with valid certificated linked in connector xml file.

Something like this:

    <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" enableLookups="false" keyAlias="https"
           keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 8.0\conf\keystore.jks"
           keystorePass="changeit"/>

But I need my web aplication to connect as client to third party data provider with valid certificate. Where do i put this extra certificate? When I put in keystore for connector, "https" certificate is not first certificate and it breaks stuff. I can probably fix that with keyAlias atribute in connector...

But... Are the connector keystores application wide? What is the best option for this kind of setup?

This article pretty much sums up my options, which one to pick? Best option seems to be pass keystore with both certificates to JVM, but how to tell connector which certificate to use?

EDIT:

After suggestion I edited my connector and keystore like this: keystore

Now I am getting:

Wrapped javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException:
PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target
Cause: sun.security.validator.ValidatorException: PKIX path building 
failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target]
ssl

2 Answers

  1. In our environment (tomcat7) if we use java keystore, then our connector looks like: 

    <Connector SSLEnabled="true"
    acceptCount="100"
    connectionTimeout="20000"
    executor="tomcatThreadPool"
    keyAlias="tomcat"
    keystoreFile="${catalina.base}/conf/tomcat.keystore"
    keystorePass="changeme"
    maxKeepAliveRequests="15"
    port="443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    redirectPort="8443"
    scheme="https"
    secure="true"/>

    Differences are ${catalina.base} (in our case /opt/tomcat/) instead of ${user.home}/, and as you mentioned keyAlias.

    If you want to import a key into keystore, you could do it like that (we use that when tomcat is a client to authenticate at ADFS): 

    keytool -importcert -file cert.cer -keystore tomcat.keystore -alias myalias

    I think with the keystore at ${catalina.base} and keyAlaias you should be able to solve your question.

    • 1
  2. Best Answer

    At the end, I created one keystore (with keystore explorer on windows) with all the necessary certificates(keys) and aliases. Then I filled out keystore and trustore as java VM launch parameters:

      -Djavax.net.ssl.keyStore=%KEYSTORE% 
  -Djavax.net.ssl.keyStorePassword=changeme
  -Djavax.net.ssl.trustStore=%TRUSTSTORE% 
  -Djavax.net.ssl.trustStorePassword=changeme

    Same keystore is used in tomcat connector, with appropriate keyAlias for HTTPS.

    Enabling -Djava.net.debug=ssl is also very helpful when debugging.

    • 0