I am rather confused by the purpose of the truststore file in a Tomcat server, i.e. the use of the truststoreFile parameter when setting up a TLS-enabled connector.
According to the tomcat docs:
truststoreFile
The trust store file to use to validate client certificates. The default is the value of the javax.net.ssl.trustStore system property. If neither this attribute nor the default system property is set, no trust store will be configured.
To me this is telling me that for an inbound connection to my Tomcat server, this is where I would store certificates that a client would present (e.g. a user's browser).
Would I really put 3rd-party CA certificates here, or other 3rd-party server certificates, if my Tomcat server wants to make an outbound connection to a TLS-enabled server (e.g. an LDAPS server)?
As per my understanding the place to do this is the cacerts file.
To elaborate further, the purpose of truststoreFile seems to be explicitly different from the Java parameter javax.net.ssl.trustStore. The latter appears to be for trusting 3rd-party CA certs, in much the same way as a browser's CA list, the default file being jssecerts or cacerts.
Have I got this completely wrong?
You're correct about the fact that the truststore is used to check the client certificate for inbound connections.
But this should not be done in the cacerts file. The cacerts file contains all trusted CA certificates. This means that any client connection to your Tomcat using a valid certificate signed by a trusted CA would be allowed access.
The truststore is therefore used to limit access to a certain client or clients.
For instance: you have multiple applications deployed, each for a different client. Each application has a webservice that accepts data. In order to prevent client A from consuming the webservice of client B, you can configure your Tomcats with truststores and ask your clients to send their own client certificates with the requests. When client A makes a request with his certificate to the Tomcat of client B, the latter will not find the certificate in its truststore, will not trust the connection and will abort it.
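As an added illustration of the per-client truststore the answer describes (this is example configuration written for this page, not taken from the Tomcat docs or from the original poster), here is a Tomcat server.xml connector for "client B's" instance. The file names, aliases and passwords (conf/server.p12, conf/clientB-trust.p12, clientB.crt, changeit) are assumptions chosen for the example. The first connector shows the weak setup, where no truststoreFile is given and Tomcat falls back to the JVM's javax.net.ssl.trustStore (normally cacerts); the second pins trust to a dedicated truststore that contains only client B's certificate and requires the client to present one.

```xml
<!-- Added example, not from the original page or the Tomcat project.
     All paths, aliases and passwords below are assumed values.

     WEAK: clientAuth="true" but no truststoreFile. Tomcat validates the
     client certificate against the JVM default trust store
     (javax.net.ssl.trustStore, i.e. $JAVA_HOME/lib/security/cacerts unless
     overridden). Any client holding a certificate issued by ANY public CA in
     that file would pass the TLS handshake, which is exactly the situation
     the answer warns about. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/server.p12"
           keystorePass="changeit"
           keystoreType="PKCS12"
           clientAuth="true" />

<!-- CORRECTED: a dedicated truststore that holds only the certificate(s)
     this instance should accept. Build it once (assumed alias/file names):

       keytool -importcert -noprompt \
               -alias clientB -file clientB.crt \
               -keystore conf/clientB-trust.p12 -storetype PKCS12 \
               -storepass changeit

     Because the truststore contains client B's own certificate and nothing
     else, a handshake from client A (signed by some other CA, or even by the
     same CA) fails before any request reaches the webservice.
     clientAuth="true" makes the certificate mandatory; "want" would request
     it but still let anonymous clients through, so do not use it here. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" scheme="https" secure="true"
           sslProtocol="TLS"
           keystoreFile="conf/server.p12"
           keystorePass="changeit"
           keystoreType="PKCS12"
           clientAuth="true"
           truststoreFile="conf/clientB-trust.p12"
           truststorePass="changeit"
           truststoreType="PKCS12" />
```

Two practical notes: the truststoreFile here governs only inbound client-certificate verification on this connector; Tomcat's own outbound TLS connections (for example an LDAPS realm using the JVM's default SSLContext) keep using javax.net.ssl.trustStore, so the two settings do not compete. And if client certificates are issued by a private CA shared across clients, putting that CA in the truststore reintroduces the "any client of that CA" problem; import the individual client certificates instead, or restrict further at the application layer (Tomcat realms or servlet filters on the presented certificate's subject).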