stackoom
  简体   繁体   中英

Adding a foreign server's self-signed certificate to the trusted certificates of my Tomcat

 原文  2011-06-27 18:21:14       java/ tomcat/ ssl/ certificate/ tomcat6

Question

My Tomcat needs to connect to another web server (at https://foreign.example.com ) using SSL (TLS).

foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is: 

$JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore 
 $JRE/lib/security/cacerts

This works : My Tomcat allows the SSL connection.

However, I don't like to do it this way : It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.

So I tried importing it into the tomcat-user's keystore at ~/.keystore , and setting up Tomcat's <Connector> with these attributes: 

keystoreFile="${user.home}/.keystore"
keystorePass="thePassphraseICreatedTheKeystoreWith"

However, that doesn't work at all (I believe, this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?)

I tried the same with the truststoreFile / truststorePass attributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html )

Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to java which makes my keystore (and keystore passphrase) available to the JVM instance?

2 answers

solution1
 7 ACCPTED  2011-06-27 19:02:30

JBoss (which is based on Tomcat) can be run with the following cmd arguments. The cacerts file (or however you would like to name it) must contain the cert of the endpoint.

-Djavax.net.ssl.trustStore=C:\\Applications\\jboss-as\\server\\default\\conf\\cacerts -Djavax.net.ssl.trustStorePassword=changeit

Therefor this should also work for Tomcat.

solution2
 0  2016-05-05 06:53:10

An alternative approach is to add it to the SSL connector in tomcat in your tomcat server.xml file. Specifically you need to set the truststoreFile properties to enable trust of certificates from other servers. 

        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" keystorePass="changeit"
               truststoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" truststorePass="changeit"/>

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Tomcat server AND HTTP Client accepting expired self-signed certificate Accept server's self-signed ssl certificate in Java client Adding self-signed certificate OkHttpClient Self-signed certificate Self-Signed Certificates With Java 8 SSL/TLS communication not happening with Tomcat Server on using self-signed certificate Client connecting to an SSL server with Self-Signed Certificates TLS 1.3 server socket with Java 11 and self-signed certificates Call API on server that is signed using Self-Signed Certificate SSL with self-signed certificate
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM