My Tomcat needs to connect to another web server (at https://foreign.example.com) using SSL (TLS).
foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is:
    $JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore $JRE/lib/security/cacerts
This works: My Tomcat allows the SSL connection.
However, I don't like to do it this way: It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.
So I tried importing it into the tomcat-user's keystore at ~/.keystore, and setting up Tomcat's <Connector> with these attributes:

    keystoreFile="${user.home}/.keystore"
    keystorePass="thePassphraseICreatedTheKeystoreWith"
However, that doesn't work at all (I believe this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?)
I tried the same with the truststoreFile/truststorePass attributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)
Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to java which make my keystore (and keystore passphrase) available to the JVM instance?
java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must not be empty - which means that it didn't find the truststore file... I wonder if maybe ${user.home} doesn't work in this place? – Chris Lercher

truststore parameters only dictate the behaviour of the connector (i.e. for client-certs). When you say "My Tomcat needs to connect to another web server", I guess your webapp is the client, not the container (and definitely not the connector). The trust config will change depending on the client lib. The default SSLContext (which it's likely to use if nothing else is specified) is configured via the javax.net.ssl.trustStore system property. If you want a more local configuration, we'd need to know which client library you're using. – Bruno
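As an added example (not code from the question or from either commenter), here is the "more local configuration" Bruno refers to, for the plain JDK client (HttpsURLConnection): the webapp builds its own SSLContext from a dedicated truststore that holds just the self-signed certificate, so only that client trusts it, and neither $JRE/lib/security/cacerts nor the JVM-wide javax.net.ssl.trustStore property is touched. The truststore path /etc/tomcat/foreign-truststore.jks, the alias foreign, the password changeit and the class name ForeignServerClient are assumptions chosen for this example; ssl-cert-myselfsigned.cer and foreign.example.com come from the question.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example: trust a self-signed server certificate for ONE client only,
 * by building a dedicated SSLContext from a private truststore instead of
 * importing the certificate into $JRE/lib/security/cacerts.
 *
 * The truststore is assumed to have been created with (path, alias and
 * password are hypothetical, chosen for this example):
 *
 *   keytool -importcert -alias foreign -file ssl-cert-myselfsigned.cer \
 *           -keystore /etc/tomcat/foreign-truststore.jks -storepass changeit
 *
 * Nothing here changes JVM-wide defaults, so other code in the same JVM
 * (and every other Java program on the machine) keeps the normal cacerts trust.
 */
public class ForeignServerClient {

    /** Load a truststore and build an SSLContext that trusts only the certificates in it. */
    static SSLContext sslContextFromTrustStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        // Default type is JKS on Java 8 and PKCS12 on Java 9+; both read what keytool wrote.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        // The trust managers accept only chains that end in a certificate from this store.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        // No key managers: we are only a TLS client and present no client certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Open an HTTPS connection bound to the dedicated context; hostname verification stays on. */
    static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Per-connection factory. Do NOT use HttpsURLConnection.setDefaultSSLSocketFactory(),
        // which would again make every HttpsURLConnection in the JVM trust this store.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFromTrustStore("/etc/tomcat/foreign-truststore.jks",
                                                  "changeit".toCharArray());
        HttpsURLConnection conn = open(new URL("https://foreign.example.com/"), ctx);
        System.out.println("HTTP " + conn.getResponseCode());
        conn.disconnect();
    }
}
```

Hostname verification is left enabled, so the self-signed certificate must carry foreign.example.com in its subject or Subject Alternative Name. If the whole Tomcat JVM (every webapp in it) should trust the certificate, but other Java programs on the machine should not, the middle ground is the system-property route from Bruno's comment: start Tomcat with -Djavax.net.ssl.trustStore=/etc/tomcat/foreign-truststore.jks -Djavax.net.ssl.trustStorePassword=changeit (for example via CATALINA_OPTS). That property replaces, rather than extends, cacerts for that JVM's default SSLContext, so the dedicated store must then also contain any public CA certificates the applications still need.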