Posted to users@tomcat.apache.org by Chris Cheshire <ya...@gmail.com> on 2018/02/14 17:17:31 UTC

using default cacerts AND custom keystore

I am trying to set up my webapp to connect to an external database via
ssl. The database uses a self-signed certificate. I have created a
keystore with the self-signed CA and the client key & cert. This
keystore is configured via JAVA_OPTS in setenv.sh

JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
    -Djavax.net.ssl.keyStorePassword=password \
    -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
    -Djavax.net.ssl.trustStorePassword=password"

This allows me to connect to the database without a problem. However
now I cannot connect to any external web service because their certs
will no longer validate.

How do I configure tomcat such that the default cacerts is used in
addition to my self-signed certificates without importing those into
the default keystore (which is a Bad Idea™)?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: using default cacerts AND custom keystore

Posted by Alex O'Ree <al...@apache.org>.
Anything related to SSL, key stores, trust stores, X509 certificates, etc.
will do that to you!

On Mon, Feb 19, 2018 at 9:16 AM, Chris Cheshire <ya...@gmail.com>
wrote:

> On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz
> <ch...@christopherschultz.net> wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA256
> >
> > Chris,
> >
> > On 2/14/18 3:34 PM, Chris Cheshire wrote:
> >> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org>
> >> wrote:
> >>> On 14/02/18 17:17, Chris Cheshire wrote:
> >>>> I am trying to set up my webapp to connect to an external
> >>>> database via ssl. The database uses a self-signed certificate.
> >>>> I have created a keystore with the self-signed CA and the
> >>>> client key & cert. This keystore is configured via JAVA_OPTS in
> >>>> setenv.sh
> >>>>
> >>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks
> >>>> \ -Djavax.net.ssl.keyStorePassword=password \
> >>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
> >>>> -Djavax.net.ssl.trustStorePassword=password"
> >>>>
> >>>> This allows me to connect to the database without a problem.
> >>>> However now I cannot connect to any external web service
> >>>> because their certs will no longer validate.
> >>>>
> >>>> How do I configure tomcat such that the default cacerts is used
> >>>> in addition to my self-signed certificates without importing
> >>>> those into the default keystore (which is a Bad Idea™)?
> >>>
> >>> This is nothing to do with Tomcat. Tomcat plays no role in
> >>> out-going TLS connections.
> >>>
> >>> The short answer is rather than using system properties, you
> >>> should set the keystore and truststore programmatically so they
> >>> apply just to the database connections rather than globally.
> >>>
> >>
> >> So after a bit of digging [1,2] I found that this is achieved by
> >> adding the following parameters to the mysql jdbc url in the
> >> resource definition:
> >>
> >> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> clientCertificateKeyStorePassword=password
> >> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> trustCertificateKeyStorePassword=changeit
> >>
> >> Note that [2] has a couple of errors. A) it specifies
> >> clientCertificateKeyStore[Url|Password] in lieu of the trustStore
> >> system property; that should be
> >> trustCertificateKeyStore[Url|Password] B) it specifies the urls in
> >> the form file:path_to_truststore_file, which is also incorrect; it
> >> should be file://path_to_truststore_file (which will give a triple
> >> slash if an absolute path is used)
> >>
> >> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> >> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
> >
> > It might depend upon the version of Connector/J you are using. For
> > example, I have this in my connection URL:
> >
> > '...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'
> >
> > Only a single leading / for an absolute path in my case, and it works
> > as expected.
> >
> > The use of file:// was a historical mistake web browser users made,
> > thinking that // was necessary between the protocol and anything after
> > it. It was never the case, and any software requiring a URL like
> > file:/// should be considered broken.
> >
> > -chris
>
> So I went back to retest everything to make sure I wasn't going crazy,
> and it turns out that I actually am. It really is working as expected
> without the double slash (and with). I guess I went crosseyed looking
> at the error logs after so many attempts trying to get this working
> initially.
>
> Chris
>

Re: using default cacerts AND custom keystore

Posted by Chris Cheshire <ya...@gmail.com>.
On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Chris,
>
> On 2/14/18 3:34 PM, Chris Cheshire wrote:
>> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org>
>> wrote:
>>> On 14/02/18 17:17, Chris Cheshire wrote:
>>>> I am trying to set up my webapp to connect to an external
>>>> database via ssl. The database uses a self-signed certificate.
>>>> I have created a keystore with the self-signed CA and the
>>>> client key & cert. This keystore is configured via JAVA_OPTS in
>>>> setenv.sh
>>>>
>>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks
>>>> \ -Djavax.net.ssl.keyStorePassword=password \
>>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>>> -Djavax.net.ssl.trustStorePassword=password"
>>>>
>>>> This allows me to connect to the database without a problem.
>>>> However now I cannot connect to any external web service
>>>> because their certs will no longer validate.
>>>>
>>>> How do I configure tomcat such that the default cacerts is used
>>>> in addition to my self-signed certificates without importing
>>>> those into the default keystore (which is a Bad Idea™)?
>>>
>>> This is nothing to do with Tomcat. Tomcat plays no role in
>>> out-going TLS connections.
>>>
>>> The short answer is rather than using system properties, you
>>> should set the keystore and truststore programmatically so they
>>> apply just to the database connections rather than globally.
>>>
>>
>> So after a bit of digging [1,2] I found that this is achieved by
>> adding the following parameters to the mysql jdbc url in the
>> resource definition:
>>
>> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
>> clientCertificateKeyStorePassword=password
>> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
>> trustCertificateKeyStorePassword=changeit
>>
>> Note that [2] has a couple of errors. A) it specifies
>> clientCertificateKeyStore[Url|Password] in lieu of the trustStore
>> system property; that should be
>> trustCertificateKeyStore[Url|Password] B) it specifies the urls in
>> the form file:path_to_truststore_file, which is also incorrect; it
>> should be file://path_to_truststore_file (which will give a triple
>> slash if an absolute path is used)
>>
>> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
>> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
>
> It might depend upon the version of Connector/J you are using. For
> example, I have this in my connection URL:
>
> '...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'
>
> Only a single leading / for an absolute path in my case, and it works
> as expected.
>
> The use of file:// was a historical mistake web browser users made,
> thinking that // was necessary between the protocol and anything after
> it. It was never the case, and any software requiring a URL like
> file:/// should be considered broken.
>
> -chris

So I went back to retest everything to make sure I wasn't going crazy,
and it turns out that I actually am. It really is working as expected
without the double slash (and with). I guess I went crosseyed looking
at the error logs after so many attempts trying to get this working
initially.

Chris



Re: using default cacerts AND custom keystore

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Chris,

On 2/14/18 3:34 PM, Chris Cheshire wrote:
> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org>
> wrote:
>> On 14/02/18 17:17, Chris Cheshire wrote:
>>> I am trying to set up my webapp to connect to an external
>>> database via ssl. The database uses a self-signed certificate.
>>> I have created a keystore with the self-signed CA and the
>>> client key & cert. This keystore is configured via JAVA_OPTS in
>>> setenv.sh
>>> 
>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks
>>> \ -Djavax.net.ssl.keyStorePassword=password \ 
>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \ 
>>> -Djavax.net.ssl.trustStorePassword=password"
>>> 
>>> This allows me to connect to the database without a problem.
>>> However now I cannot connect to any external web service
>>> because their certs will no longer validate.
>>> 
>>> How do I configure tomcat such that the default cacerts is used
>>> in addition to my self-signed certificates without importing
>>> those into the default keystore (which is a Bad Idea™)?
>> 
>> This is nothing to do with Tomcat. Tomcat plays no role in
>> out-going TLS connections.
>> 
>> The short answer is rather than using system properties, you
>> should set the keystore and truststore programmatically so they
>> apply just to the database connections rather than globally.
>> 
> 
> So after a bit of digging [1,2] I found that this is achieved by 
> adding the following parameters to the mysql jdbc url in the
> resource definition:
> 
> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> clientCertificateKeyStorePassword=password
> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> trustCertificateKeyStorePassword=changeit
> 
> Note that [2] has a couple of errors. A) it specifies
> clientCertificateKeyStore[Url|Password] in lieu of the trustStore
> system property; that should be
> trustCertificateKeyStore[Url|Password] B) it specifies the urls in
> the form file:path_to_truststore_file, which is also incorrect; it
> should be file://path_to_truststore_file (which will give a triple
> slash if an absolute path is used)
> 
> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

It might depend upon the version of Connector/J you are using. For
example, I have this in my connection URL:

'...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'

Only a single leading / for an absolute path in my case, and it works
as expected.

The use of file:// was a historical mistake web browser users made,
thinking that // was necessary between the protocol and anything after
it. It was never the case, and any software requiring a URL like
file:/// should be considered broken.

-chris


Re: using default cacerts AND custom keystore

Posted by Chris Cheshire <ya...@gmail.com>.
On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org> wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in setenv.sh
>>
>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>>     -Djavax.net.ssl.keyStorePassword=password \
>>     -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>     -Djavax.net.ssl.trustStorePassword=password"
>>
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>>
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
>
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> connections.
>
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.
>

So after a bit of digging [1,2] I found that this is achieved by
adding the following parameters to the mysql jdbc url in the resource
definition:

clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
clientCertificateKeyStorePassword=password
trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
trustCertificateKeyStorePassword=changeit

Note that [2] has a couple of errors.
A) it specifies clientCertificateKeyStore[Url|Password] in lieu of the
trustStore system property; that should be
trustCertificateKeyStore[Url|Password]
B) it specifies the urls in the form file:path_to_truststore_file,
which is also incorrect; it should be file://path_to_truststore_file
(which will give a triple slash if an absolute path is used)


[1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
[2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

Hope this helps someone else that happens to read the archives.



Re: using default cacerts AND custom keystore

Posted by Mark Thomas <ma...@apache.org>.
On 14/02/18 17:17, Chris Cheshire wrote:
> I am trying to set up my webapp to connect to an external database via
> ssl. The database uses a self-signed certificate. I have created a
> keystore with the self-signed CA and the client key & cert. This
> keystore is configured via JAVA_OPTS in setenv.sh
> 
> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>     -Djavax.net.ssl.keyStorePassword=password \
>     -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>     -Djavax.net.ssl.trustStorePassword=password"
> 
> This allows me to connect to the database without a problem. However
> now I cannot connect to any external web service because their certs
> will no longer validate.
> 
> How do I configure tomcat such that the default cacerts is used in
> addition to my self-signed certificates without importing those into
> the default keystore (which is a Bad Idea™)?

This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
connections.

The short answer is rather than using system properties, you should set
the keystore and truststore programmatically so they apply just to the
database connections rather than globally.

Mark

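The two answers in this thread (Mark's advice to scope the stores to the database connection rather than the JVM, and Chris Cheshire's Connector/J URL parameters) as one added Java example; this is not code from the thread, from Tomcat or from Connector/J. The underlying problem is that `-Djavax.net.ssl.trustStore` replaces the JVM's default cacerts for every outbound TLS connection in the process instead of adding to it, which is why the web-service certificates stopped validating. The example assumes the `conf/mysql.jks` path under `$CATALINA_BASE` from the thread (with one password, since both Connector/J URLs point at the same file); the class and method names (`DbTlsScoping`, `connectorProperties`, `sameFile`, `dedicatedSocketFactory`) are mine. The four property names are the ones quoted in the thread; `dedicatedSocketFactory` shows the general JSSE way of doing what Mark describes for a client that accepts an `SSLSocketFactory`, which the MySQL driver does not, so for MySQL the properties are the mechanism. `sameFile` checks the `file:/` versus `file:///` question that came up later in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the thread): confine the self-signed DB CA and the
 * client certificate to the database connection instead of setting the global
 * javax.net.ssl.* system properties, which would swap out the JVM's default
 * cacerts for every outbound TLS connection in the process.
 */
public final class DbTlsScoping {

    /** Resolves conf/mysql.jks under $CATALINA_BASE (path taken from the thread). */
    static Path keystorePath() {
        String base = System.getProperty("catalina.base", ".");
        return Paths.get(base, "conf", "mysql.jks").toAbsolutePath();
    }

    /**
     * Connector/J properties as quoted in the thread. The driver loads the
     * stores from these URLs itself, so nothing global changes and other HTTPS
     * clients in the same JVM keep validating against the default cacerts.
     * Both URLs point at the same file here, hence a single store password.
     */
    static Properties connectorProperties(Path store, String storePassword) {
        Properties p = new Properties();
        String url = store.toUri().toString(); // Path.toUri() yields file:///abs/path
        p.setProperty("clientCertificateKeyStoreUrl", url);
        p.setProperty("clientCertificateKeyStorePassword", storePassword);
        p.setProperty("trustCertificateKeyStoreUrl", url);
        p.setProperty("trustCertificateKeyStorePassword", storePassword);
        return p;
    }

    /**
     * The two spellings discussed in the thread, file:/abs/path and
     * file:///abs/path, resolve to the same local file (RFC 8089 permits an
     * empty authority), so the slash count is not what decides success.
     */
    static boolean sameFile(String a, String b) {
        return Paths.get(URI.create(a)).equals(Paths.get(URI.create(b)));
    }

    /**
     * General JSSE pattern for a client that is not a JDBC driver: build a
     * dedicated SSLContext from the store and hand its socket factory only to
     * the connection that needs it. SSLContext.getDefault() is left untouched.
     */
    static SSLSocketFactory dedicatedSocketFactory(Path store, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(store.toFile())) {
            ks.load(in, password);
        }
        // Client key and certificate for mutual TLS come from the same store.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // Trust anchors: only the self-signed CA, only for this connection.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        Path store = keystorePath();
        System.out.println(connectorProperties(store, "password"));
        System.out.println("file:/tmp/x.jks and file:///tmp/x.jks name the same file: "
                + sameFile("file:/tmp/x.jks", "file:///tmp/x.jks"));
        if (store.toFile().exists()) {
            dedicatedSocketFactory(store, "password".toCharArray());
            System.out.println("dedicated SSLContext built; global trust store property untouched: "
                    + (System.getProperty("javax.net.ssl.trustStore") == null));
        }
    }
}
```

In a Tomcat deployment the `Properties` values are what go into the JNDI `<Resource>` URL (or `connectionProperties`) for the pool, with no `-Djavax.net.ssl.*` entries in `setenv.sh`; a quick check that the scoping worked is that an `HttpsURLConnection` to a public site from the same JVM still validates, because it is still using `SSLContext.getDefault()` and the stock cacerts.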