Posted to users@tomcat.apache.org by Shawn Deer <Sh...@entrust.com> on 2011/11/10 20:29:34 UTC

Programmatically updating the keystore Tomcat uses

I have a setup in which an instance of Tomcat 6 is running on a given machine, and another application on the same machine generates or updates the SSL credentials that Tomcat should present.  The credentials are not in JKS format, and so currently I'm exporting them to PKCS#12 and writing them out to a location previously specified in server.xml.  The problem is that since Tomcat only seems to load its credentials at startup, the only way to get the new SSL certificate to be used is to restart Tomcat.

Is there a programmatic way to change Tomcat's keystore dynamically so that when I want to update the SSL credentials, I can do so without having to restart the service?  I looked at the HTTP11Connector class, and possibly wrapping/replacing that in my setup, but I couldn't see anything that would allow me to override the current keystore.  Even if I could just override the certificate/key used, that'd be fantastic.

Thanks.

Re: Programmatically updating the keystore Tomcat uses

Posted by Konstantin Kolinko <kn...@gmail.com>.
2011/11/10 Shawn Deer <Sh...@entrust.com>:
> I have a setup in which an instance of Tomcat 6 is running on a given machine, and another application on the same machine generates or updates the SSL credentials that Tomcat should present.  The credentials are not in JKS format, and so currently I'm exporting them to PKCS#12 and writing them out to a location previously specified in server.xml.  The problem is that since Tomcat only seems to load its credentials at startup, the only way to get the new SSL certificate to be used is to restart Tomcat.
>
> Is there a programmatic way to change Tomcat's keystore dynamically so that when I want to update the SSL credentials, I can do so without having to restart the service?  I looked at the HTTP11Connector class, and possibly wrapping/replacing that in my setup, but I couldn't see anything that would allow me to override the current keystore.  Even if I could just override the certificate/key used, that'd be fantastic.

It might be worth trying to stop and then start a connector, e.g. through JMX.
You may try it with jconsole first, without any programming.

(I do not remember whether they are restartable, but it is worth trying).


JMX support is better in Tomcat 7, up to allowing you to create and
configure Tomcat components through JMX.

Also IIRC there might be some hooks in the connector, like using
custom key store provider. YMMV

Best regards,
Konstantin Kolinko
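The JMX approach suggested in the reply, written out as an added example (this is not code from the thread or from the Tomcat project). It connects to a Tomcat JVM that was started with remote JMX enabled, looks up the Connector MBean for the HTTPS port, and, because the reply itself is unsure whether connectors are restartable, first checks the MBean's advertised operations before invoking "stop" and "start". The JMX URL, port 9010, the HTTPS port 8443 and the credentials are assumptions to be replaced with the values of the installation; the "Catalina:type=Connector,port=..." naming is the standard Tomcat MBean name, with a trailing wildcard so a connector bound to a specific address is matched too.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.management.MBeanOperationInfo;
import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Restarts the Tomcat HTTPS connector over JMX so that it re-reads its
 * keystore. Run it AFTER the new PKCS#12 file has been written to the path
 * configured in server.xml. In-flight connections on that port are dropped
 * while the connector is down, so schedule it accordingly.
 */
public class ConnectorRestart {

    public static void main(String[] args) throws Exception {
        // Assumed values: remote JMX on 9010, HTTPS connector on 8443,
        // and a JMX user created in jmxremote.password / jmxremote.access.
        String jmxUrl = "service:jmx:rmi:///jndi/rmi://localhost:9010/jmxrmi";
        int httpsPort = 8443;
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(JMXConnector.CREDENTIALS, new String[] { "jmxadmin", "REPLACE-ME" });

        JMXConnector jmxc = JMXConnectorFactory.connect(new JMXServiceURL(jmxUrl), env);
        try {
            MBeanServerConnection mbsc = jmxc.getMBeanServerConnection();

            // Wildcard pattern so "Catalina:type=Connector,port=8443,address=..." also matches.
            ObjectName pattern = new ObjectName("Catalina:type=Connector,port=" + httpsPort + ",*");
            Set<ObjectName> names = mbsc.queryNames(pattern, null);
            if (names.isEmpty()) {
                throw new IllegalStateException("No connector MBean registered for port " + httpsPort);
            }

            for (ObjectName connector : names) {
                // Only proceed if the MBean actually exposes no-arg stop/start operations;
                // this is the check the reply says it cannot remember the answer to.
                if (!hasNoArgOperation(mbsc, connector, "stop")
                        || !hasNoArgOperation(mbsc, connector, "start")) {
                    System.out.println(connector + " does not expose stop/start; operations are:");
                    for (MBeanOperationInfo op : mbsc.getMBeanInfo(connector).getOperations()) {
                        System.out.println("  " + op.getName());
                    }
                    continue;
                }
                System.out.println("Stopping " + connector);
                mbsc.invoke(connector, "stop", null, null);
                System.out.println("Starting " + connector);
                mbsc.invoke(connector, "start", null, null);
                System.out.println("Connector restarted; it should now serve the updated keystore.");
            }
        } finally {
            jmxc.close();
        }
    }

    /** True if the MBean advertises an operation with the given name and no parameters. */
    static boolean hasNoArgOperation(MBeanServerConnection mbsc, ObjectName name, String opName)
            throws Exception {
        for (MBeanOperationInfo op : mbsc.getMBeanInfo(name).getOperations()) {
            if (op.getName().equals(opName) && op.getSignature().length == 0) {
                return true;
            }
        }
        return false;
    }
}
```

Two points worth checking before relying on this. First, the remote JMX port is an administrative interface that can stop connectors and, in Tomcat 7, create components, so it should be bound to localhost or protected with authentication and SSL rather than started with authentication disabled. Second, after the restart, confirm from the outside which certificate is actually served (for example with a TLS client that prints the peer certificate), rather than assuming the reload took effect.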
