Posted to users@tomcat.apache.org by Ma...@swissre.com on 2012/09/19 08:40:29 UTC

configured truststore ignored by tomcat

Hi all, 
I have a tomcat 6.0.35 that needs to connect to a remote server using 
https, so it is acting as a https client: it means that tomcat must have 
the remote server certificate installed.

The ideal solution I found is to configure the truststore in the 
server.xml.

Please see the following:

 <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="keystore/keystore.p12"
               keystoreType="pkcs12"
               keystorePass="<password>"
               truststoreFile="keystore/truststore.p12"
               truststoreType="pkcs12"
               truststorePass="<password>"
               clientAuth="optional" sslProtocol="TLS" />

So, I configured the truststore and the server.xml.

After restarting tomcat I got an ssl exception 

sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

Enabling the property javax.net.debug I could see that tomcat is simply 
ignoring the truststore I configured.

Let me add that I tried also with no luck to change the truststore format 
to jks. I add also that the remote server cert is inside the truststore 
since I can see it with keytool.

Do you know why? What else could I check? 

Regards


Marco


Re: configured truststore ignored by tomcat

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Dan,

On 9/19/12 10:33 AM, Daniel Mikusa wrote:
> On Sep 19, 2012, at 2:40 AM, Marco_Strullato@swissre.com wrote:
> 
>> Hi all, I have a tomcat 6.0.35 that needs to connect to a remote
>> server using https, so it is acting as a https client: it means
>> that tomcat must have the remote server certificate installed.
>> 
>> The ideal solution I found is to configure the truststore in the
>>  server.xml.
>> 
>> Please see the following:
>> 
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" 
>> maxThreads="150" scheme="https" secure="true" 
>> keystoreFile="keystore/keystore.p12" keystoreType="pkcs12" 
>> keystorePass="<password>" 
>> truststoreFile="keystore/truststore.p12" truststoreType="pkcs12" 
>> truststorePass="<password>" clientAuth="optional"
>> sslProtocol="TLS" />
>> 
>> So, I configured the truststore and the server.xml.
> 
> This will configure the keystore / truststore used by the
> Connector. It does not configure the keystore / truststore used by
> the JVM for making HTTPS client requests.

+1

>> After restarting tomcat I got an ssl exception
>> 
>> sun.security.validator.ValidatorException: PKIX path building
>> failed: 
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>> 
>> Enabling the property javax.net.debug I could see that tomcat is
>> simply ignoring the truststore I configured.
>> 
>> Let me add that I tried also with no luck to change the
>> truststore format to jks. I add also that the remote server cert
>> is inside the truststore since I can see it with keytool.
>> 
>> Do you know why? What else could I check?
> 
> See explanation above.  Here is an example.  The trick is to set
> the "javax.net.ssl.trustStore" and
> "javax.net.ssl.trustStorePassword" system properties.
> 
> http://www.exampledepot.com/egs/javax.net.ssl/client.html
> 
> or you could disable validation altogether.  Not something you'd
> want to do for a production site though.
> 
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Better yet, configure the library (httpclient?) directly to use the
truststore of your choosing: there's no need to set the trust store
for the entire JVM (also, it makes your application more configurable
IMO).

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: configured truststore ignored by tomcat

Posted by Daniel Mikusa <dm...@vmware.com>.
On Sep 19, 2012, at 2:40 AM, Marco_Strullato@swissre.com wrote:

> Hi all, 
> I have a tomcat 6.0.35 that needs to connect to a remote server using 
> https, so it is acting as a https client: it means that tomcat must have 
> the remote server certificate installed.
> 
> The ideal solution I found is to configure the truststore in the 
> server.xml.
> 
> Please see the following:
> 
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>               maxThreads="150" scheme="https" secure="true"
>               keystoreFile="keystore/keystore.p12"
>               keystoreType="pkcs12"
>               keystorePass="<password>"
>               truststoreFile="keystore/truststore.p12"
>               truststoreType="pkcs12"
>               truststorePass="<password>"
>               clientAuth="optional" sslProtocol="TLS" />
> 
> So, I configured the truststore and the server.xml.

This will configure the keystore / truststore used by the Connector.  It does not configure the keystore / truststore used by the JVM for making HTTPS client requests.

> 
> After restarting tomcat I got an ssl exception 
> 
> sun.security.validator.ValidatorException: PKIX path building failed: 
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target
> 
> Enabling the property javax.net.debug I could see that tomcat is simply 
> ignoring the truststore I configured.
> 
> Let me add that I tried also with no luck to change the truststore format 
> to jks. I add also that the remote server cert is inside the truststore 
> since I can see it with keytool.
> 
> Do you know why? What else could I check? 

See explanation above.  Here is an example.  The trick is to set the "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" system properties.

   http://www.exampledepot.com/egs/javax.net.ssl/client.html

or you could disable validation altogether.  Not something you'd want to do for a production site though.

   http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Dan

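An added example, not code from any poster in this thread, of the two fixes suggested above: the per-connection approach Chris recommends (an SSLContext built from the same PKCS12 truststore the Connector points at, attached to a single HttpsURLConnection so the JVM default trust is untouched), with Dan's JVM-wide system-property alternative shown in a comment. The remote host name is a placeholder; the truststore path and the "<password>" placeholder are the ones from the server.xml in the original post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class OutboundTrustStore {

    // Build a socket factory whose trust anchors come only from the given
    // truststore file; the JVM-wide default (cacerts) is left untouched.
    static SSLSocketFactory socketFactoryFor(String path, String type, char[] pass)
            throws Exception {
        KeyStore trust = KeyStore.getInstance(type);      // "pkcs12" or "jks"
        InputStream in = new FileInputStream(path);
        try {
            trust.load(in, pass);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No client key material (null KeyManagers), default SecureRandom.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Same truststore the Connector in server.xml points at; the remote
        // host name "remote.example" is a placeholder.
        SSLSocketFactory sf =
            socketFactoryFor("keystore/truststore.p12", "pkcs12", "<password>".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://remote.example/").openConnection();
        conn.setSSLSocketFactory(sf);   // scoped to this connection only
        System.out.println("HTTP " + conn.getResponseCode());
        // Without setSSLSocketFactory the connection falls back to the JVM
        // default truststore and fails with "PKIX path building failed" when
        // the remote certificate is not in cacerts. Dan's JVM-wide alternative
        // is to start Tomcat with:
        //   -Djavax.net.ssl.trustStore=keystore/truststore.p12
        //   -Djavax.net.ssl.trustStoreType=pkcs12
        //   -Djavax.net.ssl.trustStorePassword=<password>
    }
}
```

The same socket factory can be handed to an HTTP client library instead of HttpsURLConnection; the point is that the trust decision lives with the outbound client, not with the Connector that serves inbound requests.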

