Posted to users@tomcat.apache.org by Ian Pilcher <ar...@gmail.com> on 2013/02/19 21:19:39 UTC

Where to put resources required by library class

I am writing a custom SSLSocketFactory for use with the PostgreSQL JDBC
driver.  This custom factory will allow the administrator to specify the
CA certificate used to validate the PostgreSQL server's SSL certificate,
on a per-datasource basis.

Assuming that my SSLSocketFactory will be installed as a library (in
$CATALINA_HOME/lib), what is the proper place in the Tomcat directory
hierarchy to put the CA certificate(s) that it uses?

Thanks!

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Where to put resources required by library class

Posted by Ian Pilcher <ar...@gmail.com>.
On 02/21/2013 10:41 PM, Christopher Schultz wrote:
> Short of putting it into the "endorsed" directory, you should put it
> into CATALINA_BASE/lib, right alongside of your JDBC library.

OK.  I sort of figured that, although it feels a bit weird to have a
certificate sitting there along with all the JAR files.  I suppose there
isn't any reason that I couldn't put it in a subdirectory.  This would
make particular sense if I had more than one certificate (for different
database servers).

> I'm surprised that the PostgreSQL JDBC driver doesn't offer the
> ability to set the trust store for its SSL connections.

Not directly.  Its interface for customization is, to be generous,
limited.

> For example, MySQL's Connector/J supports the
> "trustCertificateKeyStoreURL" connection property which lets you
> specify an alternate trust store
> (http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-configuration-properties.html).
> I couldn't find any documentation whatsoever for PostgreSQL's JDBC
> driver and the properties it supports. Not even a brief configuration
> reference on the website. Shame.

The JDBC driver is maintained as a separate project, and it has its
own web site -- http://jdbc.postgresql.org.  The documentation on
customizing its SSL behavior is here:

  http://jdbc.postgresql.org/documentation/head/ssl-factory.html

> Just curious: how do you expect to install your SSLSocketFactory?

Funny you should ask.  I've spent my spare time over the last few days
figuring that out, and here's what I've come up with:

<Resource name="myca" auth="Container"
          type="java.security.cert.X509Certificate"
          factory="net.selfip.icp.pgssl.TomcatContextX509CertFactory"
          cert="/usr/share/tomcat/conf/rhev-ca.pem"/>

<Resource name="jdbc/postgres/mydb" auth="Container"
          type="javax.sql.DataSource"
          driverClassName="org.postgresql.Driver"
          url="jdbc:postgresql://foo.bar.baz/mydb"
          username="billme" password="*************"
          factory="org.apache.commons.dbcp.BasicDataSourceFactory"
          connectionProperties="ssl=true;sslfactory=net.selfip.icp.pgssl.PgSSLSocketFactory;sslfactoryarg=java:comp/env/myca"/>

I had to write the TomcatContextX509CertFactory, which makes the
certificate specified by the "cert" attribute available via JNDI.  (I'll
probably change this to load it as a resource, rather than from an absolute
file path.)  Then I pass the JNDI name of the certificate as the
"sslfactoryarg" connection property.

I think it's actually a pretty elegant solution to the limitations of
the driver.  (Although it would be nice if I could include the
TomcatContextX509CertFactory and PgSSLSocketFactory classes in my WAR
file, rather than having to install them in the main Tomcat library
directory.  You don't know of a way to do this do you?  It seems that
nothing within the webapp is visible to the common classloader.)

Thanks!

-- 
========================================================================
Ian Pilcher                                         arequipeno@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================


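The two classes named in the <Resource> configuration above are not posted in the thread. The following is an added illustration (not Ian's code, and not part of the pgjdbc project) of how a JNDI ObjectFactory can expose a PEM certificate under java:comp/env, and how an SSLSocketFactory handed that JNDI name through sslfactoryarg can build a trust store containing only that CA. The package name and class names are taken from the posted configuration; the method bodies, the "ca" alias and the choice of delegating to an SSLContext are assumptions. Each class would go in its own source file.

```java
package net.selfip.icp.pgssl; // package taken from the posted <Resource> config

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Hashtable;

import javax.naming.Context;
import javax.naming.InitialContext;
import javax.naming.Name;
import javax.naming.RefAddr;
import javax.naming.Reference;
import javax.naming.spi.ObjectFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

// File 1: TomcatContextX509CertFactory.java (illustrative implementation).
// Tomcat calls getObjectInstance() with a Reference carrying the <Resource>
// attributes; the "cert" attribute is parsed into an X509Certificate, which is
// the object bound at java:comp/env/<resource name>.
public class TomcatContextX509CertFactory implements ObjectFactory {
    @Override
    public Object getObjectInstance(Object obj, Name name, Context nameCtx,
                                    Hashtable<?, ?> environment) throws Exception {
        if (!(obj instanceof Reference)) {
            return null; // not a Reference for us; let JNDI try other factories
        }
        RefAddr addr = ((Reference) obj).get("cert");
        if (addr == null || addr.getContent() == null) {
            throw new IllegalArgumentException("Resource " + name + " needs a cert attribute");
        }
        String path = addr.getContent().toString();
        try (InputStream in = new FileInputStream(path)) {
            // CertificateFactory accepts PEM (-----BEGIN CERTIFICATE-----) or DER input
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }
}

// File 2: PgSSLSocketFactory.java (illustrative implementation).
// pgjdbc instantiates the class named in "sslfactory" with the String value of
// "sslfactoryarg", here the JNDI name of the certificate, so the constructor
// must take a single String. Every createSocket() call is delegated to a
// factory from an SSLContext whose only trust anchor is that one CA.
public class PgSSLSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public PgSSLSocketFactory(String jndiName) throws Exception {
        X509Certificate ca = (X509Certificate) new InitialContext().lookup(jndiName);
        // An in-memory trust store holding only the per-datasource CA: the server
        // chain must validate against this CA and nothing in the JVM default cacerts.
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("ca", ca); // alias "ca" is an arbitrary choice
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material
        delegate = ctx.getSocketFactory();
    }

    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }

    // pgjdbc wraps its already-connected plain socket with this overload
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException {
        return delegate.createSocket(s, host, port, autoClose);
    }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException {
        return delegate.createSocket(host, port, localHost, localPort);
    }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress address, int port,
                                         InetAddress localAddress, int localPort) throws IOException {
        return delegate.createSocket(address, port, localAddress, localPort);
    }
}
```

Two points worth checking when wiring this up: the JNDI lookup in the constructor only succeeds on a thread that has the web application's java:comp/env context bound (the connection is opened by pgjdbc on the caller's thread, so a lookup from a request thread works, while a connection opened from a thread Tomcat does not manage would not find the name); and a trust manager built this way only validates the certificate chain, so hostname matching still has to be requested from the driver separately (pgjdbc's sslmode connection property), otherwise any server certificate issued by that CA would be accepted.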


Re: Where to put resources required by library class

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Ian,

On 2/19/13 3:19 PM, Ian Pilcher wrote:
> I am writing a custom SSLSocketFactory for use with the PostgreSQL
> JDBC driver.  This custom factory will allow the administrator to
> specify the CA certificate used to validate the PostgreSQL server's
> SSL certificate, on a per-datasource basis.
> 
> Assuming that my SSLSocketFactory will be installed as a library
> (in $CATALINA_HOME/lib), what is the proper place in the Tomcat
> directory hierarchy to put the CA certificate(s) that it uses?

Short of putting it into the "endorsed" directory, you should put it
into CATALINA_BASE/lib, right alongside of your JDBC library.

I'm surprised that the PostgreSQL JDBC driver doesn't offer the
ability to set the trust store for its SSL connections.

For example, MySQL's Connector/J supports the
"trustCertificateKeyStoreURL" connection property which lets you
specify an alternate trust store
(http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-configuration-properties.html).
I couldn't find any documentation whatsoever for PostgreSQL's JDBC
driver and the properties it supports. Not even a brief configuration
reference on the website. Shame.

Perhaps the proper documentation can be found within the download package.

Just curious: how do you expect to install your SSLSocketFactory?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEAREIAAYFAlEm9wUACgkQ9CaO5/Lv0PAEsgCgrBGC9oWmJtP4Bn76uOK187GR
k08An0ciczgDZMpbdwods9sokjERq58x
=+qvk
-----END PGP SIGNATURE-----
