Posted to users@tomcat.apache.org by Mark Boon <mb...@vmware.com> on 2018/05/02 00:48:03 UTC

Insert key-store implementation into Tomcat Connector

In the Tomcat TLS Connector configuration, there’s the trustManagerClassName that can be set to a Java implementation of the X509TrustManager interface. There’s also a configuration called keystoreFile from which it will read the certificate-key pair to set up the SSL connection. I was wondering if there’s also a way to configure a class that will provide the SSL certificate? My company would like to plug in their own mechanism to store and retrieve certificates, rather than the Java Key Store.

I have seen references to a keystoreProvider, but I have been unable to find anything that provides an example of how that is to be used, so I’m not sure that serves for what I’m looking for.

Any pointer to how that could be accomplished would be highly appreciated.

Mark Boon


Re: Insert key-store implementation into Tomcat Connector

Posted by Mark Boon <mb...@vmware.com>.
Thank you for the information.

Mark Boon

On 5/2/18, 3:35 AM, "Mark Thomas" <ma...@apache.org> wrote:

    On 02/05/18 01:48, Mark Boon wrote:
    > In the Tomcat TLS Connector configuration, there’s the trustManagerClassName that can be set to a Java implementation of the X509TrustManager interface. There’s also a configuration called keystoreFile from which it will read the certificate-key pair to set up the SSL connection. I was wondering if there’s also a way to configure a class that will provide the SSL certificate? My company would like to plug in their own mechanism to store and retrieve certificates, rather than the Java Key Store.
    > 
    > I have seen references to a keystoreProvider, but I have been unable to find anything that provides an example of how that is to be used, so I’m not sure that serves for what I’m looking for.
    > 
    > Any pointer to how that could be accomplished would be highly appreciated.
    
    Writing a custom Keystore provider would be the most portable solution.
    
    https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html
    
    has some pointers.
    
    Mark
    
    ---------------------------------------------------------------------
    To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
    For additional commands, e-mail: users-help@tomcat.apache.org
    
    




Re: Insert key-store implementation into Tomcat Connector

Posted by Mark Thomas <ma...@apache.org>.
On 02/05/18 01:48, Mark Boon wrote:
> In the Tomcat TLS Connector configuration, there’s the trustManagerClassName that can be set to a Java implementation of the X509TrustManager interface. There’s also a configuration called keystoreFile from which it will read the certificate-key pair to set up the SSL connection. I was wondering if there’s also a way to configure a class that will provide the SSL certificate? My company would like to plug in their own mechanism to store and retrieve certificates, rather than the Java Key Store.
> 
> I have seen references to a keystoreProvider, but I have been unable to find anything that provides an example of how that is to be used, so I’m not sure that serves for what I’m looking for.
> 
> Any pointer to how that could be accomplished would be highly appreciated.

Writing a custom Keystore provider would be the most portable solution.

https://docs.oracle.com/javase/8/docs/technotes/guides/security/crypto/HowToImplAProvider.html

has some pointers.

Mark
