Posted to users@tomcat.apache.org by Jon Roberts <jo...@mentata.com> on 2003/09/09 21:49:51 UTC
setting the trust store
I am writing a servlet that connects to remote servers using SSL
sockets. Although I can create SSL connections to these servers using
other software, I can't seem to get my servlet to trust the certificate
in tomcat.
The crux of the problem seems to be that I used a local CA. I import my
ca certificate into a keystore:
keytool -import -alias myca -keystore /usr/local/tomcat/conf/catrust.jks \
    -trustcacerts -file /tmp/cacert.pem
I use a password of "changeit". Then in the tomcat launch script I have:
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/catrust.jks
-Djavax.net.ssl.trustStorePassword=changeit"
export CATALINA_OPTS
Yet I still get the following thrown from within my servlet:
java.security.cert.CertificateException: Signature verification failed
What could be causing this to fail? As I said, this certificate and CA
combination works fine for SSL through non-Java clients.
Thanks in advance for any assistance.
Jon Roberts
Re: Running external processes...
Posted by "Christopher St. John" <ck...@distributopia.com>.
Martin Mauri wrote:
>
> I'm building a webapp with JSP and I need to run an external shell process
> on Linux...I don't know if this is implemented by the Servlet/JSP API, can
> I call it in the normal way like "System.exec()"?? or it won't work?
>
It depends on the security settings. Out of the box on Tomcat, it
shouldn't be a problem. Will you be administering the servlet container?
In any case, I'd recommend writing a quick servlet or JSP that
does a System.exec(), just a "hello world" kind of thing, to get the
hang of it. You need to be careful to do things like drain the output
stream from the process, otherwise it might hang. Permissions and
paths can also be a bit tricky, but a quick google for "System.exec()"
ought to get you some informative hits. Keep in mind when you test
that the final deployment environment could be quite different than
your test environment (different user running Tomcat, different paths,
etc.)
-cks
Running external processes...
Posted by Martin Mauri <mm...@profesi.com.ar>.
Hi,
I'm building a webapp with JSP and I need to run an external shell process
on Linux...I don't know if this is implemented by the Servlet/JSP API, can
I call it in the normal way like "System.exec()"?? or it won't work?
thanks!
Martin
Re: setting the trust store
Posted by Jon Roberts <jo...@mentata.com>.
Problem solved. I was using the same dn for the CA cert as for the
server cert and I think that's where it was failing.
Jon Roberts
www.mentata.com
Jon Roberts wrote:
> I am writing a servlet that connects to remote servers using SSL
> sockets. Although I can create SSL connections to these servers using
> other software, I can't seem to get my servlet to trust the certificate
> in tomcat.
>
> The crux of the problem seems to be that I used a local CA. I import my
> ca certificate into a keystore:
>
> keytool -import -alias myca -keystore /usr/local/tomcat/conf/catrust.jks \
>     -trustcacerts -file /tmp/cacert.pem
>
> I use a password of "changeit". Then in the tomcat launch script I have:
>
> CATALINA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/catrust.jks
> -Djavax.net.ssl.trustStorePassword=changeit"
> export CATALINA_OPTS
>
> Yet I still get the following thrown from within my servlet:
>
> java.security.cert.CertificateException: Signature verification failed
>
> What could be causing this to fail? As I said, this certificate and CA
> combination works fine for SSL through non-Java clients.
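
A check for the condition reported in the resolution above (CA certificate and server certificate sharing one DN), which can be run on the two PEM files before the CA is imported with keytool. This is an added example, not code from the thread; it assumes the openssl command-line tool is installed, and every DN, file name and function name in it is constructed for the demo.

```sh
#!/bin/sh
# Constructed demo: all DNs, file names and function names are made up here.
# Assumes the openssl command-line tool is installed.

# subject_dn FILE / issuer_dn FILE: print one DN of a PEM certificate (RFC 2253 form).
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# check_pair CA LEAF: print COLLISION when the leaf reuses the CA's subject DN
# (its issuer and subject are then identical, like a self-signed certificate),
# MISMATCH when the leaf was not issued under the CA's name, otherwise OK.
check_pair() {
    ca=$(subject_dn "$1"); leaf=$(subject_dn "$2"); iss=$(issuer_dn "$2")
    # An unreadable file yields an empty DN; never report that as a match.
    [ -n "$ca" ] && [ -n "$leaf" ] || { echo ERROR; return 1; }
    if [ "$leaf" = "$ca" ]; then echo COLLISION
    elif [ "$iss" != "$ca" ]; then echo MISMATCH
    else echo OK
    fi
}

# make_leaf DIR NAME SUBJ: issue a one-day leaf certificate from the demo CA in DIR.
make_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "$3" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$2.pem" 2>/dev/null
}

# make_demo_pki DIR: a throwaway CA plus one leaf that copies the CA's DN
# and one leaf with its own DN.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=Example Org/CN=demo.example" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null &&
    make_leaf "$1" same "/O=Example Org/CN=demo.example" &&
    make_leaf "$1" distinct "/O=Example Org/CN=server.demo.example"
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" && {
        echo "leaf reusing the CA DN: $(check_pair "$dir/ca.pem" "$dir/same.pem")"
        echo "leaf with its own DN:   $(check_pair "$dir/ca.pem" "$dir/distinct.pem")"
    }
    rm -rf "$dir"
}
demo
```

Outside the demo, call `check_pair` with the CA file (such as the `/tmp/cacert.pem` from the original post) and the remote server's certificate exported to PEM.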