Posted to users@tomcat.apache.org by Jon Roberts <jo...@mentata.com> on 2003/09/09 21:49:51 UTC

setting the trust store

I am writing a servlet that connects to remote servers using SSL 
sockets. Although I can create SSL connections to these servers using 
other software, I can't seem to get my servlet to trust the certificate 
in tomcat.

The crux of the problem seems to be that I used a local CA. I import my 
ca certificate into a keystore:

keytool -import -alias myca -keystore /usr/local/tomcat/conf/catrust.jks \
  -trustcacerts -file /tmp/cacert.pem

I use a password of "changeit". Then in the tomcat launch script I have:
 
CATALINA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/catrust.jks -Djavax.net.ssl.trustStorePassword=changeit"
export CATALINA_OPTS

Yet I still get the following thrown from within my servlet:

java.security.cert.CertificateException: Signature verification failed

What could be causing this to fail? As I said, this certificate and CA 
combination works fine for SSL through non-Java clients.

Thanks in advance for any assistance.

Jon Roberts


Re: Running external processes...

Posted by "Christopher St. John" <ck...@distributopia.com>.
Martin Mauri wrote:

> 
> I'm building a webapp with JSP and I need to run an external shell process
> on Linux...I don't know if this is implemented by the Servlet/JSP API, can
> I call it in the normal way like "System.exec()"?? or it won't work?
> 

  It depends on the security settings. Out of the box on Tomcat, it
shouldn't be a problem. Will you be administering the servlet container?

  In any case, I'd recommend writing a quick servlet or JSP that
does a System.exec(), just a "hello world" kind of thing, to get the
hang of it. You need to be careful to do things like drain the output
stream from the process, otherwise it might hang. Permissions and
paths can also be a bit tricky, but a quick google for "System.exec()"
ought to get you some informative hits. Keep in mind when you test
that the final deployment environment could be quite different than
your test environment (different user running Tomcat, different paths,
etc.)

-cks



Running external processes...

Posted by Martin Mauri <mm...@profesi.com.ar>.
Hi,

I'm building a webapp with JSP and I need to run an external shell process
on Linux...I don't know if this is implemented by the Servlet/JSP API, can
I call it in the normal way like "System.exec()"?? or it won't work?

thanks!

Martin


Re: setting the trust store

Posted by Jon Roberts <jo...@mentata.com>.
Problem solved. I was using the same dn for the CA cert as for the 
server cert and I think that's where it was failing.

Jon Roberts
www.mentata.com

Jon Roberts wrote:
> I am writing a servlet that connects to remote servers using SSL 
> sockets. Although I can create SSL connections to these servers using 
> other software, I can't seem to get my servlet to trust the certificate 
> in tomcat.
> 
> The crux of the problem seems to be that I used a local CA. I import my 
> ca certificate into a keystore:
> 
> keytool -import -alias myca -keystore /usr/local/tomcat/conf/catrust.jks 
> -trustcacerts -file /tmp/cacert.pem
> 
> I use a password of "changeit". Then in the tomcat launch script I have:
> 
> CATALINA_OPTS="-Djavax.net.ssl.trustStore=/usr/local/tomcat/conf/catrust.jks 
> -Djavax.net.ssl.trustStorePassword=changeit"
> export CATALINA_OPTS
> 
> Yet I still get the following thrown from within my servlet:
> 
> java.security.cert.CertificateException: Signature verification failed
> 
> What could be causing this to fail? As I said, this certificate and CA 
> combination works fine for SSL through non-Java clients.
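
A diagnostic for the condition described in this thread, as an added example that is not code from any poster: it loads the trust store, prints the server certificate's subject and issuer DNs, flags the case where they are identical, and tests the server certificate's signature against each trusted CA key. The class name TrustCheck and the server certificate file argument are assumptions; the trust store path and password would be the ones given above.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added diagnostic, not from the thread. Usage:
//   java TrustCheck <truststore.jks> <password> <server-cert.pem>
public class TrustCheck {
    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustCheck <truststore.jks> <password> <server-cert.pem>");
            System.exit(2);
        }
        // Load the same JKS file that javax.net.ssl.trustStore points at.
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ts.load(in, args[1].toCharArray());
        }
        // Server certificate exported to a PEM or DER file (path is an assumption).
        X509Certificate server;
        try (InputStream in = new FileInputStream(args[2])) {
            server = (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
        System.out.println("server subject: " + server.getSubjectX500Principal());
        System.out.println("server issuer : " + server.getIssuerX500Principal());
        // Identical DNs make a CA-signed certificate look self-issued to a path validator.
        if (server.getSubjectX500Principal().equals(server.getIssuerX500Principal())) {
            System.out.println("WARNING: subject DN equals issuer DN; certificate looks self-issued");
        }
        boolean verified = false;
        for (String alias : Collections.list(ts.aliases())) {
            if (!ts.isCertificateEntry(alias)) continue;   // skip private key entries
            X509Certificate ca = (X509Certificate) ts.getCertificate(alias);
            boolean dnMatch = ca.getSubjectX500Principal().equals(server.getIssuerX500Principal());
            boolean sigOk = true;
            try {
                server.verify(ca.getPublicKey());          // raw signature check against this CA key
            } catch (GeneralSecurityException e) {
                sigOk = false;
            }
            System.out.printf("anchor %s: issuer DN match=%b, signature verifies=%b%n", alias, dnMatch, sigOk);
            verified |= dnMatch && sigOk;
        }
        System.exit(verified ? 0 : 1);                     // 0 only if some anchor issued the cert
    }
}
```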