Posted to users@tomcat.apache.org by Christopher Schultz <ch...@christopherschultz.net> on 2018/02/27 22:23:10 UTC

Re: [OT] Tomcat 8.5.X reading cached keystore and password system SSL configurations


Hassan,

On 2/27/18 5:04 PM, Hassan Khan wrote:
> On Tue, Feb 27, 2018 at 4:23 PM, Christopher Schultz <chris@christopherschultz.net> wrote:
> On 2/27/18 3:07 PM, Hassan Khan wrote:
>>>> I have an issue with system variables that are set to make a
>>>> https connection.
> Making an outgoing connection from a web application? Tomcat has
> zero control over those.
> 
>>>> I am setting the following for each https request : 
>>>> System.clearProperty("javax.net.ssl.keyStore"); 
>>>> System.clearProperty("javax.net.ssl.keyStorePassword"); 
>>>> System.setProperty("javax.net.ssl.keyStoreType", "PKCS12"); 
>>>> System.setProperty("javax.net.ssl.keyStore", "star.*.pfx"); 
>>>> System.setProperty("javax.net.ssl.keyStorePassword",
>>>> "Pass");
> 
> For each request? That's probably not going to work.
> 
>> Making a request from the webapp to a Https endpoint. It is a
>> SOAP request. The code successfully creates a TLSv1.2
>> connection.

Thanks for clarifying that. I'm marking this thread as off-topic
because it doesn't really have anything to do with Tomcat at this
point. That doesn't mean we can't still discuss it...

Changing system properties during runtime often does not give the
expected result. Usually, components that rely on system properties
for configuration read those properties a single time and initialize
themselves. Later changes to those properties generally have no effect.

> Are you trying to change the keystore that Tomcat uses for
> *incoming* connections? If so, Tomcat only reinitializes the SSL
> engine (including all key material) when initially configured, or
> explicitly requested to reconfigure.
> 
>> This keystore is what the web-app uses to connect to the Https
>> endpoint. This is not a connector that Tomcat is listening
>> to. It is part of the web-app. The webapp has a UI that takes
>> the keystore path and password and uses it to connect to the
>> endpoint as above.

You would be better off explicitly configuring the code that is making
the connection, rather than changing system properties. What are you
using to make the outgoing connection? HttpURLConnection? Apache
httpclient? Something else? Any decent library should make it possible
to configure it to use whatever keystore (and truststore) you'd like
it to use for outgoing connections.

- -chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
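The explicit per-connection configuration Chris recommends, as an added example that is not code from this thread: the UI-supplied PKCS12 keystore and a separate truststore are loaded into a private SSLContext and applied to one HttpsURLConnection, so the javax.net.ssl.* system properties (read once by the JVM default context) are never touched. The class and method names, file names, passwords and endpoint URL are assumptions.

```java
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Per-connection TLS setup for an outgoing HTTPS (SOAP) call. The key material
 * lives in a private SSLContext, so concurrent requests with different
 * keystores cannot clobber each other, and no system property is mutated.
 */
public final class ExplicitTlsClient {

    static KeyStore loadKeyStore(Path path, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /** Client cert + key from the PKCS12 file the UI collects; CAs from a separate truststore. */
    static SSLContext buildContext(Path keystore, char[] keystorePw,
                                   Path truststore, char[] truststorePw) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore(keystore, "PKCS12", keystorePw), keystorePw);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(loadKeyStore(truststore, "PKCS12", truststorePw));
        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Applies the context to this connection only; hostname verification stays at the JDK default. */
    static HttpsURLConnection open(URL endpoint, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) endpoint.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-Type", "text/xml; charset=utf-8"); // SOAP 1.1
        conn.setDoOutput(true);
        return conn;
    }
}
```

Call `open(new URL("https://soap.example.test/service"), buildContext(Paths.get("client.p12"), pw, Paths.get("truststore.p12"), tpw))` from the request handler with the paths and passwords the UI collected (hypothetical values); the context can be cached per keystore rather than rebuilt on every request.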


Re: [OT] Tomcat 8.5.X reading cached keystore and password system SSL configurations

Posted by Hassan Khan <ha...@gmail.com>.
Thanks a lot for the explanation. You're right. Appreciate it.

On Tue, Feb 27, 2018 at 5:23 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

-- 
Hassan Khan