Hello, I hope this is the right forum for my question. I found a very interesting problem with Tomcat 5.5.23 that does not appear in Tomcat 5.5.17 (bundled with NetBeans 5.5.1).

Imagine that your web application acts as a web-service server and as a web-service client, too. You need SSL client certificate authentication on both the server and the client side. So you need two keys, one for the SSL connector and one for the web-service client. Suppose that you cannot package the two keys in one keystore.

The tomcat.keystore.jks contains the server key for the server side, configured in server.xml in the SSL HTTP/1.1 Connector section, like this:

    <Connector ... scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystorePass="tomcat.keystore.pass" keystoreFile="tomcat.keystore.jks" />

The keystore.jks contains the client key for the client side, configured with command line parameters:

    -Djavax.net.ssl.keyStore=keystore.jks -Djavax.net.ssl.keyStorePassword=keystore.pass

In this case Tomcat cannot open the tomcat.keystore.jks file; the error message is:

    java.io.IOException: Keystore was tampered with, or password was incorrect

So let's look at Bug 38774 (http://issues.apache.org/bugzilla/show_bug.cgi?id=38774) and the source code of the org.apache.tomcat.util.net.jsse.JSSESocketFactory class, the getKeystorePassword() method:

    protected String getKeystorePassword() {
        String keyPass = (String) attributes.get("keypass");
        if (keyPass == null) {
            keyPass = defaultKeyPass;
        }
        String keystorePass = (String) attributes.get("keystorePass");
        if (keystorePass == null) {
            // Bugzilla 38774: http://issues.apache.org/bugzilla/show_bug.cgi?id=38774
            keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
            if (keystorePass == null) {
                keystorePass = keyPass;
            }
        }
        return keystorePass;
    }

It tries to get the keystorePass attribute (this is null, because the keystorePass attribute comes from server.xml as the "keypass" property), then tries to get the system property. And if both are null, it takes the keypass property, which is the good one. So Tomcat tries to open the tomcat.keystore.jks file with the keystore.pass password, which is the password (set as a command line parameter) of the keystore.jks file.

So I think the right way is to check the system property in the last step, when keystorePass and keyPass are both null:

    protected String getKeystorePassword() {
        String keyPass = (String) attributes.get("keypass");
        if (keyPass == null) {
            keyPass = defaultKeyPass;
        }
        String keystorePass = (String) attributes.get("keystorePass");
        if (keystorePass == null) {
            // changed order: the connector's own password first ...
            keystorePass = keyPass;
            if (keystorePass == null) {
                // ... and the system property only as the last resort
                // Bugzilla 38774: http://issues.apache.org/bugzilla/show_bug.cgi?id=38774
                keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
            }
        }
        return keystorePass;
    }

My application works with this patch.

Istvan Viczian
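As an added illustration (not Tomcat's code and not from the mail above), a standalone Java program that reproduces both lookup orders of getKeystorePassword() and then checks whether the resolved password actually opens a JKS keystore built in memory, so an administrator can see which password a connector ends up using. The attribute map, the in-memory keystore and the "changeit" default (assumed here to be Tomcat's defaultKeyPass) are assumptions of this example.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.util.Map;

public class KeystorePassCheck {
    static final String DEFAULT_KEY_PASS = "changeit"; // assumed value of Tomcat's defaultKeyPass
    static final String SYS_PROP = "javax.net.ssl.keyStorePassword";
    // 5.5.23 order: keystorePass attribute, then the system property, then keypass (or its default)
    static String resolve5523(Map<String, String> attrs) {
        String keyPass = attrs.getOrDefault("keypass", DEFAULT_KEY_PASS);
        String keystorePass = attrs.get("keystorePass");
        if (keystorePass == null) keystorePass = System.getProperty(SYS_PROP);
        if (keystorePass == null) keystorePass = keyPass;
        return keystorePass;
    }
    // order proposed in the mail: keystorePass attribute, then keypass (or its default), then the system property
    static String resolveProposed(Map<String, String> attrs) {
        String keyPass = attrs.getOrDefault("keypass", DEFAULT_KEY_PASS);
        String keystorePass = attrs.get("keystorePass");
        if (keystorePass == null) keystorePass = keyPass;
        if (keystorePass == null) keystorePass = System.getProperty(SYS_PROP);
        return keystorePass;
    }
    // constructed sample: an empty JKS keystore protected with storePass
    static byte[] buildKeystore(String storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, storePass.toCharArray());
        return out.toByteArray();
    }
    // a wrong password surfaces as the IOException "Keystore was tampered with, or password was incorrect"
    static boolean opens(byte[] jks, String password) throws Exception {
        try {
            KeyStore.getInstance("JKS").load(new ByteArrayInputStream(jks), password.toCharArray());
            return true;
        } catch (IOException e) {
            System.out.println("load failed: " + e.getMessage());
            return false;
        }
    }
    public static void main(String[] args) throws Exception {
        byte[] serverStore = buildKeystore("tomcat.keystore.pass");
        Map<String, String> attrs = Map.of("keypass", "tomcat.keystore.pass"); // connector value, as the mail describes
        System.setProperty(SYS_PROP, "keystore.pass"); // the client-side -D flag
        System.out.println("5.5.23 order opens server keystore:   " + opens(serverStore, resolve5523(attrs)));
        System.out.println("proposed order opens server keystore: " + opens(serverStore, resolveProposed(attrs)));
    }
}
```

Running it shows the 5.5.23 order resolving to the client-side system property and failing to open the server keystore, while the proposed order resolves to the connector's own password; note that because keyPass falls back to the default, the system property is never reached in the proposed order.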