Re: using default cacerts AND custom keystore
Anything related to SSL, key stores, trust stores, X509 certificates, etc. will do that to you!

On Mon, Feb 19, 2018 at 9:16 AM, Chris Cheshire wrote:
> On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz wrote:
> > Chris,
> >
> > On 2/14/18 3:34 PM, Chris Cheshire wrote:
> >> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas wrote:
> >>> On 14/02/18 17:17, Chris Cheshire wrote:
> >>>> I am trying to set up my webapp to connect to an external
> >>>> database via ssl. The database uses a self-signed certificate.
> >>>> I have created a keystore with the self-signed CA and the
> >>>> client key & cert. This keystore is configured via JAVA_OPTS in
> >>>> setenv.sh
> >>>>
> >>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
> >>>> -Djavax.net.ssl.keyStorePassword=password \
> >>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
> >>>> -Djavax.net.ssl.trustStorePassword=password"
> >>>>
> >>>> This allows me to connect to the database without a problem.
> >>>> However now I cannot connect to any external web service
> >>>> because their certs will no longer validate.
> >>>>
> >>>> How do I configure tomcat such that the default cacerts is used
> >>>> in addition to my self-signed certificates without importing
> >>>> those into the default keystore (which is a Bad Idea™)?
> >>>
> >>> This is nothing to do with Tomcat. Tomcat plays no role in
> >>> out-going TLS connections.
> >>>
> >>> The short answer is rather than using system properties, you
> >>> should set the keystore and truststore programmatically so they
> >>> apply just to the database connections rather than globally.
> >>>
> >>
> >> So after a bit of digging [1,2] I found that this is achieved by
> >> adding the following parameters to the mysql jdbc url in the
> >> resource definition:
> >>
> >> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> clientCertificateKeyStorePassword=password
> >> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> >> trustCertificateKeyStorePassword=changeit
> >>
> >> Note that [2] has a couple of errors. A) it specifies
> >> clientCertificateKeyStore[Url|Password] in lieu of trustStore
> >> system property, that should be
> >> trustCertificateKeyStore[Url|Password]. B) it specifies
> >> the urls in the form file:path_to_truststore_file, that is also
> >> incorrect, it should be file://path_to_truststore_file (which will
> >> give a triple slash if an absolute path is used).
> >>
> >> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> >> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
> >
> > It might depend upon the version of Connector/J you are using. For
> > example, I have this in my connection URL:
> >
> > '...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'
> >
> > Only a single leading / for an absolute path in my case, and it works
> > as expected.
> >
> > The use of file:// was a historical mistake web browser users made,
> > thinking that // was necessary between the protocol and anything after
> > it. It was never the case, and any software requiring a URL like
> > file:/// should be considered broken.
> >
> > -chris
>
> So I went back to retest everything to make sure I wasn't going crazy,
> and it turns out that I actually am. It really is working as expected
> without the double slash (and with). I guess I went cross-eyed looking
> at the error logs after so many attempts trying to get this working
> initially.
>
> Chris
>
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
Re: using default cacerts AND custom keystore
On Fri, Feb 16, 2018 at 2:11 PM, Christopher Schultz wrote:
> Chris,
>
> On 2/14/18 3:34 PM, Chris Cheshire wrote:
>> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas wrote:
>>> On 14/02/18 17:17, Chris Cheshire wrote:
>>>> I am trying to set up my webapp to connect to an external
>>>> database via ssl. The database uses a self-signed certificate.
>>>> I have created a keystore with the self-signed CA and the
>>>> client key & cert. This keystore is configured via JAVA_OPTS in
>>>> setenv.sh
>>>>
>>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>>>> -Djavax.net.ssl.keyStorePassword=password \
>>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>>> -Djavax.net.ssl.trustStorePassword=password"
>>>>
>>>> This allows me to connect to the database without a problem.
>>>> However now I cannot connect to any external web service
>>>> because their certs will no longer validate.
>>>>
>>>> How do I configure tomcat such that the default cacerts is used
>>>> in addition to my self-signed certificates without importing
>>>> those into the default keystore (which is a Bad Idea™)?
>>>
>>> This is nothing to do with Tomcat. Tomcat plays no role in
>>> out-going TLS connections.
>>>
>>> The short answer is rather than using system properties, you
>>> should set the keystore and truststore programmatically so they
>>> apply just to the database connections rather than globally.
>>>
>>
>> So after a bit of digging [1,2] I found that this is achieved by
>> adding the following parameters to the mysql jdbc url in the
>> resource definition:
>>
>> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
>> clientCertificateKeyStorePassword=password
>> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
>> trustCertificateKeyStorePassword=changeit
>>
>> Note that [2] has a couple of errors. A) it specifies
>> clientCertificateKeyStore[Url|Password] in lieu of trustStore
>> system property, that should be
>> trustCertificateKeyStore[Url|Password]. B) it specifies
>> the urls in the form file:path_to_truststore_file, that is also
>> incorrect, it should be file://path_to_truststore_file (which will
>> give a triple slash if an absolute path is used).
>>
>> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
>> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
>
> It might depend upon the version of Connector/J you are using. For
> example, I have this in my connection URL:
>
> '...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'
>
> Only a single leading / for an absolute path in my case, and it works
> as expected.
>
> The use of file:// was a historical mistake web browser users made,
> thinking that // was necessary between the protocol and anything after
> it. It was never the case, and any software requiring a URL like
> file:/// should be considered broken.
>
> -chris

So I went back to retest everything to make sure I wasn't going crazy,
and it turns out that I actually am. It really is working as expected
without the double slash (and with). I guess I went cross-eyed looking
at the error logs after so many attempts trying to get this working
initially.

Chris
Re: using default cacerts AND custom keystore
Chris,

On 2/14/18 3:34 PM, Chris Cheshire wrote:
> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas wrote:
>> On 14/02/18 17:17, Chris Cheshire wrote:
>>> I am trying to set up my webapp to connect to an external
>>> database via ssl. The database uses a self-signed certificate.
>>> I have created a keystore with the self-signed CA and the
>>> client key & cert. This keystore is configured via JAVA_OPTS in
>>> setenv.sh
>>>
>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>>> -Djavax.net.ssl.keyStorePassword=password \
>>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>> -Djavax.net.ssl.trustStorePassword=password"
>>>
>>> This allows me to connect to the database without a problem.
>>> However now I cannot connect to any external web service
>>> because their certs will no longer validate.
>>>
>>> How do I configure tomcat such that the default cacerts is used
>>> in addition to my self-signed certificates without importing
>>> those into the default keystore (which is a Bad Idea™)?
>>
>> This is nothing to do with Tomcat. Tomcat plays no role in
>> out-going TLS connections.
>>
>> The short answer is rather than using system properties, you
>> should set the keystore and truststore programmatically so they
>> apply just to the database connections rather than globally.
>>
>
> So after a bit of digging [1,2] I found that this is achieved by
> adding the following parameters to the mysql jdbc url in the
> resource definition:
>
> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> clientCertificateKeyStorePassword=password
> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> trustCertificateKeyStorePassword=changeit
>
> Note that [2] has a couple of errors. A) it specifies
> clientCertificateKeyStore[Url|Password] in lieu of trustStore
> system property, that should be
> trustCertificateKeyStore[Url|Password]. B) it specifies
> the urls in the form file:path_to_truststore_file, that is also
> incorrect, it should be file://path_to_truststore_file (which will
> give a triple slash if an absolute path is used).
>
> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

It might depend upon the version of Connector/J you are using. For
example, I have this in my connection URL:

'...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'

Only a single leading / for an absolute path in my case, and it works
as expected.

The use of file:// was a historical mistake web browser users made,
thinking that // was necessary between the protocol and anything after
it. It was never the case, and any software requiring a URL like
file:/// should be considered broken.

-chris
Re: using default cacerts AND custom keystore
On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in setenv.sh
>>
>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.keyStorePassword=password \
>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.trustStorePassword=password"
>>
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>>
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
>
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> connections.
>
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.
>

So after a bit of digging [1,2] I found that this is achieved by adding
the following parameters to the mysql jdbc url in the resource definition:

clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
clientCertificateKeyStorePassword=password
trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
trustCertificateKeyStorePassword=changeit

Note that [2] has a couple of errors. A) it specifies
clientCertificateKeyStore[Url|Password] in lieu of trustStore system
property, that should be trustCertificateKeyStore[Url|Password]. B) it
specifies the urls in the form file:path_to_truststore_file, that is
also incorrect, it should be file://path_to_truststore_file (which will
give a triple slash if an absolute path is used).

[1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
[2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

Hope this helps someone else that happens to read the archives.
Re: using default cacerts AND custom keystore
On 14/02/18 17:17, Chris Cheshire wrote:
> I am trying to set up my webapp to connect to an external database via
> ssl. The database uses a self-signed certificate. I have created a
> keystore with the self-signed CA and the client key & cert. This
> keystore is configured via JAVA_OPTS in setenv.sh
>
> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
> -Djavax.net.ssl.keyStorePassword=password \
> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
> -Djavax.net.ssl.trustStorePassword=password"
>
> This allows me to connect to the database without a problem. However
> now I cannot connect to any external web service because their certs
> will no longer validate.
>
> How do I configure tomcat such that the default cacerts is used in
> addition to my self-signed certificates without importing those into
> the default keystore (which is a Bad Idea™)?

This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
connections.

The short answer is rather than using system properties, you should set
the keystore and truststore programmatically so they apply just to the
database connections rather than globally.

Mark
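Mark's advice above (set the keystore and truststore programmatically so they apply only to the database connections) and Chris's later Connector/J URL parameters both avoid the root problem in the original post: `-Djavax.net.ssl.trustStore` replaces the JVM-wide default truststore rather than adding to it, so every other TLS client in Tomcat loses cacerts. The class below is an added example, not code from the thread, Tomcat or Connector/J. It builds one SSLContext whose trust is the private truststore, optionally unioned with the JVM default cacerts, and whose client certificate comes from the private keystore, without touching any system property. The class and method names (ScopedTls, UnionTrustManager, loadKeyStore, trustManagerFor, socketFactory) are mine; the JKS type and the `$CATALINA_BASE/conf/mysql.jks` paths are taken from the thread, and the passwords in the usage line are placeholders.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example: an SSLContext scoped to ONE set of connections. The
 * javax.net.ssl.* system properties are never set, so every other TLS
 * client in the JVM keeps the stock cacerts trust.
 */
public final class ScopedTls {

    /** Accepts a chain if ANY delegate trust manager accepts it. */
    static final class UnionTrustManager implements X509TrustManager {
        private interface Check { void run(X509TrustManager tm) throws CertificateException; }
        private final List<X509TrustManager> delegates;

        UnionTrustManager(List<X509TrustManager> delegates) { this.delegates = delegates; }

        @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            anyAccepts(tm -> tm.checkClientTrusted(chain, authType));
        }

        @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
                throws CertificateException {
            anyAccepts(tm -> tm.checkServerTrusted(chain, authType));
        }

        @Override public X509Certificate[] getAcceptedIssuers() {
            List<X509Certificate> issuers = new ArrayList<>();
            for (X509TrustManager tm : delegates) issuers.addAll(Arrays.asList(tm.getAcceptedIssuers()));
            return issuers.toArray(new X509Certificate[0]);
        }

        // Fail only when every delegate rejects the chain; rethrow the last rejection.
        private void anyAccepts(Check check) throws CertificateException {
            CertificateException last = new CertificateException("no trust managers configured");
            for (X509TrustManager tm : delegates) {
                try { check.run(tm); return; } catch (CertificateException e) { last = e; }
            }
            throw last;
        }
    }

    /** Loads a keystore file; "JKS" matches the thread's mysql.jks, use "PKCS12" for a .p12. */
    static KeyStore loadKeyStore(String type, String path, char[] password)
            throws GeneralSecurityException, IOException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) { ks.load(in, password); }
        return ks;
    }

    /** A null KeyStore makes the factory use the JVM default truststore (cacerts). */
    static X509TrustManager trustManagerFor(KeyStore ks) throws GeneralSecurityException {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        }
        throw new IllegalStateException("no X509TrustManager from " + tmf.getAlgorithm());
    }

    /**
     * alsoTrustDefaultCacerts=false gives Mark's scoped setup (DB sockets trust only the
     * private CA); true answers the subject line literally, cacerts AND the private CA.
     */
    public static SSLSocketFactory socketFactory(String keyStorePath, char[] keyStorePassword,
                                                 String trustStorePath, char[] trustStorePassword,
                                                 boolean alsoTrustDefaultCacerts)
            throws GeneralSecurityException, IOException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(loadKeyStore("JKS", keyStorePath, keyStorePassword), keyStorePassword);

        List<X509TrustManager> trust = new ArrayList<>();
        trust.add(trustManagerFor(loadKeyStore("JKS", trustStorePath, trustStorePassword)));
        if (alsoTrustDefaultCacerts) trust.add(trustManagerFor(null));

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), new TrustManager[] { new UnionTrustManager(trust) }, null);
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Placeholder passwords; the paths are the ones from the thread.
        String base = System.getProperty("catalina.base", ".");
        SSLSocketFactory dbOnly = socketFactory(base + "/conf/mysql.jks", "password".toCharArray(),
                                                base + "/conf/mysql.jks", "changeit".toCharArray(), false);
        System.out.println("scoped factory ready: " + dbOnly.getClass().getName());
    }
}
```

Two caveats a practitioner should keep in mind. First, the union is a widening of trust: a chain that validates against either store is accepted, so hand the `false` variant to the database client and leave web-service calls on the JVM default context, which is exactly the scoping Mark recommends (Connector/J's `trustCertificateKeyStoreUrl` and friends from later in the thread achieve the same scoping without writing code). Second, an SSLSocketFactory says nothing about hostnames; `HttpsURLConnection.setSSLSocketFactory` still applies its own hostname verifier, but if you open raw `SSLSocket`s from this factory you must call `SSLParameters.setEndpointIdentificationAlgorithm("HTTPS")` on the socket yourself, or a valid certificate for the wrong host will be accepted.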