Hi there,

I'm having trouble with an interesting problem.

I have a keystore and a truststore set up, both as pkcs12 stores. I'm telling tomcat about the keystore by something like the following code (I actually do it in Spring, and so I've translated it into plain Java code here for simplicity)

connector.setAttribute("keystoreFile", "c:\\tomcatEmbedded\\keystore.p12"); // backslashes escaped: "\t" in a Java literal would be a tab
connector.setAttribute("keystorePass", "secret");
connector.setAttribute("keystoreType", "PKCS12");

and similarly to set up the trust store, I'm doing the following:

connector.setAttribute("truststoreFile", "c:\\tomcatEmbedded\\truststore.p12"); // backslashes escaped as above
connector.setAttribute("truststorePass", "secret");
connector.setAttribute("truststoreType", "PKCS12");

The problem I have here is that Tomcat (I suspect it's not tomcat, but something in J2SE, or the way tomcat uses JSSE, or even the way I've got my env set up - I'll explain in a minute) loves the keystore, but is a right snob about the truststore. It simply refuses to acknowledge its existence.

Actually, I've lied - I have set up a different type of truststore. It's a JKS store, and when I use the following code to initialise the truststore, things start to work again:

connector.setAttribute("truststoreFile", "c:\\tomcatEmbedded\\truststore.jks"); // backslashes escaped as above
connector.setAttribute("truststorePass", "changeit");
connector.setAttribute("truststoreType", "JKS");

The key point here is that initialising the truststore as a PKCS12 store simply does not work.

Some more information: if I set a system property as such: -Djavax.net.debug=all, I can actually see the trusted certificates being loaded up as tomcat starts up. I mean, I can see all the certs in the trust store being loaded up when it's a JKS store. When it's a PKCS12 store, it ignores them. Very rude.

Further, if I set the trust store through the javax.net.ssl.trustStore* properties (JKS or PKCS12), things go a bit wrong with a message like "java.io.IOException: DerInputStream.getLength(): length Tag=109" - I don't know what the hell this means, but from what I have been able to glean from a bit of googling, this happens because of the Tomcat classloader hierarchy - I think. Which is probably why we have the setAttribute() method on the connector.

I'm interested in knowing if anyone has had a similar problem / experience, and knows of any way I can use a PKCS12 store as a trust store.

I'm using Java 1.5.0_03, Tomcat 5.5.9 embedded.

Many thanks,
Nigel
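Added diagnostic, not part of Nigel's post or of Tomcat: a small stand-alone Java program that loads a store file with the same type and password the connector attributes would pass, lists what kind of entries it actually contains, and then initialises a TrustManagerFactory from it to see how many issuers JSSE would accept. Running it once against the .p12 and once against the .jks shows whether the difference is in the file itself (no trusted-certificate entries, or entries of a kind the PKCS12 provider does not expose) or in how Tomcat wires the store up. The class name, method names and the command-line arguments are my own choices, not anything from the post.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical diagnostic (not from the original post). Loads a store the
 * way JSSE would, lists its entries, then reports the trust anchors a
 * TrustManagerFactory derives from it.
 *
 * Usage: java TrustStoreCheck <file> <type> <password>
 *   e.g. java TrustStoreCheck c:\tomcatEmbedded\truststore.p12 PKCS12 secret
 *        java TrustStoreCheck c:\tomcatEmbedded\truststore.jks JKS changeit
 */
public class TrustStoreCheck {

    /** Mirrors truststoreFile / truststoreType / truststorePass. */
    static KeyStore load(String file, String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(file);
        try {
            ks.load(in, password);
        } finally {
            in.close();
        }
        return ks;
    }

    /** Prints each alias with its entry kind; returns the number of trusted-cert entries. */
    static int listEntries(KeyStore ks) throws Exception {
        int trusted = 0;
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind;
            if (ks.isCertificateEntry(alias)) {
                kind = "trustedCertEntry";
                trusted++;
            } else if (ks.isKeyEntry(alias)) {
                kind = "keyEntry (private key plus certificate chain)";
            } else {
                kind = "unknown entry type";
            }
            System.out.println(alias + " : " + kind);
        }
        return trusted;
    }

    /** Builds the default trust manager from the store and counts its accepted issuers. */
    static int countAcceptedIssuers(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        int count = 0;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                X509Certificate[] issuers = ((X509TrustManager) tm).getAcceptedIssuers();
                for (X509Certificate c : issuers) {
                    System.out.println("accepted issuer: " + c.getSubjectX500Principal());
                }
                count += issuers.length;
            }
        }
        return count;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: TrustStoreCheck <file> <type> <password>");
            System.exit(2);
        }
        KeyStore ks = load(args[0], args[1], args[2].toCharArray());
        System.out.println("store type: " + ks.getType() + ", entries: " + ks.size());
        int trusted = listEntries(ks);
        int accepted = countAcceptedIssuers(ks);
        System.out.println(trusted + " trusted certificate entries, "
            + accepted + " accepted issuers after TrustManagerFactory.init");
        if (accepted == 0) {
            System.out.println("JSSE derives no trust anchors from this store; "
                + "the connector attributes cannot change that.");
        }
    }
}
```

If the PKCS12 run lists the aliases but reports zero accepted issuers while the JKS run reports the expected ones, the store contents rather than the connector configuration are what JSSE is rejecting, and the -Djavax.net.debug=all output described above is the same information seen from inside Tomcat. Run it with the same JRE Tomcat uses, since the behaviour depends on the provider that JRE ships for PKCS12.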
