If you'll permit, I want to cap this thread I started off a bit by a) thanking the many who contributed to it and b) summing up the solution I am using based on that help.

Here are the command lines and germane instructions. For localhost below, substitute the DNS name (or, at least, //etc/hosts/ name) of the VM/hardware running Tomcat. Substitute your own password for "changeit" and modify any other details according to need.

*1. Generate a Tomcat keystore with certificate and key inside plus a /subject alternative name/ (SAN)--crucial for the client's use.*
keytool -genkeypair -keyalg RSA -keysize 2048 -validity 365 -dname "CN=tomcat" -ext san=dns:localhost -alias tomcat -keystore tomcat.jks -storepass changeit -keypass changeit

*2. Inspect Tomcat's new keystore. You're looking to see the SAN.*
keytool -list -v -keystore tomcat.jks -storepass changeit

*3. Configure this keystore in Tomcat's **/conf/server.xml/** via a **<Connector port="8443" ... />** definition.*

<Connector port="8443" protocol="HTTP/1.1"
  connectionTimeout="20000"
  scheme="https"
  secure="true"
  SSLEnabled="true">
  <SSLHostConfig>
    <Certificate certificateKeyAlias="tomcat"
      certificateKeystoreFile="tomcat.jks"
      certificateKeystorePassword="changeit" />
  </SSLHostConfig>
</Connector>

*4. Get Tomcat's certificate "live." (Tomcat must be running with the new certificate.) In addition to getting the certificate, this should preserve the crucial SAN from step #1.*
openssl s_client -connect localhost:8443 -showcerts > client.cer

*5. Import that certificate into a keystore (that will be used in the client's trust store).*
keytool -importcert -file client.cer -alias tomcat -keystore client-truststore.jks -keypass changeit -storepass changeit -noprompt

*6. Verify the client's trust store. Again, you're looking to see the SAN.*
keytool -list -v -keystore client-truststore.jks -storepass changeit


The two artifacts to take away are /tomcat.jks/, for Tomcat's use, and /client-truststore.jks/, for the client's use.

In the case of this thread, the "client" in question was Apache NiFi's /InvokeHTTP/ and the configuration was done partly in that processor and partly in the accompanying /SSLContextService/ (I used /StandardRestrictedSSLContextService/). Those configurations looked like this:

/InvokeHTTP/:
HTTP URL: https://localhost:8443/servicename

/SSLContextService/:
Truststore Filename: /client-truststore.jks/          (this must be a full path in your filesystem)
Truststore Password: changeit
Truststore Type: JKS
TLS Protocol: TLS
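Two client-side checks behind steps 4 and 5 above, written as an added example (not from the original post or from NiFi): pulling only the PEM block out of the raw `s_client -showcerts` capture, and the hostname-against-SAN comparison that is the reason the SAN in step 1 is crucial. It assumes certificate data in the dict shape Python's ssl.SSLSocket.getpeercert() returns; the sample s_client output is constructed and its base64 body is a placeholder, not a real certificate.

```python
import re
import ssl

# Constructed sample of `openssl s_client -showcerts` output (step 4): handshake
# chatter around one PEM block. The base64 body is a placeholder, not a real cert.
SAMPLE_S_CLIENT_OUTPUT = """CONNECTED(00000003)
depth=0 CN = tomcat
---
Certificate chain
 0 s:CN = tomcat
-----BEGIN CERTIFICATE-----
UExBQ0VIT0xERVIgTk9UIEEgUkVBTCBDRVJUSUZJQ0FURQ==
-----END CERTIFICATE-----
---
Server certificate
"""
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----\n.*?-----END CERTIFICATE-----", re.DOTALL)

def extract_pem_certs(s_client_output: str) -> list[str]:
    """Keep only the PEM blocks from s_client output. keytool tolerates the chatter
    (step 5 imports the raw file), but a cafile for other TLS clients should be clean PEM."""
    return [m.group(0) + "\n" for m in PEM_BLOCK.finditer(s_client_output)]

def hostname_matches(cert: dict, hostname: str) -> bool:
    """Hostname check on a cert in the dict shape ssl.SSLSocket.getpeercert() returns:
    only DNS SANs count and the subject CN is never consulted, which is why step 1's
    `-ext san=dns:<host>` is crucial. Fails closed when there is no DNS SAN."""
    host = hostname.lower().rstrip(".")
    dns_names = [v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    for name in dns_names:
        if name == host:
            return True
        # One wildcard, leftmost label only: *.example.test matches nifi.example.test
        # but neither example.test nor a.b.example.test.
        if name.startswith("*.") and "*" not in name[2:]:
            suffix = name[1:]
            if host.endswith(suffix) and host.count(".") == name.count(".") and host[:-len(suffix)]:
                return True
    return False

def client_context(clean_pem_path: str) -> ssl.SSLContext:
    """Trust only the captured certificate and enforce hostname verification, the
    Python counterpart of NiFi's SSLContextService truststore setting."""
    ctx = ssl.create_default_context(cafile=clean_pem_path)
    ctx.check_hostname = True  # match the URL host against the SAN, as above
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx
```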
