Dan,

On 9/19/12 10:33 AM, Daniel Mikusa wrote:
> On Sep 19, 2012, at 2:40 AM, marco_strull...@swissre.com wrote:
>
>> Hi all, I have a tomcat 6.0.35 that needs to connect to a remote
>> server using https, so it is acting as a https client: it means
>> that tomcat must have the remote server certificate installed.
>>
>> The ideal solution I found is to configure the truststore in the
>> server.xml.
>>
>> Please see the following:
>>
>> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>            maxThreads="150" scheme="https" secure="true"
>>            keystoreFile="keystore/keystore.p12" keystoreType="pkcs12"
>>            keystorePass="<password>"
>>            truststoreFile="keystore/truststore.p12" truststoreType="pkcs12"
>>            truststorePass="<password>" clientAuth="optional"
>>            sslProtocol="TLS" />
>>
>> So, I configured the truststore and the server.xml.
>
> This will configure the keystore / truststore used by the
> Connector. It does not configure the keystore / truststore used by
> the JVM for making HTTPS client requests.

+1

>> After restarting tomcat I got an ssl exception
>>
>> sun.security.validator.ValidatorException: PKIX path building
>> failed:
>> sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>>
>> Enabling the property javax.net.debug I could see that tomcat is
>> simply ignoring the truststore I configured.
>>
>> Let me add that I tried also with no luck to change the
>> truststore format to jks. I add also that the remote server cert
>> is inside the truststore since I can see it with keytool.
>>
>> Do you know why? What else could I check?
>
> See explanation above. Here is an example. The trick is to set
> the "javax.net.ssl.trustStore" and
> "javax.net.ssl.trustStorePassword" system properties.
>
> http://www.exampledepot.com/egs/javax.net.ssl/client.html
>
> or you could disable validation altogether. Not something you'd
> want to do for a production site though.
>
> http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Better yet, configure the library (httpclient?) directly to use the
truststore of your choosing: there's no need to set the trust store
for the entire JVM (also, it makes your application more
configurable IMO).

-chris
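Chris's suggestion above, as an added example that is not from the thread: a plain-JDK client that loads the PKCS12 truststore from the poster's server.xml into its own SSLContext and applies it to a single HttpsURLConnection, so the JVM-wide javax.net.ssl.trustStore properties, and Tomcat's own connectors, stay untouched. The truststore path, its password and the remote URL are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds an SSLContext that trusts only the CA/server certificates found in
 * the given truststore, and applies it to one outbound HTTPS connection.
 * Nothing here touches the javax.net.ssl.* system properties, so the trust
 * decision is scoped to this client rather than the whole JVM.
 */
public class ScopedTrustStoreClient {

    // Assumed values: same file the poster referenced in server.xml,
    // password and URL are placeholders.
    private static final String TRUSTSTORE_PATH = "keystore/truststore.p12";
    private static final String TRUSTSTORE_TYPE = "PKCS12";
    private static final char[] TRUSTSTORE_PASS = "<password>".toCharArray();
    private static final String REMOTE_URL = "https://remote.example/api";

    static SSLContext buildContext(String path, String type, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(type);
        InputStream in = new FileInputStream(path);   // try/finally keeps this Java 6 compatible
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);                          // PKIX validation against this store only
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);  // no key managers: client presents no cert
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContext(TRUSTSTORE_PATH, TRUSTSTORE_TYPE, TRUSTSTORE_PASS);
        HttpsURLConnection conn = (HttpsURLConnection) new URL(REMOTE_URL).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory()); // applies to this connection only
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

If the remote certificate chain is not anchored in the loaded truststore, getResponseCode() throws an SSLHandshakeException wrapping the same PKIX "unable to find valid certification path" error quoted in the thread, which is the quick check that the store being loaded is the one you think it is.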