On 02/21/2013 10:41 PM, Christopher Schultz wrote:
> Short of putting it into the "endorsed" directory, you should put it
> into CATALINA_BASE/lib, right alongside of your JDBC library.
OK. I sort of figured that, although it feels a bit weird to have a certificate sitting there along with all the JAR files. I suppose there isn't any reason that I couldn't put it in a subdirectory. This would make particular sense if I had more than one certificate (for different database servers).

> I'm surprised that the PostgreSQL JDBC driver doesn't offer the
> ability to set the trust store for its SSL connections.

Not directly. Its interface for customization is, to be generous, limited.

> For example, MySQL's Connector/J supports the
> "trustCertificateKeyStoreURL" connection property which lets you
> specify an alternate trust store
> (http://dev.mysql.com/doc/refman/5.0/en/connector-j-reference-configuration-properties.html).
> I couldn't find any documentation whatsoever for PostgreSQL's JDBC
> driver and the properties it supports. Not even a brief configuration
> reference on the website. Shame.

The JDBC driver is maintained as a separate project, and it has its own web site -- http://jdbc.postgresql.org. The documentation on customizing its SSL behavior is here:

http://jdbc.postgresql.org/documentation/head/ssl-factory.html

> Just curious: how do you expect to install your SSLSocketFactory?

Funny you should ask.
I've spent my spare time over the last few days figuring that out, and here's what I've come up with:

  <Resource name="myca"
            auth="Container"
            type="java.security.cert.X509Certificate"
            factory="net.selfip.icp.pgssl.TomcatContextX509CertFactory"
            cert="/usr/share/tomcat/conf/rhev-ca.pem"/>

  <Resource name="jdbc/postgres/mydb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://foo.bar.baz/mydb"
            username="billme"
            password="*************"
            factory="org.apache.commons.dbcp.BasicDataSourceFactory"
            connectionProperties="ssl=true;sslfactory=net.selfip.icp.pgssl.PgSSLSocketFactory;sslfactoryarg=java:comp/env/myca"/>

I had to write the TomcatContextX509CertFactory, which makes the certificate specified by the "cert" attribute available via JNDI. (I'll probably change this to load it as a resource, rather than from an absolute file path.) Then I pass the JNDI name of the certificate as the "sslfactoryarg" connection property.

I think it's actually a pretty elegant solution to the limitations of the driver. (Although it would be nice if I could include the TomcatContextX509CertFactory and PgSSLSocketFactory classes in my WAR file, rather than having to install them in the main Tomcat library directory. You don't know of a way to do this, do you? It seems that nothing within the webapp is visible to the common classloader.)

Thanks!

-- 
========================================================================
Ian Pilcher                                         [email protected]
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================
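Added example, not Ian's code (his PgSSLSocketFactory is not in the thread): a hypothetical sslfactory class of the kind the configuration above wires in. It assumes, per the ssl-factory page linked above, that pgjdbc constructs the class with the "sslfactoryarg" String, and that the JNDI name resolves to the java.security.cert.X509Certificate the "myca" Resource declares; it also switches on the JDK's hostname check, which a plain delegating socket factory would otherwise leave off.

```java
import java.io.IOException;
import java.net.*;
import java.security.*;
import java.security.cert.X509Certificate;
import javax.naming.InitialContext;
import javax.naming.NamingException;
import javax.net.ssl.*;

/** Hypothetical PgSSLSocketFactory (assumption, not the thread's code). The
 *  sslfactoryarg String is a JNDI name bound to an X509Certificate, which
 *  becomes the ONLY trust anchor; the JVM default cacerts are not consulted. */
public class PgSSLSocketFactory extends SSLSocketFactory {
    private final SSLSocketFactory delegate;

    public PgSSLSocketFactory(String jndiName)
            throws NamingException, GeneralSecurityException, IOException {
        X509Certificate ca = (X509Certificate) new InitialContext().lookup(jndiName);
        // In-memory trust store holding just the CA fetched from JNDI
        KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
        ts.load(null, null);
        ts.setCertificateEntry("db-ca", ca);
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        delegate = ctx.getSocketFactory();
    }

    // Trusting the CA alone is not enough: also require that the server cert
    // names the host we dialled, or any cert that CA ever issued is accepted.
    private Socket harden(Socket s) {
        if (s instanceof SSLSocket) {
            SSLSocket ssl = (SSLSocket) s;
            SSLParameters p = ssl.getSSLParameters();
            p.setEndpointIdentificationAlgorithm("HTTPS"); // Java 7+
            ssl.setSSLParameters(p);
        }
        return s;
    }

    @Override public Socket createSocket(Socket s, String h, int p, boolean a) throws IOException { return harden(delegate.createSocket(s, h, p, a)); }
    @Override public Socket createSocket(String h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(String h, int p, InetAddress lh, int lp) throws IOException { return harden(delegate.createSocket(h, p, lh, lp)); }
    @Override public Socket createSocket(InetAddress h, int p) throws IOException { return harden(delegate.createSocket(h, p)); }
    @Override public Socket createSocket(InetAddress h, int p, InetAddress lh, int lp) throws IOException { return harden(delegate.createSocket(h, p, lh, lp)); }
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
}
```

The JNDI lookup runs on whichever thread first opens a pooled connection, so it only resolves "java:comp/env/myca" when that thread carries the web application's naming context (a request thread, not a container startup thread).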
