On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org> wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in setenv.sh
>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.keyStorePassword=password \
>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.
So after a bit of digging [1,2] I found that this is achieved by
adding the following parameters to the mysql jdbc url in the resource
Note that  has a couple of errors.
A) it specifies clientCertificateKeyStore[Url|Password] in lieu of
trustStore system property, that should be
B) it specifies the URLs in the form
file:path_to_truststore_file, which is also incorrect; it should be
file://path_to_truststore_file (which will give a triple slash if an
absolute path is used)
Hope this helps someone else that happens to read the archives.
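As an added illustration (not the poster's own configuration), this is what a Tomcat context.xml JNDI resource looks like when the key and trust stores are attached to the MySQL Connector/J (5.1-era property names) URL instead of to the JVM via javax.net.ssl.* system properties, so the JVM default cacerts stays in effect for other outbound TLS; the resource name, path, user and passwords are placeholders.

```xml
<!-- $CATALINA_BASE/conf/context.xml (or META-INF/context.xml in the webapp).
     Added example, not from the thread. Replaces the global
     -Djavax.net.ssl.keyStore / trustStore settings in setenv.sh, which would
     otherwise override the JVM's default cacerts for every outbound TLS call.
     Because this is XML, '&' between URL parameters must be written '&amp;'. -->
<Context>
  <Resource name="jdbc/MySQLDS"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            username="appuser"
            password="CHANGE_ME"
            maxTotal="20"
            url="jdbc:mysql://db.example.internal:3306/appdb?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;trustCertificateKeyStoreUrl=file:///opt/tomcat/conf/mysql.jks&amp;trustCertificateKeyStorePassword=CHANGE_ME&amp;clientCertificateKeyStoreUrl=file:///opt/tomcat/conf/mysql.jks&amp;clientCertificateKeyStorePassword=CHANGE_ME" />
</Context>
```

Note the file:/// form (scheme, empty authority, absolute path) for the store URLs, and that verifyServerCertificate=true is what makes the connector actually check the server certificate against the supplied trust store rather than accept any certificate.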