On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org> wrote:
> On 14/02/18 17:17, Chris Cheshire wrote:
>> I am trying to set up my webapp to connect to an external database via
>> ssl. The database uses a self-signed certificate. I have created a
>> keystore with the self-signed CA and the client key & cert. This
>> keystore is configured via JAVA_OPTS in setenv.sh
>>
>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.keyStorePassword=password \
>> -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>> -Djavax.net.ssl.trustStorePassword=password"
>>
>> This allows me to connect to the database without a problem. However
>> now I cannot connect to any external web service because their certs
>> will no longer validate.
>>
>> How do I configure tomcat such that the default cacerts is used in
>> addition to my self-signed certificates without importing those into
>> the default keystore (which is a Bad Idea™)?
>
> This is nothing to do with Tomcat. Tomcat plays no role in out-going TLS
> connections.
>
> The short answer is rather than using system properties, you should set
> the keystore and truststore programmatically so they apply just to the
> database connections rather than globally.
>
So after a bit of digging [1,2] I found that this is achieved by adding the
following parameters to the mysql jdbc url in the resource definition:

clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
clientCertificateKeyStorePassword=password
trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
trustCertificateKeyStorePassword=changeit

Note that [2] has a couple of errors.

A) it specifies clientCertificateKeyStore[Url|Password] in lieu of the
trustStore system property; that should be trustCertificateKeyStore[Url|Password]

B) it specifies the urls in the form file:path_to_truststore_file; that is
also incorrect, it should be file://path_to_truststore_file (which will give
a triple slash if an absolute path is used)

[1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
[2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

Hope this helps someone else that happens to read the archives.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
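As an added example (not part of the original thread, and not from the Tomcat or Connector/J projects), here is a complete Tomcat context.xml Resource definition that carries the Connector/J keystore properties on the JDBC URL, so the client certificate and the self-signed CA are scoped to this connection pool and the JVM-wide javax.net.ssl.* properties can be dropped from setenv.sh, which restores the default cacerts trust for every other outbound TLS client. The host, schema, resource name and database credentials are placeholders; the keystore path and passwords follow the message above. Two details a practitioner will want: inside an XML attribute every & in the URL must be written as &amp;, and the truststore only matters if certificate verification is actually on, so useSSL, requireSSL and verifyServerCertificate are set explicitly (Connector/J 5.1 does not verify the server certificate by default, in which case the driver accepts any server certificate and the truststore is never consulted).

```xml
<!-- $CATALINA_BASE/conf/context.xml, or META-INF/context.xml inside the webapp.
     Added example, not code from the original thread. Host, schema, resource
     name and credentials are placeholders; keystore path and passwords follow
     the message above. -->
<Context>
  <!-- Per-pool TLS configuration for MySQL Connector/J 5.1. Nothing here
       touches javax.net.ssl.*, so other HTTPS clients in the JVM keep using
       the JRE's default cacerts truststore. -->
  <Resource name="jdbc/appdb"
            auth="Container"
            type="javax.sql.DataSource"
            driverClassName="com.mysql.jdbc.Driver"
            username="appuser"
            password="apppassword"
            url="jdbc:mysql://db.example.internal:3306/appdb?useSSL=true&amp;requireSSL=true&amp;verifyServerCertificate=true&amp;clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks&amp;clientCertificateKeyStorePassword=password&amp;trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks&amp;trustCertificateKeyStorePassword=changeit"/>
</Context>
```

With this in place the matching -Djavax.net.ssl.keyStore / -Djavax.net.ssl.trustStore lines in setenv.sh should be removed; if they are left in, they still override the default truststore for the whole JVM and the original symptom (external web service certificates failing to validate) comes back. Tomcat expands ${catalina.base} in context.xml attribute values, which is why the URL can stay relative to the instance directory as in the message above.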