
Chris,

On 2/14/18 3:34 PM, Chris Cheshire wrote:
> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org>
> wrote:
>> On 14/02/18 17:17, Chris Cheshire wrote:
>>> I am trying to set up my webapp to connect to an external
>>> database via ssl. The database uses a self-signed certificate.
>>> I have created a keystore with the self-signed CA and the
>>> client key & cert. This keystore is configured via JAVA_OPTS in
>>> setenv.sh
>>> 
>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>>>   -Djavax.net.ssl.keyStorePassword=password \
>>>   -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>>   -Djavax.net.ssl.trustStorePassword=password"
>>> 
>>> This allows me to connect to the database without a problem.
>>> However now I cannot connect to any external web service
>>> because their certs will no longer validate.
>>> 
>>> How do I configure tomcat such that the default cacerts is used
>>> in addition to my self-signed certificates without importing
>>> those into the default keystore (which is a Bad Idea™)?
>> 
>> This is nothing to do with Tomcat. Tomcat plays no role in
>> out-going TLS connections.
>> 
>> The short answer is rather than using system properties, you
>> should set the keystore and truststore programmatically so they
>> apply just to the database connections rather than globally.
>> 
> 
> So after a bit of digging [1,2] I found that this is achieved by 
> adding the following parameters to the mysql jdbc url in the
> resource definition:
> 
> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> clientCertificateKeyStorePassword=password
> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> trustCertificateKeyStorePassword=changeit
> 
> Note that [2] has a couple of errors. A) it specifies
> clientCertificateKeyStore[Url|Password] in lieu of the trustStore
> system property; that should be
> trustCertificateKeyStore[Url|Password]. B) it specifies
> the urls in the form file:path_to_truststore_file; that is also
> incorrect, it should be file://path_to_truststore_file (which will
> give a triple slash if an absolute path is used).
> 
> 
> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

It might depend upon the version of Connector/J you are using. For
example, I have this in my connection URL:

'...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'

Only a single leading / for an absolute path in my case, and it works
as expected.

The use of file:// was a historical mistake web browser users made,
thinking that // was necessary between the protocol and anything after
it. It was never the case, and any software requiring a URL like
file:/// should be considered broken.

-chris
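The programmatic scoping Mark suggests (and the reason the javax.net.ssl.* system properties in setenv.sh broke every other outbound TLS connection), shown as an added example that is not code from the thread: one SSLContext is built from the self-signed keystore and handed only to the client that needs it, while the JVM default context and cacerts stay untouched. The keystore path and the "password" value are assumptions taken from the quoted setenv.sh; with Connector/J 5.1 the equivalent per-connection scoping is done via the URL properties Chris quotes, so this context is for any client that accepts an SSLSocketFactory.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds a TLS context from a single JKS file (assumed, as in the thread, to hold
 * both the client key/cert and the self-signed CA) without touching the
 * javax.net.ssl.* system properties, so SSLContext.getDefault() keeps using cacerts.
 */
public final class ScopedTls {

    public static SSLContext fromKeystore(Path jks, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(jks)) {
            ks.load(in, password);
        }
        // Client identity: the private key + certificate entries in mysql.jks.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        // Trust: only the CA(s) in mysql.jks, and only for sockets made from this context.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /** Socket factory to give to the one client that talks to the self-signed database. */
    public static SSLSocketFactory scopedSocketFactory(Path jks, char[] password) throws Exception {
        return fromKeystore(jks, password).getSocketFactory();
    }

    /** True when no global truststore override is in effect, i.e. other clients still use cacerts. */
    public static boolean defaultTrustUntouched() {
        return System.getProperty("javax.net.ssl.trustStore") == null;
    }

    public static void main(String[] args) throws Exception {
        // Assumed location/password, mirroring the quoted setenv.sh; substitute your own.
        Path jks = Paths.get(System.getProperty("catalina.base", "."), "conf", "mysql.jks");
        SSLSocketFactory dbOnly = scopedSocketFactory(jks, "password".toCharArray());
        System.out.println("scoped factory built: " + (dbOnly != null));
        System.out.println("default trust untouched: " + defaultTrustUntouched());
    }
}
```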
