Chris,

On 2/14/18 3:34 PM, Chris Cheshire wrote:
> On Wed, Feb 14, 2018 at 12:30 PM, Mark Thomas <ma...@apache.org> wrote:
>> On 14/02/18 17:17, Chris Cheshire wrote:
>>> I am trying to set up my webapp to connect to an external database via
>>> ssl. The database uses a self-signed certificate. I have created a
>>> keystore with the self-signed CA and the client key & cert. This
>>> keystore is configured via JAVA_OPTS in setenv.sh
>>>
>>> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>>>   -Djavax.net.ssl.keyStorePassword=password \
>>>   -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>>>   -Djavax.net.ssl.trustStorePassword=password"
>>>
>>> This allows me to connect to the database without a problem. However
>>> now I cannot connect to any external web service because their certs
>>> will no longer validate.
>>>
>>> How do I configure Tomcat such that the default cacerts is used in
>>> addition to my self-signed certificates without importing those into
>>> the default keystore (which is a Bad Idea™)?
>>
>> This is nothing to do with Tomcat. Tomcat plays no role in out-going
>> TLS connections.
>>
>> The short answer is rather than using system properties, you should set
>> the keystore and truststore programmatically so they apply just to the
>> database connections rather than globally.
>>
>
> So after a bit of digging [1,2] I found that this is achieved by adding
> the following parameters to the mysql jdbc url in the resource
> definition:
>
> clientCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> clientCertificateKeyStorePassword=password
> trustCertificateKeyStoreUrl=file://${catalina.base}/conf/mysql.jks
> trustCertificateKeyStorePassword=changeit
>
> Note that [2] has a couple of errors.
> A) it specifies clientCertificateKeyStore[Url|Password] in lieu of the
> trustStore system property; that should be
> trustCertificateKeyStore[Url|Password]
> B) it specifies the URLs in the form file:path_to_truststore_file; that
> is also incorrect, it should be file://path_to_truststore_file (which
> will give a triple slash if an absolute path is used)
>
> [1] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-configuration-properties.html
> [2] https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html

It might depend upon the version of Connector/J you are using. For
example, I have this in my connection URL:

'...&trustCertificateKeyStoreUrl=file:/etc/mysql/mysql.jks'

Only a single leading / for an absolute path in my case, and it works as
expected.

The use of file:// was a historical mistake web browser users made,
thinking that // was necessary between the protocol and anything after
it. It was never the case, and any software requiring a URL like
file:/// should be considered broken.
-chris
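Mark's suggestion, scoping the keystore and truststore to the database connection instead of the JVM-wide javax.net.ssl.* properties, done in Java with the Connector/J properties named in the thread. This is an added example, not code from the thread or from Connector/J; the class name, the catalina.base fallback path, the host db.example.test and the credentials are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;

/** Hypothetical helper (not part of Connector/J) that keeps the MySQL
 *  client cert and the self-signed CA out of the JVM default trust. */
public final class MysqlSslProperties {

    public static Properties build(Path keystore, char[] storePassword) {
        Properties p = new Properties();
        // Path.toUri() renders an absolute path as file:///abs/path, a form
        // java.net.URL accepts, so the slash count is not hand-written.
        String url = keystore.toAbsolutePath().toUri().toString();
        p.setProperty("useSSL", "true");
        p.setProperty("requireSSL", "true");
        p.setProperty("verifyServerCertificate", "true");
        p.setProperty("clientCertificateKeyStoreUrl", url);
        p.setProperty("clientCertificateKeyStorePassword", new String(storePassword));
        // The same JKS holds the self-signed CA; a separate file works equally.
        p.setProperty("trustCertificateKeyStoreUrl", url);
        p.setProperty("trustCertificateKeyStorePassword", new String(storePassword));
        return p;
    }

    /** True when no JVM-wide override is set, i.e. the default cacerts still
     *  governs every other outbound TLS connection (web services included). */
    public static boolean defaultTrustStoreUntouched() {
        return System.getProperty("javax.net.ssl.trustStore") == null
            && System.getProperty("javax.net.ssl.keyStore") == null;
    }

    public static void main(String[] args) throws SQLException {
        Path jks = Paths.get(System.getProperty("catalina.base", "/opt/tomcat"),
                             "conf", "mysql.jks");                 // assumed location
        Properties props = build(jks, "password".toCharArray());  // constructed sample
        props.setProperty("user", "app");                         // constructed sample
        props.setProperty("password", "secret");                  // constructed sample
        try (Connection c = DriverManager.getConnection(
                "jdbc:mysql://db.example.test:3306/app", props)) {
            System.out.println("TLS connection established: " + c.isValid(5));
        }
        System.out.println("JVM default truststore untouched: " + defaultTrustStoreUntouched());
    }
}
```

The same four properties can be appended to the JDBC URL of a Tomcat JNDI Resource, as in Chris's definition above; the point of the Java form is that nothing is set with -D, so defaultTrustStoreUntouched() stays true.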