Steven,

On 10/12/18 14:47, Steven Feinstein wrote:
> Hi,
>
> I am using Tomcat 8.0.32 running on Windows 2012 R2 as a Service.
>
> My application is running under https port 8443. Part of my
> application opens an HttpsURLConnection back to the same app. A
> cert was created for each server and the keystore file updated with
> the information.

It's worth stopping here to note that Tomcat's keystore and truststore
configuration only affect the connections coming into Tomcat over
whatever <Connector> is being configured with those stores. That may
help you understand things from here on out...

> On my dev server, this all works OK. On my test server, it is
> failing with "trustAnchors parameter cannot be empty". I understand
> this error to basically mean I am not accessing my trustStore
> file.
>
> Our server.xml file does list the keyStore location for port 8443.
> It does not contain a trustStore entry (not even sure if that
> would work as I did not try it).

Trust stores are used by an endpoint to determine whether the other
end of the connection is trusted. For most servers, the client is
irrelevant: the server is willing to accept requests from anyone. If
your clients need client-certificates, you'd have to specify a value
for the truststore.

For *clients* (those processes making connections to remote web
servers), a trust store needs to include either the certificate of
the server being contacted OR a certificate that was used to sign any
of the certificates that the server presents. Often, you will be
contacting a server that has a cert from a well-known CA and the
built-in truststore will be sufficient. If you have a self-signed
cert on the server or use a little-known CA, then you will have to
specify your own trust store and put the appropriate certificate in
that store.

> The first thing I tried was creating setEnv.bat with java options
> for the keystore and truststore locations and passwords. This did
> not work which I figured out is because we are running as a
> service, so it never gets called.

This should actually work.

> The next thing I tried was running tomcat8w //ES/Tomcat8.

... unless you are running as a Windows Service. The .BAT files are
ignored for the service. Instead, you should run tomcat8w //ES/Tomcat8
: )

> This opened up a window to make entries in a Java tab which
> allowed me to enter the locations. I know the keystore was picked
> up because I mistyped it and hung my app. Fixing the spelling and
> the app stopped hanging. But I still kept getting the error.

Good. Well, not good but at least SOMETHING is happening.

Can you post exactly what you typed, and where?

> I started looking at any difference I could find between the
> servers. That is when I noticed that the person who installed the
> cert on the dev server placed it in e:\tomcat8\cert. The person
> who installed it on the test server placed it in e:\tomcat8\cert3.
>
> Next, I printed the values of
> System.getProperty("javax.net.ssl.trustStore") and
> System.getProperty("javax.net.ssl.keyStore"). This resulted in
> null for the keystore and e:/tomcat8/cert/mystore for the
> trustStore.

No filename extension? That's uncommon, but not necessarily a problem.

> I went back to tomcat8w and re-entered the values on the test
> machine: keystore was now e:/tomcat8/cert3/mystore while
> trustStore still showed e:/tomcat8/cert/mystore
>
> I can't figure out where the trustStore value is coming from. I
> searched using a grep tool for mystore and its only location is
> in server.xml in the keystore entry for 8443 and is correct at
> e:/tomcat8/cert3/mystore.

That won't affect outgoing connections. Also, the keystore won't be
used for making outgoing connections unless the remote server
requires client-certificate authentication. Does it?

> What I have currently done is removed the entries from tomcat8w
> (which is really the registry), renamed cert3 to cert, modified
> server.xml to also point to cert. Now everything runs fine.
>
> I can live with this, but I'd like to know why the trustStore
> value keeps showing e:/tomcat8/cert and would never show
> e:/tomcat8/cert3.

You'd have to look around in the configuration utility. There are
many boxes, but it should be there somewhere.

> Why did it always assume the cert location? I can't find any
> entry on my server nor can I even find mystore without a path
> (assuming maybe Tomcat prepends a default if found without a
> path).
>
> I'd like to know how to change the path in case it is ever needed
> at a later date - if it is possible at all.
>
> Does anyone know how Tomcat comes up with the trustStore location?

Tomcat itself sets none of this. If it's in the system properties,
it's because of some explicit configuration *somewhere*.

-chris
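An added example, not code from this thread or from Tomcat: an outgoing HttpsURLConnection that loads its trust anchors from an explicit file instead of relying on whatever javax.net.ssl.trustStore the service's registry entry happens to set, and that reports what the store actually contains before connecting. Assumed: the app calls back to itself at https://localhost:8443/, the store path is the one from the thread, and "changeit" is a placeholder password.

```java
import java.io.FileInputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class ExplicitTrustStoreClient {

    // Builds a socket factory whose trust anchors come from exactly this file,
    // so the outgoing connection does not depend on the javax.net.ssl.trustStore
    // system property configured somewhere else (setenv.bat, tomcat8w, registry).
    static SSLSocketFactory socketFactoryFor(String trustStorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, password);   // fails loudly on a wrong path or password
        }
        // The store must hold the server's own certificate or a certificate that
        // signed the server's chain; list what is really in it.
        for (String alias : Collections.list(trustStore.aliases())) {
            System.out.println("trusted entry: " + alias);
        }
        if (trustStore.size() == 0) {
            // An empty store is what turns into the trustAnchors error seen in the thread.
            throw new IllegalStateException("no certificates in " + trustStorePath);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no key managers: no client cert is presented
        return ctx.getSocketFactory();
    }

    public static void main(String[] args) throws Exception {
        // Same check the thread did: what did the JVM actually start with?
        System.out.println("javax.net.ssl.trustStore = " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("javax.net.ssl.keyStore   = " + System.getProperty("javax.net.ssl.keyStore"));

        // Assumptions: the app calls back to itself on 8443; the store path is the one
        // from the thread; "changeit" is a placeholder password.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://localhost:8443/").openConnection();
        conn.setSSLSocketFactory(socketFactoryFor("e:/tomcat8/cert3/mystore", "changeit".toCharArray()));
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Because the trust store is passed per connection, the same build behaves identically on the dev and test servers regardless of which path was typed into tomcat8w.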