On 6/2/22 16:06, Rob Sargent wrote:
I'm starting both the server and the client with both key and trust.
Does that bite?
I would avoid giving access to the key to anything that doesn't
absolutely need it. Usually, only the server needs access to the key.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Back from vacation but none the wiser for having visited Harvard!
I have my environment working again but not with supplying both keystore
and truststore to both the server and the client. Clearly scrogged
somewhere.
My server gets the locations from a properties file and uses:

Connector connector = new Connector();
connector.setPort(tcport);
connector.setSecure(true);
addBaseConnectorConfig(connector);
connectorSetTest(connector, "SSLEnabled", "true");
connectorSetTest(connector, "sslProtocol", "TLS");
connectorSetTest(connector, "keyAlias",
        System.getProperty("SGSSRVR_keystoreAlias"));
connectorSetTest(connector, "keystorePass",
        System.getProperty("SGSSRVR_keystorePwd"));
connectorSetTest(connector, "keystoreFile",
        keyFile.getAbsolutePath());
connectorSetTest(connector, "keystoreType",
        System.getProperty("SGSSRVR_storeType"));
and here we can see I don't actually use truststore.... so that puts the
lie to my claim.
The clients get them from command line -D properties:

defvs += (F" -Djavax.net.ssl.keyStore=/ppr/certs/sgs10.0.2.118.p12"
          F" -Djavax.net.ssl.keyStoreType=PKCS12"
          F" -Djavax.net.ssl.keyStorePassword=changeit")
defvs += (F" -Djavax.net.ssl.trustStore=/ppr/certs/fullca.p12"
          F" -Djavax.net.ssl.trustStoreType=PKCS12"
          F" -Djavax.net.ssl.trustStorePassword=changeit")
But as I said "It's working" so I'm likely to let sleeping dogs lie.
rjs
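As an added illustration of Chris's point above (server gets the keystore, client gets only the truststore), here is an embedded-Tomcat server connector beside a client SSLContext built with no KeyManager. This is example code written for this thread, not Rob's or Tomcat's own; the paths, password and alias are placeholders, and it assumes Tomcat 8.5+ (SSLHostConfig API). A client only needs its own keystore when the server requires client certificates (mutual TLS).

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.catalina.connector.Connector;
import org.apache.tomcat.util.net.SSLHostConfig;
import org.apache.tomcat.util.net.SSLHostConfigCertificate;

public class SplitStores {
    // Server side: only this process is handed the keystore holding the private key.
    // keystore path, password and alias are placeholders for this example.
    static Connector serverConnector(int port, String keystore, String password, String alias) {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setPort(port);
        connector.setSecure(true);
        connector.setScheme("https");
        connector.setProperty("SSLEnabled", "true");

        SSLHostConfig hostConfig = new SSLHostConfig();
        hostConfig.setProtocols("TLSv1.2+TLSv1.3");
        SSLHostConfigCertificate cert =
            new SSLHostConfigCertificate(hostConfig, SSLHostConfigCertificate.Type.RSA);
        cert.setCertificateKeystoreFile(keystore);
        cert.setCertificateKeystorePassword(password);
        cert.setCertificateKeystoreType("PKCS12");
        cert.setCertificateKeyAlias(alias);
        hostConfig.addCertificate(cert);
        connector.addSslHostConfig(hostConfig);
        return connector;
    }

    // Client side: a truststore with the CA chain is enough to verify the server.
    // The KeyManager argument is null, so no private key is ever loaded into the client.
    static SSLContext clientContext(String truststore, String password) throws Exception {
        KeyStore trust = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(truststore))) {
            trust.load(in, password.toCharArray());
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }
}
```

Use `clientContext(...).getSocketFactory()` on an HttpsURLConnection or socket to get a client that trusts the server's CA without ever touching the server's key.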