HTTPS Client Connection to Tomcat

clive jordan
Ranch Hand

Joined: Apr 27, 2005
Posts: 39
Hi Guys,

I'm trying to implement a simple HTTPS command-line client and rapidly realize I don't fully understand the whole SSL mechanism and how it interacts with the underlying OS.

I am using JSDK 1.5 so have jsse.jar installed. This is really more a question about using keytool and certificates so please bear with me.

In order to enable HTTPS on tomcat, I did this:

keytool -genkey -alias tomcat -keyalg RSA

My understanding is that this generates a self-signed certificate in the .keystore file in my home directory. Tomcat is using the default passwords so after enabling the SSL connector and restarting Tomcat, it comes up ok.

So the default tomcat implementation uses the certificate in the .keystore file in the home directory under which the tomcat user has been installed.

If I point a web browser at a servlet I have running on tomcat (using https on default port 8443), I get prompted whether I want to accept the certificate and then can access the servlet ok. So I believe tomcat is setup ok.

The client I am using uses an HttpsURLConnection but I found it uses a different keystore, one in ${JAVA_HOME}/jre/lib/security/cacerts.

So am I right in thinking I need to put the certificate in this file ? If so, I used:

keytool -export -alias tomcat -file tomcat.cert

To export the certificate from my default .keystore file. Then I need to import it into the cacerts file:

keytool -import -alias tomcat -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file tomcat.cert

Could someone confirm that this is the correct procedure or am I talking out of my hat here?

Lewin Chan
Ranch Hand

Joined: Oct 10, 2001
Posts: 214
Can people talk out of their hat?

Yes, using HttpsURLConnection you will probably use the cacerts keystore, this is because by default, a java ssl client will attempt to verify the identity of the server i.e. check that it trusts the server's certificate. In this specific instance, you have a self-signed cert, so you have to physically import that cert into cacerts. If you got your certificate signed by VeriSign or another CA, then you wouldn't need to do this.

Alternatively, as we know HttpsURLConnection probably uses the SSLSession/SSLContext, you could bypass this by writing your own TrustManager implementation and doing SSLContext.getInstance("TLS").init(null, new TrustManager[] { myTrustManager }, null).

Your trust manager implementation could just return true for every method.

I have no java certifications. This makes me a bad programmer. Ignore my post.
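The two options discussed above are editing the JRE's shared cacerts file or writing a TrustManager that accepts everything. There is a third, which is what a practitioner would normally want for a self-signed Tomcat certificate: keep the default certificate validation, but point it at a truststore that contains only the certificate exported with `keytool -export -alias tomcat`. The program below is an added example, not code posted in this thread; it assumes Java 7 or later, that `tomcat.cert` is the file produced by the export step, and that the certificate's CN (entered during `keytool -genkey`) matches the host in the URL, since hostname verification is deliberately left on.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * HTTPS client that trusts exactly one self-signed server certificate
 * (the file written by "keytool -export -alias tomcat -file tomcat.cert")
 * without modifying the JRE's cacerts and without disabling validation.
 *
 * Usage: java TrustOneCertClient tomcat.cert https://localhost:8443/
 * (file name and URL are assumptions for this example)
 */
public class TrustOneCertClient {

    /** Build an SSLContext whose only trust anchor is the given certificate file. */
    static SSLContext contextTrusting(String certFile) throws Exception {
        // keytool -export writes DER by default and PEM with -rfc;
        // the X.509 CertificateFactory accepts both encodings.
        Certificate serverCert;
        try (InputStream in = new FileInputStream(certFile)) {
            serverCert = CertificateFactory.getInstance("X.509").generateCertificate(in);
        }

        // An empty in-memory truststore holding just that one certificate.
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        trustStore.setCertificateEntry("tomcat", serverCert);

        // The default (PKIX) trust manager still checks the chain, validity
        // dates and signature; it simply uses our one-entry truststore
        // instead of cacerts.
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java TrustOneCertClient <exported-cert-file> <https-url>");
            System.exit(2);
        }
        SSLContext ctx = contextTrusting(args[0]);

        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[1]).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier(): the default verifier stays active, so the
        // certificate's CN or subjectAltName must match the host in the URL.

        int status = conn.getResponseCode();
        System.out.println("HTTP status: " + status);
        System.out.println("Cipher suite: " + conn.getCipherSuite());
        X509Certificate presented = (X509Certificate) conn.getServerCertificates()[0];
        System.out.println("Server cert subject: " + presented.getSubjectX500Principal());
    }
}
```

If the client cannot be changed at all, the same effect is available from the command line: import `tomcat.cert` into a private truststore file with `keytool -import -alias tomcat -keystore mytrust.jks -file tomcat.cert` and start the client with `-Djavax.net.ssl.trustStore=mytrust.jks`. Either way the shared cacerts file, which every Java program on the machine trusts, is left untouched, and a certificate that does not match the host or has expired is still rejected.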
clive jordan
Ranch Hand

Joined: Apr 27, 2005
Posts: 39
Thanks very much for the reply, I just wanted to check I understood things correctly. I have looked at some examples of using TrustManagers to accept everything, but although I could have cut and pasted the code, I frankly did not understand it. I may revisit that when I have a better understanding of things :-)

Thanks again,