
HTTPS Client Connection to Tomcat

 
clive jordan
Ranch Hand
Posts: 39
Hi Guys,

I'm trying to implement a simple HTTPS command-line client and rapidly realize I don't fully understand the whole SSL mechanism and how it interacts with the underlying OS.

I am using JSDK 1.5 so have jsse.jar installed. This is really more a question about using keytool and certificates so please bear with me.

In order to enable HTTPS on tomcat, I did this:

keytool -genkey -alias tomcat -keyalg RSA

My understanding is that this generates a self-signed certificate in the .keystore file in my home directory. Tomcat is using the default passwords so after enabling the SSL connector and restarting Tomcat, it comes up ok.

So the default tomcat implementation uses the certificate in the .keystore file in the home directory under which the tomcat user has been installed.

If I point a web browser at a servlet I have running on tomcat (using https on default port 8443), I get prompted whether I want to accept the certificate and then can access the servlet ok. So I believe tomcat is setup ok.

The client I am using uses an HttpsURLConnection but I found it uses a different keystore, one in ${JAVA_HOME}/jre/lib/security/cacerts.

So am I right in thinking I need to put the certificate in this file ? If so, I used:

keytool -export -alias tomcat -file tomcat.cert

To export the certificate from my default .keystore file. Then I need to import it into the cacerts file:

keytool -import -alias tomcat -keystore ${JAVA_HOME}/jre/lib/security/cacerts -file tomcat.cert

Could someone confirm that this is the correct procedure or am I talking out of my hat here ??

Thanks,
Clive
 
Lewin Chan
Ranch Hand
Posts: 214
Can people talk out of their hat?

Yes, using HttpsURLConnection you will probably use the cacerts keystore, this is because by default, a java ssl client will attempt to verify the identity of the server i.e. check that it trusts the server's certificate. In this specific instance, you have a self-signed cert, so you have to physically import that cert into ca certs. If you got your certificate signed by verisign or another CA, then you wouldn't need to do this.

Alternatively, as we know HttpsURLConnection probably uses the SSLSession/SSLContext, you could bypass this by writing your own TrustManager implementation and doing SSLContext.getInstance().init(null, mytrustmanager, null).

Your trust manager implementation could just return true for every method.
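A third option that sits between the two discussed above (importing into the JRE's cacerts, or a TrustManager that accepts everything): load the exported tomcat.cert into a small dedicated truststore and hand only that to the SSLContext. This is an added example, not code from either poster; the truststore file name, its password and the servlet URL are assumptions, and it assumes the truststore was built with `keytool -import -alias tomcat -keystore client-truststore.jks -file tomcat.cert`.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TomcatHttpsClient {

    // Build an SSLContext whose trust decisions come only from the given
    // truststore (assumed to hold just the exported Tomcat certificate).
    // The JRE cacerts file is left untouched and no custom TrustManager is
    // needed: the default X509TrustManager does the chain check against
    // whatever is in this store.
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream in = new FileInputStream(path);
        try {
            trustStore.load(in, password);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: the client presents no certificate of its own;
        // null SecureRandom: use the provider default.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file name and password (the keytool default "changeit" is common).
        SSLContext ctx = contextFromTruststore("client-truststore.jks", "changeit".toCharArray());
        URL url = new URL("https://localhost:8443/myservlet"); // assumed servlet URL
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scope the custom trust to this connection only, rather than calling
        // HttpsURLConnection.setDefaultSSLSocketFactory for the whole JVM.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Hostname verification still runs: the CN entered at the keytool -genkey
        // "first and last name" prompt must match the host in the URL ("localhost").
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```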
 
clive jordan
Ranch Hand
Posts: 39
Thanks very much for the reply, I just wanted to check I understood things correctly. I have looked at some examples of using TrustManagers to accept
everything, but although I could have cut and pasted the code, I frankly did not understand it. I may revisit that when I have a better understanding of things :-)

Thanks again,
Clive
 