Configure Tomcat to use a trust store other than cacerts

Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
I'm running Tomcat 6 on Windows and would like to have Tomcat use a different trust store other than cacerts for Java client web requests. I've tried adding this setting:

-Djavax.net.ssl.trustStore="C:\ca.keystore"

To the registry in key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java

That doesn't seem to work though. It still uses the JRE cacerts store. Our Java code makes web requests to HTTPS endpoints and I would like to keep the certificates in a key store other than the JRE one because it gets removed when Java is uninstalled/updated.

Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
    
  21

Welcome to the JavaRanch, Andy!

The keystore location is defined via an attribute on the Connector for SSL/TLS.

And actually, unless I've been misled, the default location is the Tomcat user's $HOME/.keystore file. But I always use an explicit location, so I won't guarantee that.


Customer surveys are for companies who didn't pay proper attention to begin with.
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
Thanks for the welcome

Here is my connector config:

<Connector
port="8443"
protocol="HTTP/1.1"
keyAlias="tomcat"
keystoreFile="C:\.keystore"
keystorePass="changeit"
keystoreType="JKS"
truststoreFile="C:\ca.keystore"
truststorePass="changeit"
truststoreType="JKS"
algorithm="SunX509"
sslProtocol="TLS"
SSLEnabled="true"
scheme="https"
secure="true"
maxThreads="200"
clientAuth="false"
/>

But Tomcat still uses cacerts. I think the truststoreFile is just used to store client certificates from a client using a web browser and only used when clientAuth is set to true. I'm trying to change the one that is used when using an HTTP client such as the Apache HttpClient: http://www.java2s.com/Open-Source/Java-Document/Net/Apache-common-HttpClient/org.apache.commons.httpclient.htm .
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
    
  21

OK, since the basics are so basic, my first reply was just a general advisory. Usually when I do that it's kind of worthless, but it does kind of point out stuff that everyone needs to know.

I'm still not 100% clear I know what you're after, but the 2 most likely interpretations are:

1. You want Tomcat to communicate with some other server. Actually, that would be an application deployed inside Tomcat, since Tomcat doesn't do that. Or alternatively, an appendage to Tomcat such as a Realm using Web Services. In either case, I think that you'd have to provide the alternate keystore as an option to the code. Meaning Apache HttpClient OR java.net, which presumably is the underpinning to Apache HttpClient. Probably java.net, since I know that it does cookie-related stuff automatically and figure certs are in the same general ballpark.

2. You want an external HttpClient to use certificate-based authentication. Actually, Apache HttpClient doesn't matter here, since the protocols are what's critical and what works for HttpClient should work just as well for a web browser.

For case #2, the critical cert needs to be installed in the client. If you're going the full-paranoia both-sides-certified route, as I recall, you also need a server-side cert, but I would be greatly surprised if Tomcat didn't use the same keystore as it does for server-only cert SSL, and that's the keystore you set up in the Connector. However, you MIGHT need to supply an alias for matching to the client-side cert in your request OR in your security realm definition OR (AND/OR?) in the client request itself. At this point, I'd have to RTFM.
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9

Tomcat
|---> MyApp
|----------->httpclient ---> request to ---> https://anotherServer/index.html

This doesn't seem to work unless I put the X.509 certificate from 'anotherServer' into %JAVA_HOME%\lib\security\cacerts (the default certificate store installed with JRE).

What I'd like to do is store the certificate from 'anotherServer' in a JKS store other than cacerts. I was hoping there was a way to globally register my alternate key store without modifying code.
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
    
  21

Your diagram is incorrect. Tomcat isn't going to be making any such requests. I think probably you have this:


You can use JNDI to supply the keystore location to the webapp and that will eliminate the need to make application mods, but the application code is going to have to use the JNDI-supplied data to make its own cert location override for the connections it opens.
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
Ah, yeah, I was trying to show that Tomcat hosted MyApp and MyApp makes the httpclient request. Sorry for the confusion there. So it sounds like there's no way to make the httpclient request use something other than cacerts by putting something in server.xml or web.xml or the registry... Darn :-(
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
    
  21

"registry"? What is this "registry" thing of which you speak? My servers don't have anything called a "registry" in them.

Technically, you can define your application cert store location in server.xml (please don't!!!) and/or in web.xml. That would be the JNDI resource definition. The default value would be set in web.xml and you could then override it as needed in the webapp Context definition. Which could be placed in server.xml, but that is strongly discouraged these days in favor of an independent context XML file.

However, Tomcat itself neither knows nor cares what sort of silly outbound server requests any of its webapps makes, whether HTTP, FTP, LDAP, JMS, RMI or whatever. So it's up to the webapp itself to set up the environment for its own specialized configuration. JNDI can help, but it will require application logic to take the information from the JNDI directory service and set the appropriate interface property.
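Added example of the approach Tim describes, not code from the thread: the webapp reads its trust store location from a JNDI env-entry (the name app/trustStore and the web.xml entry are assumed) and builds an SSLContext from that JKS file, so only the connections it opens use the alternate trust store and the JVM-wide cacerts is left untouched.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.naming.InitialContext;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class AppTrustStore {

    // Assumed web.xml entry the code looks up:
    //   <env-entry>
    //     <env-entry-name>app/trustStore</env-entry-name>
    //     <env-entry-type>java.lang.String</env-entry-type>
    //     <env-entry-value>C:\ca.keystore</env-entry-value>
    //   </env-entry>
    public static String trustStoreFromJndi() throws Exception {
        InitialContext ic = new InitialContext();
        return (String) ic.lookup("java:comp/env/app/trustStore");
    }

    // Build an SSLContext whose trust anchors come only from the given JKS
    // file; the default (cacerts) trust managers are not consulted at all.
    public static SSLContext sslContextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // Per-connection override: nothing global (no system property) is changed.
    public static int fetchStatus(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        String path = args.length > 0 ? args[0] : trustStoreFromJndi();
        SSLContext ctx = sslContextFor(path, "changeit".toCharArray()); // password assumed
        System.out.println("HTTP " + fetchStatus("https://anotherServer/index.html", ctx));
    }
}
```

With Apache HttpClient the same SSLContext is handed to its SSL socket factory instead of HttpsURLConnection; a certificate not in ca.keystore then fails validation for this app only, which is easy to confirm by pointing it at an endpoint whose CA is only in cacerts.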
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
Ah thanks Tim, I'll need to research JNDI a bit more, I'm not too familiar with it.
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
Tim, it looks like this does the trick:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java

-Djavax.net.ssl.trustStore="C:\ca.keystore"
-Djavax.net.ssl.trustStorePassword="password"

I had it wrong... was using keyStore when I should have been using trustStore. So close!

This registry key is set up with the Windows service installer version.

Reference: http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html
Tim Holloway
Saloon Keeper

Joined: Jun 25, 2001
Posts: 16145
    
  21

OK. Normally, rather than using the Windows Registry, it's preferable to put those items in a TOMCAT_HOME\bin\setenv.bat file. Java apps in general should have nothing to do with the Registry, since it's not "write once/run anywhere" (to say nothing of being a major pain in the fundament). However, when launching as a Windows Service, the registry might be the only option.
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
It looks that way. The Tomcat Windows service installer (http://mirror.cc.columbia.edu/pub/software/apache/tomcat/tomcat-6/v6.0.32/bin/apache-tomcat-6.0.32.exe) installs tomcat6.exe in CATALINA_HOME\bin. The Windows service points to it as the executable with //RS /Tomcat6 as the command line arguments. My guess is that this is a bootstrapper which sets up the Tomcat Java process with parameters defined in that registry key.
Dave Tredinnick
Greenhorn

Joined: Apr 26, 2011
Posts: 2
Well, I have been reading manuals, how-tos, readmes, blogs and forums at OpenSSL, Apache and Sun Java, but I had to come to coderanch to find the crucial information supplied by a "Greenhorn":

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java

-Djavax.net.ssl.trustStore="C:\ca.keystore"
-Djavax.net.ssl.trustStorePassword="password"

The second and third lines are available elsewhere, but I have been unable to find any documentation that refers to Tomcat looking in the registry for its settings.

Thank you so much coderanch and Andy Arismendi in particular.

Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
Dave I'm glad this helped you. I definitely agree that there seems to be a lack of documentation on this topic. It would be great if this was covered here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html .

Dave Tredinnick
Greenhorn

Joined: Apr 26, 2011
Posts: 2
Andy, this did more than help me - it saved me from the asylum ;)

It seems that the Tomcat documenters and many others (even on this site) have not considered the possibility that a client application on Tomcat, when run as a Windows service, would need to trust a certificate when Tomcat is not configured for SSL.

Thanks to you I was able to have a relaxing weekend without thinking that I had lost my marbles.
Charanya Rajagopalan
Greenhorn

Joined: Jun 28, 2011
Posts: 2

Thanks, this was very helpful!!

I wanted to mention - you don't have to update the Registry directly. Just open the Configure Tomcat exe (tomcat6w.exe) under Tomcat/bin (only if you have installed Tomcat as a Service). Use the Java tab (Java options box) to set the truststore & truststorepassword properties - they will directly get saved into the Registry.
Esmond Pitt
Greenhorn

Joined: Jan 08, 2012
Posts: 1
The following working server.xml element disproves every contention made here by the OP. It has a Connector element with a truststoreFile= attribute and a clientAuth="false" attribute; it has no reliance on the Registry or the default JDK truststore; and it works. The Registry entries described by the OP are not required; they are another mechanism to the same end.



I suspect the real problem here was the backslash in the filename.
Paul Clapham
Bartender

Joined: Oct 14, 2005
Posts: 18675
    
    8

Welcome to the Ranch, Esmond Pitt!
Andy Arismendi
Greenhorn

Joined: Mar 02, 2011
Posts: 9
Esmond, your connector is for an SSL connection between the browser and Tomcat. This wasn't what I was looking for. The problem I was trying to solve was a connection between the webapp and a remote (https) website.

My blog post about this documents what I was trying to achieve in great detail. If you noticed, in my blog post I'm using a regular HTTP connector to demonstrate the problem.

http://andyarismendi.blogspot.com/2012/01/changing-tomcats-ca-trust-keystore-file.html

The registry is only needed for the version of Tomcat that uses the Windows installer. If you use the one with the batch script the parameters would be specified in the batch script.

Nicola Farina
Greenhorn

Joined: Jan 23, 2013
Posts: 1

Hi
I have the same problem...
but I have no ca.keystore file on my Windows (2008 Server R2) machine .. (or, at least, I can't find it)
I've googled, looked in the mmc->certificates snap-in but haven't found a specific file location
seems a registry thing .....
thanks for any tip :-)
bye
Nicola

Andy Arismendi wrote:Tim, it looks like this does the trick:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java

-Djavax.net.ssl.trustStore="C:\ca.keystore"
-Djavax.net.ssl.trustStorePassword="password"

I had it wrong... was using keyStore when I should of been using trustStore. So close!

This registry key is setup with the Windows service installer version.

Reference: http://fusesource.com/docs/broker/5.3/security/SSL-SysProps.html
 