
Public SSL Key with Tomcat

 
Ranch Hand
Posts: 43
Hi All,

I am slowly getting to the bottom of applying SSL throughout my project but am stuck in the current situation.

Project is a Java servlet running on Windows. Java 1.6 and Tomcat 7

My Java servlet connects to both an Oracle database (running on Unix) and a SQL Server database. We have a keystore set up successfully on the servlets' server with root, intermediate certificates etc that encrypt the connection to Oracle. The server team maintaining the server hosting the SQL Server database have supplied me with an SSL certificate. I am assuming it is a public key certificate.

I am trying to apply this certificate to encrypt the network traffic to the SQL Server database. I have attempted to import the certificate into the keystore mentioned above using the Java keytool but this does not work so I deleted the certificate from the keystore again. I found the URL below which I have followed to install the certificate through MMC but cannot find how to now force Tomcat to encrypt the network traffic.

http://support.microsoft.com/kb/316898

Can someone please tell me what I am missing here please? There is loads of guidance on setting up keystores with root and intermediate certificates etc, but I cannot find any guidance on what to do in Tomcat to use a single provided SSL certificate. Do I use the Java cacerts file and import the certificate in there?

Thanks in advance

Regards

AJF
 
Saloon Keeper
Posts: 27762
The keystore is used for Tomcat operating as a server for web clients.

What you want is to support Tomcat operating as a client to your databases.

There's no real standard for doing that, unfortunately. Every database server does it differently. Much differently. When they do it at all.

This paper should help in setting up a JDBC connection pool for SSL Oracle when using the thin driver:

http://www.oracle.com/technetwork/database/enterprise-edition/wp-oracle-jdbc-thin-ssl-130128.pdf

At a quick glance, I got the impression that you more or less set up the Oracle server for SSL and the thin driver automatically detects it and operates accordingly.

SQL Server gets its marching orders from the JDBC URL: http://technet.microsoft.com/en-us/library/bb879949.aspx

As does, incidentally, MySQL, which I haven't supplied a URL since it's not been asked for.

Note that whether any of these will accept a client-side SSL certificate is another matter. I'm not even sure whether the usual SSL mechanisms for cert support apply, and doubly-so in the case of Windows. For Linux, if they did, they'd be stored under the tomcat user's ".ssh" directory, not as part of Tomcat.
 
A Farroll
Ranch Hand
Posts: 43
Hi Tim Holloway,

Thanks for your response.

Yes. That's a good description of what I need to do. Have Tomcat be the client for an SSL connection to a SQL Server database. Is this possible?

The Oracle connections are all encrypting okay so not an Oracle problem but maybe a JDBC problem. The JDBC JAR we are using for connection to the SQL Server database is "sqljdbc-1.2.0.jar".

I have attempted adding the certificate through the MMC and amending SQL Server Configuration Manager by right-clicking the "SQL Native Client Configuration" and selecting to "Force Protocol Encryption". I have attempted adding the certificate to the set up keystore (using both -import and -importcert) but this was unsuccessful. I have imported the certificate into Java's keystore at:

%JAVA_HOME%\lib\security\cacerts

But this too was unsuccessful.

I have followed the guidance on several websites such as:

http://technet.microsoft.com/en-us/library/bb879943.aspx

http://social.msdn.microsoft.com/Forums/sqlserver/en-US/fc97060a-4993-4109-ad35-de1277d9f4f1/error-17835-when-client-computers-connect-to-the-sql-server-2005-ssl-certificate-problem?forum=sqlsecurity

http://technet.microsoft.com/en-us/library/ms191192.aspx

http://technet.microsoft.com/en-us/library/ms181035.aspx

But so far nothing works. Please can someone help.

Thanks in advance

AJFarroll
 
Tim Holloway
Saloon Keeper
Posts: 27762
I recommend that you cobble up a stand-alone Java application that attempts to make an encrypted connection the way you want to.

If you can get that to work, making it work within a Tomcat database connection pool should be relatively easy.

SQL Server has a number of channels available for client/server communication and the JDBC one (port 1443) isn't enabled by default. I am unclear whether the SQL Server jdbc driver supports encrypted transport or not. You might want to check out the open-source JDBC SQL Server client on SourceForge, however. I was using it several years back because at the time it handled transactions better than the Microsoft-supplied SQL Server JDBC driver.
 
A Farroll
Ranch Hand
Posts: 43
I may have a little progress on this. In the Tomcat context.xml file I amended the relevant JNDI resource tag so that the "URL" parameter includes this: integratedSecurity=true;encrypt=true;trustServerCertificate=true.

Now when I attempt a web request using SoapUI I get an empty tag returned in the SoapUI response, but the Tomcat output states:

com.microsoft.sqlserver.jdbc.AuthenticationJNI
WARNING: Failed to load the sqljdbc_auth.dll

and

org.hibernate.exception.GenericJDBCException: Cannot open connection

It is as if it now only needs to find and use the correct SSL certificate. Is this correct and if so what do I do now?

Regards

AJFarroll
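
The stand-alone test suggested earlier in the thread, as an added example that is not code from any poster: it requests encryption with certificate validation switched on (trustServerCertificate=false, unlike the trustServerCertificate=true tried above, which encrypts without checking the server's certificate) and then asks the server whether the session is encrypted. The class name, environment variable names and trust store file names are assumptions; it uses SQL authentication, so sqljdbc_auth.dll is not involved.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;

// Added example: stand-alone TLS check for a SQL Server JDBC connection.
// Trust store built beforehand (file names are assumptions):
//   keytool -importcert -alias sqlserver -file server.cer -keystore sqlserver-trust.jks
public class SqlServerTlsCheck {
    // encrypt=true requests TLS; trustServerCertificate=false makes the driver
    // validate the server certificate and its host name against the trust store.
    static String buildUrl(String host, String port, String db, String trustStore, String tsPass) {
        return "jdbc:sqlserver://" + host + ":" + port + ";databaseName=" + db
                + ";encrypt=true;trustServerCertificate=false"
                + ";hostNameInCertificate=" + host
                + ";trustStore=" + trustStore + ";trustStorePassword=" + tsPass;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) {
            System.err.println("usage: SqlServerTlsCheck <host> <port> <database> <trustStorePath>");
            System.exit(2);
        }
        // Secrets come from the environment (variable names are assumptions).
        String url = buildUrl(args[0], args[1], args[2], args[3], System.getenv("TRUSTSTORE_PASSWORD"));
        Class.forName("com.microsoft.sqlserver.jdbc.SQLServerDriver");
        int status = 0;
        Connection con = null;
        try {
            // SQL authentication: no integratedSecurity, so sqljdbc_auth.dll is not needed.
            con = DriverManager.getConnection(url, System.getenv("DB_USER"), System.getenv("DB_PASSWORD"));
            Statement st = con.createStatement();
            // Ask the server whether this session is encrypted (needs VIEW SERVER STATE).
            ResultSet rs = st.executeQuery(
                "SELECT encrypt_option FROM sys.dm_exec_connections WHERE session_id = @@SPID");
            rs.next();
            System.out.println("Server reports encrypt_option = " + rs.getString(1));
        } catch (SQLException e) {
            // An untrusted certificate shows up as an SSL failure in the cause chain.
            status = 1;
            for (Throwable t = e; t != null; t = t.getCause()) {
                System.err.println(t.getClass().getName() + ": " + t.getMessage());
            }
        } finally {
            if (con != null) con.close();
        }
        System.exit(status);
    }
}
```

Once this connects and reports TRUE, the same URL properties can be moved into the JNDI resource in context.xml.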
 