Coyote or Keystore?

 
Bartender
Is Coyote considered a more current way to secure Tomcat than all the (painful) steps to generate a keystore file?

I like that Coyote just refers to the cert files directly.

Thanks,

- mike
 
Marshal
Isn't Coyote the HTTP connector part of Tomcat?
 
Mike London
Bartender
My question was whether using Coyote is a better approach than the manual process of creating a keystore.

Maybe neither approach is better, just two ways of doing the same thing: Implementing the SSL certificate.

Sorry my question was unclear.

Thanks,

-mike
 
Saloon Keeper
I still don't understand what you mean. Coyote doesn't implement SSL certificates. It uses an existing SSL implementation to set up a secure connector.

Coyote doesn't store or create key stores. If you use OpenSSL as your SSL implementation, Coyote needs a path to a PEM-encoded key file. If you use JSSE as your SSL implementation, Coyote might use a key store. Either way, YOU are responsible for creating and managing the keys.
 
Ron McLeod
Marshal
There should be nothing confidential in the certs, but you do need to protect the private key.  If you don't use a keystore, how would you keep the private key safe?
 
Stephan van Hulst
Saloon Keeper
I think what Mike means is, if he has a PEM-encoded certificate file, then why should he go through the trouble of converting it into a JKS/PKCS12 certificate file?

Honestly, it doesn't really matter what you use. If you already have a PEM-encoded certificate, good for you. Use it and be done with it.
 
Mike London
Bartender
Stephan van Hulst wrote:I think what Mike means is, if he has a PEM-encoded certificate file, then why should he go through the trouble of converting it into a JKS/PKCS12 certificate file?

Honestly, it doesn't really matter what you use. If you already have a PEM-encoded certificate, good for you. Use it and be done with it.

Thank you! Yes, that's all I was asking.

-- mike
 
Mike London
Bartender
Ron McLeod wrote:There should be nothing confidential in the certs, but you do need to protect the private key. If you don't use a keystore, how would you keep the private key safe?

That is a good point and supports using the keystore approach, I guess.

Thanks Ron.

-- mike
 
Saloon Keeper
You use a keystore if Tomcat is handling SSL/HTTPS itself. You use a Coyote connector if you're using Apache to handle the HTTPS traffic and proxying it to Tomcat.

It's really kind of apples and oranges. In theory, someone could tap into the Coyote data stream and man-in-the-middle between Apache and Tomcat, but that would indicate you've got really rotten internal network security - especially if Tomcat is accessed as a localhost.

On the other hand, the only way for Tomcat to be able to listen directly on port 443 is to either run Tomcat as an administrator (BAD IDEA!) or use a port-forwarder to route incoming traffic from port 443 to port 8443 (or whatever Tomcat's using).

Personally, I prefer neither. I'm using Nginx as my primary external web contact point and it's using HTTP proxying to Tomcat. Coyote uses the AJP protocol, but that's specific to Apache. Since I run all that stuff in my DMZ, there's little difference in security.

So one reason I proxy is to simplify the external contact points for all my back-end servers and apps and have centralized cert management for both Java and non-Java apps.

The other reason is that it's kind of a pain to set up a keystore, since step 1 usually involves taking an Apache cert and key and converting them to a format that the keystore will love.
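An added example, not code from anyone in this thread, tying together three points made above: Stephan's note that the connector reads either a PEM key file or a keystore, Ron's question of how the private key stays safe without a keystore, and Tim's "step 1" of converting an Apache-style key and cert into something a keystore accepts. The Tomcat 9/10 attribute names in the comments are the documented ones; the paths and the password are placeholders, the test material is a throwaway self-signed pair generated on the spot, and the script assumes the openssl CLI is installed (the permission and encryption checks work without it):

```shell
#!/bin/sh
# Added example (not from the thread): keeping a Tomcat TLS private key safe
# whichever storage form the connector is pointed at.
#
# Assumed Tomcat 9/10 connector attributes; paths and password are placeholders:
#   PEM form:      <Certificate certificateKeyFile="/etc/tomcat/tls/server.key"
#                               certificateFile="/etc/tomcat/tls/server.crt"
#                               certificateChainFile="/etc/tomcat/tls/chain.pem"/>
#   Keystore form: <Certificate certificateKeystoreFile="/etc/tomcat/tls/server.p12"
#                               certificateKeystoreType="PKCS12"
#                               certificateKeystorePassword="changeit"/>
# In both forms the private key sits on disk, so the same checks apply.

# Return 0 if FILE is a regular file whose group/other permission bits are all
# clear (e.g. 600 or 400), 1 otherwise. Tries GNU stat, then BSD stat.
check_key_perms() {
    f=$1
    [ -f "$f" ] || return 1
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f" 2>/dev/null) || return 1
    case "$mode" in
        *00) return 0 ;;   # last two octal digits zero: only the owner can read it
        *)   return 1 ;;
    esac
}

# Return 0 if the PEM private key in FILE is encrypted (PKCS#8 or legacy
# OpenSSL header), 1 if it is stored in the clear. A cleartext key is guarded
# by file permissions alone; Tomcat can open an encrypted one given
# certificateKeyPassword.
pem_key_is_encrypted() {
    grep -q -e 'BEGIN ENCRYPTED PRIVATE KEY' -e 'Proc-Type: 4,ENCRYPTED' "$1"
}

# Return 0 if the public key in KEY equals the one in CERT, catching a
# mismatched pair before Tomcat refuses to start the connector.
keys_match() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Convert KEY + CERT (+ optional CHAIN) into the PKCS12 keystore OUT under the
# alias "tomcat", protected by PASS, and lock the file down like the key.
# Older JDKs cannot read OpenSSL 3's default PKCS12 ciphers; add -legacy if
# Tomcat rejects the file.
pem_to_pkcs12() {
    key=$1 cert=$2 chain=$3 out=$4 pass=$5
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name tomcat -passout "pass:$pass" -out "$out" || return 1
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name tomcat -passout "pass:$pass" -out "$out" || return 1
    fi
    chmod 600 "$out"
}

# Demo on constructed material: a throwaway self-signed key and certificate.
main() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping demo"; return 0; }
    d=$(mktemp -d) || return 1
    trap 'rm -rf "$d"' EXIT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj '/CN=localhost' \
        -keyout "$d/server.key" -out "$d/server.crt" 2>/dev/null || return 1
    chmod 644 "$d/server.key"      # the usual mistake after copying files around
    check_key_perms "$d/server.key" && echo "unexpected: key is readable by others"
    chmod 600 "$d/server.key"
    check_key_perms "$d/server.key" && echo "key permissions ok"
    pem_key_is_encrypted "$d/server.key" || echo "warning: key is stored in the clear"
    keys_match "$d/server.key" "$d/server.crt" && echo "key matches certificate"
    pem_to_pkcs12 "$d/server.key" "$d/server.crt" "" "$d/server.p12" changeit \
        && echo "wrote PKCS12 keystore $d/server.p12 with alias tomcat"
}

main "$@"
```

Run it as the account Tomcat runs under, against the real key path, before pointing `certificateKeyFile` or `certificateKeystoreFile` at the file; a PKCS12 produced this way is what `certificateKeystoreType="PKCS12"` expects, and the mode check is exactly the protection a keystore would otherwise give the key.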
 