Coyote or Keystore?

 
Bartender
Is Coyote considered a more current way to secure Tomcat than all the (painful) steps to generate a keystore file?

I like that Coyote just refers to the cert files directly.

Thanks,

- mike
 
Marshal
Isn't Coyote the HTTP connector part of Tomcat?
 
Mike London
Bartender
My question was whether using Coyote is a better approach than the manual process of creating a keystore.

Maybe neither approach is better, just two ways of doing the same thing: Implementing the SSL certificate.

Sorry my question was unclear.

Thanks,

-mike
 
Saloon Keeper
I still don't understand what you mean. Coyote doesn't implement SSL certificates. It uses an existing SSL implementation to set up a secure connector.

Coyote doesn't store or create key stores. If you use OpenSSL as your SSL implementation, Coyote needs a path to a PEM-encoded key file. If you use JSSE as your SSL implementation, Coyote might use a key store. Either way, YOU are responsible for creating and managing the keys.
 
Ron McLeod
Marshal
There should be nothing confidential in the certs, but you do need to protect the private key.  If you don't use a keystore, how would you keep the private key safe?
 
Stephan van Hulst
Saloon Keeper
I think what Mike means is, if he has a PEM-encoded certificate file, then why should he go through the trouble of converting it into a JKS/PKCS12 certificate file?

Honestly, it doesn't really matter what you use. If you already have a PEM-encoded certificate, good for you. Use it and be done with it.
 
Mike London
Bartender

Stephan van Hulst wrote:
I think what Mike means is, if he has a PEM-encoded certificate file, then why should he go through the trouble of converting it into a JKS/PKCS12 certificate file?

Honestly, it doesn't really matter what you use. If you already have a PEM-encoded certificate, good for you. Use it and be done with it.

Thank you! Yes, that's all I was asking.

-- mike
 
Mike London
Bartender

Ron McLeod wrote:
There should be nothing confidential in the certs, but you do need to protect the private key. If you don't use a keystore, how would you keep the private key safe?

That is a good point and supports using the keystore approach, I guess.

Thanks Ron.

-- mike
 
Saloon Keeper
You use a keystore if Tomcat is handling SSL/HTTPS itself. You use a Coyote connector if you're using Apache to handle the HTTPS traffic and proxying it to Tomcat.

It's really kind of apples and oranges. In theory, someone could tap into the Coyote data stream and man-in-the-middle between Apache and Tomcat, but that would indicate you've got really rotten internal network security - especially if Tomcat is accessed as a localhost.

On the other hand, the only way for Tomcat to be able to listen directly on port 443 is to either run Tomcat as an administrator (BAD IDEA!) or use a port-forwarder to route incoming traffic from port 443 to port 8443 (or whatever Tomcat's using).

Personally, I prefer neither. I'm using Nginx as my primary external web contact point and it's using HTTP proxying to Tomcat. Coyote uses the AJP protocol, but that's specific to Apache. Since I run all that stuff in my DMZ, there's little difference in security.

So one reason I proxy is to simplify the external contact points for all my back-end servers and apps and have centralized cert management for both Java and non-Java apps.

The other reason is that it's kind of a pain to set up a keystore, since step 1 usually involves taking an Apache cert and key and converting them to a format that the keystore will love.
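As an added example that is not code from any post in this thread: the conversion Tim describes in his last paragraph (an Apache-style PEM certificate and key turned into a PKCS12 keystore Tomcat's JSSE connector can load), combined with the private-key protection Ron asked about. It assumes openssl is on PATH; the function names, the entry alias "tomcat" and the file names are my own.

```shell
#!/bin/sh
# Added example, not code from the thread. Turns an Apache-style PEM
# certificate and private key into a PKCS12 keystore that Tomcat's JSSE
# connector can load, and refuses to proceed if the private key is readable
# by anyone but its owner. Assumes openssl is on PATH; names are my own.

# Succeed only if FILE exists and has no group/other permission bits.
# Uses ls -l rather than stat because stat's flags are not portable.
key_is_private() {
  f="$1"
  [ -f "$f" ] || return 1
  mode=$(ls -l "$f" | cut -c5-10)   # columns 5-10 are the group/other bits
  [ "$mode" = "------" ]
}

# Usage: pem_to_pkcs12 CERT.pem KEY.pem OUT.p12 PASSWORD [CHAIN.pem]
# The entry alias "tomcat" is an arbitrary choice for this example.
pem_to_pkcs12() {
  cert="$1"; key="$2"; out="$3"; pass="$4"; chain="${5:-}"
  if ! key_is_private "$key"; then
    echo "refusing: $key is readable by group or others; chmod 600 it first" >&2
    return 1
  fi
  set -- -export -in "$cert" -inkey "$key" -name tomcat \
         -out "$out" -passout "pass:$pass"
  if [ -n "$chain" ]; then
    set -- "$@" -certfile "$chain"   # intermediate certs go into the same entry
  fi
  # umask 077 in a subshell so the keystore itself is created owner-only
  ( umask 077; openssl pkcs12 "$@" ) || return 1
  key_is_private "$out"
}

# Stand-alone use: sh pem2p12.sh cert.pem key.pem tomcat.p12 changeit [chain.pem]
if [ "$#" -ge 4 ]; then
  pem_to_pkcs12 "$@"
fi
```

Tomcat 8.5 and later can reference either form from its Certificate element (certificateKeystoreFile for the .p12, certificateKeyFile and certificateFile for PEM), so the same permission check applies to whichever file holds the private key.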
 