Configure Tomcat to use a trust store other than cacerts

I'm running Tomcat 6 on Windows and would like to have Tomcat use a trust store other than cacerts for Java client web requests. I've tried adding this setting:

-Djavax.net.ssl.trustStore="C:\ca.keystore"

To the registry in key:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java

That doesn't seem to work though. It still uses the JRE cacerts store. Our Java code makes web requests to HTTPS endpoints and I would like to keep the certificates in a key store other than the JRE one, because it gets removed when Java is uninstalled or updated.

Andy Arismendi asked Mar 02 '11 00:03


People also ask

Does Tomcat use cacerts?

But Tomcat still uses cacerts. I think the truststoreFile is just used to store client certificates from a client using a web browser and only used when clientAuth is set to true.

Where is Tomcat trust store?

Tomcat truststores are used to validate client certificates. On the Ubuntu OS, by default Tomcat uses the "cacerts" file as the CA trust store. The file is located in the /etc/ssl/certs/java/ folder with a link to the file in $JAVA_HOME/lib/security/cacerts.

Is cacerts a keystore or truststore?

'cacerts' is a truststore. A trust store is used to authenticate peers. A keystore is used to authenticate yourself.

What is the difference between a keystore and a truststore?

A keystore is used to store the private key and identity certificates that a program presents to the other party (server or client) for verification. A truststore is used to store certificates from Certificate Authorities (CAs) that verify the certificate presented by the server in an SSL connection.


1 Answer

Turns out I was missing trustStorePassword. Here is the solution:

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java

-Djavax.net.ssl.trustStore="C:\ca.keystore"
-Djavax.net.ssl.trustStorePassword="password"

Update: There seems to be some confusion in some of the comments here between what this setting and truststoreFile from server.xml do. I created a blog entry to explain the problem (in great detail), how this solution addresses it, and why changing server.xml does not.

Andy Arismendi answered Sep 21 '22 21:09
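The answer above edits the Procrun registry key by hand. The following PowerShell script is an added example (not part of the original question or answer) that does the same thing in a repeatable way and adds the checks a practitioner would want first: it confirms the trust store can actually be opened with the given password using keytool, then appends the two -D options to the Procrun "Options" multi-string value and restarts the service. It assumes Tomcat 6 was installed as a Windows service through Procrun (so JVM options live under the Parameters\Java key named in the question, in a REG_MULTI_SZ value called Options), that the service is named Tomcat6, and that JAVA_HOME points at the JDK used by Tomcat; the store path and password are placeholders taken from the answer.

```powershell
# Added example: configure a Tomcat 6 (Procrun) service to use a custom JVM trust store.
# Assumptions: service name "Tomcat6", JVM options stored in the "Options" REG_MULTI_SZ
# value of the Procrun key below, keytool available under $env:JAVA_HOME. Not from the post.
$key                = 'HKLM:\SOFTWARE\Wow6432Node\Apache Software Foundation\Procrun 2.0\Tomcat6\Parameters\Java'
$serviceName        = 'Tomcat6'                 # assumed default service name
$trustStore         = 'C:\ca.keystore'          # placeholder path from the answer
$trustStorePassword = 'password'                # placeholder; use the real store password

# 1. The trust store must exist, otherwise the JVM silently falls back to cacerts.
if (-not (Test-Path -LiteralPath $trustStore)) {
    throw "Trust store not found: $trustStore"
}

# 2. Prove the password opens the store before touching the service configuration.
#    keytool -list exits non-zero on a wrong password or an unreadable store.
$keytool = Join-Path $env:JAVA_HOME 'bin\keytool.exe'
& $keytool -list -keystore $trustStore -storepass $trustStorePassword | Out-Null
if ($LASTEXITCODE -ne 0) {
    throw "keytool could not open $trustStore with the supplied password"
}

# 3. Read the current JVM options. Procrun hands each line of this value to the JVM
#    as-is (no shell parsing), so the path is written without surrounding quotes.
$options = @((Get-ItemProperty -Path $key -Name Options).Options)

# Drop any earlier trustStore / trustStorePassword lines so they are not duplicated.
$options = @($options | Where-Object { $_ -notmatch '^-Djavax\.net\.ssl\.trustStore(Password)?=' })
$options += "-Djavax.net.ssl.trustStore=$trustStore"
$options += "-Djavax.net.ssl.trustStorePassword=$trustStorePassword"

Set-ItemProperty -Path $key -Name Options -Value ([string[]]$options) -Type MultiString

# 4. The running JVM only reads these properties at startup, so restart the service.
Restart-Service -Name $serviceName

# 5. Show the resulting options so the change can be verified.
(Get-ItemProperty -Path $key -Name Options).Options | Where-Object { $_ -like '-Djavax.net.ssl.*' }
```

Run this from an elevated PowerShell session, since the key sits under HKLM. Note that the password is stored in the registry in clear text, exactly as in the answer; restrict the key's ACL to administrators and the service account if the store password matters. Keeping the store outside the JRE directory, as the question intends, also means a JRE update can no longer silently replace your trusted CAs with the stock cacerts set.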