Adding an external server's self-signed certificate to my Tomcat's trusted certificates

Time: 2021-05-03 16:55:55

My Tomcat needs to connect to another web server (at https://foreign.example.com) using SSL (TLS).

foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is:

$JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore $JRE/lib/security/cacerts

This works: My Tomcat allows the SSL connection.

However, I don't like to do it this way: It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.

So I tried importing it into the tomcat-user's keystore at ~/.keystore, and setting up Tomcat's <Connector> with these attributes:

keystoreFile="${user.home}/.keystore"
keystorePass="thePassphraseICreatedTheKeystoreWith"

However, that doesn't work at all (I believe this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?)

I tried the same with the truststoreFile/truststorePass attributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)

Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to java which makes my keystore (and keystore passphrase) available to the JVM instance?

2 Answers

#1


7  

JBoss (which is based on Tomcat) can be run with the following cmd arguments. The cacerts file (or however you would like to name it) must contain the cert of the endpoint.

-Djavax.net.ssl.trustStore=C:\Applications\jboss-as\server\default\conf\cacerts -Djavax.net.ssl.trustStorePassword=changeit

Therefore this should also work for Tomcat.

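
For Tomcat, the -Djavax.net.ssl.trustStore / -Djavax.net.ssl.trustStorePassword arguments from this answer would go into CATALINA_OPTS in bin/setenv.sh. Note that those properties replace the JVM's default cacerts rather than extending it, so a truststore built for that flag should normally start as a copy of $JRE/lib/security/cacerts with the foreign certificate imported on top. The question also asks for something narrower than "every Java process on the machine": trust that applies only to the application making the connection. The following is an added example, not code from the question or either answer, showing how a Java application (for instance a web app deployed in Tomcat) can load a dedicated truststore and use it for a single outbound HTTPS connection, leaving both the JVM-wide cacerts and the Connector configuration untouched. The truststore path, alias, store password and the hostname foreign.example.com are placeholders; the keytool command shown in the comment is assumed to have been run beforehand.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original question or answers): trust a
 * self-signed server certificate for ONE application's outbound HTTPS
 * connections only, by building an SSLContext from a dedicated truststore
 * instead of editing $JRE/lib/security/cacerts or setting the JVM-wide
 * javax.net.ssl.trustStore property.
 *
 * The truststore is assumed to have been created with keytool, e.g.:
 *   keytool -importcert -alias foreign -file ssl-cert-myselfsigned.cer \
 *           -keystore /etc/tomcat/foreign-truststore.p12 -storetype PKCS12 \
 *           -storepass changeit -noprompt
 * A self-signed certificate imported this way acts as its own trust anchor,
 * so the PKIX trust manager accepts exactly that certificate (and nothing
 * else, since the store contains no public CA certificates).
 */
public final class ForeignTrust {

    /** Build an SSLContext whose only trust anchors are the entries in the given store. */
    public static SSLContext sslContextFromTrustStore(String path, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        // Default algorithm is PKIX: chain validation against the anchors in `ts` only.
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        // No key managers (no client certificate), no custom SecureRandom.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Open an HTTPS connection that uses the dedicated context. The socket factory is
     * set per connection, not via HttpsURLConnection.setDefaultSSLSocketFactory, so
     * other code in the same JVM keeps the default trust anchors. Hostname
     * verification is left at its default, so the certificate must still match
     * the host being connected to.
     */
    public static int fetchStatus(String url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        conn.setRequestMethod("GET");
        return conn.getResponseCode();
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = sslContextFromTrustStore(
                "/etc/tomcat/foreign-truststore.p12", "changeit".toCharArray());
        System.out.println("HTTP status: " + fetchStatus("https://foreign.example.com/", ctx));
    }
}
```

Because the context is built from a store holding only the self-signed certificate, this code will refuse any other server, including ones with publicly trusted certificates; that is the intended scope. If the same application also needs to reach public sites, use a separate default context for those, or import the public CAs into the dedicated store as well.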

#2


0  

An alternative approach is to add it to the SSL connector in your Tomcat server.xml file. Specifically you need to set the truststoreFile properties to enable trust of certificates from other servers.

        <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" keystorePass="changeit"
               truststoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" truststorePass="changeit"/>
