Javier,

On 8/28/14, 3:14 PM, Javier Conti wrote:
> On 28 August 2014 13:50, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
>> 2014-08-28 14:46 GMT+04:00 Javier Conti <javier.co...@gmail.com>:
>>> Hi all,
>>>
>>> in a Tomcat 7.0.53 container we are running an application which needs to
>>> use client certificates to connect to other web services. This is currently
>>> done by configuring a keystore containing keys, certificates and CAs for
>>> the JVM (via command line arguments) as follows:
>>>
>>> -Djavax.net.ssl.keyStore=$keystore_path
>>> -Djavax.net.ssl.keyStorePassword=$keystore_password
>>> -Djavax.net.ssl.keyStoreType=jks
>>> -Djavax.net.ssl.trustStore=$keystore_path
>>> -Djavax.net.ssl.trustStorePassword=$keystore_password
>>> -Djavax.net.ssl.trustStoreType=jks
>>>
>>> This configuration works and requires no changes in the application code.
>>> However, since we have to pass those command line arguments in the startup
>>> script somehow (including the password, which can be seen in the running
>>> process list), we are considering the various options to "cleanup" the
>>> configuration. In particular, we are investigating the possibility of
>>> configuring all that in the server.xml configuration file.
>>>
>>> I've found many examples of Tomcat SSL configuration but all deal with
>>> configuring the "server side", not the "client side" for applications
>>> running inside the container. By the way, for the Connector we're using the
>>> Native one with OpenSSL (and we could use x509 and RSA for the client side
>>> too).
>>>
>>> Does anybody have some pointers to documentation or examples?
>>
>> You can configure a KeyStore and TrustStore programmatically, without
>> relying on system properties. Tomcat does so in its source code (search for
>> "import javax.net.ssl") and tests (e.g.
>> test/org.apache.tomcat.util.net.TesterSupport.configureClientSsl()), but
>> passing those to your HTTP client depends on what client you are using and
>> on the API of that client.
>>
>> You are not saying what client implementation you are using. It may be
>> better to ask on their mailing lists.
>
> While this could be feasible, our developers use various APIs and according
> to them it would be rather complicated to maintain the code should the
> client authentication be performed in it. However, the current
> implementation (a cert for the whole JVM) seems to be sufficient for our use
> case: we'd just like to take the password out of the command line arguments,
> so non-privileged users performing other tasks on the servers wouldn't see
> it.

You can try setting that property in CATALINA_BASE/conf/catalina.properties.

-chris
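An added example, not code from the thread or from Tomcat itself, showing the programmatic route Konstantin mentions, applied JVM-wide so the applications still need no changes: the keystore password is read from a file that only the Tomcat user can read, the key store and trust store are turned into an SSLContext, and that context is installed with SSLContext.setDefault(). Compared with the -D flags, the password no longer appears in the process list (ps, /proc/<pid>/cmdline); compared with catalina.properties, whose entries Tomcat registers as System properties at startup, it also never becomes a System property that jinfo or any webapp calling System.getProperty() could read. The paths /etc/tomcat/client-keystore.jks and /etc/tomcat/client-keystore.password, the JKS type and the class name are assumptions for illustration.

```java
// Added example (not from the thread or from Tomcat): install a client-certificate
// SSLContext as the JVM default, with the keystore password read from a
// mode-0600 file instead of the command line. Paths below are assumptions.
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Set;

import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public final class ClientSslBootstrap {

    /**
     * Reads the keystore password from a file and refuses to continue if the
     * file is readable by group or others (POSIX file systems only).
     */
    static char[] readPassword(Path passwordFile) throws IOException {
        Set<PosixFilePermission> perms = Files.getPosixFilePermissions(passwordFile);
        for (PosixFilePermission p : perms) {
            if (p != PosixFilePermission.OWNER_READ && p != PosixFilePermission.OWNER_WRITE) {
                throw new IOException(passwordFile + " must be readable only by its owner (chmod 600); found " + perms);
            }
        }
        // Drop the trailing newline an editor typically adds when the file is written.
        String raw = new String(Files.readAllBytes(passwordFile), StandardCharsets.UTF_8);
        return raw.replaceAll("[\\r\\n]+$", "").toCharArray();
    }

    /** Loads a keystore of the given type (e.g. "JKS" or "PKCS12") from disk. */
    static KeyStore loadKeyStore(Path file, String type, char[] password)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * Builds an SSLContext that presents the client key/certificate from keyStore
     * and trusts the CA certificates in trustStore. This is the programmatic
     * equivalent of the javax.net.ssl.keyStore* / trustStore* system properties.
     */
    static SSLContext buildContext(KeyStore keyStore, char[] keyPassword, KeyStore trustStore)
            throws GeneralSecurityException {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        Path keyStorePath = Paths.get("/etc/tomcat/client-keystore.jks");      // assumed location
        Path passwordPath = Paths.get("/etc/tomcat/client-keystore.password"); // assumed, chmod 600
        char[] password = readPassword(passwordPath);
        try {
            KeyStore ks = loadKeyStore(keyStorePath, "JKS", password);
            // As in the thread, one JKS file serves as both key store and trust store,
            // and the key entry password is assumed to equal the store password.
            SSLContext ctx = buildContext(ks, password, ks);
            // Every client that obtains its factory via SSLContext.getDefault()
            // (HttpsURLConnection's default SSLSocketFactory does) now authenticates
            // with this certificate, with no javax.net.ssl.* system properties set.
            SSLContext.setDefault(ctx);
        } finally {
            Arrays.fill(password, '\0'); // do not leave the password lying around on the heap
        }
    }
}
```

In Tomcat this would be called from a LifecycleListener registered in server.xml or from a ServletContextListener, in either case before the first outbound TLS connection, since HttpsURLConnection caches the default factory on first use. Like the -D properties it is a JVM-wide setting shared by every webapp, not a per-application one. Clients that construct their own SSLContext with SSLContext.getInstance() and init() instead of calling SSLContext.getDefault() will not see it, which is the same client-dependence Konstantin points out.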