On 2 September 2014 18:00, Christopher Schultz <ch...@christopherschultz.net> wrote:

> Javier,
>
> On 8/28/14, 3:14 PM, Javier Conti wrote:
> > On 28 August 2014 13:50, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> >
> >> 2014-08-28 14:46 GMT+04:00 Javier Conti <javier.co...@gmail.com>:
> >>> Hi all,
> >>>
> >>> in a Tomcat 7.0.53 container we are running an application which needs
> >>> to use client certificates to connect to other webservices. This is
> >>> currently done by configuring a keystore containing keys, certificates
> >>> and CAs for the JVM (via command line arguments) as follows:
> >>>
> >>> -Djavax.net.ssl.keyStore=$keystore_path
> >>> -Djavax.net.ssl.keyStorePassword=$keystore_password
> >>> -Djavax.net.ssl.keyStoreType=jks
> >>> -Djavax.net.ssl.trustStore=$keystore_path
> >>> -Djavax.net.ssl.trustStorePassword=$keystore_password
> >>> -Djavax.net.ssl.trustStoreType=jks
> >>>
> >>> This configuration works and requires no changes in the application
> >>> code. However, since we have to pass those command line arguments in
> >>> the startup script somehow (including the password, which can be seen
> >>> in the running process list), we are considering the various options
> >>> to "clean up" the configuration. In particular, we are investigating
> >>> the possibility of configuring all that in the server.xml
> >>> configuration file.
> >>>
> >>> I've found many examples of Tomcat SSL configuration but all deal with
> >>> configuring the "server side", not the "client side" for applications
> >>> running inside the container. By the way, for the Connector we're
> >>> using the Native one with OpenSSL (and we could use x509 and RSA for
> >>> the client side too).
> >>>
> >>> Does anybody have some pointers to documentation or examples?
> >>>
> >>
> >> You can configure a KeyStore and TrustStore programmatically, without
> >> relying on system properties. Tomcat does so in its source code (search
> >> for "import javax.net.ssl") and tests (e.g.
> >> test/org.apache.tomcat.util.net.TesterSupport.configureClientSsl()),
> >> but passing those to your HTTP client depends on what client you are
> >> using and on the API of that client.
> >>
> >> You are not saying what client implementation you are using. It may be
> >> better to ask on their mailing lists.
> >>
> >
> > While this could be feasible, our developers use various APIs and
> > according to them it would be rather complicated to maintain the code
> > should the client authentication be performed in it. However, the
> > current implementation (a cert for the whole JVM) seems to be
> > sufficient for our use case: we'd just like to take the password out of
> > the command line arguments, so non-privileged users performing other
> > tasks on the servers wouldn't see it.
>
> You can try setting that property in
> CATALINA_BASE/conf/catalina.properties

Hi Chris,

we had some problems in moving most configurations into the catalina.properties file, but in the end it worked. This was exactly what we needed: now the secrets are at least in a file not readable by (almost) anyone, and the process list doesn't show them either.

Thanks,
Javier

> -chris
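The migration Chris suggests and Javier ends up with, as an added example (not code from the thread, from Tomcat, or from the poster's startup script): the six -Djavax.net.ssl.* options are moved into CATALINA_BASE/conf/catalina.properties, which Tomcat's bootstrap reads and applies with System.setProperty before the server starts, the file is restricted to the Tomcat account, and the script then checks that the secret no longer appears in the command line that `ps` or /proc/<pid>/cmdline would show to every local user. The keystore path, the password and the JAVA_OPTS string are made up for the demonstration; strip_ssl_options assumes the usual space-separated JAVA_OPTS without quoted arguments.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Moves the
# -Djavax.net.ssl.* options out of the startup script and into
# CATALINA_BASE/conf/catalina.properties, then checks the result.
# Paths and the password below are constructed for the demonstration.

# write_ssl_properties CONF_DIR KEYSTORE_PATH PASSWORD
# Appends the javax.net.ssl.* entries to CONF_DIR/catalina.properties and
# restricts the file to its owner (the account Tomcat runs as).
write_ssl_properties() {
    conf_dir=$1; keystore=$2; password=$3
    props="$conf_dir/catalina.properties"
    mkdir -p "$conf_dir"
    # Subshell so the restrictive umask does not leak into the caller.
    (
        umask 077
        {
            echo "javax.net.ssl.keyStore=$keystore"
            echo "javax.net.ssl.keyStorePassword=$password"
            echo "javax.net.ssl.keyStoreType=jks"
            echo "javax.net.ssl.trustStore=$keystore"
            echo "javax.net.ssl.trustStorePassword=$password"
            echo "javax.net.ssl.trustStoreType=jks"
        } >> "$props"
    )
    # Re-apply in case the file already existed with wider permissions.
    chmod 600 "$props"
}

# strip_ssl_options JAVA_OPTS
# Prints JAVA_OPTS with every -Djavax.net.ssl.* token removed, which is the
# edit the startup script needs once the values live in catalina.properties.
strip_ssl_options() {
    out=
    for tok in $1; do
        case "$tok" in
            -Djavax.net.ssl.*) ;;
            *) out="$out${out:+ }$tok" ;;
        esac
    done
    printf '%s\n' "$out"
}

# leaks_secret CMDLINE SECRET
# Succeeds if SECRET is visible in CMDLINE, i.e. in what `ps -ef` or
# /proc/<pid>/cmdline would show to any local user.
leaks_secret() {
    case "$1" in *"$2"*) return 0 ;; *) return 1 ;; esac
}

# file_is_private FILE
# Succeeds if group and others have no access bits on FILE.
file_is_private() {
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in ?00) return 0 ;; *) return 1 ;; esac
}

# Demonstration on constructed input: a scratch directory standing in for
# CATALINA_BASE, a made-up keystore path and password.
scratch=$(mktemp -d)
write_ssl_properties "$scratch/conf" /etc/tomcat/client.jks s3cret
new_opts=$(strip_ssl_options "-Xmx1g -Djavax.net.ssl.keyStore=/etc/tomcat/client.jks -Djavax.net.ssl.keyStorePassword=s3cret -Djavax.net.ssl.keyStoreType=jks")
file_is_private "$scratch/conf/catalina.properties" && echo "catalina.properties is owner-only"
leaks_secret "java $new_opts org.apache.catalina.startup.Bootstrap" s3cret || echo "password no longer on the command line"
rm -rf "$scratch"
```

Two caveats a practitioner should keep in mind: the keystore file itself needs the same owner-only permissions as catalina.properties, and a system property set this way is still a system property, so any code running inside the JVM can read it with System.getProperty and the Tomcat account can list it with `jcmd <pid> VM.system_properties`; the change removes the password from the process list, not from the process.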