Hi Chris,

You were right. The issue was with the code our vendor supplied for the Tomcat client webapp making outbound HTTPS connections. This was not correctly overriding classes with the result that the truststore and keystore environment settings were being completely ignored.

Thanks for your patience with this. It seems our vendor was not paying enough attention to log files and had me convinced that the issue was on our side. Your findings reiterating that it had to be something else helped me a lot.

Thanks,
Diarmuid

On 2 Sep 2015 13:56, "Christopher Schultz" <ch...@christopherschultz.net> wrote:
> Diarmuid,
>
> (Marking as OT because this is not a Tomcat issue.)
>
> On 9/1/15 5:34 PM, dmccrthy wrote:
> > Sorry for the ambiguity, we're using scenario (b), outgoing client
> > connections. The server cert is signed by GeoTrust but we don't
> > have the full CA chain in the truststore, only the server cert.
>
> Okay, then you need to do the following:
>
> 1. Put your client key + signed certificate into your keystore
> 2. Put the server's cert (or GeoTrust's top-level CA cert and any
>    intermediate certs that you might need) into your truststore
> 3. Configure your HTTP client to use the above keystore and trust store
>    (or really just pull the client key+cert and configure them with
>    the HTTP client... a keystore is not strictly necessary but it
>    sometimes makes everything a bit easier if the HTTP client library
>    can work with the keystore instead of individual Java objects)
>
> That should be all you need to do. If your HTTP client library can
> detect the system properties you've already set, then that's great. If
> it can't, you'll need to use actual Java code to configure it properly.
>
> If the above doesn't work, please provide stack traces when you get
> errors. Since OpenSSL s_client works, your client key+cert are working
> and you just need to get the configuration of your own client right.
>
> -chris
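The explicit configuration Chris describes in step 3, as an added example that is not from this thread nor from the vendor's webapp code: it reads the javax.net.ssl.* system properties itself and builds an SSLContext from them, so the keystore and truststore are honoured even when the HTTP client library does not pick those properties up on its own. It assumes JKS/PKCS12 files whose key-entry password equals the keystore password, and a client that uses HttpsURLConnection (the class and method names are mine).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class ClientTlsSetup {
    // Load a store from the path and password named by two system properties,
    // failing loudly if the path property is unset rather than silently falling back.
    static KeyStore loadStore(String pathProp, String passProp) throws Exception {
        String path = System.getProperty(pathProp);
        if (path == null) {
            throw new IllegalStateException(pathProp + " is not set");
        }
        String pass = System.getProperty(passProp);
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass == null ? null : pass.toCharArray());
        }
        return ks;
    }

    // Build an SSLContext that presents the client key+cert from javax.net.ssl.keyStore
    // and validates the server against javax.net.ssl.trustStore, so the outbound
    // connection uses those settings even if the HTTP client library ignores them.
    static SSLContext buildContextFromSystemProperties() throws Exception {
        KeyStore keyStore = loadStore("javax.net.ssl.keyStore", "javax.net.ssl.keyStorePassword");
        KeyStore trustStore = loadStore("javax.net.ssl.trustStore", "javax.net.ssl.trustStorePassword");
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Assumption: the key entry password equals the keystore password.
        String keyPass = System.getProperty("javax.net.ssl.keyStorePassword", "");
        kmf.init(keyStore, keyPass.toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = buildContextFromSystemProperties();
        // Plain HttpsURLConnection; third-party HTTP clients take the SSLContext through their own API.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(args[0]).openConnection();
        System.out.println("HTTP " + conn.getResponseCode() + " from " + conn.getPeerPrincipal());
    }
}
```

Run it with the same -Djavax.net.ssl.keyStore/-Djavax.net.ssl.trustStore flags already set for the webapp; a handshake failure here surfaces as a stack trace naming the missing chain or client certificate instead of being swallowed by the library.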