On 14/02/18 17:17, Chris Cheshire wrote:
> I am trying to set up my webapp to connect to an external database via
> ssl. The database uses a self-signed certificate. I have created a
> keystore with the self-signed CA and the client key & cert. This
> keystore is configured via JAVA_OPTS in setenv.sh
> 
> JAVA_OPTS="-Djavax.net.ssl.keyStore=$CATALINA_BASE/conf/mysql.jks \
>     -Djavax.net.ssl.keyStorePassword=password \
>     -Djavax.net.ssl.trustStore=$CATALINA_BASE/conf/mysql.jks \
>     -Djavax.net.ssl.trustStorePassword=password"
> 
> This allows me to connect to the database without a problem. However
> now I cannot connect to any external web service because their certs
> will no longer validate.
> 
> How do I configure tomcat such that the default cacerts is used in
> addition to my self-signed certificates without importing those into
> the default keystore (which is a Bad Idea™)?

This has nothing to do with Tomcat. Tomcat plays no role in outgoing TLS
connections.

The short answer is rather than using system properties, you should set
the keystore and truststore programmatically so they apply just to the
database connections rather than globally.

Mark

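The following is an added example, not code from either poster: it shows the programmatic approach Mark describes. Setting javax.net.ssl.trustStore on the JVM replaces the JRE's cacerts for every outbound TLS connection rather than supplementing it, which is why the public web services stopped validating. Loading mysql.jks into a dedicated KeyStore and passing it only to the database driver leaves the JVM defaults untouched. The keystore path, password, database host, credentials and the MySQL Connector/J property names (assumed 8.x; the same clientCertificateKeyStore*/trustCertificateKeyStore* properties also exist in 5.1) are assumptions for illustration.

```java
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Scopes the self-signed CA and client certificate to the database connection.
 * No javax.net.ssl.* system properties are set, so the JRE's default cacerts
 * keeps governing every other outbound TLS connection from the webapp.
 */
public final class DbTlsConfig {

    // Assumed location and password; under Tomcat, catalina.base is set by the launcher.
    private static final Path DB_KEYSTORE =
            Paths.get(System.getProperty("catalina.base", "."), "conf", "mysql.jks");
    private static final char[] DB_KEYSTORE_PASSWORD = "password".toCharArray();

    /** Loads the JKS file holding the client key/cert and the self-signed CA. */
    static KeyStore loadKeyStore(Path path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    /**
     * An SSLContext built from that keystore alone: client cert for mutual TLS,
     * trust anchored only at the self-signed CA. Hand this to any driver or
     * client that accepts an SSLContext/SSLSocketFactory; it never becomes the
     * JVM-wide default.
     */
    static SSLContext buildDbSslContext(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * MySQL Connector/J reads key and trust material from connection properties,
     * so the keystore is supplied per connection. sslMode=VERIFY_IDENTITY also
     * checks the server hostname against the certificate. (Assumed 8.x names.)
     */
    static Properties connectorJProperties(Path keystore, char[] password) {
        Properties p = new Properties();
        p.setProperty("user", "app");            // assumed credentials
        p.setProperty("password", "app-secret");
        p.setProperty("sslMode", "VERIFY_IDENTITY");
        String url = keystore.toUri().toString(); // file:///.../conf/mysql.jks
        String pw = new String(password);
        p.setProperty("clientCertificateKeyStoreUrl", url);
        p.setProperty("clientCertificateKeyStorePassword", pw);
        p.setProperty("trustCertificateKeyStoreUrl", url);
        p.setProperty("trustCertificateKeyStorePassword", pw);
        return p;
    }

    static Connection openDbConnection() throws SQLException {
        // Assumed host and database name.
        return DriverManager.getConnection("jdbc:mysql://db.example.internal:3306/app",
                connectorJProperties(DB_KEYSTORE, DB_KEYSTORE_PASSWORD));
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadKeyStore(DB_KEYSTORE, DB_KEYSTORE_PASSWORD);
        SSLContext dbCtx = buildDbSslContext(ks, DB_KEYSTORE_PASSWORD);

        // Sanity check: the DB context is distinct from the JVM default, and no
        // global trust store override is in effect, so public CAs still work.
        System.out.println("db ctx is JVM default: " + (dbCtx == SSLContext.getDefault()));
        System.out.println("javax.net.ssl.trustStore overridden: "
                + (System.getProperty("javax.net.ssl.trustStore") != null));

        try (Connection c = openDbConnection()) {
            System.out.println("DB connected over TLS, valid: " + c.isValid(5));
        }
    }
}
```

When the connection is defined as a Tomcat JNDI Resource rather than opened in code, the same Connector/J properties can be appended to the JDBC URL as a query string (for example `?sslMode=VERIFY_IDENTITY&trustCertificateKeyStoreUrl=file:///...`), which keeps the keystore scoped to that pool while the JAVA_OPTS lines from the original post are dropped entirely.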
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
