Will,

On 6/5/18 10:37 AM, Will Nordmeyer wrote:
> I'm trying to configure an SSL Oracle connection. I'm running on
> CentOS7 (for my DB Server and my Web Server).
>
> Tomcat 7.0.76-6 from the CentOS Repository, httpd 2.4.6-80 from
> the CentOS Repository on the Web Server Oracle 12.2.0.1 on the
> Database Server
>
> I'm setting up the datasource in my web.xml - the 1521 port
> connection works fine. I change to 2484 and made the other
> following parameters (javax.net.ssl.trustStore parameters):

Tomcat doesn't configure JNDI DataSources in web.xml. What component
are you configuring, here?

> <context-param>
>   <param-name>type</param-name>
>   <param-value>SIMPLE</param-value>
> </context-param>
> <context-param>
>   <param-name>datasource</param-name>
>   <param-value>mydatasource</param-value>
> </context-param>
> <context-param>
>   <param-name>driver</param-name>
>   <param-value>oracle.jdbc.OracleDriver</param-value>
> </context-param>
> <context-param>
>   <param-name>url</param-name>
>   <!--
>   <param-value>jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource</param-value>
>   -->
>   <param-value>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStore</param-name>
>   <param-value>/usr/share/tomcat/conf/TrustStore.JKS</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStoreType</param-name>
>   <param-value>JKS</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStorePassword</param-name>
>   <param-value>mypassword</param-value>
> </context-param>

This looks like you are trying to configure system properties from
within web.xml.

> <context-param>
>   <param-name>username</param-name>
>   <param-value>myuser</param-value>
> </context-param>
> <context-param>
>   <param-name>mydbpass</param-name>
>   <param-value>apso11</param-value>
> </context-param>
>
> It fails with the following error:
>
> May 22 12:12:00 myserver server: Caused by:
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target

Your truststore is probably being ignored.

> the TrustStore.JKS is in that directory.
>
> If I move the javax.net.ssl.trustStore parameters to the JAVA_OPTS
> line, in the startup, then it works.
>
> JAVA_OPTS="-Xms1024m -Xmx2048m
> -Djavax.net.ssl.trustStore=/usr/share/tomcat/conf/TrustStore.JKS
> -Djjavax.net.ssl.trustStoreType=JKS
> -Djavax.net.ssl.trustStorePassword=mypassword"

Yes, that's because these are system properties and not
servlet-context init-params, which don't affect system properties.

I'd recommend against setting a JVM-wide trust store. It's cleaner and
safer if you configure each (type of) connection separately.

-chris
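
The per-connection approach recommended in the reply above, as an added example that is not part of the original thread and not Tomcat or Oracle code: the `javax.net.ssl.*` names are passed as JDBC connection properties, which the Oracle thin driver reads for that connection only, so no JVM-wide trust store is set. The class name and the `TRUSTSTORE_PASSWORD` and `DB_PASSWORD` environment variables are assumptions; the URL, user and trust store path are the ones quoted in the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.sql.Connection;
import java.sql.DriverManager;
import java.util.Collections;
import java.util.Properties;

public class OracleTcpsPerConnectionTrust {
    // URL and trust store path as quoted in the thread.
    static final String URL = "jdbc:oracle:thin:@(DESCRIPTION="
            + "(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))"
            + "(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))";
    static final String TRUST_STORE = "/usr/share/tomcat/conf/TrustStore.JKS";

    // Load the store up front: a wrong path or password fails here with a clear
    // error instead of surfacing later as a PKIX path building failure.
    static int countTrustedCerts(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int trusted = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isCertificateEntry(alias)) trusted++;
        }
        return trusted;
    }

    // Trust settings scoped to this connection; System properties stay untouched.
    static Properties connectionProps(String user, String dbPass, String storePass) {
        Properties p = new Properties();
        p.setProperty("user", user);
        p.setProperty("password", dbPass);
        p.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        p.setProperty("javax.net.ssl.trustStoreType", "JKS");
        p.setProperty("javax.net.ssl.trustStorePassword", storePass);
        return p;
    }

    public static void main(String[] args) throws Exception {
        String storePass = System.getenv("TRUSTSTORE_PASSWORD"); // assumed variable name
        String dbPass = System.getenv("DB_PASSWORD");            // assumed variable name
        if (storePass == null || dbPass == null) throw new IllegalStateException("passwords not set");
        int n = countTrustedCerts(TRUST_STORE, storePass.toCharArray());
        if (n == 0) throw new IllegalStateException("no trusted certificates in " + TRUST_STORE);
        try (Connection c = DriverManager.getConnection(URL, connectionProps("myuser", dbPass, storePass))) {
            System.out.println("TCPS connection open; trusted certificates in store: " + n);
        }
    }
}
```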