Will,

On 6/5/18 10:37 AM, Will Nordmeyer wrote:
> I'm trying to configure an SSL Oracle connection.  I'm running on
> CentOS 7 (for my DB Server and my Web Server).
> 
> Tomcat 7.0.76-6 from the CentOS Repository, httpd 2.4.6-80 from
> the CentOS Repository on the Web Server; Oracle 12.2.0.1 on the
> Database Server.
> 
> I'm setting up the datasource in my web.xml - the 1521 port
> connection works fine.  I changed to 2484 and added the following
> parameters (javax.net.ssl.trustStore parameters):

Tomcat doesn't configure JNDI DataSources in web.xml. What component
are you configuring, here?

> <context-param>
>   <param-name>type</param-name>
>   <param-value>SIMPLE</param-value>
> </context-param>
> <context-param>
>   <param-name>datasource</param-name>
>   <param-value>mydatasource</param-value>
> </context-param>
> <context-param>
>   <param-name>driver</param-name>
>   <param-value>oracle.jdbc.OracleDriver</param-value>
> </context-param>
> <context-param>
>   <param-name>url</param-name>
>   <!-- <param-value>jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource</param-value> -->
>   <param-value>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStore</param-name>
>   <param-value>/usr/share/tomcat/conf/TrustStore.JKS</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStoreType</param-name>
>   <param-value>JKS</param-value>
> </context-param>
> <context-param>
>   <param-name>javax.net.ssl.trustStorePassword</param-name>
>   <param-value>mypassword</param-value>
> </context-param>

This looks like you are trying to configure system properties from
within web.xml.

> <context-param>
>   <param-name>username</param-name>
>   <param-value>myuser</param-value>
> </context-param>
> <context-param>
>   <param-name>mydbpass</param-name>
>   <param-value>apso11</param-value>
> </context-param>
> 
> It fails with the following error:
> 
> May 22 12:12:00 myserver server: Caused by: 
> sun.security.validator.ValidatorException: PKIX path building
> failed: sun.security.provider.certpath.SunCertPathBuilderException:
> unable to find valid certification path to requested target

Your truststore is probably being ignored.

> The TrustStore.JKS is in that directory.
> 
> If I move the javax.net.ssl.trustStore parameters to the JAVA_OPTS
> line in the startup, then it works.
> 
> JAVA_OPTS="-Xms1024m -Xmx2048m
> -Djavax.net.ssl.trustStore=/usr/share/tomcat/conf/TrustStore.JKS
> -Djavax.net.ssl.trustStoreType=JKS
> -Djavax.net.ssl.trustStorePassword=mypassword"

Yes, that's because these are system properties and not
servlet-context init-params, which don't affect system properties.

I'd recommend against setting a JVM-wide trust store. It's cleaner and
safer if you configure each (type of) connection separately.

-chris
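The per-connection alternative Chris recommends, written out as an added example (this is not code from the thread or from the Tomcat project): the trust store is passed to the Oracle thin driver as connection properties, so it applies only to this datasource instead of the whole JVM. The TCPS connect descriptor, trust store path and driver class are the ones quoted above; the environment-variable names and the `DB_PASSWORD`/`TRUSTSTORE_PASSWORD` placeholders are assumptions, and `ojdbc8.jar` is assumed to be on the classpath.

```java
// Added example, not part of the original thread: one Oracle thin connection
// over TCPS with a trust store scoped to that connection, instead of setting
// -Djavax.net.ssl.trustStore JVM-wide in JAVA_OPTS.
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

public class OracleTcpsConnect {

    // Connect descriptor taken from the quoted web.xml (port 2484, PROTOCOL=TCPS).
    static final String URL = "jdbc:oracle:thin:@(DESCRIPTION="
            + "(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))"
            + "(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))";

    /** Build connection properties that carry the trust store with the connection. */
    static Properties tcpsProperties(String user, String password,
                                     String trustStorePath, String trustStorePassword) {
        Properties props = new Properties();
        props.setProperty("user", user);
        props.setProperty("password", password);
        // The Oracle thin driver reads these as connection properties, so they
        // apply to this connection only; nothing touches System.setProperty.
        props.setProperty("javax.net.ssl.trustStore", trustStorePath);
        props.setProperty("javax.net.ssl.trustStoreType", "JKS");
        props.setProperty("javax.net.ssl.trustStorePassword", trustStorePassword);
        // Require the server certificate's DN to match the host in the connect
        // descriptor, so a certificate issued by the same CA for a different
        // host is rejected rather than silently accepted.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return props;
    }

    public static void main(String[] args) throws SQLException {
        // Placeholders: secrets are read from the environment, not from web.xml.
        Properties props = tcpsProperties(
                "myuser", System.getenv("DB_PASSWORD"),
                "/usr/share/tomcat/conf/TrustStore.JKS",
                System.getenv("TRUSTSTORE_PASSWORD"));
        try (Connection conn = DriverManager.getConnection(URL, props);
             Statement st = conn.createStatement();
             // NETWORK_PROTOCOL reports whether the session arrived over tcp or tcps.
             ResultSet rs = st.executeQuery(
                     "SELECT sys_context('USERENV','NETWORK_PROTOCOL') FROM dual")) {
            if (rs.next()) {
                System.out.println("connected via " + rs.getString(1));
            }
        }
    }
}
```

If the PKIX error from the original mail reappears with this code, the trust store itself is the problem (wrong path, wrong password, or the DB server's CA certificate is not in it) rather than the property being ignored. For a pooled JNDI datasource defined in Tomcat's context.xml, the same `javax.net.ssl.*` and `oracle.net.ssl_server_dn_match` keys can be handed to the driver through the pool's `connectionProperties` attribute, which keeps them out of both web.xml and JAVA_OPTS.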

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org