Hi,

I am using Tomcat 8.0.32 running on Windows 2012 R2 as a Service.

My application is running under https port 8443.
Part of my application opens an HttpsURLConnection back to the same app.
A cert was created for each server and the keystore file updated with the 
information.

On my dev server, this all works OK.  On my test server, it is failing with 
trustAnchors parameter cannot be empty.  I understand this error to basically 
mean I am not accessing my trustStore file.

Our server.xml file does list the keyStore location for port 8443.  It does not 
contain a trustStore entry (not even sure if that would work as I did not try 
it).

The first thing I tried was creating setEnv.bat with java options for the 
keystore and truststore locations and passwords.  This did not work, which I 
figured out is because we are running as a service, so it never gets called.

The next thing I tried was running tomcat8w //ES/Tomcat8.  This opened up a 
window to make entries in a Java tab which allowed me to enter the locations.  
I know the keystore was picked up because I mistyped it and hung my app.  
Fixing the spelling and the app stopped hanging.  But I still kept getting the 
error.

I started looking at any difference I could find between the servers.  That is 
when I noticed that the person who installed the cert on the dev server placed 
it in e:\tomcat8\cert.  The person who installed it on the test server placed 
it in e:\tomcat8\cert3.

Next, I printed the values of System.getProperty("javax.net.ssl.trustStore") 
and System.getProperty("javax.net.ssl.keyStore").
This resulted in null for the keystore and e:/tomcat8/cert/mystore for the 
trustStore.

I went back to tomcat8w and re-entered the values on the test machine:
keystore was now e:/tomcat8/cert3/mystore  while trustStore still showed 
e:/tomcat8/cert/mystore

I can't figure out where the trustStore value is coming from.  I searched using 
a grep tool for mystore and its only location is in server.xml in the keystore 
entry for 8443 and is correct at e:/tomcat8/cert3/mystore.

What I have currently done is removed the entries from tomcat8w (which is 
really the registry), renamed cert3 to cert, modified server.xml to also point 
to cert.  Now everything runs fine.

I can live with this, but I'd like to know why the trustStore value keeps 
showing e:/tomcat8/cert and would never show e:/tomcat8/cert3.  Why did it 
always assume the cert location?  I can't find any entry on my server nor can I 
even find mystore without a path (assuming maybe Tomcat prepends a default if 
found without a path).

I'd like to know how to change the path in case it is ever needed at a later 
date - if it is possible at all.

Does anyone know how Tomcat comes up with the trustStore location?

Thanks,
Steve
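
Added example, not part of the original post: a small Java probe that extends the System.getProperty check described above by resolving which trust store file JSSE will open by default and counting the entries in it that carry a certificate; a missing file or a count of zero is the condition behind the trustAnchors error. The class name TrustStoreProbe and its methods are hypothetical, and it assumes it runs in a JVM started with the same -D options as the Tomcat service and that the store is readable with the configured password (or none).

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Collections;

// Hypothetical diagnostic class (added example, not Tomcat or application code).
public class TrustStoreProbe {

    // Mirrors the JSSE default lookup order: the javax.net.ssl.trustStore
    // property first, then jssecacerts, then cacerts under java.home.
    static File resolveTrustStore() {
        String prop = System.getProperty("javax.net.ssl.trustStore");
        if (prop != null) return new File(prop);
        File secDir = new File(System.getProperty("java.home"), "lib/security");
        File jsse = new File(secDir, "jssecacerts");
        return jsse.exists() ? jsse : new File(secDir, "cacerts");
    }

    // Counts entries that carry a certificate. A missing file is reported
    // as zero because no trust anchors can be read from it.
    static int countTrustAnchors(File store, String type, char[] password) throws Exception {
        if (!store.isFile()) return 0;
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(store)) {
            ks.load(in, password); // null password skips the JKS integrity check
        }
        int anchors = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.getCertificate(alias) != null) anchors++;
        }
        return anchors;
    }

    public static void main(String[] args) throws Exception {
        File store = resolveTrustStore();
        String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
        String pw = System.getProperty("javax.net.ssl.trustStorePassword");
        char[] pass = (pw == null) ? null : pw.toCharArray();
        System.out.println("keyStore property   : " + System.getProperty("javax.net.ssl.keyStore"));
        System.out.println("trustStore property : " + System.getProperty("javax.net.ssl.trustStore"));
        System.out.println("effective trustStore: " + store.getAbsolutePath() + " (exists=" + store.isFile() + ")");
        System.out.println("trust anchors found : " + countTrustAnchors(store, type, pass));
    }
}
```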
