Arpad,
On 10/22/19 12:19, logo wrote:
> I have the following in context.xml:
>
> <Resource name="jdbc/users" auth="Container"
>           type="javax.sql.DataSource"
>           driverClassName="org.postgresql.Driver"
>           url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&amp;sslmode=verify-ca"
>           username="market" maxTotal="20" maxIdle="10"
>           maxWaitMillis="-1"/>
>
> I have this in ~tomcat/.postgresql:
>
> root@market:/var/lib/tomcat9/.postgresql# ls -lL
> total 11
> -rw-r--r-- 1 root root 4597 Oct 21 12:49 postgresql.crt
> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
> -rw-r--r-- 1 root root 1493 Oct 21 12:49 root.crt

The documentation for the driver[1] is a little unclear, but it seems
that you can indeed specify the location of the client certificate using
sslcert=/path/to/cert and sslkey=/path/to/key connection parameters.
Their defaults are ${user.home}/.postgresql/postgresql.crt and
${user.home}/.postgresql/postgresql.pk8 (and
${user.home}/.postgresql/root.crt for the root certificate).
So I think those settings should be working.
Under the notes in [1], it says:
"
If you are using Java's default mechanism (not LibPQFactory) to create
the SSL connection you will need to make the server certificate
available to Java, the first step is to convert it to a form Java
understands.
"
I'm not sure what LibPQFactory is, but you may have to convert to
PKCS12/JKS and use their process to use those certificates.
The documentation suggests that you will need to start your JVM with
specific system properties to make your connection. IMO this is a
terrible bug because it means you can't configure these things on a
per-connection basis. The documentation is also incomplete because they
only tell you how to configure a trust store (to trust the server) and
not how to configure the key store (which contains your client
certificate). The correct system properties to use for a key store are:
javax.net.ssl.keyStore (path to keystore)
javax.net.ssl.keyStorePassword (password for keystore)
javax.net.ssl.keyStoreType (type of keystore, PKCS12, JCEKS, JKS, etc.)
At this point, all of your questions should be directed to the
PostgreSQL community since it's the driver you are having trouble
configuring. It appears that Tomcat is working as expected and you just
need help with the driver configuration.
Hope that helps,
-chris
[1] https://jdbc.postgresql.org/documentation/head/ssl-client.html
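
Added example, not part of the original message or of the driver's documentation: a shell pre-flight check for the three files listed in the reply, which then prints the connection parameters with explicit paths instead of relying on the ${user.home} defaults. The function name check_pg_ssl_dir is hypothetical, sslrootcert is the driver's parameter for the root certificate and is not named in the thread, and the owner-only test on the key is a hygiene check rather than something the thread says the driver enforces.

```shell
#!/bin/sh
# Added example (not from the thread). File names are the defaults quoted in
# the reply; sslrootcert and the function name are assumptions of this example.

# check_pg_ssl_dir DIR
#   Reports each problem on stderr and returns 1, or prints the URL query
#   string with explicit certificate paths on stdout and returns 0.
#   Paths are emitted as-is, so DIR must not contain characters that need
#   URL encoding.
check_pg_ssl_dir() {
    dir=$1
    rc=0
    for f in postgresql.crt postgresql.pk8 root.crt; do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            rc=1
        elif [ ! -r "$dir/$f" ]; then
            # Readability is tested for the account running this script.
            echo "not readable by $(id -un): $dir/$f" >&2
            rc=1
        fi
    done

    key=$dir/postgresql.pk8
    if [ -f "$key" ]; then
        # In the ls -l mode string, characters 5-10 are the group and other bits.
        mode=$(ls -ld "$key" | cut -c5-10)
        if [ "$mode" != "------" ]; then
            echo "private key accessible to group/other ($mode): $key" >&2
            rc=1
        fi
    fi

    [ "$rc" -eq 0 ] || return 1
    printf 'ssl=true&sslmode=verify-ca&sslcert=%s&sslkey=%s&sslrootcert=%s\n' \
        "$dir/postgresql.crt" "$key" "$dir/root.crt"
}
```

Source the file and call check_pg_ssl_dir /var/lib/tomcat9/.postgresql as the account Tomcat runs under, so the readability test reflects what the JVM will see. When the printed string is pasted into the url attribute in context.xml, each & has to be written as &amp;.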