On 22.10.19 at 20:07, Magosányi Árpád wrote:
> Thank you all for the suggestions.
>
> Based on the documentation, my setup should work: The server certificate
> is already processed and accepted (I know that because I could not get
> it right at the first try). The driver is supposed to work with a PEM
> certificate and a PKCS#8 DER encoded key, and those are what I supply to it.

Is your key password protected? Have you tried to remove the password?

Felix

> The problem seems to be that the java installation (openjdk-11) does not
> have a cryptographic security provider understanding a specific OID.
> What I understand is that BouncyCastle has that security provider, and
> I should be able to configure it somewhere either in the java setup or
> tomcat.
> I have already tried in the java setup, but the documented way did not
> seem to work.
> I have no idea how to configure it in the Tomcat datasource, which is why I
> have asked here.
> The other reason is to see whether anyone has a similar setup: if so,
> then someone already dealt with the same problem, and I should like to see how.
>
> It's true that it seems to be a pgjdbc related problem: it does not work
> with direct jdbc calls. I am trying to get help from the jdbc guys,
> which is why I have an open issue there:
>
> https://github.com/pgjdbc/pgjdbc/issues/1585
>
>
> On 10/22/19 6:10 PM, Christopher Schultz wrote:
>> Arpad,
>>
>> On 10/22/19 12:19, logo wrote:
>>>>>>> I have the following in context.xml:
>>>>>>>
>>>>>>> <Resource name="jdbc/users" auth="Container"
>>>>>>>     type="javax.sql.DataSource"
>>>>>>>     driverClassName="org.postgresql.Driver"
>>>>>>>     url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&amp;sslmode=verify-ca"
>>>>>>>     username="market" maxTotal="20" maxIdle="10"
>>>>>>>     maxWaitMillis="-1"/>
>>>>>>>
>>>>>>> I have this in ~tomcat/.postgresql:
>>>>>>>
>>>>>>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>>>>>>> total 11
>>>>>>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>>>>>>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>>>>>>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>>
>> The documentation for the driver[1] is a little unclear, but it seems
>> that you can indeed specify the location of the client certificate
>> using sslcert=/path/to/cert and sslkey=/path/to/key connection
>> parameters. Their defaults are ${user.home}/.postgresql/postgresql.crt
>> and ${user.home}/.postgresql/postgresql.pk8 (and
>> ${user.home}/.postgresql/root.crt for the root certificate).
>>
>> So I think those settings should be working.
>>
>> Under the notes in [1], it says:
>>
>> "
>> If you are using Java's default mechanism (not LibPQFactory) to create
>> the SSL connection you will need to make the server certificate
>> available to Java, the first step is to convert it to a form Java
>> understands.
>> "
>>
>> I'm not sure what LibPQFactory is, but you may have to convert to
>> PKCS12/JKS and use their process to use those certificates.
>>
>> The documentation suggests that you will need to start your JVM with
>> specific system properties to make your connection. IMO this is a
>> terrible bug because it means you can't configure these things on a
>> per-connection basis. The documentation is also incomplete because
>> they only tell you how to configure a trust store (to trust the
>> server) and not how to configure the key store (which contains your
>> client certificate). The correct system properties to use for a key
>> store are:
>>
>> javax.net.ssl.keyStore (path to keystore)
>> javax.net.ssl.keyStorePassword (password for keystore)
>> javax.net.ssl.keyStoreType (type of keystore, PKCS12, JCEKS, JKS, etc.)
>>
>> At this point, all of your questions should be directed to the
>> PostgreSQL community since it's the driver you are having trouble
>> configuring. It appears that Tomcat is working as expected and you
>> just need help with the driver configuration.
>>
>> Hope that helps,
>> -chris
>>
>> [1] https://jdbc.postgresql.org/documentation/head/ssl-client.html
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>
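A quick way to answer Felix's question (is the key password protected?) and to see which algorithm OID the key file actually carries, as an added example that is not part of this thread, of pgjdbc or of Tomcat: the script below walks the DER of a key file just far enough to tell an unencrypted PKCS#8 PrivateKeyInfo (version INTEGER first) from an EncryptedPrivateKeyInfo (AlgorithmIdentifier first) and decodes the AlgorithmIdentifier OID, which is the OID a missing JCE provider would be complaining about. The sample blobs are constructed by hand and are not real keys; the OID-to-name table and the openssl conversion command are the only external facts it relies on.

```python
"""Classify a pgjdbc client key file: PEM or DER, plain or encrypted
PKCS#8, and which algorithm OID it names.  Added example; the DER blobs
at the bottom are constructed by hand and are not real keys."""

RSA_ENCRYPTION = "1.2.840.113549.1.1.1"
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"
PBES2 = "1.2.840.113549.1.5.13"
KNOWN_OIDS = {
    RSA_ENCRYPTION: "rsaEncryption",
    ID_EC_PUBLIC_KEY: "id-ecPublicKey",
    PBES2: "PBES2 (password-protected key)",
}


def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:end], end


def decode_oid(raw):
    """Decode the contents of a DER OBJECT IDENTIFIER into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for b in raw[1:]:                       # base-128, high bit = continuation
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def inspect_key(data):
    """Return (kind, oid): kind is 'pem', 'pkcs8' or 'encrypted-pkcs8'."""
    if data.startswith(b"-----BEGIN"):
        return "pem", None
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first_tag, first, pos = _read_tlv(body, 0)
    if first_tag == 0x02:                   # PrivateKeyInfo ::= SEQUENCE { version INTEGER, ... }
        if first != b"\x00":
            raise ValueError("unexpected PKCS#8 version")
        alg_tag, alg_id, _ = _read_tlv(body, pos)
        kind = "pkcs8"
    elif first_tag == 0x30:                 # EncryptedPrivateKeyInfo starts with AlgorithmIdentifier
        alg_tag, alg_id, kind = first_tag, first, "encrypted-pkcs8"
    else:
        raise ValueError("neither PrivateKeyInfo nor EncryptedPrivateKeyInfo")
    if alg_tag != 0x30:
        raise ValueError("AlgorithmIdentifier is not a SEQUENCE")
    oid_tag, oid, _ = _read_tlv(alg_id, 0)
    if oid_tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return kind, decode_oid(oid)


def describe(data):
    """Human-readable verdict, including the fix for the common mistakes."""
    kind, oid = inspect_key(data)
    if kind == "pem":
        return ("pem: pgjdbc's sslkey wants DER; convert with "
                "openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt")
    name = KNOWN_OIDS.get(oid, "unknown OID %s (your JDK may need an extra provider)" % oid)
    return "%s: %s" % (kind, name)


# --- constructed sample inputs (not real keys) ---------------------------
def _tlv(tag, body):
    """Short-form DER encoder, enough for the small samples below."""
    assert len(body) < 128
    return bytes([tag, len(body)]) + body


def _oid(dotted):
    """Encode a dotted OID into DER OBJECT IDENTIFIER contents."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(reversed(chunk))
    return out


CONSTRUCTED_RSA_PKCS8 = _tlv(0x30,
    _tlv(0x02, b"\x00")                                                # version 0
    + _tlv(0x30, _tlv(0x06, _oid(RSA_ENCRYPTION)) + _tlv(0x05, b""))   # rsaEncryption, NULL
    + _tlv(0x04, b"\x30\x00"))                                         # placeholder key body
CONSTRUCTED_ENCRYPTED_PKCS8 = _tlv(0x30,
    _tlv(0x30, _tlv(0x06, _oid(PBES2)) + _tlv(0x05, b""))              # real PBES2 params are a SEQUENCE; simplified here
    + _tlv(0x04, b"\xde\xad\xbe\xef"))                                 # placeholder ciphertext
CONSTRUCTED_PEM = b"-----BEGIN PRIVATE KEY-----\n(constructed, body omitted)\n-----END PRIVATE KEY-----\n"

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, "->", describe(f.read()))
    if len(sys.argv) == 1:
        for label, blob in (("rsa", CONSTRUCTED_RSA_PKCS8), ("enc", CONSTRUCTED_ENCRYPTED_PKCS8), ("pem", CONSTRUCTED_PEM)):
            print(label, "->", describe(blob))
```

Run it against the real file (`python3 inspect_key.py /var/lib/tomcat9/.postgresql/postgresql.pk8`) as the tomcat user, since the file is mode 0400. An "encrypted-pkcs8" verdict is the answer to Felix's question; an unknown OID on a plain "pkcs8" key is the case where a JDK without the matching provider fails.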