Tomcat access configured by KeyStore and TrustStore
I have a web application running in Tomcat that calls a web service on another system. I need to secure this call with SSL and client authentication. The Tomcat I am hosted in is already configured correctly with an environment-specific truststore and keystore, so I need to use those stores to make my own call. This is where I am stuck.
How can I find the keystore and truststore that Tomcat is configured with to make my own SSL call? Or is it better to generate a properly configured SSLContext or SSLSocketFactory with these values?
Things I've tried:
I've tried using SSLContext.getDefault(). It doesn't seem to be installed.
I tried using the System properties:
    System.getProperty("javax.net.ssl.trustStore");
    System.getProperty("javax.net.ssl.trustStorePassword");
    System.getProperty("javax.net.ssl.trustStoreType");
    System.getProperty("javax.net.ssl.keyStore");
    System.getProperty("javax.net.ssl.keyStorePassword");
    System.getProperty("javax.net.ssl.keyStoreType");
But this seems like a fragile solution as Tomcat does not need to be configured using system properties. In one of the test environments, the trust store information was set, but the key store variables were not. They are defined in Tomcat server.xml.
Is there some easy way to do this that I'm not seeing?
This question is similar, and one of the answers indicates that SSL can be handled by OpenSSL/APR, so any solution here will largely depend on how Tomcat is configured. Assuming JSSE, the solutions look like this:
- Make sure Tomcat is configured using system properties.
- Keep the stores in a predefined location on the server.
- Package your own copies of the stores in your WAR.
For the first two, you need to make sure your security policy allows you to access these files.
Are they really best practices for what I am trying to do?
I think, among other things, you are mixing inbound and outbound SSL connections. Server.xml contains incoming SSL settings.
When using outbound SSL in Java, javax.net.ssl.trustStore* and javax.net.ssl.keyStore* must be explicitly set when Tomcat starts. Remember that by default the keystore can only contain one private key, unless you code your own KeyManager.
The more well-known web service libraries use the standard HTTP libraries that use HTTPConnection / HTTPSConnection or Jakarta HttpClient and present the client certificate from the keystore if the server requests it. You don't need to create your own SSLContext.
If you are completing incoming Webservice calls then I would use an Apache HTTP server with SSL and client authentication if needed.
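The explicit variant the question asks about, as an added example that is not part of the question or the answer: it builds an SSLContext for one outbound call from the javax.net.ssl.* properties and fails closed when one is missing, which is the test-environment case the question describes. It assumes JSSE, that the key password equals the keystore password, and that the endpoint is passed as the first argument; the class name OutboundMtls is hypothetical.

```java
import java.io.InputStream;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class OutboundMtls {

    // Read a required JVM property; fail closed instead of silently
    // connecting without a client certificate or with the default trust store.
    static String required(String name) {
        String v = System.getProperty(name);
        if (v == null || v.isEmpty()) {
            throw new IllegalStateException("Missing JVM property: " + name);
        }
        return v;
    }

    // Load the store named by <prefix>, <prefix>Password and <prefix>Type.
    static KeyStore load(String prefix) throws Exception {
        String type = System.getProperty(prefix + "Type", KeyStore.getDefaultType());
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = Files.newInputStream(Paths.get(required(prefix)))) {
            ks.load(in, required(prefix + "Password").toCharArray());
        }
        return ks;
    }

    // Context that presents the client key and trusts only the configured CAs.
    static SSLContext build() throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // Assumption: the private key uses the same password as the keystore.
        kmf.init(load("javax.net.ssl.keyStore"), required("javax.net.ssl.keyStorePassword").toCharArray());
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load("javax.net.ssl.trustStore"));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        HttpsURLConnection c = (HttpsURLConnection) URI.create(args[0]).toURL().openConnection();
        c.setSSLSocketFactory(build().getSocketFactory()); // scoped to this connection only
        System.out.println("HTTP " + c.getResponseCode());
    }
}
```

Calling build() once at application startup surfaces a missing keystore property as a deployment error rather than as a rejected handshake on the first request.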