将外部服务器的自签名证书添加到Tomcat的受信任证书
我的Tomcat需要连接到另一个网络服务器(位于 https://foreign.example.com ) )使用SSL(TLS)。
My Tomcat needs to connect to another web server (at https://foreign.example.com) using SSL (TLS).
foreign.example.com有一个自签名证书,我相信。当然,我的Tomcat默认不是 - 所以我必须告诉它。一种方法是:
foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is:
$JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore
$JRE/lib/security/cacerts
/ em>:我的Tomcat允许SSL连接。
This works: My Tomcat allows the SSL connection.
但是,我不喜欢这样做:它导入证书进入我的Java安装的信任键。我不想说:在我的机器上运行Java的每个应用程序都应该信任该证书。只有Tomcat(或运行Tomcat的用户)应该信任它。
However, I don't like to do it this way: It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.
所以我试着将它导入到tomcat用户的密钥库中,〜/。 keystore ,并使用以下属性设置Tomcat的< Connector> :
So I tried importing it into the tomcat-user's keystore at ~/.keystore, and setting up Tomcat's <Connector> with these attributes:
keystoreFile="${user.home}/.keystore"
keystorePass="thePassphraseICreatedTheKeystoreWith"
然而,这根本不工作(我相信,这只是为我的Tomcat的服务器证书,而不是为外国服务器的服务器证书)
However, that doesn't work at all (I believe, this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?)
我尝试了同样的 truststoreFile / truststorePass 属性,但他们没有' t工作。 (属性记录在 http://tomcat.apache.org/tomcat-6.0-doc/ config / http.html )
I tried the same with the truststoreFile/truststorePass attributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)
有一种方法可以使用外部服务器的服务器证书设置Tomcat,也可以添加一些命令行参数到 java 这使得我的密钥库(和密钥库密码)可用于JVM实例?
Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to java which makes my keystore (and keystore passphrase) available to the JVM instance?
JBoss(基于Tomcat)可以使用以下cmd参数运行。 cacerts文件(或者您想要命名的)必须包含端点的cert。
JBoss (which is based on Tomcat) can be run with the following cmd arguments. The cacerts file (or however you would like to name it) must contain the cert of the endpoint.
-Djavax.net.ssl.trustStore = C:\Applications\jboss-as\server\default\conf\cacerts
-Djavax.net.ssl.trustStorePassword = changeit
-Djavax.net.ssl.trustStore=C:\Applications\jboss-as\server\default\conf\cacerts -Djavax.net.ssl.trustStorePassword=changeit
因此,这也应该适用于Tomcat。
Therefor this should also work for Tomcat.