Configure Truststore in Tomcat

Question

I have a Java servlet currently running on Tomcat 7 (Windows) and it connects to a SQL Server database. I now need to encrypt this connection and I have a public Key SSL ce

Answer 1

I think I may have found how, or at least one way of doing this. Someone please tell me if there is a better way of processing this. In the Tomcat\bin folder, where the catalina.bat file is I created a setenv.bat file and in there I declared the two Java option properties for;

set JAVA_OPTS="-Djavax.net.ssl.trustStore=C:\path\to\keystore.key" "-Djavax.net.ssl.trustStorePassword=************"

Apparently when Tomcat is started it initiates the catalina.bat file and the catalina.bat file determines if a setenv.bat file exists and if so runs this file to set the Java options.

Again someone please correct me if I am wrong and advise of any better way of doing this. Although apparently where Tomcat is set up as a Windows service the options above are input through the tomcatXw.exe to initiate the Tomcat console and the Java tab is selected.

Answer 2

You need to change server.xml file for this. You can find it in conf/ directory.

First uncomment these lines:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->

and then change it something like this

<Connector SSLEnabled="true" acceptCount="100" clientAuth="false"
    disableUploadTimeout="true" enableLookups="false" maxThreads="25"
    port="8443" keystoreFile="C:\SSLKeys\appkeystore.key" keystorePass="password"
    protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
    secure="true" sslProtocol="TLS" />

Answer 3

The recommended answer only works for Tomcat deployed in Windows, I found that the below works for me in Linux server:

TOMDOGEDIRECTORY/bin/setenv.sh [You need to create this file yourself]

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/meh_tuststove.jks" 
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=muchsecure" 
export JAVA_OPTS

Answer 4

Incase anybody else is having this question, here is what I did:
1. Navigate to \tomcatDirectory\bin\
2. Edit the catalina.sh/bat depending on you machine.
3. Add these properties to the JAVA_OPTS property

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=truststorePassword -server"

This will essentially tell tomcat to use the specified truststore instead of the default cacerts truststore which tomcat loads if it does not find any truststore specified in the system properties.

Also, I have noticed that it is possible to define the truststore in tomcat's main configuration file server.xml. All you have to do is set these properties in the connector property.

<Connector port="8443" maxThreads="500"
           server="Apache"
           scheme="https" secure="true" SSLEnabled="true" acceptCount="500"
           keystoreFile="/apps/content/certificates/keystore.ks" keystorePass="keystorepass"
           truststoreFile="/apps/content/certificates/truststore.ks" truststorePass="truststorePassword"/>

Try it out, Hope it helps!