Make SSL client call in Tomcat using Tomcat's keystore

Submitted by 妖精的绣舞 on 2019-12-11 01:05:39

Question


I have a web app running in Tomcat that is making a web service call to another system. I need to secure this call with SSL and client authentication. The Tomcat I'm hosted in is already properly configured with a truststore and keystore specific to the environment, so I need to use those stores to secure my own call. This is where I'm stuck.

How can I locate the keystore and truststore that Tomcat is configured with to make my own SSL call? Or better, generate a properly configured SSLContext or SSLSocketFactory with those values?

Things I've tried:

  1. I tried relying on the SSLContext.getDefault(). That doesn't appear to be set.

  2. I tried relying on System properties:

    // Trust store settings (used to validate the remote server's certificate)
    System.getProperty("javax.net.ssl.trustStore");
    System.getProperty("javax.net.ssl.trustStorePassword");
    System.getProperty("javax.net.ssl.trustStoreType");
    // Key store settings (used to present a client certificate)
    System.getProperty("javax.net.ssl.keyStore");
    System.getProperty("javax.net.ssl.keyStorePassword");
    System.getProperty("javax.net.ssl.keyStoreType");
    

But this appears to be a brittle solution as Tomcat doesn't have to be configured with system properties. In one of the test environments, the trust store information is set, but the keystore variables aren't. They're defined in Tomcat's server.xml.

Is there some simple way to do this that I'm overlooking?

Updated:

This question is similar, and one of the answers points out that SSL could be handled by OpenSSL/APR, so any solution here will depend heavily on the way Tomcat is configured. Assuming JSSE, the solutions appear to be:

  • Ensure Tomcat is configured through system properties.
  • Have the stores live at a predefined location on the server.
  • Package your own copies of the stores in your war.

For the first two above, you'd have to ensure the security policy allows access to those files.

Are these really the best practices for what I'm trying to do?


Answer 1:


I think amongst other things you're confusing inbound and outbound SSL connectivity. Server.xml contains inbound SSL settings.

When using outbound SSL in Java, javax.net.ssl.trustStore* and javax.net.ssl.keyStore* should be explicitly set in Tomcat's startup. Remember, by default the keystore can only contain one private key unless you code your own keymanager.

Most well-known web service libraries use standard HTTP libraries which use HttpURLConnection/HttpsURLConnection or Jakarta HttpClient and will present a client cert from the keystore if requested by the server. You shouldn't need to create your own SSLContext.

If you're terminating inbound Webservice calls then I would use Apache HTTP Server with SSL and client auth if required.

Edit for clarity: The keystore specified by javax.net.ssl.keyStore can contain more than one private key/cert pair, but you will not be able to use the additional private keys/certs UNLESS you write your own KeyManager. This can be a problem when you're terminating inbound SSL connections in Tomcat - you will need a private key/cert for external inbound connections and another private key/cert for outbound connections.



Source: https://stackoverflow.com/questions/9772597/make-ssl-client-call-in-tomcat-using-tomcats-keystore
