Question
I am in the process of configuring TLS for Tomcat 8.5 to Postgres communication using a self-signed certificate.
What would be the best means of providing the certificate and private key (bundled in PKCS12 format) to Tomcat, together with the CA certificate (root certificate)?
Tomcat is set up as a service, so the preferred approach would be to provide start-up VM parameters. I have tried to provide these in Configure Tomcat -> Java Opts:
-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=D:\test\data\pg_cert\truststore
-Djavax.net.ssl.trustStorePassword=changeit
However, Tomcat doesn't seem to load these. If I test this using a standalone Java class, it is able to connect.
I have read somewhere that providing the certificate in the Tomcat startup script could be an option; however, to keep the changes minimal in production, this would be the last option.
Answer 1:
The JDBC connection must contain the URL parameter:
If you use mutual authentication, the Postgres server must offer its public key and must hold the client's public key in the Postgres server's truststore.
More information is available on the "Configuring the Client" page.
I would like to warn you: PKI is a complex topic, and SSL sessions might span several weeks before it becomes known that the certificate has been deactivated via OCSP. I prefer to pass the password directly to the server start/stop script without storing the password on the filesystem.
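As an added example (not part of the original question or answer), the following Tomcat 8.5 JNDI DataSource definition shows how the JVM keystore/truststore options from the question and the pgjdbc URL parameters fit together. The host name, database name, credentials and file paths are placeholders. Two points a practitioner needs here: pgjdbc's default SSL factory (LibPQFactory) takes its certificates from the sslrootcert/sslcert/sslkey parameters (defaulting to files under ~/.postgresql/) and ignores the javax.net.ssl.* system properties, so to have the JVM truststore and PKCS12 keystore used at all you must set sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory; and when Tomcat runs as a Windows service, the JVM options must be entered on the Java tab of tomcat8w.exe, one option per line, because the service wrapper does not read catalina.bat or setenv.bat.

```xml
<!-- conf/Catalina/localhost/app.xml (or the webapp's META-INF/context.xml).
     Hypothetical host, database and credentials; adjust to your environment.
     Assumes the Tomcat service JVM was started with these options entered on
     the Java tab of tomcat8w.exe, one per line (paths are the ones from the
     question; the keystore line is added here as an assumption):
       -Djavax.net.ssl.keyStore=D:\test\data\pg_cert\client.p12
       -Djavax.net.ssl.keyStoreType=PKCS12
       -Djavax.net.ssl.keyStorePassword=changeit
       -Djavax.net.ssl.trustStore=D:\test\data\pg_cert\truststore
       -Djavax.net.ssl.trustStorePassword=changeit
-->
<Context>

  <!-- WEAK (shown for contrast, do not use): sslmode=require encrypts the
       connection but never verifies the server certificate, so an attacker
       on the network path who presents any certificate is accepted.

  <Resource name="jdbc/pg" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/app?sslmode=require"
            username="app" password="app-db-password"
            maxTotal="20" maxIdle="5" validationQuery="SELECT 1"/>
  -->

  <!-- CORRECT: verify-full checks the server certificate against the JVM
       truststore AND checks that its CN/SAN matches the host in the URL.
       DefaultJavaSSLFactory makes pgjdbc use the JVM's default SSLContext,
       which is what honours the javax.net.ssl.* options above; with a
       keystore configured it also presents the client certificate for
       mutual authentication. Note that '&' must be written as '&amp;'
       inside an XML attribute. -->
  <Resource name="jdbc/pg" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/app?sslmode=verify-full&amp;sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory"
            username="app" password="app-db-password"
            maxTotal="20" maxIdle="5" validationQuery="SELECT 1"/>

</Context>
```

With a self-signed setup, the truststore must contain the root certificate that signed the Postgres server certificate (or the server certificate itself if it is self-signed), and the server certificate's CN or SAN must equal the host name used in the URL, otherwise verify-full rejects the connection. Restart the service after changing the Java tab, since the options are read only at JVM start. Keystore passwords passed as -D options are visible to anyone who can read the service configuration or the process command line, which is the exposure the answer above is cautioning about.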
Source: https://stackoverflow.com/questions/56638796/providing-certificates-to-tomcat-for-postgres-connection