On Sep 19, 2012, at 2:40 AM, marco_strull...@swissre.com wrote:

> Hi all,
> I have a tomcat 6.0.35 that needs to connect to a remote server using
> https, so it is acting as a https client: it means that tomcat must have
> the remote server certificate installed.
>
> The ideal solution I found is to configure the truststore in the
> server.xml.
>
> Please see the following:
>
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keystoreFile="keystore/keystore.p12"
>            keystoreType="pkcs12"
>            keystorePass="<password>"
>            truststoreFile="keystore/truststore.p12"
>            truststoreType="pkcs12"
>            truststorePass="<password>"
>            clientAuth="optional" sslProtocol="TLS" />
>
> So, I configured the truststore and the server.xml.
This will configure the keystore / truststore used by the Connector. It does not configure the keystore / truststore used by the JVM for making HTTPS client requests.

> After restarting tomcat I got an ssl exception
>
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>
> Enabling the property javax.net.debug I could see that tomcat is simply
> ignoring the truststore I configured.
>
> Let me add that I tried also with no luck to change the truststore format
> to jks. I add also that the remote server cert is inside the truststore
> since I can see it with keytool.
>
> Do you know why? What else could I check?

See explanation above. Here is an example. The trick is to set the "javax.net.ssl.trustStore" and "javax.net.ssl.trustStorePassword" system properties.

http://www.exampledepot.com/egs/javax.net.ssl/client.html

or you could disable validation altogether. Not something you'd want to do for a production site though.

http://www.exampledepot.com/egs/javax.net.ssl/TrustAll.html

Dan

> Regards
>
> Marco
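The point of the reply above, as an added example that is not part of this thread: the Connector's truststoreFile only governs certificates Tomcat accepts from *its* clients, while outbound HTTPS calls made by the webapp use the JVM's own trust settings. The code below loads the same PKCS12 truststore and scopes it to one HttpsURLConnection instead of touching the JVM-wide javax.net.ssl.* properties; the file path, password and URL are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {

    // Build an SSLContext whose trust anchors come from the given PKCS12 truststore.
    // Note: Tomcat resolves Connector paths relative to CATALINA_BASE, but plain
    // Java resolves this path relative to the working directory, so use an absolute path.
    static SSLContext contextFromTruststore(String path, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // null key managers: this side is a client without a client certificate.
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder path/password: reuse the truststore from server.xml.
        SSLContext ctx = contextFromTruststore("/path/to/truststore.p12",
                                               "changeit".toCharArray());
        HttpsURLConnection conn =
            (HttpsURLConnection) new URL("https://remote.example/").openConnection();
        // Apply the truststore to this connection only; hostname verification stays on.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

The JVM-wide alternative from the reply is the equivalent of starting Tomcat with -Djavax.net.ssl.trustStore=/path/to/truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=... in CATALINA_OPTS, which then applies to every outbound HTTPS call in every webapp.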