Hi,

You need to set clientAuth="true" in the connector or, for some reason unknown to me (probably something changed in Java from rel. 6/7 on), Tomcat will not enforce the 2 way SSL.
You can see what is going on (certificate exchange) with an SSL debug.

Kind Regards,

Diego Macca
Senior IT Specialist
DG-IS/EDA - Executional Domain Applications
EUROPEAN CENTRAL BANK
Tel.: +49 (69) 1344 6991
E-mail: diego.ma...@ecb.europa.eu
www.ecb.europa.eu
www.youtube.com/ecbeuro
https://twitter.com/ecb

-----Original Message-----
From: Vinoth Raja [mailto:rbvdvin...@gmail.com]
Sent: 15 August 2017 10:50
To: Tomcat Users List
Subject: 2 Way SSL integration with Webservices - Inbound connection not trusted

Hi,

Please advise on the steps to resolve the issue encountered in 2 way SSL.

Tomcat version used: apache-tomcat-8.5.15
Java version used: jdk1.8.0_131

*Problem statement:* Tomcat doesn't trust the inbound connection.

We have a web application deployed in Tomcat and it is integrated with web services. 2 way SSL is enabled. The webservice client deployed in Tomcat sends the certificate to the webservices and it is trusted. Tomcat doesn't trust the certificate sent by the webservices. It seems to ignore the client validation and allow the communication.

*Steps followed to implement 2 way SSL from the application*

We set the keystore and trust store to be used for communication, so it takes the cert from the key store for outbound and trusts the cert for inbound connections.

System.setProperty("javax.net.ssl.trustStoreType", "JKS");
System.setProperty("javax.net.ssl.keyStoreType", "JKS");
System.setProperty("javax.net.ssl.trustStore","TrustStore.jks");
System.setProperty("javax.net.ssl.keyStore","KeyStore.jks");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");
System.setProperty("javax.net.ssl.keyStorePassword","changeit");

It sends the certificate for the other system to trust but it doesn't trust the incoming connection. Please advise on the configuration to trust the incoming connection.

Thanks
Vinoth
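
A check for the connector setting discussed in this thread, as an added example that is not part of either message or of Tomcat itself: it parses a server.xml and reports, per TLS connector, whether a client certificate is actually required (clientAuth="true" on the Connector, or certificateVerification="required" on a nested SSLHostConfig, which Tomcat 8.5 also accepts). The sample file, the audit_connectors name and the verdict strings are assumptions made for the example.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml; ports, paths and passwords are placeholders.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1"/>
  <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
             keystoreFile="conf/KeyStore.jks" keystorePass="changeit"
             truststoreFile="conf/TrustStore.jks" truststorePass="changeit"/>
  <Connector port="8444" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="want" truststoreFile="conf/TrustStore.jks"/>
  <Connector port="8445" SSLEnabled="true" scheme="https" secure="true"
             clientAuth="true" keystoreFile="conf/KeyStore.jks"
             truststoreFile="conf/TrustStore.jks" truststorePass="changeit"/>
  <Connector port="8446" SSLEnabled="true" scheme="https" secure="true">
    <SSLHostConfig certificateVerification="required"/>
  </Connector>
</Service></Server>
"""

REQUIRE = {"true", "required"}  # values that fail the handshake without a client cert


def audit_connectors(server_xml):
    """Map each TLS connector's port to a verdict on client-certificate enforcement."""
    verdicts = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # not a TLS connector, nothing to audit
        # Tomcat 8.5 accepts either clientAuth on the Connector or
        # certificateVerification on nested SSLHostConfig elements.
        hosts = conn.findall("SSLHostConfig")
        if hosts:
            modes = [h.get("certificateVerification", "none") for h in hosts]
            has_trust = all(h.get("truststoreFile") for h in hosts)
        else:
            modes = [conn.get("clientAuth", "false")]
            has_trust = bool(conn.get("truststoreFile"))
        if not all(m.lower() in REQUIRE for m in modes):
            verdicts[conn.get("port")] = "not-enforced"  # absent, "false", "want", "optional"
        elif not has_trust:
            verdicts[conn.get("port")] = "required-no-truststoreFile"
        else:
            verdicts[conn.get("port")] = "required"
    return verdicts


if __name__ == "__main__":
    for port, verdict in audit_connectors(SAMPLE_SERVER_XML).items():
        print(port, verdict)
```

Port 8443 in the sample has a trust store configured but no clientAuth, which matches the symptom described in the original message: the connection is accepted whether or not the peer presents a trusted certificate.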