On Tue, Jun 5, 2018 at 11:07 AM, Christopher Schultz
<ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Will,
>
> On 6/5/18 10:37 AM, Will Nordmeyer wrote:
>> I'm trying to configure an SSL Oracle connection.  I'm running on
>> CentOS7 (for my DB Server and my Web Server).
>>
>> Tomcat 7.0.76-6 from the CentOS Repository, httpd 2.4.6-80  from
>> the CentOS Repository on the Web Server Oracle 12.2.0.1 on the
>> Database Server
>>
>> I'm setting up the datasource in my web.xml - the 1521 port
>> connection works fine.  I change to 2484 and made the other
>> following parameters (javax.net.ssl.trustStore parameters):
>
> Tomcat doesn't configure JNDI DataSources in web.xml. What component
> are you configuring, here?
>
My data source. It has worked for years as a 1521-based connection
configured in the web.xml. I have the entire data source
configuration below; it was configured as 1521 without the additional
parameters of trustStore, trustStoreType & trustStorePassword.

>> <context-param>
>>   <param-name>type</param-name>
>>   <param-value>SIMPLE</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>datasource</param-name>
>>   <param-value>mydatasource</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>driver</param-name>
>>   <param-value>oracle.jdbc.OracleDriver</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>url</param-name>
>>   <!-- <param-value>jdbc:oracle:thin:@myserver.mydomain.com:1521:mydatasource</param-value> -->
>>   <param-value>jdbc:oracle:thin:@(DESCRIPTION=(ADDRESS=(PROTOCOL=TCPS)(PORT=2484)(HOST=myserver.mydomain.com))(CONNECT_DATA=(SERVICE_NAME=mydatasource.myserver.mydomain.com)))</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>javax.net.ssl.trustStore</param-name>
>>   <param-value>/usr/share/tomcat/conf/TrustStore.JKS</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>javax.net.ssl.trustStoreType</param-name>
>>   <param-value>JKS</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>javax.net.ssl.trustStorePassword</param-name>
>>   <param-value>mypassword</param-value>
>> </context-param>
>
> This looks like you are trying to configure system properties from
> within web.xml.
>
>> <context-param>
>>   <param-name>username</param-name>
>>   <param-value>myuser</param-value>
>> </context-param>
>> <context-param>
>>   <param-name>mydbpass</param-name>
>>   <param-value>apso11</param-value>
>> </context-param>
>>
>>
>> It fails with the following error:
>>
>> May 22 12:12:00 myserver server: Caused by:
>> sun.security.validator.ValidatorException: PKIX path building
>> failed: sun.security.provider.certpath.SunCertPathBuilderException:
>> unable to find valid certification path to requested target
>
> Your truststore is probably being ignored.
>
But why?

>> the TrustStore.JKS is in that directory.
>>
>> If I move the javax.net.ssl.trustStore parameters to the JAVA_OPTS
>> line, in the startup, then it works.
>>
>>
>> JAVA_OPTS="-Xms1024m -Xmx2048m
>> -Djavax.net.ssl.trustStore=/usr/share/tomcat/conf/TrustStore.JKS
>> -Djavax.net.ssl.trustStoreType=JKS
>> -Djavax.net.ssl.trustStorePassword=mypassword"
>
> Yes, that's because these are system properties and not
> servlet-context init-params, which don't affect system properties.
>
> I'd recommend against setting a JVM-wide trust store. It's cleaner and
> safer if you configure each (type of) connection separately.
>
> -chris

Chris - that's why I'm here. :)  Why are my parameters that are set
specifically for the connection being ignored?  The non-SSL version of
this connection has worked in my web.xml for years.  It doesn't show
up as a data source when I run Probe or other management interfaces,
but it works for the application.
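Chris's suggestion of configuring the trust store per connection, as an added example that is not code from this thread: the Oracle thin driver accepts javax.net.ssl.trustStore, javax.net.ssl.trustStoreType and javax.net.ssl.trustStorePassword as JDBC connection properties, so the application can read the context-params already in the posted web.xml and hand them to the driver in a java.util.Properties, instead of expecting the driver to find them as system properties. The listener class name and the oracle.net.ssl_server_dn_match line are my additions; the param names come from the posted web.xml, and the code assumes the Tomcat 7 javax.servlet API and the Oracle JDBC driver on the classpath.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.SQLException;
import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;

// Hypothetical listener: passes the javax.net.ssl.* context-params to the Oracle
// thin driver as connection properties, so no JVM-wide -Djavax.net.ssl.* is needed.
public class SslDataSourceInit implements ServletContextListener {
    // Same param names as in the posted web.xml.
    private static final String[] SSL_PARAMS = {
        "javax.net.ssl.trustStore",
        "javax.net.ssl.trustStoreType",
        "javax.net.ssl.trustStorePassword"
    };

    /** Build per-connection properties from the servlet context init-params. */
    static Properties buildConnectionProperties(ServletContext ctx) {
        Properties props = new Properties();
        props.setProperty("user", ctx.getInitParameter("username"));
        props.setProperty("password", ctx.getInitParameter("mydbpass"));
        for (String name : SSL_PARAMS) {
            String value = ctx.getInitParameter(name);
            if (value == null) {
                throw new IllegalStateException("missing context-param " + name);
            }
            props.setProperty(name, value); // driver property, not a system property
        }
        // Also check the server certificate's DN against the HOST in the URL.
        props.setProperty("oracle.net.ssl_server_dn_match", "true");
        return props;
    }

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        Properties props = buildConnectionProperties(ctx);
        // Open one TCPS connection at startup so a bad trust chain fails fast.
        try (Connection c = DriverManager.getConnection(ctx.getInitParameter("url"), props)) {
            ctx.log("TCPS connection OK: " + c.getMetaData().getURL());
        } catch (SQLException e) {
            throw new IllegalStateException("Oracle TCPS connection failed", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) { }
}
```

Register the class with a `<listener>` element in web.xml; if the PKIX error still appears with the properties passed this way, the trust store file itself lacks the CA that signed the listener's certificate.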
