Thank you all for the suggestions. Based on the documentation, my setup should work: the server certificate is already processed and accepted (I know that because I could not get it right at the first try). The driver is supposed to work with a PEM certificate and a PKCS#8 DER-encoded key, and those are what I supply to it.
The problem seems to be that the Java installation (openjdk-11) does not have a cryptographic security provider that understands a specific OID. What I understand is that BouncyCastle has such a security provider, and I should be able to configure it somewhere, either in the Java setup or in Tomcat. I have already tried in the Java setup, but the documented way did not seem to work. I have no idea how to configure it in a Tomcat datasource, which is why I have asked here. The other reason is to see whether anyone has a similar setup: if so, then someone has already dealt with the same problem, and I should like to see how. It's true that it seems to be a pgjdbc-related problem: it does not work with direct JDBC calls. I am trying to get help from the JDBC guys, which is why I have an open issue there: https://github.com/pgjdbc/pgjdbc/issues/1585

On 10/22/19 6:10 PM, Christopher Schultz wrote:
> Arpad,
>
> On 10/22/19 12:19, logo wrote:
>>>>>> I have the following in context.xml:
>>>>>>
>>>>>> <Resource name="jdbc/users" auth="Container"
>>>>>> type="javax.sql.DataSource"
>>>>>> driverClassName="org.postgresql.Driver"
>>>>>> url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca"
>>>>>> username="market" maxTotal="20" maxIdle="10"
>>>>>> maxWaitMillis="-1"/>
>>>>>>
>>>>>> I have this in ~tomcat/.postgresql:
>>>>>>
>>>>>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>>>>>> total 11
>>>>>> -rw-r--r-- 1 root root 4597 Oct 21 12:49 postgresql.crt
>>>>>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>>>>>> -rw-r--r-- 1 root root 1493 Oct 21 12:49 root.crt
>
> The documentation for the driver[1] is a little unclear, but it seems
> that you can indeed specify the location of the client certificate
> using sslcert=/path/to/cert and sslkey=/path/to/key connection
> parameters. Their defaults are ${user.home}/.postgresql/postgresql.crt
> and ${user.home}/.postgresql/postgresql.pk8 (and
> ${user.home}/.postgresql/root.crt for the root certificate).
>
> So I think those settings should be working.
>
> Under the notes in [1], it says:
>
> "
> If you are using Java's default mechanism (not LibPQFactory) to create
> the SSL connection you will need to make the server certificate
> available to Java, the first step is to convert it to a form Java
> understands.
> "
>
> I'm not sure what LibPQFactory is, but you may have to convert to
> PKCS12/JKS and use their process to use those certificates.
>
> The documentation suggests that you will need to start your JVM with
> specific system properties to make your connection. IMO this is a
> terrible bug because it means you can't configure these things on a
> per-connection basis. The documentation is also incomplete because
> they only tell you how to configure a trust store (to trust the
> server) and not how to configure the key store (which contains your
> client certificate). The correct system properties to use for a key
> store are:
>
> javax.net.ssl.keyStore (path to keystore)
> javax.net.ssl.keyStorePassword (password for keystore)
> javax.net.ssl.keyStoreType (type of keystore, PKCS12, JCEKS, JKS, etc.)
>
> At this point, all of your questions should be directed to the
> PostgreSQL community since it's the driver you are having trouble
> configuring. It appears that Tomcat is working as expected and you
> just need help with the driver configuration.
>
> Hope that helps,
> -chris
>
> [1] https://jdbc.postgresql.org/documentation/head/ssl-client.html
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
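The file preparation and checks the two messages above talk past each other on, as an added example that is not part of the thread, of pgjdbc or of Tomcat. It builds the three files the driver's default LibPQFactory looks for (postgresql.crt, postgresql.pk8, root.crt), verifies that they belong together before the JVM ever sees them, prints the key-algorithm OID from the PKCS#8 file (the thing the JDK provider has to understand), and also produces the PKCS12 keystore for the JVM-wide javax.net.ssl.keyStore route from Chris's reply. A throwaway CA and client certificate are generated locally so the script runs offline; the host name is the one from the quoted context.xml, the role name "market" is reused as CN, and every path and the password "changeit" are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread, pgjdbc or Tomcat.
# Prepares and checks pgjdbc client-certificate material, then shows both
# ways of handing it to the driver: per-connection URL parameters and the
# JVM-wide javax.net.ssl.* properties with a PKCS12 keystore.
set -e

# Constructed demo PKI: a root CA plus a client certificate whose CN is the
# database role "market" from the quoted Resource. Placeholder values only.
make_demo_pki() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=demo-root-ca" \
        -keyout "$dir/ca.key" -out "$dir/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=market" \
        -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$dir/client.csr" \
        -CA "$dir/root.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/postgresql.crt" 2>/dev/null
}

# pgjdbc's LibPQFactory wants the client key as an *unencrypted* PKCS#8 DER
# file; this is the conversion its SSL documentation prescribes. The result
# should be readable only by the Tomcat user, as in the quoted ls -lL output.
pgjdbc_convert_key() {
    openssl pkcs8 -topk8 -inform PEM -outform DER -nocrypt -in "$1" -out "$2"
    chmod 0400 "$2"
}

# The first OBJECT IDENTIFIER in an unencrypted PKCS#8 PrivateKeyInfo is the
# key algorithm. When a JVM rejects the key because no provider knows an OID,
# this is the OID in question, so print it before debugging provider setup.
key_algorithm() {
    openssl asn1parse -inform DER -in "$1" | grep OBJECT | head -n 1 | sed 's/.*://'
}

# Three checks a practitioner wants before blaming the driver: the client
# certificate chains to root.crt, the key parses as PKCS#8 DER, and the key
# really belongs to the certificate (identical SubjectPublicKeyInfo).
check_client_material() {
    dir=$1
    openssl verify -CAfile "$dir/root.crt" "$dir/postgresql.crt" >/dev/null || return 1
    openssl pkey -inform DER -in "$dir/postgresql.pk8" -noout || return 1
    certpub=$(openssl x509 -in "$dir/postgresql.crt" -noout -pubkey)
    keypub=$(openssl pkey -inform DER -in "$dir/postgresql.pk8" -pubout)
    [ "$certpub" = "$keypub" ]
}

# JVM-wide route from the reply: a PKCS12 keystore holding the client key and
# certificate, followed by a read-back with the same password.
make_pkcs12_keystore() {
    dir=$1
    pass=$2
    openssl pkcs12 -export -name market -in "$dir/postgresql.crt" \
        -inkey "$dir/client.key" -out "$dir/keystore.p12" -passout "pass:$pass"
    openssl pkcs12 -in "$dir/keystore.p12" -passin "pass:$pass" -nokeys -noout
}

# Per-connection route: the URL from the quoted context.xml with the file
# locations made explicit instead of relying on ${user.home}/.postgresql.
jdbc_url() {
    dir=$1
    printf '%s' "jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&sslmode=verify-ca&sslcert=$dir/postgresql.crt&sslkey=$dir/postgresql.pk8&sslrootcert=$dir/root.crt"
}

main() {
    work=$(mktemp -d)
    make_demo_pki "$work"
    pgjdbc_convert_key "$work/client.key" "$work/postgresql.pk8"
    echo "key algorithm in postgresql.pk8: $(key_algorithm "$work/postgresql.pk8")"
    check_client_material "$work"
    echo "client certificate, key and root CA are consistent"
    make_pkcs12_keystore "$work" changeit
    echo "JVM-wide: -Djavax.net.ssl.keyStore=$work/keystore.p12 -Djavax.net.ssl.keyStorePassword=changeit -Djavax.net.ssl.keyStoreType=PKCS12"
    echo "per-connection: $(jdbc_url "$work")"
}

main
```

Two things to keep in mind when moving this into a real deployment. The per-connection URL goes into the url attribute of the Resource element in context.xml, and since that is XML every & between parameters must be written as &amp; there. For the JVM-wide route, confirm that the Tomcat JVM can actually open the keystore before touching any pgjdbc setting, for instance with keytool -list -keystore keystore.p12 -storetype PKCS12; the trust-store side (importing the server's root.crt with keytool) is the part the driver documentation already covers.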