Felix,

On 10/26/19 16:37, Felix Schumacher wrote:
> 
> On 22.10.19 at 20:07, Magosányi Árpád wrote:
>> Thank you all for the suggestions.
>> 
>> Based on the documentation, my setup should work: the server
>> certificate is already processed and accepted (I know that
>> because I could not get it right on the first try). The driver is
>> supposed to work with a PEM certificate and a PKCS#8 DER-encoded
>> key, and those are what I supply to it.
> 
> Is your key password protected? Have you tried to remove the
> password?

This was essentially resolved. The OP just didn't circle back to us.

If you look at the PR, it turns out that openssl changed behavior and
used a different encryption algorithm to encrypt the private key. The
pgsql JDBC driver has limited support for reading keys.

So basically, you have to make sure that openssl uses the deprecated
encryption strategy.

I'm looking at maybe providing a patch to their project, if only to
allow them to read something other than a binary DER key file. Yuck.
It's the only product I've ever seen that can ONLY take a binary file
and not e.g. PEM, keystore, whatever. Weird that they have a Java
product that can't use a Java keystore for its keys.

-chris

>> The problem seems to be that the Java installation (openjdk-11)
>> does not have a cryptographic security provider understanding a
>> specific OID. What I understand is that BouncyCastle has that
>> security provider, and I should be able to configure it somewhere,
>> either in the Java setup or in Tomcat. I have already tried in the
>> Java setup, but the documented way did not seem to work. I have
>> no idea how to configure it in a Tomcat datasource, which is why I
>> have asked here. The other reason is to see whether anyone has a
>> similar setup: if so, then someone has already dealt with the same
>> problem, and I should like to see how.
>> 
>> It's true that it seems to be a pgjdbc-related problem: it does
>> not work with direct JDBC calls. I am trying to get help from
>> the JDBC guys, which is why I have an open issue there:
>> 
>> https://github.com/pgjdbc/pgjdbc/issues/1585
>> 
>> 
>> On 10/22/19 6:10 PM, Christopher Schultz wrote:
>>> Arpad,
>>> 
>>> On 10/22/19 12:19, logo wrote:
>>>>>>>> I have the following in context.xml:
>>>>>>>> 
>>>>>>>> <Resource name="jdbc/users" auth="Container"
>>>>>>>>   type="javax.sql.DataSource"
>>>>>>>>   driverClassName="org.postgresql.Driver"
>>>>>>>>   url="jdbc:postgresql://infra.kodekonveyor.com:5432/users?ssl=true&amp;sslmode=verify-ca"
>>>>>>>>   username="market" maxTotal="20" maxIdle="10"
>>>>>>>>   maxWaitMillis="-1"/>
>>>>>>>> 
>>>>>>>> I have this in ~tomcat/.postgresql:
>>>>>>>> 
>>>>>>>> root@market:/var/lib/tomcat9/.postgresql# ls -lL
>>>>>>>> total 11
>>>>>>>> -rw-r--r-- 1 root   root 4597 Oct 21 12:49 postgresql.crt
>>>>>>>> -r-------- 1 tomcat root 1329 Oct 21 17:40 postgresql.pk8
>>>>>>>> -rw-r--r-- 1 root   root 1493 Oct 21 12:49 root.crt
>>> The documentation for the driver[1] is a little unclear, but it
>>> seems that you can indeed specify the location of the client
>>> certificate using sslcert=/path/to/cert and sslkey=/path/to/key
>>> connection parameters. Their defaults are
>>> ${user.home}/.postgresql/postgresql.crt and
>>> ${user.home}/.postgresql/postgresql.pk8 (and 
>>> ${user.home}/.postgresql/root.crt for the root certificate).
>>> 
>>> So I think those settings should be working.
>>> 
>>> Under the notes in [1], it says:
>>> 
>>> " If you are using Java's default mechanism (not LibPQFactory)
>>> to create the SSL connection you will need to make the server
>>> certificate available to Java, the first step is to convert it
>>> to a form Java understands. "
>>> 
>>> I'm not sure what LibPQFactory is, but you may have to convert
>>> to PKCS12/JKS and use their process to use those certificates.
>>> 
>>> The documentation suggests that you will need to start your JVM
>>> with specific system properties to make your connection. IMO
>>> this is a terrible bug because it means you can't configure
>>> these things on a per-connection basis. The documentation is
>>> also incomplete because they only tell you how to configure a
>>> trust store (to trust the server) and not how to configure the
>>> key store (which contains your client certificate). The correct
>>> system properties to use for a key store are:
>>> 
>>> javax.net.ssl.keyStore (path to keystore)
>>> javax.net.ssl.keyStorePassword (password for keystore)
>>> javax.net.ssl.keyStoreType (type of keystore: PKCS12, JCEKS, JKS, etc.)
>>> 
>>> At this point, all of your questions should be directed to the 
>>> PostgreSQL community since it's the driver you are having
>>> trouble configuring. It appears that Tomcat is working as
>>> expected and you just need help with the driver configuration.
>>> 
>>> Hope that helps, -chris
>>> 
>>> [1]
>>> https://jdbc.postgresql.org/documentation/head/ssl-client.html
>>> 
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>> 
>> 
>> 
> 
> 
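The resolution above comes down to which password-based-encryption envelope `openssl pkcs8` wrapped around the PKCS#8 key: newer OpenSSL defaults to PBES2 (PBKDF2 with an HMAC PRF plus an AES cipher), while the driver, as the thread reports, only copes with the older single-algorithm PBE schemes that OpenSSL still emits with its `-v1` option (for example `openssl pkcs8 -topk8 -inform PEM -in postgresql.key -outform DER -out postgresql.pk8 -v1 PBE-MD5-DES`). The following script, added here as an illustration and not code from the thread or from pgjdbc, reads the outer DER structure of a `postgresql.pk8` file and reports which envelope it uses, so the "unsupported OID" symptom can be diagnosed without guessing. The DER reader, the OID-to-name table and the sample envelopes are all written for this example; the sample envelopes contain zero bytes in place of salt, IV and ciphertext and are not real keys.

```python
"""Report the PBE scheme of a PKCS#8 DER key file (e.g. postgresql.pk8)."""
import sys

# PKCS#5 / NIST OIDs, named with their usual OpenSSL long names (table written for this example).
OIDS = {
    "1.2.840.113549.1.5.13": "PBES2",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.1.5.3": "pbeWithMD5AndDES-CBC",            # openssl pkcs8 -v1 PBE-MD5-DES
    "1.2.840.113549.1.5.10": "pbeWithSHA1AndDES-CBC",          # openssl pkcs8 -v1 PBE-SHA1-DES
    "1.2.840.113549.1.12.1.3": "pbeWithSHA1And3-KeyTripleDES-CBC",
    "1.2.840.113549.2.7": "hmacWithSHA1",
    "1.2.840.113549.2.9": "hmacWithSHA256",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.2": "aes-128-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
}

def _read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long form: low bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(content):
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = _read_tlv(content, pos)
        out.append((tag, body))
    return out

def _decode_oid(body):
    arcs, value = [str(body[0] // 40), str(body[0] % 40)], 0
    for b in body[1:]:                                  # base-128 arcs, high bit set on all but the last octet
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(str(value))
            value = 0
    return ".".join(arcs)

def _alg_id(content):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters ANY OPTIONAL } -> (name, params)."""
    parts = _children(content)
    oid = _decode_oid(parts[0][1])
    return OIDS.get(oid, oid), (parts[1] if len(parts) > 1 else None)

def describe_pkcs8(der):
    """Describe the envelope of a PKCS#8 DER blob: unencrypted, legacy PBE, or PBES2 with its KDF/PRF/cipher."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    first_tag, first_body = _children(body)[0]
    if first_tag == 0x02:                               # PrivateKeyInfo starts with INTEGER version: -nocrypt output
        return {"scheme": "unencrypted"}
    scheme, params = _alg_id(first_body)                # EncryptedPrivateKeyInfo.encryptionAlgorithm
    info = {"scheme": scheme}
    if scheme == "PBES2" and params is not None:
        kdf_body, enc_body = [c[1] for c in _children(params[1])]
        kdf, kdf_params = _alg_id(kdf_body)
        info.update(kdf=kdf, cipher=_alg_id(enc_body)[0], prf="hmacWithSHA1")   # PBKDF2 prf DEFAULT hmacWithSHA1
        if kdf == "PBKDF2" and kdf_params is not None:
            fields = _children(kdf_params[1])           # salt, iterationCount, [keyLength], [prf]
            info["iterations"] = int.from_bytes(fields[1][1], "big")
            for t, b in fields[2:]:
                if t == 0x30:
                    info["prf"] = _alg_id(b)[0]
    return info

def needs_reencoding(info):
    """True when the file carries the PBES2 envelope the thread says the driver cannot read."""
    return info["scheme"] == "PBES2"

# --- constructed sample envelopes (dummy zero bytes instead of salt/IV/ciphertext; not real keys) ---
def _tlv(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = bytearray([a & 0x7F])
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        out += bytes(chunk)
    return _tlv(0x06, out)

def sample_modern_key():
    """Envelope shape of current `openssl pkcs8 -topk8` defaults: PBES2 / PBKDF2-HMAC-SHA256 / AES-256-CBC."""
    pbkdf2 = _tlv(0x04, b"\x00" * 8) + _tlv(0x02, b"\x08\x00") + _tlv(0x30, _oid("1.2.840.113549.2.9") + b"\x05\x00")
    kdf = _tlv(0x30, _oid("1.2.840.113549.1.5.12") + _tlv(0x30, pbkdf2))
    enc = _tlv(0x30, _oid("2.16.840.1.101.3.4.1.42") + _tlv(0x04, b"\x00" * 16))
    alg = _tlv(0x30, _oid("1.2.840.113549.1.5.13") + _tlv(0x30, kdf + enc))
    return _tlv(0x30, alg + _tlv(0x04, b"\x00" * 32))

def sample_legacy_key():
    """Envelope shape of `openssl pkcs8 -topk8 -v1 PBE-MD5-DES -outform DER`."""
    alg = _tlv(0x30, _oid("1.2.840.113549.1.5.3") + _tlv(0x30, _tlv(0x04, b"\x00" * 8) + _tlv(0x02, b"\x08\x00")))
    return _tlv(0x30, alg + _tlv(0x04, b"\x00" * 32))

def sample_unencrypted_key():
    """Envelope shape of `openssl pkcs8 -topk8 -nocrypt -outform DER` (PrivateKeyInfo, RSA OID)."""
    return _tlv(0x30, _tlv(0x02, b"\x00") + _tlv(0x30, _oid("1.2.840.113549.1.1.1") + b"\x05\x00") + _tlv(0x04, b"\x00" * 8))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_modern_key()
    info = describe_pkcs8(data)
    print(info, "-> re-encode with openssl pkcs8 -v1" if needs_reencoding(info) else "-> legacy/unencrypted envelope")
```

Run it as `python3 pk8info.py /var/lib/tomcat9/.postgresql/postgresql.pk8` (the path is the one from the thread); a PBES2 result is the envelope to convert with `-v1`. Two caveats worth keeping in mind: `-v1 PBE-MD5-DES` protects the key with single DES and an MD5-derived key, so the password on the file is not a meaningful control and the `0400 tomcat` permission on `postgresql.pk8` shown above is what actually guards the key; and if the whole point of the password is lost anyway, `-nocrypt` with the same permissions is the more honest option. The file read is the only I/O; `describe_pkcs8` itself works on any PKCS#8 DER blob.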
