Tags: spring, ssl, tomcat, ssl-certificate, truststore

Tomcat [9.0.26] - Invoking secure service - TrustStore vs KeyStore Configuration Difference & Issues


Tomcat SSL configuration is a heavily queried area on the Stack Overflow forums, but still, I feel, the least understood despite the supposed ease of setup that Tomcat claims!

I am using Tomcat 9.0.26 and have to consume a third-party (https) web service. There started my trouble :).

  1. First was my blissful ignorance & the Tomcat documentation piling it up. I was trying to set up keystoreFile. Only after a few attempts did I realize the difference between keystore & truststore. In simple terms, a keystore is required if you wish your application deployed on your Tomcat server to be served over the secure HTTPS protocol. A truststore is required when you wish to consume another secure HTTPS web service, by storing its certificates in your truststore. The default Tomcat SSL documentation leads you into the keystore and not the truststore.

  2. So I moved on to set up the truststore:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
     maxThreads="150" scheme="https" secure="true"
     truststoreFile="C:\cert\myCert.p12" truststorePass="mypass" truststoreType="PKCS12" 
     clientAuth="false" sslProtocol="TLS+SSLV3" />

  3. Learnt that an SSLConfig element has come into being, but Tomcat 9 still supports the old configuration defined above. My attempts at using SSLConfig were not fruitful either, and this portion seems sparsely documented.

  4. I could not use the runtime parameters, as some other services fail with the parameters below.

-Djavax.net.ssl.trustStore=C:\cert\myCert.p12 -Djavax.net.ssl.trustStorePassword=mypass -Djavax.net.ssl.trustStoreType=PKCS12

Need help with pointers on what I could try to fix this issue, as the above attempts have still not been successful.


Solution

  • Finally resolved the issue. The above understanding of the truststore was correct. However, during the SSL handshake, my server needs to exchange a client authentication "key". This is where the same certificate store had to be set up as the keyStore as well, and post that all is working!!

    -Djavax.net.ssl.trustStore=C:\cert\myCert.p12 -Djavax.net.ssl.trustStorePassword=mypass -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.keyStore=C:\cert\myCert.p12 -Djavax.net.ssl.keyStorePassword=mypass
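Two things a practitioner would want after reading the answer above: a way to confirm that the PKCS12 file actually holds a private key (otherwise it can serve as a truststore but never as a keystore for client authentication), and a way to use that keystore/truststore pair for just this one outbound client instead of through the global -Djavax.net.ssl.* properties, which the poster reports broke other services. The Java class below is an added example and not code from the original post or from Tomcat; the file path, password and service URL are placeholders, and it assumes the PKCS12 store password also unlocks the private key, which is the common case for stores produced by openssl.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not from the original post): build a per-client SSLContext from a
 * PKCS12 truststore and a PKCS12 keystore for mutual TLS, leaving the JVM-wide
 * javax.net.ssl.* defaults untouched so other outbound services keep working.
 * Paths, passwords and the service URL below are placeholders (assumptions).
 */
public class MutualTlsClient {

    /**
     * Report what a PKCS12 file contains. A private-key entry is keystore material
     * (the server can demand it for client authentication); a trusted-certificate
     * entry is truststore material only. A file with no key entries cannot satisfy a
     * client-certificate request no matter how it is wired into Tomcat.
     */
    static int countKeyEntries(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        int keyEntries = 0;
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                keyEntries++;
                System.out.println(alias + ": private key + certificate chain (usable as keystore)");
            } else if (ks.isCertificateEntry(alias)) {
                System.out.println(alias + ": trusted certificate only (usable as truststore)");
            }
        }
        return keyEntries;
    }

    /** TrustManagers decide which server certificates we accept. */
    static TrustManagerFactory trustManagers(String path, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        return tmf;
    }

    /** KeyManagers present our own certificate and sign the handshake when the server asks for client auth. */
    static KeyManagerFactory keyManagers(String path, char[] storePassword, char[] keyPassword) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            keyStore.load(in, storePassword);
        }
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyPassword);
        return kmf;
    }

    static SSLContext buildContext(String trustStorePath, char[] trustStorePass,
                                   String keyStorePath, char[] keyStorePass) throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers(keyStorePath, keyStorePass, keyStorePass).getKeyManagers(),
                 trustManagers(trustStorePath, trustStorePass).getTrustManagers(),
                 null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Same file serves both roles, as in the poster's final configuration (placeholder path).
        String p12 = "C:\\cert\\myCert.p12";
        char[] pass = "mypass".toCharArray();

        if (countKeyEntries(p12, pass) == 0) {
            throw new IllegalStateException("no private key in " + p12 + "; it cannot act as a client-auth keystore");
        }

        SSLContext ctx = buildContext(p12, pass, p12, pass);
        // Placeholder URL; hostname verification stays on because we only swap the socket factory.
        HttpsURLConnection conn = (HttpsURLConnection) new URL("https://third-party.example/service").openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode());
    }
}
```

Scoping the SSLContext to the one HttpsURLConnection (or to the HTTP client the Spring/JAX-WS stub uses) is what avoids the side effect the poster hit: the -Djavax.net.ssl.trustStore property replaces the JVM's default truststore for every outbound connection, so services that relied on the bundled CA certificates stop validating. Keeping the handshake failure and the missing-private-key case distinguishable (the countKeyEntries check) also shortens the next round of debugging considerably.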