java 将外部服务器的自签名证书添加到我的 Tomcat 的可信证书中
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/6497183/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Adding a foreign server's self-signed certificate to the trusted certificates of my Tomcat
提问by Chris Lercher
My Tomcat needs to connect to anotherweb server (at https://foreign.example.com) using SSL (TLS).
我的 Tomcat 需要使用 SSL (TLS)连接到另一个Web 服务器(位于https://foreign.example.com)。
foreign.example.com has a self-signed certificate, which I trust. Of course, my Tomcat does not by default - so I have to tell it. One way to do this is:
Foreign.example.com 有一个我信任的自签名证书。当然,我的 Tomcat 默认没有 - 所以我必须告诉它。一种方法是:
$JRE/bin/keytool -import -alias my -file ssl-cert-myselfsigned.cer -keystore
$JRE/lib/security/cacerts
This works: My Tomcat allows the SSL connection.
这有效:我的 Tomcat 允许 SSL 连接。
However, I don't like to do it this way: It imports the certificate into the trusted keys of my Java installation. I don't want to say: "Every application that runs Java on my machine should trust that certificate". Only Tomcat (or the user that runs Tomcat) should trust it.
但是,我不喜欢这样做:它将证书导入到我的 Java 安装的受信任密钥中。我不想说:“在我的机器上运行 Java 的每个应用程序都应该信任该证书”。只有 Tomcat(或运行 Tomcat 的用户)应该信任它。
So I tried importing it into the tomcat-user's keystore at ~/.keystore, and setting up Tomcat's <Connector>with these attributes:
所以我尝试将它导入到 tomcat-user 的密钥库中~/.keystore,并<Connector>使用以下属性设置 Tomcat :
keystoreFile="${user.home}/.keystore"
keystorePass="thePassphraseICreatedTheKeystoreWith"
However, that doesn't work at all (I believe, this is only for the server certificate of my Tomcat, not for server certificates of foreign servers, right?)
但是,这根本行不通(我相信,这仅适用于我的Tomcat的服务器证书,而不适用于外国服务器的服务器证书,对吗?)
I tried the same with the truststoreFile/truststorePassattributes, but they didn't work either. (The attributes are documented at http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)
我对truststoreFile/truststorePass属性进行了相同的尝试,但它们也不起作用。(属性记录在http://tomcat.apache.org/tomcat-6.0-doc/config/http.html)
Is there a way to set up Tomcat with the foreign server's server cert, or maybe to add some command line parameters to javawhich makes my keystore (and keystore passphrase) available to the JVM instance?
有没有办法用外部服务器的服务器证书设置 Tomcat,或者添加一些命令行参数java,使我的密钥库(和密钥库密码)可用于 JVM 实例?
采纳答案by rit
JBoss (which is based on Tomcat) can be run with the following cmd arguments. The cacerts file (or however you would like to name it) must contain the cert of the endpoint.
JBoss(基于 Tomcat)可以使用以下 cmd 参数运行。cacerts 文件(或您想命名的任何文件)必须包含端点的证书。
-Djavax.net.ssl.trustStore=C:\Applications\jboss-as\server\default\conf\cacerts -Djavax.net.ssl.trustStorePassword=changeit
-Djavax.net.ssl.trustStore=C:\Applications\jboss-as\server\default\conf\cacerts -Djavax.net.ssl.trustStorePassword=changeit
Therefor this should also work for Tomcat.
因此,这也适用于 Tomcat。
回答by sweetfa
An alternative approach is to add it to the SSL connector in tomcat in your tomcat server.xml file. Specifically you need to set the truststoreFile properties to enable trust of certificates from other servers.
另一种方法是将它添加到 tomcat server.xml 文件中的 tomcat 中的 SSL 连接器。具体来说,您需要设置 truststoreFile 属性以启用来自其他服务器的证书的信任。
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" keystorePass="changeit"
truststoreFile="../../../deploy/tomcat/config/ssl/keystore.jks" truststorePass="changeit"/>
