AJF

Reputation: 1931

Configure Truststore in Tomcat

I have a Java servlet currently running on Tomcat 7 (Windows) and it connects to a SQL Server database. I now need to encrypt this connection and I have a public-key SSL certificate in a keystore. But apparently I have to configure a system property for a "Truststore" and have the truststore set to the keystore.

The keystore location is C:\SSLKeys\appkeystore.key and from what I have found I have to set the truststore up with the following:

-Djavax.net.ssl.trustStore=C:\SSLKeys\appkeystore.key
-Djavax.net.ssl.trustStorePassword=appkeystorePassword

But how do I set these please? I have tried it in the command line but that doesn't seem to work. I don't want to hard code these in the Java as I need them to be configurable.

Can these be set in the Catalina.bat file in Tomcat? If so where in the file do I put the command?

Upvotes: 18

Views: 122742

Answers (5)

Ramya Musunuru

Reputation: 471

For Tomcat 9 the truststore can be added in server.xml as follows:

<Connector port="<portOnWhichHttpsToBeEnabled>" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               sslEnabledProtocols="TLSv1.2"
               keystoreFile="KEYSTORE_PATH"
               keystorePass="KEYSTORE_PWD"
               truststoreFile="TRUSTSTORE_PATH"
               truststorePass="TRUSTSTORE_PWD"
               URIEncoding="UTF-8"/>

Note: clientAuth must be set to true

For Tomcat 10 and above, it can be added as follows:

Step 1: Add the keystore as follows in server.xml:

<Connector port="<portOnWhichHttpsToBeEnabled>" SSLEnabled="true" protocol="org.apache.coyote.http11.Http11NioProtocol"
           sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
           maxThreads="150" scheme="https" secure="true">
    <SSLHostConfig>
        <Certificate certificateKeyAlias="KEYSTORE_ALIAS"
                     certificateKeystoreFile="KEYSTORE_PATH"
                     certificateKeystorePassword="KEYSTORE_PWD"
                     type="RSA"/>
    </SSLHostConfig>
</Connector>

Step 2: then add the truststore as follows in setenv.sh:

export JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=TRUSTSTORE_PATH -Djavax.net.ssl.trustStorePassword=TRUSTSTORE_PWD"

In the Tomcat logs you can see that the truststore is loaded, as follows:

org.apache.tomcat.util.net.AbstractEndpoint.logCertificate Connector [https-openssl-nio-<portOnWhichHttpsToBeEnabled>], TLS virtual host [_default_], certificate type [RSA] configured from keystore [KEYSTORE_PATH] using alias [KEYSTORE_ALIAS] with trust store [TRUSTSTORE_PATH]

Upvotes: 0

celezar

Reputation: 442

You need to change server.xml file for this. You can find it in conf/ directory.

First uncomment these lines:

<!--
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />
-->

and then change it to something like this:

<Connector SSLEnabled           ="true"
           acceptCount          ="100"
           clientAuth           ="false"
           disableUploadTimeout ="true"
           enableLookups        ="false"
           maxThreads           ="25"
           port                 ="8443"
           keystoreFile         ="C:\SSLKeys\appkeystore.key"
           keystorePass         ="password"
           protocol             ="org.apache.coyote.http11.Http11NioProtocol"
           scheme               ="https"
           secure               ="true"
           sslProtocol          ="TLS"
/>

Upvotes: 0

AJF

Reputation: 1931

I think I may have found how, or at least one way of doing this. Someone please tell me if there is a better way of processing this. In the Tomcat\bin folder, where the catalina.bat file is, I created a setenv.bat file and in there I declared the two Java option properties:

set JAVA_OPTS="-Djavax.net.ssl.trustStore=C:\path\to\keystore.key" "-Djavax.net.ssl.trustStorePassword=************"

Apparently when Tomcat is started it runs the catalina.bat file, and catalina.bat checks whether a setenv.bat file exists and, if so, runs that file to set the Java options.

Again, someone please correct me if I am wrong and advise of any better way of doing this. Apparently, though, where Tomcat is set up as a Windows service the options above are entered through tomcatXw.exe, which opens the Tomcat service console, on the Java tab.

Upvotes: 27

Ng Sek Long

Reputation: 4786

The recommended answer only works for Tomcat deployed on Windows; I found that the below works for me on a Linux server:

TOMDOGEDIRECTORY/bin/setenv.sh [You need to create this file yourself]

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=/opt/meh_tuststove.jks" 
JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStorePassword=muchsecure" 
export JAVA_OPTS

Upvotes: 3

HeCodes

Reputation: 181

In case anybody else has this question, here is what I did:
1. Navigate to \tomcatDirectory\bin\
2. Edit catalina.sh or catalina.bat, depending on your machine.
3. Add these properties to the JAVA_OPTS property:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$CATALINA_HOME/certificates/truststore.ks -Djavax.net.ssl.trustStorePassword=truststorePassword -server"

This will essentially tell tomcat to use the specified truststore instead of the default cacerts truststore which tomcat loads if it does not find any truststore specified in the system properties.

Also, I have noticed that it is possible to define the truststore in Tomcat's main configuration file, server.xml. All you have to do is set these attributes on the Connector.

<Connector port="8443" maxThreads="500"
           server="Apache"
           scheme="https" secure="true" SSLEnabled="true" acceptCount="500"
           keystoreFile="/apps/content/certificates/keystore.ks" keystorePass="keystorepass"
           truststoreFile="/apps/content/certificates/truststore.ks" truststorePass="truststorePassword"/>

Try it out, hope it helps!

Upvotes: 14
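The answers in this thread name a truststore in two different places: as a JVM system property in setenv.bat / setenv.sh (AJF, Ng Sek Long, HeCodes) and as truststoreFile attributes on the Connector in server.xml (Ramya Musunuru, celezar, HeCodes). Only the system property affects the outbound JDBC connection the question is about; a Connector's truststoreFile is consulted to validate client certificates on inbound HTTPS. The script below is an added example, not code from this thread or from Tomcat: it parses both sources, reports which truststore applies where, and lists the points a reviewer would raise (password exposed as a system property, keystore reused as truststore, no truststore set so the JDK cacerts applies). The sample server.xml and setenv.bat line are constructed here to match the question's setup; the option regex assumes no unquoted spaces in paths.

```python
"""Audit which truststore a Tomcat instance will actually use for TLS.

Added example for this thread, not Tomcat's own tooling. It keeps apart the
two settings the answers run together:
  * -Djavax.net.ssl.trustStore is JVM-wide; outbound clients such as the
    SQL Server JDBC driver validate server certificates against it.
  * truststoreFile on <Connector> / <SSLHostConfig> is only consulted to
    validate *client* certificates on inbound HTTPS.
"""
import re
import xml.etree.ElementTree as ET

# -Djavax.net.ssl.<name>=VALUE, where VALUE runs to the next whitespace or
# double quote, so both `-Dk=/a/b` and `"-Dk=C:\a\b"` quoting styles match.
# Assumption: paths contain no unquoted spaces.
_OPT = r'-Djavax\.net\.ssl\.{name}=([^\s"]+)'
TRUSTSTORE_RE = re.compile(_OPT.format(name="trustStore"))
TRUSTPASS_RE = re.compile(_OPT.format(name="trustStorePassword"))


def _norm(path):
    """Normalise a path for comparison (Windows paths are case-insensitive)."""
    return path.replace("\\", "/").lower()


def jvm_truststore(setenv_text):
    """JVM-wide truststore settings declared in a setenv.sh/.bat body."""
    path = TRUSTSTORE_RE.search(setenv_text)
    pw = TRUSTPASS_RE.search(setenv_text)
    return {"path": path.group(1) if path else None, "password_set": pw is not None}


def tls_connectors(server_xml):
    """Every SSLEnabled Connector with the stores it references."""
    found = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        info = {"port": c.get("port"),
                "keystore": c.get("keystoreFile"),
                "inbound_truststore": c.get("truststoreFile"),
                "client_auth": c.get("clientAuth", "false").lower()}
        # Tomcat 8.5+ style: the stores move to SSLHostConfig / Certificate.
        for host in c.iter("SSLHostConfig"):
            info["inbound_truststore"] = host.get("truststoreFile", info["inbound_truststore"])
            info["client_auth"] = host.get("certificateVerification", info["client_auth"]).lower()
            for cert in host.iter("Certificate"):
                info["keystore"] = cert.get("certificateKeystoreFile", info["keystore"])
        found.append(info)
    return found


def audit(server_xml, setenv_text):
    """Combine both sources and list what a reviewer would raise."""
    jvm = jvm_truststore(setenv_text)
    conns = tls_connectors(server_xml)
    findings = []
    if jvm["path"] is None:
        findings.append("no -Djavax.net.ssl.trustStore: outbound TLS (e.g. the JDBC driver) "
                        "validates against the JDK's lib/security/cacerts (jssecacerts first)")
    if jvm["password_set"]:
        findings.append("trustStorePassword is a system property, so it is visible on the "
                        "process command line; restrict read access to setenv.*")
    for c in conns:
        if c["inbound_truststore"] and c["client_auth"] in ("false", "none"):
            findings.append(f"connector {c['port']}: truststoreFile is set but client "
                            "certificates are not verified; it never applies to outbound TLS")
        if jvm["path"] and c["keystore"] and _norm(jvm["path"]) == _norm(c["keystore"]):
            findings.append(f"connector {c['port']}: the server keystore doubles as the JVM "
                            "truststore; confirm it holds the CA that issued the database "
                            "server's certificate")
    return {"jvm": jvm, "connectors": conns, "findings": findings}


# Constructed sample mirroring the question: Tomcat 7 on Windows, one HTTPS
# connector, and the keystore reused as truststore via setenv.bat.
SAMPLE_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true" clientAuth="false"
               keystoreFile="C:\SSLKeys\appkeystore.key" keystorePass="appkeystorePassword"
               truststoreFile="C:\SSLKeys\appkeystore.key" truststorePass="appkeystorePassword"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""
SAMPLE_SETENV_BAT = (r'set JAVA_OPTS=%JAVA_OPTS% "-Djavax.net.ssl.trustStore=C:\SSLKeys\appkeystore.key" '
                     r'"-Djavax.net.ssl.trustStorePassword=appkeystorePassword"')


def sample_audit():
    """Run the audit over the constructed sample above."""
    return audit(SAMPLE_SERVER_XML, SAMPLE_SETENV_BAT)


if __name__ == "__main__":
    for line in sample_audit()["findings"]:
        print("-", line)
```

Run it as-is to see the three findings for the constructed sample; for a real install, pass the contents of conf/server.xml and bin/setenv.sh or setenv.bat to `audit()`. Whatever file the audit names as the JVM truststore, confirm with `keytool -list -keystore <file>` that it actually contains the CA (or certificate) the SQL Server presents, since that is what the driver will check the server's chain against.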
