Sandah Aung

Reputation: 6188

Two-way SSL communication with Tomcat

A provider our system works with has given us a certificate named MM_Base64.cer. Our keystore is mitkeystore. We are using our keystore like this:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="path\mitkeystore" keystorePass="ourpass" />

We imported their key into our JDK and JVM like this:

keytool -import -file "path\MM_Base64.cer" -keystore "C:\Program Files\Java\jre7\lib\security\cacerts"

Still, a handshake problem occurs.

I am looking at this question. It looks complicated. Is our issue as complicated as theirs? Is there an easy way to get our system to work with the provider's system?

Upvotes: 1

Views: 2177

Answers (2)

Curious

Reputation: 473

I agree with Borys Zibrov about the truststore. https://www.mulesoft.com/tcat/tomcat-ssl is a good link for SSL setup.

Apart from the point about the truststore, I noticed that you are importing the certificate into the JDK's keystore but using your custom keystore (mitkeystore) as keystoreFile. Is there a reason why you didn't load it into mitkeystore? (This should actually be a comment, but I don't have sufficient reputation, so bear with me.)

Upvotes: 3

borowis

Reputation: 1250

I might be wrong on that one, but I think that you have to import the provider's certificate into a trust store. See here for the description of keystore vs truststore. Then you have to point Tomcat to the trust store file in the HTTP connector config block inside your server.xml.

The idea is that when the SSL handshake occurs your provider presents its certificate, and to know whether it can be trusted Tomcat uses the truststore to find information on that certificate or its certification authorities.

Upvotes: 4
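A concrete version of the truststore setup both answers describe, added here as an example and not taken from the question or either answer: the connector as posted, beside one that points Tomcat at a dedicated truststore holding only MM_Base64.cer and requires the client to present a certificate. The truststore file name mittruststore.jks, its password and the alias "provider" are assumptions.

```xml
<!-- Before (as posted): Tomcat presents mitkeystore but has no truststore in which to
     look up the provider's certificate, and clientAuth="false" never asks for one. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="path\mitkeystore" keystorePass="ourpass" />

<!-- Step 1 (assumed file name and alias): build a dedicated truststore containing
     only the provider's certificate, instead of writing into the JRE's cacerts:

       keytool -import -trustcacerts -alias provider
               -file "path\MM_Base64.cer" -keystore "path\mittruststore.jks"

     Step 2: point the connector at that truststore and require a client certificate,
     which is what two-way SSL means on the Tomcat side. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="path\mitkeystore" keystorePass="ourpass"
           truststoreFile="path\mittruststore.jks"
           truststorePass="TRUSTSTORE_PASSWORD_PLACEHOLDER"
           truststoreType="JKS" />
```

The connector-level truststore only matters when the provider is the TLS client connecting to this Tomcat; when Tomcat's own code is the client calling the provider, the JVM truststore applies instead, which is the cacerts import from the question, provided it is the JRE that actually runs Tomcat.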
