
In conf/server.xml I wrote the following text:

    <Connector port="8443" SSLEnabled="true" maxHttpHeaderSize="8192"
        maxThreads="150" minSpareThreads="25" maxSpareThreads="200"
        enableLookups="false" disableUploadTimeout="true"
        acceptCount="100" scheme="https" secure="true"
        clientAuth="false" sslProtocol="TLS"
        keystoreFile="keyStore" keystorePass="password" keystoreType="JKS"
        keyAlias="tomcat"/>

And next I need to use the content of keyStore in the code (in servlet on the server side).

I tried this:

    System.getProperty("javax.net.ssl.keyStore")

But it returns the name of keyStore.

So is there any way to get the content of keyStore? Or maybe I should make another configuration of the server?

(My next step is extracting private and public keys from keyStore and using them for JWT)

Adey

1 Answer

I guess you should be able to get the parameter values through ServerFactory.getServer().findServices()[0].findConnectors()[0] or org.apache.tomee.loader.TomcatHelper.getServer() (depending on your version of Tomcat - see this question), and then use them to open the keystore as usual (KeyStore.getInstance(...).load(...)).

But I would recommend you use another keystore + key, in a dedicated configuration for your JWT needs, so that:

  • your code isn't tightly coupled to Tomcat (= portability)
  • your ops don't need to care about your app's specific needs (and/or will not be willing to update their standard SSL keystore used on all their tomcat servers)
  • you are not using the same keys for encryption (SSL) and authorization (JWT). Making an attacker's life a bit harder is always good.

If you don't have a configuration file in your app, and don't want to add one, then you could simply expect a system property to be defined with a path to the keystore. For example start Tomcat with -Djwt.keystore=<keystore location> on the command line.

lbndev