
I would like to set a custom truststore for my application. I would like to use System.setProperty(). Setting it in Tomcat is not an option.

All the configuration seems to be good, but it doesn't work. I use Spring Boot 2.0.6, with an external Tomcat.

I tried configuring it in different places, like in a bean's @PostConstruct, and just before SpringApplication.run. Here is my most recent code:

    import org.springframework.boot.SpringApplication;
    import org.springframework.boot.autoconfigure.SpringBootApplication;
    import org.springframework.boot.builder.SpringApplicationBuilder;
    import org.springframework.boot.web.servlet.support.SpringBootServletInitializer;

    @SpringBootApplication
    public class InsuranceCalculatorApplication extends SpringBootServletInitializer {

        // Runs once when the class is loaded, before configure() or main()
        static {
            System.setProperty("javax.net.debug", "all");
            System.setProperty("javax.net.ssl.trustStore", "/opt/grtc8/profiles/appconf/insurance/https-trust.p12");
            System.setProperty("javax.net.ssl.trustStorePassword", "xys");
            System.setProperty("javax.net.ssl.trustStoreType", "PKCS12");
        }

        // Entry point used by the external Tomcat (WAR deployment)
        @Override
        protected SpringApplicationBuilder configure(SpringApplicationBuilder application) {
            return application.sources(InsuranceCalculatorApplication.class);
        }

        // Entry point used when the application is run directly
        public static void main(String[] args) {
            SpringApplication.run(InsuranceCalculatorApplication.class, args);
        }
    }

I get a cert exception; it seems that it is not reading the file, or something.

I'm using Tomcat 8.5.

Zoltán Raffai

1 Answer

Setting system properties in your Java code is a rather dubious practice. The problem is that it will only work if you can ensure that the code that sets the properties is (always) run before the code that uses the properties.

In this case, the properties are being used when the SSL provider is initialized. This is most likely triggered by some static initialization that happens before your static block is executed.

There are a couple of ways to deal with this:

  1. Set the properties from the command line using -D options. Depending on your requirements, you may be able to do a bit of "launch-time" magic to choose the trust store; e.g. with a wrapper script or a custom launcher app.

  2. Load the default trust store, etc. for your JVM in Java code rather than relying on the properties. For example: Load java trust store at runtime - after jvm have been launched?

    Getting this approach to work with Tomcat could be tricky ... assuming that you want to do this for Tomcat's server side.

  3. Apparently, it is possible to replace the default Tomcat Connector if you are using SpringBoot; see Spring Boot - replace default embedded Tomcat connector. That might give you a "way in".

But I think that the pragmatic solution is the first one. Change the rules :-)

Stephen C
  • Thanks! It's not allowed to use the -D options from an external source. – Zoltán Raffai Jan 25 '19 at 12:26
  • Is there any chance that the Spring Boot server.ssl.* property settings work here as well? As far as I know they are only for the embedded Tomcat. – Zoltán Raffai Jan 25 '19 at 18:24
  • One other thing: I'm using OAuth2 authentication and I need these values before application startup, because I must reach the token_key endpoint of the auth server through HTTPS. – Zoltán Raffai Jan 25 '19 at 22:56
  • Setting these properties via `System.setProperty()` does work, so it can't be an initialization order issue. I have dozens or hundreds of test cases and `main()` procedures that do it. – user207421 Jan 26 '19 at 07:22
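The second option in the answer (loading the trust store in Java code instead of depending on when the javax.net.ssl.* properties are read) looks like this in practice. The block below is an added example, not code from the question, the answer or any linked post; the class name RuntimeTrustStore is hypothetical, the store path and password are the ones from the question, and it assumes a Java 8 or later JVM with nothing beyond the standard library.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Arrays;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (hypothetical class, not from the original page): build an
 * SSLContext from a PKCS12 truststore at runtime and install it as the JVM
 * default, so the outcome does not depend on whether the javax.net.ssl.*
 * system properties were set before the default context was initialised.
 */
public final class RuntimeTrustStore {

    /** Returns an SSLContext whose only trust anchors are the certificates in the given PKCS12 file. */
    public static SSLContext contextFromPkcs12(Path trustStore, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(trustStore.toFile())) {
            // Throws IOException if the file is not PKCS12 or the password is wrong,
            // which is the first thing to check when a "cert exception" is unexplained.
            ks.load(in, password);
        }
        if (ks.size() == 0) {
            throw new IllegalStateException("truststore contains no entries: " + trustStore);
        }
        // PKIX trust managers backed by this store only (the JDK cacerts are not consulted).
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key material, default SecureRandom
        return ctx;
    }

    /** Makes ctx the default for SSLContext.getDefault() and for HttpsURLConnection. */
    public static void installAsDefault(SSLContext ctx) {
        SSLContext.setDefault(ctx);
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: RuntimeTrustStore <truststore.p12> <password>");
            System.exit(2);
        }
        Path store = Paths.get(args[0]);          // e.g. /opt/grtc8/profiles/appconf/insurance/https-trust.p12
        char[] pw = args[1].toCharArray();
        installAsDefault(contextFromPkcs12(store, pw));
        Arrays.fill(pw, '\0');                    // don't keep the password in memory longer than needed
        System.out.println("custom truststore installed from " + store);
    }
}
```

Call installAsDefault early, for example from the static initializer of the SpringBootServletInitializer subclass or from an ApplicationContextInitializer, so it runs before the first HTTPS call (the OAuth2 token_key fetch mentioned in the comments). Two caveats: SSLContext.setDefault only affects code that asks for the default context, so an HTTP client that builds its own SSLContext (Apache HttpClient behind a RestTemplate, for instance) needs the context handed to it explicitly; and before wiring any of this in, confirm the file really is a PKCS12 store the JVM can open with `keytool -list -storetype PKCS12 -keystore /opt/grtc8/profiles/appconf/insurance/https-trust.p12`, since a wrong password or store type produces the same symptom as the properties never being read.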