
I am in the process of configuring TLS for Tomcat 8.5 to Postgres communication using a self-signed certificate.

What would be the best means to provide the certificate and private key (bundled in PKCS12 format) to Tomcat, together with the CA certificate (root certificate)?

Tomcat is set up as a service, hence the preferred way would be to provide start-up VM parameters. I have tried to provide these in Configure Tomcat -> Java Opts:

-Djavax.net.ssl.keyStorePassword=changeit
-Djavax.net.ssl.trustStore=D:\test\data\pg_cert\truststore
-Djavax.net.ssl.trustStorePassword=changeit

However, Tomcat doesn't seem to load these. If I test this using a standalone Java class, it is able to connect.

I have read somewhere that providing the certificate in the Tomcat startup script could be an option; however, to keep the changes minimal in production, this would be the last option.

marc_s

1 Answer

The JDBC connection URL must contain the parameters:

  • sslmode=verify-ca
  • sslcert=${user.home}/.postgresql/postgresql.crt

If you use mutual authentication, the Postgres server must offer its public key and must hold the client's public key in the Postgres server truststore.

More information is available on the "Configuring the Client" page.

I would like to warn you: PKI is a complex term, and the SSL sessions might span several weeks before you know that the certificate has been revoked via OCSP. I prefer to pass the password directly to the server start/stop script without storing the password on the filesystem.

  • Grim

    • Thanks for the tip Peter. I was able to fix this by passing SSL parameters in the connection string. – user4124459 Jun 19 '19 at 06:59
    • Do you have further problems? I ask only because db-pki is a complex task. – Grim Jun 19 '19 at 07:05
    • @Peter Hi, I am again stuck on this problem, in another project. I have tried importing the certificate in a custom keystore and truststore, as well as providing details in the JDBC connection string. Error: `%% Invalidated: ..SEND TLSv1.2 ALERT: fatal, description = certificate_unknown ..sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target ` PS: This project uses a wildcard certificate, in order to fetch data from a third party. Any hints? – user4124459 Jul 16 '19 at 20:37
    • @user4124459 Invalidated is the session-identifier (SI). "ALERT" is the protocol (yes, confusing) sending from the server to the client. The fatal alert occurs on the server side (db-server). See RFC5246. You will find more details if the db-server debug-logs its TLS work. My guess is that the db-server does not find the client certificate (or its chain members) in its truststore. To follow this idea, use the KeyStore Explorer (others might work, but I prefer the KSE). – Grim Jul 16 '19 at 21:04
    • This is weird, with exactly the same set of certificates it works on Project A but not on B. But with sslfactory=org.postgresql.ssl.jdbc4.LibPQFactory in the connection string, it works :) – user4124459 Jul 17 '19 at 13:46
    • No, I am weird, that was due to a difference in pg-jdbc.jar !! – user4124459 Jul 17 '19 at 14:02
    • Thank you for the answer, but it did not help me. I have made a more specific question here: https://stackoverflow.com/questions/58487055/providing-certificates-to-tomcat-jndi-connection-to-postgresql – Árpád Magosányi Oct 21 '19 at 13:12
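As an added illustration of the connection-string approach from the answer and the sslfactory detail from the comments (example code written here, not from the question, the answer or the pgjdbc project), a small Java class that builds the pgjdbc properties for verify-ca or verify-full with a root CA file and an optional client certificate, then asks the server via pg_stat_ssl whether the session is actually TLS-protected. Host, database, user and file paths are placeholders, and it assumes a pgjdbc version that ships org.postgresql.ssl.LibPQFactory.

```java
import java.sql.Connection;
import java.sql.DriverManager;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.Properties;

/** Added example (not from the question or answer). Assumes the pgjdbc driver is on the
 *  classpath; host, database, user and file paths are placeholders. */
public final class PgTlsConnect {
    /** Driver properties for a libpq-style TLS setup, matching the URL parameters in the answer. */
    static Properties tlsProperties(String rootCert, String clientCert, String clientKey,
                                    String keyPassword, boolean checkHostname) {
        Properties p = new Properties();
        p.setProperty("user", "app");
        // verify-ca validates the chain only; verify-full also matches the server's hostname
        // against its certificate, so prefer it unless the certificate's name cannot match.
        p.setProperty("sslmode", checkHostname ? "verify-full" : "verify-ca");
        // LibPQFactory reads the libpq-style files below and does not consult the
        // javax.net.ssl.* system properties, which is why the -D options did not help.
        p.setProperty("sslfactory", "org.postgresql.ssl.LibPQFactory");
        p.setProperty("sslrootcert", rootCert);   // PEM CA certificate (the self-signed root)
        if (clientCert != null) {                 // client certificate only for mutual auth
            p.setProperty("sslcert", clientCert); // PEM client certificate
            p.setProperty("sslkey", clientKey);   // PKCS#8 DER key (.pk8), not the PEM key
            if (keyPassword != null) p.setProperty("sslpassword", keyPassword);
        }
        return p;
    }

    /** Opens a connection and asks the server whether this session really is TLS-protected. */
    static String sessionTlsVersion(String url, Properties props) throws SQLException {
        try (Connection c = DriverManager.getConnection(url, props);
             Statement st = c.createStatement();
             ResultSet rs = st.executeQuery(
                 "SELECT ssl, version FROM pg_stat_ssl WHERE pid = pg_backend_pid()")) {
            return rs.next() && rs.getBoolean("ssl") ? rs.getString("version") : "none";
        }
    }

    public static void main(String[] args) throws SQLException {
        Properties props = tlsProperties("D:/test/data/pg_cert/root.crt",
                                         null, null, null, true);
        // The same key=value pairs can be appended to the url attribute of a Tomcat JNDI
        // Resource in context.xml (separated by &amp;) when the datasource is container-managed.
        System.out.println("TLS: " + sessionTlsVersion(
            "jdbc:postgresql://db.example.internal:5432/appdb", props));
    }
}
```

A result of "none" means the driver negotiated a plain connection, so the sslmode setting was not applied; a PKIX or certificate_unknown failure usually means sslrootcert (or the server's truststore, for mutual auth) does not contain the issuing CA.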