I've a tomcat instance with many webapps. Some of them require their own independent keystore to call an external Web Service over SSL. So far the only way I've found to use the provided keystore is using:
System.setProperty("javax.net.ssl.trustStore", "mykeystore.jks");
System.setProperty("javax.net.ssl.trustStorePassword","mypwd");
But the problem with this way is that the scope of the system properties is per java process, (tomcat shares the same JVM for all the webapps) and this would affect all the other webapps. Right?
How can I use a specific keystore per every webapp in my tomcat instance and keep it limited to the specific Web Service call?
It might matter that I'm using Axis(1) WS clients.
I'm not very familiar with Axis, but there should be a way to configure a keystore or truststore in Axis, for the HTTP client it is using for your web service calls.
Configuring the keystore on Tomcat level is not the way to go, as you found out already.
Related
I'm running two applications on my tomcat sevrer (one is in spring boot, second is in angular which uses the first one) now I want to enable https connections to both of my applications. I have generated the following files:
MyDomain.cer
MyDomain.key
MyDomain.csr
Now I want to secure connection to my applications using TLS 1.2.
And now I'm stuck. According to Tomcat guide i should create a keystore file to store my keys, then I should generate new key. I want to use the files I have already generated, how can I archive this?
Could you describe or redirect me to a page where I can find a step-by-step guide how to configure https on tomcat with the files I have?
found solution:
generate jsk key
put it in tomcat keystore folder (if doesnt exist, create it)
configure server xml to point to key storage with your generated key
more detailed instruction on how to can be found here.
I need to consume a secure webservice deployed in WSO2 AS from another web service develop in axis2 and deployed in apache tomcat.
I create a java project to test the secure webservice client and I work OK.
But when I move the client code inside the axis2 service I cannot access to some resources like in this cases:
System.setProperty("javax.net.ssl.trustStore", "keys\\store.jks");
in this case I have the keys folder in the root of the wb services
sc.engageModule("rampart");
and in this case I leave the code idem
Any idea about this?
Well getting a resource path from an archieve file whether it is a jar ,war or aar is a tedious problem. There are two options two choose from:
1- Since client application runs on a servers put jks file somewhere on the server path, its path retrieved dynamically via property. (Either system property, servers context etc.)
2- A customSSLFactory handling loading keystore from resources.
This SO thread mentions such solution, which i used it too to connect to server via SSL from a web service without touching system properties.
Background: In my application, I use ServiceMix instances to serve HTTP requests. To load balance these, we figured out(according to some requirement) that we need to use Tomcat.
Question: As I think it should be said that tomcat has its own http server built into it, can Tomcat and mod_jk(without Apache Http Server) be used as a load balancer?
My readings: I read few of the Tomcat domcumentation like Tomcat Clustering doc
, Tomcat JK load balancer (which wasn't quite helpful)
So I wonder is it even possible to use only Tomcat and mod_jk for the purpose of load balancing!!
Any help is appreciated.
To load balance your application you'll need to run two or more Tomcat instances with the same application. You could run two instances on the same machine on different ports (e.g. www.myapp.com:8080 and www.myapp.com:9090) or on different machines on the same port (e.g. www1.myapp.com:8080 and www2.myapp.com:8080). Usually the instances share the same backend data store. Each Tomcat is its own webserver, so you'll have multiple web servers running.
Because you now have two identical instances a user can use either of the two instances. They can also switch from one to the other if something happens to the machine they are currently using. But you don't want your users to have to choose a machine or swap manually. This is where a load balancer comes in.
A load balancer takes a request from the user and dynamically routes it to one of your load balanced instances. A load balancer is also a web server. It can be a hardware load balancer like a BIG-IP F5, or software like Apache, nginx or even another Tomcat server.
If you use an Apache web server to do the load balancing you'll need an Apache module to pass on the request to one of your Tomcat servers. Typically this is mod_jk or mod_proxy.
So the short answer is that if you use Apache as your load balancer then you have to use mod_jk (or mod_proxy). If you use another load balancer then you can't use mod_jk.
Also refer to Tomcat load balancer solutions
mod_jk runs inside of apache httpd server or some other server it is written in native code, Here are some configurations that will work.
Apache httpd or IIS with mod_jk load balances requests to tomcat server
A web server with reverse proxy support with and a load balancing feature can be used
A dedicated load balancer product can be used
For load balancing you need to make sure to determine weather you need sticky session routing or not.
Also you do don't need to configure tomcat clustered session manager in order to configure and use load balancing.
I am fairly certain that tomcat itself the java part does not ship with a built in load balancer it expect users to use one of the above options.
We need to have a context path to deploy the Java application and access it through the browser. We have nearly 10 applications on Oracle Application server. We would like to work our applications without context path. i.e.; we would like the application server to look at the corresponding application based on the domain name.
I know this can be done as Google app engine is doing the same when users deploy their applications. Context path of these application will be just "/".
Any ideas on setting this up on Oracle app server?
I'm assuming that the Oracle Application Server being referred to, is the older Oracle Containers for Java (OC4J).
With OC4J, you'll need to put OHS (Oracle HTTP Server) or any compatible HTTP Server (Apache 1/2 works) in front of OC4J, and configure the HTTP Server to forward requests to OC4J (there are mod_oc4j plugins available for the same). Additionally, you'll have to configure the HTTP Server to serve multiple virtual hosts.
The same information holds good even for Oracle WebLogic Server.
You can find more information on the same in Oracle HTTP Server Administrator's Guide. The guide to version 10.1.3.1 is available here; you might need to determine the appropriate version of OHS for your version of OC4J/WLS.
You could ask additional questions on OHS/Apache configuration on ServerFault.
I need to have my java applet use a soap based web service over ssl.
I know that you can have a servlet act as a go-between/proxy, but I want to have the applet use the web service directly over SSL.
The problem is supplying the certs to the web server hosting the web services.
I supplied these Java Applet Runtime Settings via the Java Control Panel:
-Djavax.net.ssl.keyStore=<local path to .p12>
-Djavax.net.ssl.keyStorePassword=<password>
I also imported the client cert (.p12) as a Client certificate via the Java Control Panel.
I was hoping to do:
KeyStore ks =
KeyStore.getInstance("JKS");
ks.load(new
FileInputStream(System.getProperty("javax.net.ssl.keyStore"),
System.getProperty("javax.net.ssl.keyStorePassword").toCharArray());
and use the KeyStore from there. But, no dice! It seems that I can't access those properties from within the applet. I don't want to hardcode the paths, either.
I'm using JRE 1.6.0_10
Is there any other way to have the applet use a web service without the servlet proxy approach? It's likely I'm going down the wrong path.
Also, I'd be interested in having this work when the web service is different from the one that's hosting the applet, if possible.
BTW: The servlet proxy approach that I want to move away from is spelled out here:
http://www.ibm.com/developerworks/xml/library/x-jappws/
Thanks!
To access the properties and to connect to a host other than the one the applet was served from you will need (a) a signed applet, and (b) permissions granting your applet the access it needs.
You may want to look into Java Web Start to deliver the application instead of using an applet.
EDIT: The permissions might be automatic once the applet is signed.