When dealing with CAS or LDAP authentication in Java web applications, in most cases an SSL connection must be made from Tomcat (where the Java web application runs) to the CAS or LDAP server. This requires a keystore containing the public keys (certificates) of the CAS/LDAP servers, which Tomcat then uses as its truststore.
This article explains how to achieve that.
1. Acquire the public key (certificate) of the target server (LDAP or CAS)

2. If you don't have the certificate you can extract it from the browser (the steps below are for the Chrome browser):

   a. Go to https://<server_address>
   b. Click on the site information button. A popup containing a link to the certificate information will appear; click on the link. A new popup will appear with the certificate info.
   c. Go to the Details tab, and click on the "Copy to File..." option.
   d. In the export wizard choose the DER format, and save the file as .cer
3. Create a keystore with the certificate

Using the keytool command (located in $JAVA_HOME/bin/):

    keytool -import -file <cert_file>.cer -keystore <key_store> -alias <alias>

If <key_store> does not exist yet, keytool creates it. You will be prompted for a password. Use "changeit" as the password if you don't want to configure another password in Tomcat ("changeit" is the default one Tomcat would use).
<alias> is useful if you want to import several keys. You can omit it if you intend to add only one key to the store.
4. Add the keystore to Tomcat

Tomcat needs to know about the keystore to actually use it. To tell Tomcat where the keystore is, use the system property:

    -Djavax.net.ssl.trustStore="<key_store>"

This property can be added in catalina.bat like this (no spaces around the equals sign, otherwise the variable name itself would contain a trailing space):

    set JAVA_OPTS=%JAVA_OPTS% -Djavax.net.ssl.trustStore="<key_store>"

or in catalina.sh like this:

    JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=<key_store>"
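As an added check (example code, not from the original article), the following small Java program can be run after step 3 and before restarting Tomcat: it lists every certificate in the truststore with its SHA-256 fingerprint, so the value can be compared with one obtained from the server's administrator rather than trusted just because the browser showed it, and then performs a TLS handshake using only that truststore, which is exactly what Tomcat will do. The class name TrustStoreCheck, the argument order and the use of the "HTTPS" endpoint identification algorithm are assumptions.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Enumeration;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.TrustManagerFactory;

// Added example, not part of the original article: lists the certificates in the
// truststore built in step 3 and test-connects to the LDAP/CAS host using only that store.
public class TrustStoreCheck {
    // Colon-separated SHA-256 fingerprint, the form shown in browser certificate dialogs.
    static String sha256Fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            sb.append(i > 0 ? ":" : "").append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 4) { System.err.println("usage: TrustStoreCheck <key_store> <password> <host> <port>"); System.exit(2); }
        KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
        try (FileInputStream in = new FileInputStream(args[0])) {
            store.load(in, args[1].toCharArray());
        }
        // Print each trusted certificate so its fingerprint can be compared with the
        // value obtained from the server's administrator, not only from the browser.
        Enumeration<String> aliases = store.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            Certificate cert = store.getCertificate(alias);
            if (cert != null) System.out.println(alias + "  SHA-256 " + sha256Fingerprint(cert));
        }
        // Trust only this store (the JVM's default cacerts is deliberately not consulted),
        // then handshake with hostname verification; a failure here would also fail inside Tomcat.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket sock = (SSLSocket) ctx.getSocketFactory().createSocket(args[2], Integer.parseInt(args[3]))) {
            SSLParameters params = sock.getSSLParameters();
            params.setEndpointIdentificationAlgorithm("HTTPS");
            sock.setSSLParameters(params);
            sock.startHandshake();
            System.out.println("handshake OK with " + sock.getSession().getPeerPrincipal());
        }
    }
}
```

Compile with javac and run as `java TrustStoreCheck <key_store> changeit <server_address> 636` (636 for LDAPS, 443 for a CAS server over HTTPS); a certificate-path or hostname error here means the same request from the web application will fail too.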