How to configure keystore and truststore properties for Tanzu tc Server 10.1+

Article ID: 386809

Products

VMware Tanzu Spring Runtime

Issue/Introduction

Starting with Tanzu tc Server 10.1, the service wrapper is no longer used. Instead, tc Server uses Apache Commons Daemon and the same setenv.sh/setenv.bat scripts that Tomcat uses.

Although the keystore and truststore properties can still be passed as JVM system properties in JAVA_OPTS in setenv.sh/setenv.bat (for example -Djavax.net.ssl.trustStore=...), it is recommended to define them through a template (e.g. nio-ssl) so that the configuration is reproducible across instances.

Environment

Tanzu tc Server 10.1+

Cause

This KB article gives an example of setting the keystore and truststore properties for a tc Server 10.1+ instance. The example applies to both Windows and Linux.

Resolution

As stated in the documentation (see "Additional Information"), the <SSLHostConfig> and <Certificate> elements define the SSL properties of a connector, including the keystore and truststore properties, as shown in the following example.

  • Suppose the instance was created from the nio-ssl template.
  • Configure the keystore/truststore properties in conf/server.xml, using variables as the values:
        <Connector SSLEnabled="true"
            ......
            <SSLHostConfig ciphers="${nio-ssl.cipher.list}"
                           sslProtocol="${nio-ssl.ssl.protocol}"
                           truststoreFile="${truststore.location}"
                           truststorePassword="${truststore.password}">
                <Certificate certificateKeyAlias="${nio-ssl.ssl.key.alias}"
                             certificateKeyPassword="${nio-ssl.ssl.key.password}"
                             certificateKeystoreFile="${nio-ssl.ssl.keystore.location}"
                             certificateKeystorePassword="${nio-ssl.ssl.keystore.password}"
                             certificateKeystoreType="${nio-ssl.ssl.keystore.type}"/>
            </SSLHostConfig>
        </Connector>
  • Set the values of those variables in conf/catalina.properties:
nio-ssl.cipher.list=\
TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,\
TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_256_CBC_SHA,\
TLS_DHE_DSS_WITH_AES_256_CBC_SHA,\
TLS_DH_RSA_WITH_AES_256_CBC_SHA,\
TLS_DH_DSS_WITH_AES_256_CBC_SHA,\
TLS_RSA_WITH_AES_256_CBC_SHA,\
TLS_DHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_RSA_WITH_AES_128_CBC_SHA,\
TLS_DHE_DSS_WITH_AES_128_CBC_SHA,\
TLS_DH_RSA_WITH_AES_128_CBC_SHA,\
TLS_DH_DSS_WITH_AES_128_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,\
TLS_RSA_WITH_AES_128_CBC_SHA256,\
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,\
SSL_RSA_WITH_3DES_EDE_CBC_SHA,\
TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
nio-ssl.ssl.protocol=TLS
nio-ssl.ssl.key.alias=tomcat
nio-ssl.ssl.key.password=changeit
nio-ssl.ssl.keystore.location=C:/Users/user1/data/keystore
nio-ssl.ssl.keystore.password=changeit
nio-ssl.ssl.keystore.type=pkcs12
truststore.location=C:/Users/user1/data/truststore
truststore.password=changeit

Note: the keystore and truststore files must already exist at the specified paths on the local disk when the instance is started. Use forward slashes in the paths even on Windows, as in the example above: java.util.Properties treats a backslash as an escape character, so a path such as C:\Users\... would not be read as intended unless every backslash is doubled. The truststore set on <SSLHostConfig> is only consulted when certificateVerification is set to required, optional or optionalNoCA (client certificate authentication); it does not affect outbound TLS connections made by deployed applications, which still use the JVM's javax.net.ssl.trustStore settings. sslProtocol="TLS" only names the JSSE SSLContext algorithm; to restrict the TLS versions the connector accepts, use the protocols attribute. The values above are placeholders: replace the changeit passwords, restrict read access to conf/catalina.properties because the passwords are stored there in clear text, and prune the cipher list, since the 3DES suites are disabled by default in current JDKs (SWEET32) and the TLS_RSA_*/TLS_DH_* static-key suites provide no forward secrecy; prefer the ECDHE AES-GCM suites.
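Before starting the instance, it is worth checking that every ${...} placeholder in server.xml has a definition in catalina.properties and that the referenced files are actually where the properties say they are. The following Python script is an added example and is not part of this KB article or of tc Server itself. It re-implements Tomcat's placeholder substitution for the <SSLHostConfig> fragment above (wrapped in a minimal <Server> element with an assumed port and protocol so that it parses stand-alone) against a constructed catalina.properties in which truststore.password is deliberately left undefined, and reports undefined variables, missing files, Windows paths written with backslashes, passwords still set to changeit, legacy cipher suites, and a truststore configured without certificateVerification. The legacy-suite markers and the list of password attributes are the script's own heuristics, not tc Server settings.

```python
"""Preflight check for a tc Server nio-ssl connector (added example; not part of
the KB article or of tc Server). Resolves the ${...} placeholders of
conf/server.xml against conf/catalina.properties the way Tomcat does at startup
and reports problems that would otherwise surface only at runtime."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample: the article's <SSLHostConfig> fragment wrapped in a minimal
# <Server> so it parses stand-alone. Port and protocol values are assumptions.
SERVER_XML = """<Server><Service name="Catalina">
<Connector SSLEnabled="true" port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol">
  <SSLHostConfig ciphers="${nio-ssl.cipher.list}"
                 sslProtocol="${nio-ssl.ssl.protocol}"
                 truststoreFile="${truststore.location}"
                 truststorePassword="${truststore.password}">
    <Certificate certificateKeyAlias="${nio-ssl.ssl.key.alias}"
                 certificateKeyPassword="${nio-ssl.ssl.key.password}"
                 certificateKeystoreFile="${nio-ssl.ssl.keystore.location}"
                 certificateKeystorePassword="${nio-ssl.ssl.keystore.password}"
                 certificateKeystoreType="${nio-ssl.ssl.keystore.type}"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

# Constructed sample catalina.properties in the article's continuation-line
# style; truststore.password is deliberately left undefined.
CATALINA_PROPERTIES = r"""
nio-ssl.cipher.list=\
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,\
SSL_RSA_WITH_3DES_EDE_CBC_SHA
nio-ssl.ssl.protocol=TLS
nio-ssl.ssl.key.alias=tomcat
nio-ssl.ssl.key.password=changeit
nio-ssl.ssl.keystore.location=C:/Users/user1/data/keystore
nio-ssl.ssl.keystore.password=changeit
nio-ssl.ssl.keystore.type=pkcs12
truststore.location=C:/Users/user1/data/truststore
"""

PLACEHOLDER = re.compile(r"\$\{([^}:]+)(?::-([^}]*))?\}")
LEGACY_CIPHER_MARKERS = ("3DES", "RC4", "NULL", "EXPORT", "anon", "MD5")  # heuristic
PASSWORD_ATTRS = ("certificateKeyPassword", "certificateKeystorePassword", "truststorePassword")
FILE_ATTRS = ("certificateKeystoreFile", "truststoreFile")


def parse_properties(text):
    """Minimal java.util.Properties reader: '#'/'!' comments, '=' or ':' separator,
    trailing-backslash line continuation (used for the cipher list). Backslash
    escapes inside values are NOT decoded, so the backslash check below sees them."""
    props, buf = {}, ""
    for raw in text.splitlines():
        line = raw.lstrip()                 # leading whitespace is ignored on every line
        if not buf and (not line or line[0] in "#!"):
            continue
        if line.endswith("\\"):
            buf += line[:-1]                # logical line continues on the next line
            continue
        buf += line
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", buf)
        if m:
            props[m.group(1)] = m.group(2).strip()
        buf = ""
    return props


def resolve(value, props):
    """Substitute ${name} (and the ${name:-default} form Tomcat also accepts).
    Returns the resolved string and the names that had no definition."""
    missing = []

    def sub(m):
        name, default = m.group(1), m.group(2)
        if name in props:
            return props[name]
        if default is not None:
            return default
        missing.append(name)
        return m.group(0)                   # leave the placeholder visible

    return PLACEHOLDER.sub(sub, value), missing


def check_ssl_host_config(server_xml, properties_text, file_exists=lambda p: Path(p).is_file()):
    """Return a list of findings; an empty list means the connector config looks sound."""
    props = parse_properties(properties_text)
    findings = []
    for host in ET.fromstring(server_xml).iter("SSLHostConfig"):
        attrs = dict(host.attrib)
        for cert in host.iter("Certificate"):
            attrs.update(cert.attrib)       # SSLHostConfig and Certificate attribute names do not overlap
        resolved = {}
        for key, value in attrs.items():
            resolved[key], missing = resolve(value, props)
            findings += [f"{key}: ${{{n}}} is not set in catalina.properties" for n in missing]
        for key in FILE_ATTRS:
            path = resolved.get(key, "")
            if not path or "${" in path:
                continue
            if "\\" in path:
                findings.append(f"{key}: {path} uses backslashes, which java.util.Properties "
                                "treats as escapes; use forward slashes")
            elif not file_exists(path):
                findings.append(f"{key}: {path} does not exist on local disk")
        for key in PASSWORD_ATTRS:
            if resolved.get(key) == "changeit":
                findings.append(f"{key}: still the well-known default 'changeit'")
        for suite in filter(None, map(str.strip, resolved.get("ciphers", "").split(","))):
            if any(mark in suite for mark in LEGACY_CIPHER_MARKERS):
                findings.append(f"ciphers: {suite} is a legacy suite and should be dropped")
        if "truststoreFile" in attrs and resolved.get("certificateVerification", "none") == "none":
            findings.append("truststoreFile is set but certificateVerification is 'none': the "
                            "truststore is only consulted when client certificates are verified")
    return findings


def demo(file_exists=lambda p: Path(p).is_file()):
    """Run the check over the constructed sample input."""
    return check_ssl_host_config(SERVER_XML, CATALINA_PROPERTIES, file_exists)


if __name__ == "__main__":
    for finding in demo():
        print("-", finding)
```

Run it from the instance directory with the real conf/server.xml and conf/catalina.properties read into SERVER_XML and CATALINA_PROPERTIES, before starting the instance; anything it prints is a configuration error or a hardening item to address first.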

Additional Information