As per the link below, the following features are removed from Tomcat 8.5:

https://github.com/spring-projects/spring-boot/issues/6164

a) Class org.apache.tomcat.util.net.ServerSocketFactory no longer exists

b) Class org.apache.tomcat.util.net.jsse.JSSESocketFactory no longer exists

c) Method JSSEImplementation.getServerSocketFactory(AbstractEndpoint) no longer exists

d) Method JSSEImplementation.getSSLUtil(AbstractEndpoint) no longer exists

These make our upgrade from tomcat 8.0 to tomcat 8.5.x difficult.

We have two requirements:

  1. Tomcat AJP protocol receives encrypted content coming from the HTTP server and gives an encrypted response. This was possible with tomcat 8, by using custom classes implementing tomcat's ServerSocketFactory interface.
  2. Store certificates file for tomcat https in a custom keystore (an XML file)

How can these be achieved in Tomcat 8.5? Any suggestions appreciated. (We were doing it in Tomcat 8 using a custom SocketFactory implementing Tomcat's interface.)

George Thomas

1 Answer

After the connector refactoring, the JIoEndpoint that allowed specifying an arbitrary ServerSocketFactory is no longer available.

However, the AJP connector is almost ready to accept SSL connections if you allow some changes to Tomcat's codebase: the AbstractAjpProtocol class just lacks implementations of addSslHostConfig and findSslHostConfigs, or rather, it has implementations that don't store or return anything, with a very explicit comment:

SSL is not supported in AJP

If you change them as in AbstractHttp11Protocol, you'll be able to configure an AJP connector the same way you configure an HTTP/1.1 connector:

<Connector SSLEnabled="true" port="8009" protocol="AJP/1.3">
    <SSLHostConfig ...>
        <Certificate ... />
    </SSLHostConfig>
</Connector>

Regarding certificate storage, you can implement your own KeyStoreSpi and security provider and use:

<Certificate certificateKeystoreProvider="your_provider"
             certificateKeystoreType="your_type"
             ... />

Piotr P. Karwasz
  • Thank you. I had contacted the tomcat users group also. The answer I got was also in a similar direction – George Thomas Feb 20 '21 at 07:04
  • The answer from the tomcat-users group was not as detailed as yours. So your answer helped me. However, my final requirement is to read the certificate from a custom key store for AJP SSL also. Our Keystore already implements java.security.KeyStoreSpi. However I am not quite clear which classes in tomcat I should focus on making use of it. Do you have any guidelines? – George Thomas Feb 25 '21 at 14:24
  • You must create, test and register a custom security `Provider` (cf. [Oracle's documentation](https://docs.oracle.com/javase/9/security/howtoimplaprovider.htm)) which will provide only your custom keystore type. Once that is done you just need to provide `certificateKeystoreType` in the `` element and Tomcat should use it. – Piotr P. Karwasz Feb 25 '21 at 16:42
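To make the answer's KeyStoreSpi-plus-Provider suggestion and the last comment concrete, here is an added example (not the answer's code and not part of Tomcat) of a read-only provider pair; the class XmlKeyStoreProvider, the names "XmlKs" and "XMLKS", and the `<keystore><entry alias=".." cert="base64 DER" key="base64 PKCS#8"/></keystore>` file layout are assumptions. Once the provider is registered before the connector starts (Security.addProvider in a startup hook, or listed in the JVM's java.security file), a `<Certificate certificateKeystoreProvider="XmlKs" certificateKeystoreType="XMLKS" certificateKeystoreFile="conf/keystore.xml" .../>` element makes Tomcat open the XML file through the standard KeyStore API, exactly as it would a JKS file.

```java
import java.io.*;
import java.security.*;
import java.security.cert.Certificate;   // single-type import beats the deprecated java.security.Certificate
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.*;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
/** Hypothetical provider "XmlKs" exposing the read-only KeyStore type "XMLKS"; install with Security.addProvider(new XmlKeyStoreProvider()). */
public final class XmlKeyStoreProvider extends Provider {
    public XmlKeyStoreProvider() {
        super("XmlKs", 1.0, "read-only KeyStore backed by an XML file (example)");
        put("KeyStore.XMLKS", Spi.class.getName());   // KeyStore.getInstance("XMLKS", "XmlKs") instantiates Spi by reflection
    }
    public static final class Spi extends KeyStoreSpi {
        private final Map<String, Certificate> certs = new LinkedHashMap<>();   // alias -> certificate, in file order
        private final Map<String, PrivateKey> keys = new HashMap<>();           // alias -> private key (key entries only)
        private static byte[] b64(Element e, String attr) { return Base64.getMimeDecoder().decode(e.getAttribute(attr)); }
        @Override public void engineLoad(InputStream in, char[] pw) throws IOException {   // assumed <entry alias cert key/> layout
            certs.clear(); keys.clear(); if (in == null) return;   // KeyStore.load(null, null) yields an empty store
            try {
                DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
                f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);   // no DTD, hence no XXE
                NodeList list = f.newDocumentBuilder().parse(in).getElementsByTagName("entry");
                for (int i = 0; i < list.getLength(); i++) {
                    Element e = (Element) list.item(i);
                    Certificate c = java.security.cert.CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(b64(e, "cert")));
                    certs.put(e.getAttribute("alias"), c);
                    if (e.hasAttribute("key"))            // key algorithm (RSA, EC, ...) is taken from the certificate
                        keys.put(e.getAttribute("alias"), KeyFactory.getInstance(c.getPublicKey().getAlgorithm()).generatePrivate(new PKCS8EncodedKeySpec(b64(e, "key"))));
                }
            } catch (Exception ex) { throw new IOException("cannot parse XML keystore", ex); }
        }
        @Override public Key engineGetKey(String a, char[] pw) { return keys.get(a); }
        @Override public Certificate[] engineGetCertificateChain(String a) { return keys.containsKey(a) ? new Certificate[] { certs.get(a) } : null; }
        @Override public Certificate engineGetCertificate(String a) { return certs.get(a); }
        @Override public Date engineGetCreationDate(String a) { return certs.containsKey(a) ? new Date(0) : null; }
        @Override public Enumeration<String> engineAliases() { return Collections.enumeration(certs.keySet()); }
        @Override public boolean engineContainsAlias(String a) { return certs.containsKey(a); }
        @Override public int engineSize() { return certs.size(); }
        @Override public boolean engineIsKeyEntry(String a) { return keys.containsKey(a); }
        @Override public boolean engineIsCertificateEntry(String a) { return certs.containsKey(a) && !keys.containsKey(a); }
        @Override public String engineGetCertificateAlias(Certificate c) { for (Map.Entry<String, Certificate> e : certs.entrySet()) if (e.getValue().equals(c)) return e.getKey(); return null; }
        // Tomcat only reads the store, so mutation is refused rather than silently dropped.
        @Override public void engineSetKeyEntry(String a, Key k, char[] pw, Certificate[] ch) throws KeyStoreException { throw new KeyStoreException("read-only"); }
        @Override public void engineSetKeyEntry(String a, byte[] k, Certificate[] ch) throws KeyStoreException { throw new KeyStoreException("read-only"); }
        @Override public void engineSetCertificateEntry(String a, Certificate c) throws KeyStoreException { throw new KeyStoreException("read-only"); }
        @Override public void engineDeleteEntry(String a) throws KeyStoreException { throw new KeyStoreException("read-only"); }
        @Override public void engineStore(OutputStream out, char[] pw) throws IOException { throw new IOException("read-only"); }
    }
}
```

The chain handed to Tomcat here is the leaf certificate alone, so a real file format needs a way to carry intermediates; the provider class must also be visible to the class loader that loads the connector (for example from Tomcat's lib/ directory).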