Using PKCS12 keystores

You can use PKCS12 keystores instead of JKS-format client certificates.

The previous sections assume that the Tomcat application server is using a JKS-format client certificate. However, Tomcat version 5.0 and higher also supports PKCS12 keystores, so you can use the eneCert.p12 file (certificate and private key) that you generated with the enecerts utility directly.

To set up a PKCS12 keystore on a Tomcat server:

  1. Edit the JAVA_HOME/jre/lib/security/java.security file and change the default keystore type:
    # Default keystore type.
    keystore.type=pkcs12
  2. Configure the SSL connector by editing the Tomcat server.xml file with an entry similar to the following example. Note that the keystoreType and truststoreType attributes are set to "PKCS12" because you are not using the default JKS format.
    <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443"
      maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
      enableLookups="false" disableUploadTimeout="true"
      acceptCount="100" debug="0" scheme="https" secure="true"
      clientAuth="false" sslProtocol="TLS"
      keystoreType="PKCS12"
      keystoreFile="C:\Endeca\MDEXEngine\workspace\etc\eneCert.p12"
      keystorePass="endeca"
      truststoreType="PKCS12"
      truststoreFile="C:\Endeca\MDEXEngine\workspace\etc\eneCert.p12"
      truststorePass="endeca" />
  3. Start Tomcat with a batch file or script similar to the following Windows batch file example. (The values for the set CATALINA_OPTS command are split across lines with the batch ^ line-continuation character for ease of reading; they can equally be written on one command line.)
    @echo off
    setlocal
    set CLIENT_CERT=C:\Endeca\MDEXEngine\workspace\etc\eneCert.p12
    set CATALINA_OPTS=-Djavax.net.ssl.keyStoreType=PKCS12 ^
      -Djavax.net.ssl.keyStore=%CLIENT_CERT% ^
      -Djavax.net.ssl.keyStorePassword=endeca ^
      -Djavax.net.ssl.trustStore=%CLIENT_CERT% ^
      -Djavax.net.ssl.trustStorePassword=endeca
    cd c:\tomcat\bin
    call c:\tomcat\bin\startup.bat
    endlocal
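The following pre-deployment check is an added example, not part of the original page or the Endeca product: it parses the SSL connector from step 2 (embedded below so the script runs offline) and reports the mistakes that most often stop a PKCS12 connector from starting or weaken it, such as a .p12 file declared with a non-PKCS12 store type. It assumes Tomcat's default store type is JKS when the attribute is absent.

```python
import xml.etree.ElementTree as ET

# The SSL connector from the server.xml step above, embedded so the check runs offline.
SAMPLE_SERVER_XML = r"""<Server><Service name="Catalina">
  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector port="8443"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" debug="0" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreType="PKCS12"
    keystoreFile="C:\Endeca\MDEXEngine\workspace\etc\eneCert.p12"
    keystorePass="endeca"
    truststoreType="PKCS12"
    truststoreFile="C:\Endeca\MDEXEngine\workspace\etc\eneCert.p12"
    truststorePass="endeca" />
</Service></Server>"""


def _type_matches_file(store_type, store_file):
    """A .p12/.pfx file only loads when the declared store type is PKCS12."""
    if store_file.lower().endswith((".p12", ".pfx")):
        return store_type.upper() == "PKCS12"
    return True


def check_connector(conn):
    """Return a list of findings for one <Connector> element."""
    findings = []
    ks_type = conn.get("keystoreType", "JKS")          # assumed Tomcat default
    ks_file = conn.get("keystoreFile", "")
    ts_type = conn.get("truststoreType", ks_type)      # Tomcat falls back to keystoreType
    ts_file = conn.get("truststoreFile", "")
    if not _type_matches_file(ks_type, ks_file):
        findings.append(f"ERROR: keystoreFile {ks_file} needs keystoreType=PKCS12, found {ks_type}")
    if not _type_matches_file(ts_type, ts_file):
        findings.append(f"ERROR: truststoreFile {ts_file} needs truststoreType=PKCS12, found {ts_type}")
    if ks_file and ks_file == ts_file:
        findings.append("INFO: truststore is the same file as the keystore; only certificates in that file are trusted")
    if conn.get("keystorePass") or conn.get("truststorePass"):
        findings.append("INFO: store passwords are in clear text in server.xml; restrict read access to the file")
    if conn.get("clientAuth", "false").lower() != "true":
        findings.append("INFO: clientAuth is not true; the connector does not require client certificates")
    return findings


def check_server_xml(xml_text):
    """Map each HTTPS connector's port to its findings."""
    root = ET.fromstring(xml_text)
    return {c.get("port"): check_connector(c)
            for c in root.iter("Connector") if c.get("scheme") == "https"}


if __name__ == "__main__":
    for port, findings in check_server_xml(SAMPLE_SERVER_XML).items():
        print(f"Connector {port}:")
        for line in findings:
            print("  " + line)
```

Point it at a real server.xml by reading the file into check_server_xml; an ERROR finding means the connector will fail to load its store, while INFO findings describe the trust and access properties of the configuration as written.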