Bug 38774 - try using keyStorePassword property if set
try using keyStorePassword property if set
Product: Tomcat 5
Classification: Unclassified
Component: Connector:HTTP
Other All
: P2 enhancement (vote)
: ---
Assigned To: Tomcat Developers Mailing List
Depends on:
  Show dependency tree
Reported: 2006-02-23 21:31 UTC by Ted X. Toth
Modified: 2012-06-04 07:44 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Ted X. Toth 2006-02-23 21:31:00 UTC
use the javax.net.ssl.keyStorePassword property, if it is set, in
getKeystorePassword after doing it's current checks but before using the default

     * Gets the SSL server's keystore password.
    protected String getKeystorePassword() {
        String keyPass = (String)attributes.get("keypass");
        if (keyPass == null) {
            keyPass = defaultKeyPass;
        String keystorePass = (String)attributes.get("keystorePass");
        if (keystorePass == null) {
            keystorePass = System.getProperty("javax.net.ssl.keyStorePassword");
            if (keystorePass == null ) {
                keystorePass = keyPass;
        return keystorePass;
Comment 1 Yoav Shapira 2006-12-24 18:42:16 UTC
Nice little enhancement, done.
Comment 2 Ralf Hauser 2008-05-11 22:09:00 UTC
see also Bug 38217

Comment 3 Dmitry Shikhaleev 2012-04-28 08:30:34 UTC

The change has broken ability to use different key stores for SSL RMI and SSL HTTP on the same host.

"keystorePass" attribute specified in Tomcat config is get replaced with "keypass" attribute by Catalina. In org.apache.catalina.connector.Connector there is the following code:

protected static HashMap replacements = new HashMap();
     static {
         replacements.put("acceptCount", "backlog");
         replacements.put("connectionLinger", "soLinger");
         replacements.put("connectionTimeout", "soTimeout");
         replacements.put("connectionUploadTimeout", "timeout");
         replacements.put("clientAuth", "clientauth");
         replacements.put("keystoreFile", "keystore");
         replacements.put("randomFile", "randomfile");
         replacements.put("rootFile", "rootfile");
         replacements.put("keystorePass", "keypass");
         replacements.put("keystoreType", "keytype");
         replacements.put("sslProtocol", "protocol");
         replacements.put("sslProtocols", "protocols");

     * Set a configured property.
    public void setProperty(String name, String value) {
        String repl = name;
        if (replacements.get(name) != null) {
            repl = (String) replacements.get(name);
        IntrospectionUtils.setProperty(protocolHandler, repl, value);

As the result, in JSSESocketFactory "keystorePass" attribute is never set. 

Before the change, "keypass" was used, now "javax.net.ssl.keyStorePassword". But the latter contains password for key store specified by "javax.net.ssl.keyStore" property.
Comment 4 Konstantin Kolinko 2012-06-04 07:44:46 UTC
(In reply to comment #3)
If you do care, you should open a new bug report and provide enough details to reproduce the issue. Commenting on a 6-year old issue is wrong. A lot has changed.

Do not forget to mention the exact Tomcat version.

Your comment does not match current Tomcat code, so I make no sense out of it.