Can Tomcat reload its SSL certificate without being restarted?

ssl tomcat

I have a background process that can update the keystore Tomcat uses for its SSL credentials. I would like to be able to have Tomcat reload this automatically without needing a manual restart.

Is it possible to have Tomcat reload this without restarting, or is there a programmatic way that it could be done instead?


Solution 1:

I don't believe there is a way to do it automatically although your background process could restart tomcat automatically. The keystore only gets read once when the jvm is initialized. There might be a solution if you were to write your own handler that periodically re-checks the keystore but I personally haven't found any examples of this on the Internet.

Solution 2:

You can restart individual Tomcat connector i.e. port restart like 8443 is possible after you change your jssecacert file.

Here is the complete code/method that I am using to restart tomcat connectors after I add/delete certificates.

// Stop and restart the SSL connection so that the tomcat server will
// re-read the certificates from the truststore file.
public void refreshTrustStore() throws Exception 
{
    try 
    {
        //following line should be replaced based on where you get your port number. You may pass in as argument to this method
        String httpsPort = configurationManager.getHttpsPort();
        String objectString = "*:type=Connector,port=" + httpsPort + ",*";

        final ObjectName objectNameQuery = new ObjectName(objectString); 

        for (final MBeanServer server: MBeanServerFactory.findMBeanServer(null))
        {
            if (!server.queryNames(objectNameQuery, null).isEmpty())
            {
                MBeanServer mbeanServer = server;
                ObjectName objectName = (ObjectName) server.queryNames(objectNameQuery, null).toArray()[0];

                mbeanServer.invoke(objectName, "stop", null, null);

                // Polling sleep to reduce delay to safe minimum.
                // Use currentTimeMillis() over nanoTime() to avoid issues
                // with migrating threads across sleep() calls.
                long start = System.currentTimeMillis();
                // Maximum of 6 seconds, 3x time required on an idle system.
                long max_duration = 6000L;
                long duration = 0L;
                do
                {
                    try
                    {
                        Thread.sleep(100);
                    }
                    catch (InterruptedException e)
                    {
                        Thread.currentThread().interrupt();
                    }

                    duration = (System.currentTimeMillis() - start);
                } while (duration < max_duration &&
                        server.queryNames(objectNameQuery, null).size() > 0);

                // Use below to get more accurate metrics.
                String message = "TrustStoreManager TrustStore Stop: took " + duration + "milliseconds";
                logger.information(message);

                mbeanServer.invoke(objectName, "start", null, null);

                break;
            }
        }
    } 
    catch (Exception exception) 
    {
        // Log and throw exception
            throw exception
    }
}

Related

Paging using ldapsearch
How to add SSH key to PuTTY Agent at startup in Windows Server?
How to install old PHP version
yumdownloader vs repotrack
What is the downside to sticky sessions with load balancers?
Can Bash Tell Me Which SSH Public Key Was Used To Authenticate?
ntpdate -d Server dropped Strata too high
Jenkins: Accessed denied after turning on global security. How to revert?
Networking Units: Not getting expected performance from 100Mb Ethernet
Downtimeless MySQL backups on a budget
How do I temporarily suspend mail delivery to a specific domain (non-local) with Postfix?
Is there a way to use the Autodiscover feature without Exchange?