How to deploy from Ant to Tomcat through SSL

Problem: Deploy a WAR to Tomcat using Ant. The Ant task should look something like this (where ${tomcat-manager-url} is something like httpS://targetServer:port/manager/text):

<target name="deploy" description="Deploy application to tomcat">
    <echo>deploying from local source</echo>
    <deploy url="${tomcat-manager-url}"
            username="${tomcat-manager-username}"
            password="${tomcat-manager-password}"
            path="/${deployed-application-name}"
            war="file:///${project-workspace}/${war.name}" />
</target>

Solution: The basic idea is to add the server certificate to the keystore of the machine from which the deployment will be done, and to use this certificate to talk to the server through SSL.

Step 1: Get and save the server certificate to the disk.

Step 2: Add the server certificate to the keystore (truststore) of the system from which Ant will deploy the application.
C:\>keytool -importcert -keystore keystoreFile -trustcacerts -alias targetServer -file <full path to the certificate file>

Step 3: Execute the Ant script with the following system properties:
-Djavax.net.ssl.keyStoreType=jks
-Djavax.net.ssl.keyStore=<full path to the keystore file>
-Djavax.net.ssl.keyStorePassword=<keystore password>
-Djavax.net.ssl.trustStore=<full path to the keystore file>
-Djavax.net.ssl.trustStorePassword=<keystore password>

Problems: Some errors that can appear and how to solve them.

Problem: PKIX path building failed. The full error message is:

javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException:
unable to find valid certification path to requested target

Solution: The executed Ant script cannot find the keystore passed as a parameter in Step 3.

Problem: No name matching “serverName” found. The full error message is:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertificateException: No name matching serverName found

Solution: The server name used for the deployment must be the same as the FQDN (Fully Qualified Domain Name) in the certificate. The FQDN of the certificate is something like serverName.foo.org; the server name in the URL that Ant deploys to must be exactly the same.
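
Both errors above can be checked before running Ant. The following is an added example, not code from the original post: a small offline check that opens the keystore from Step 2, confirms the imported alias is present, and compares the host in the manager URL with the names in the certificate. The class name TrustStorePreflight and its four arguments are assumptions made for this sketch, and the wildcard handling is simplified.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URI;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example; the class name and argument order are hypothetical.
//   java TrustStorePreflight <keystoreFile> <keystorePassword> <alias> <tomcat-manager-url>
public class TrustStorePreflight {
    public static void main(String[] args) throws Exception {
        if (args.length != 4) fail("expected: keystoreFile password alias managerUrl");
        KeyStore ks = KeyStore.getInstance("JKS");
        // A wrong path throws here. The same wrong path given to
        // -Djavax.net.ssl.trustStore only shows up later as "PKIX path building failed".
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        if (!(ks.getCertificate(args[2]) instanceof X509Certificate))
            fail("no X.509 certificate under alias " + args[2]);
        X509Certificate cert = (X509Certificate) ks.getCertificate(args[2]);
        String host = URI.create(args[3]).getHost();
        if (host == null) fail("no host in URL " + args[3]);

        List<String> names = new ArrayList<>();
        if (cert.getSubjectAlternativeNames() != null)
            for (List<?> san : cert.getSubjectAlternativeNames())
                if ((Integer) san.get(0) == 2) names.add((String) san.get(1)); // 2 = dNSName
        if (names.isEmpty()) // no dNSName entries: fall back to the subject CN
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns())
                if (rdn.getType().equalsIgnoreCase("CN")) names.add(rdn.getValue().toString());

        for (String name : names)
            if (matches(name, host)) { System.out.println("OK: " + host + " matches " + name); return; }
        fail("certificate names " + names + " do not match " + host + " (expect \"No name matching\")");
    }

    // Exact match, or a "*." wildcard covering exactly the left-most label (simplified).
    static boolean matches(String pattern, String host) {
        if (pattern.equalsIgnoreCase(host)) return true;
        int dot = host.indexOf('.');
        return pattern.startsWith("*.") && dot > 0
            && pattern.substring(1).equalsIgnoreCase(host.substring(dot));
    }

    static void fail(String msg) { System.err.println("FAIL: " + msg); System.exit(1); }
}
```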
