SVM SSL/TLS Configuration
SW360 communicates with the SVM service over HTTPS.
Two files can be configured in /etc/sw360/sw360.properties:
| File | Purpose | Property |
|---|---|---|
| Trust store (JKS) | Trust the SVM server’s CA certificate | svm.sw360.truststore.filename |
| Client key store (PKCS12) | Authenticate SW360 to the SVM server (mutual TLS) | svm.sw360.certificate.filename |
Both files are resolved by SW360’s CommonUtils.loadResource, which searches
/etc/sw360/<filename> first and then falls back to the classpath.
Set only the filename (e.g. svm-truststore.jks), not an absolute path.
Trust-store lookup order
For SSL connections to the SVM API to be trusted, the CA certificate must be present in the JVM default cacerts or provided via a custom JKS trust store.
- Custom JKS trust store - configured via
svm.sw360.truststore.filename. - JVM default -
$JAVA_HOME/lib/security/cacertswhen the property is absent or empty.
Non-Debian JDK note
When the JDK is installed outside the OS package manager (e.g.
/opt/jdk-21.0.2/), runningupdate-ca-certificatesdoes not update$JAVA_HOME/lib/security/cacerts. Use the custom trust-store approach below.
Building a custom trust store for the SVM server certificate
Option 1 - Obtain CA certificates from a PKI bundle
If your CA ships a PEM bundle with multiple certificates (common with enterprise
PKI packages), it must be split before import - keytool requires one
certificate per import:
csplit --prefix=ca-cert- --suffix-format='%03d.pem' --quiet \
/path/to/ca-bundle.pem \
'/-----BEGIN CERTIFICATE-----/' '{*}'
rm -f ca-cert-000.pem 2>/dev/null || true
Option 2 - Extract the server certificate with openssl s_client
Use this option only if you do not have a CA bundle from your PKI team. This method connects to the SVM server and extracts the certificate chain it presents. It is susceptible to spoofing if the connection is compromised.
SVM_HOST=svm.example.com
SVM_PORT=443
# Fetch the full certificate chain presented by the server
openssl s_client -connect "${SVM_HOST}:${SVM_PORT}" -showcerts </dev/null 2>/dev/null \
| awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' \
> server-chain.pem
# Inspect the chain to find individual certificates
openssl crl2pkcs7 -nocrl -certfile server-chain.pem \
| openssl pkcs7 -print_certs -noout
Split the chain into individual PEM files (one certificate per file):
csplit --prefix=cert- --suffix-format='%02d.pem' --quiet \
server-chain.pem '/-----BEGIN CERTIFICATE-----/' '{*}'
# Remove any empty first file produced by csplit
rm -f cert-00.pem 2>/dev/null || true
# Show subject and issuer for each certificate to identify the CA
for f in cert-*.pem; do
echo "=== $f ==="
openssl x509 -noout -subject -issuer -in "$f"
done
Create the JKS trust store
Start from a copy of the JVM’s existing cacerts to retain all publicly-trusted CAs:
JAVA_HOME=/opt/jdk-21.0.2 # Adjust to your JDK location
TRUSTSTORE=/etc/sw360/svm-truststore.jks
TRUSTSTORE_PASS=changeit
# Copy existing cacerts as the base
cp "$JAVA_HOME/lib/security/cacerts" "$TRUSTSTORE"
# Import each CA certificate
for cert in cert-*.pem ca-cert-*.pem; do
[ -f "$cert" ] || continue
alias="svm-ca-$(basename "$cert" .pem)"
"$JAVA_HOME/bin/keytool" -importcert \
-noprompt -trustcacerts \
-alias "$alias" \
-file "$cert" \
-keystore "$TRUSTSTORE" \
-storepass "$TRUSTSTORE_PASS"
echo "Imported: $cert (alias: $alias)"
done
Verify
"$JAVA_HOME/bin/keytool" -list \
-keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
| grep -i "svm-ca"
Set permissions and configure SW360
chown sw360:sw360 /etc/sw360/svm-truststore.jks
chmod 640 /etc/sw360/svm-truststore.jks
In /etc/sw360/sw360.properties:
# Filename only - resolved from /etc/sw360/
svm.sw360.truststore.filename=svm-truststore.jks
svm.sw360.truststore.password=changeit
Restart Tomcat/SW360.
Client key store for mutual TLS
SW360 sends the project monitoring list to the SVM API using mutual TLS. The
client certificate must be a PKCS12 (.p12 / .pfx) file stored in
/etc/sw360/. Ask the SVM team to provide you with a .p12 file containing
the client certificate and private key.
Permissions and configuration
cp svm-client.p12 /etc/sw360/svm-client.p12
chown sw360:sw360 /etc/sw360/svm-client.p12
chmod 640 /etc/sw360/svm-client.p12
In /etc/sw360/sw360.properties:
# Filename only - resolved from /etc/sw360/
svm.sw360.certificate.filename=svm-client.p12
svm.sw360.certificate.passphrase=<password-for-pkcs12>
sw360.properties reference
All SVM-related SSL properties in /etc/sw360/sw360.properties:
# Monitoring-list upload endpoint (mutual TLS)
svm.sw360.api.url=
# Component-mappings fetch endpoint (one-way TLS)
svm.sw360.componentmappings.api.url=
# PKCS12 client key store for mutual TLS (filename only, resolved from /etc/sw360/)
svm.sw360.certificate.filename=
svm.sw360.certificate.passphrase=
# Optional JKS trust store (filename only, resolved from /etc/sw360/)
# When not set, the JVM default cacerts is used.
#svm.sw360.truststore.filename=
svm.sw360.truststore.password=changeit
Troubleshooting
| Symptom | Likely cause | Fix |
|---|---|---|
PKIX path building failed | CA cert not in trust store | Import the CA cert (see above) |
SVM client key store '...' not found | Wrong filename or file missing from /etc/sw360/ | Verify svm.sw360.certificate.filename and file location |
Failed to open SVM client key store ... verify passphrase | Wrong PKCS12 password or corrupted file | Verify svm.sw360.certificate.passphrase |
Cannot extract private key ... verify passphrase matches the key-entry password | Key-entry password differs from store password | Re-export the PKCS12 with consistent passwords |
Keystore was tampered with or password was incorrect | Wrong trust store password | Verify svm.sw360.truststore.password |
| Bundle PEM not importing | File contains multiple certs | Split the bundle (Option 1) |
| Certs updated after initial import | New PKI bundle released | Repeat trust store steps and restart SW360 |