Tags: java, tomcat, ssl, keystore, jks

How to specify remote JKS keystore with Tomcat?


In Tomcat you configure your server.xml with the following SSL Connector:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    proxyPort=""
    keystoreFile="/etc/path/to/keystore.jks"
    keystorePass="12345"
    keystoreType="jks"
    truststorePass="12345"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

...or something similar. But keystoreFile doesn't seem to allow anything other than local file paths. What if I wanted to store my JKS on a remote server? It would be nice to be able to specify something like:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
    proxyPort=""
    keystoreFile="http://mycert01.example.org/myapp/keystore.jks"
    keystorePass="12345"
    keystoreType="jks"
    truststorePass="12345"
    maxThreads="150" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" />

Obviously this would present security issues, but if mycert01.example.org was behind a VPN, I don't think it would be any more or less secure than something on the local file system.

Is this possible? If so, how? If not, what would I have to do to make it possible?


Solution

  • No, it isn't possible with the available Connector. You would have to rewrite the Connector to make this possible. Otherwise, you might be able to work around this if you map the remote filesystem (by mounting it, I guess, but this is just a guess). I've never tried doing that for this kind of scenario and I don't recommend it. Hosting your SSL keystore remotely is quite simply the wrong way to do things - both for security and efficiency.
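To make concrete what "rewrite the Connector" would involve, here is an added example (not from the question, the answer, or Tomcat itself) that does the part Tomcat's Connector does not: it fetches the keystore bytes from either a local path or an http(s) URL, pins their SHA-256 digest before trusting them, and then loads them through the standard java.security.KeyStore and javax.net.ssl APIs into an SSLContext. The class name, the digest argument and the command-line usage are assumptions for illustration; Tomcat would still need its own keystore loading replaced to use a context built this way.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.MessageDigest;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;

// Hypothetical helper (not part of Tomcat): load a JKS from a local path or a URL,
// verify its digest, and build an SSLContext from it.
public class RemoteKeystoreLoader {

    // Read the raw keystore bytes. KeyStore.load() only needs an InputStream, so the
    // source can be anything; the Connector's keystoreFile attribute is simply limited
    // to a local file.
    static byte[] fetch(String location) throws IOException {
        if (location.startsWith("http://") || location.startsWith("https://")) {
            try (InputStream in = new URL(location).openStream()) {
                return in.readAllBytes();
            }
        }
        return Files.readAllBytes(Paths.get(location));
    }

    static String sha256Hex(byte[] data) throws GeneralSecurityException {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(data);
        StringBuilder sb = new StringBuilder();
        for (byte b : digest) {
            sb.append(String.format("%02x", b));
        }
        return sb.toString();
    }

    // expectedSha256 is a digest pinned at deploy time. Without it, a keystore fetched
    // over plain http (as in the question) could be swapped by anyone on the path; the
    // password only protects the private key entries, not the integrity of the file.
    static SSLContext buildContext(String location, String expectedSha256, char[] password)
            throws IOException, GeneralSecurityException {
        byte[] raw = fetch(location);
        String actual = sha256Hex(raw);
        if (!actual.equalsIgnoreCase(expectedSha256)) {
            throw new GeneralSecurityException("keystore digest mismatch: " + actual);
        }

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new ByteArrayInputStream(raw)) {
            ks.load(in, password);
        }

        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: RemoteKeystoreLoader <file-or-url> <sha256-hex> <password>");
            System.exit(2);
        }
        SSLContext ctx = buildContext(args[0], args[1], args[2].toCharArray());
        System.out.println("loaded keystore; protocol " + ctx.getProtocol());
    }
}
```

Two caveats apply even with the digest check: the password still has to reach this code somehow, so the secret-handling problem is moved rather than removed, and the fetch happens every time the context is built, so a remote host that is down at startup leaves the server without a usable TLS listener. Both are reasons the answer's recommendation to keep the keystore on the local filesystem stands.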