SSL/TLS certificates in Tomcat are configured using the <Connector> tag in server.xml as follows:

    <Connector
        protocol="org.apache.coyote.http11.Http11NioProtocol"
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="${path.to.my.keystore.file}"
        keystorePass="${my.keystore.password}"
        clientAuth="false" sslProtocol="TLS"/>

The resources path.to.my.keystore.file and my.keystore.password are defined in Tomcat's catalina.properties file. The project uses the Spring Security SAML extension to implement SSO. The requirement is to use the same certificates in the SAML Service Provider (SP) metadata.
There is a separate team that manages SSL/TLS certificates for the Tomcat servers. They may change the location of the key store file or the password. I would like my application to be unaffected by those changes.
I am reading the above resources from the catalina.properties file in my application using @PropertySource("file:/path/to/catalina.properties"). Is this approach good? Is there a better/recommended way to use the same certificate configuration for TLS and SAML?
Finally, found the answer.
Tomcat exposes properties in catalina.properties as system properties, so System.getProperty() can be used to read them.
Ref: https://tomcat.apache.org/tomcat-8.0-doc/config/index.html
All system properties are available including those set using the -D syntax, those automatically made available by the JVM and those configured in the $CATALINA_BASE/conf/catalina.properties file.
Secondly, the Spring SAML documentation indicates that it is possible to use SSL/TLS certificates for SAML message signing and encryption.
Ref: Spring SAML Certificate Configuration Documentation
Private keys (with either self-signed or CA signed certificates) are used to digitally sign SAML messages, encrypt their content and in some cases for SSL/TLS Client authentication of your service provider application.
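The following is an added example, not code from the question or the answer above, showing how the two points of the answer fit together: the keystore path and password are resolved at runtime with System.getProperty() (using the property names path.to.my.keystore.file and my.keystore.password from the question's server.xml), the keystore is loaded and checked at startup, and the same file is handed to the Spring Security SAML extension's JKSKeyManager for signing and encryption. The package name, the alias "saml-signing", and the assumption that the key password equals the store password (Tomcat's keyPass defaults to keystorePass) are assumptions of this example, not facts from the page.

```java
// Added example (not from the original question or answer): read the Tomcat
// keystore properties exposed by catalina.properties via System.getProperty()
// and reuse the same keystore for Spring SAML signing/encryption.
// Assumed: package name, alias "saml-signing", key password == store password.
package example.saml; // hypothetical package

import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Collections;
import java.util.Map;

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.core.io.FileSystemResource;
import org.springframework.security.saml.key.JKSKeyManager;
import org.springframework.security.saml.key.KeyManager;

@Configuration
public class TomcatKeystoreSamlConfig {

    // Property names from the question's server.xml / catalina.properties.
    static final String KEYSTORE_PATH_PROP = "path.to.my.keystore.file";
    static final String KEYSTORE_PASS_PROP = "my.keystore.password";
    // Alias of the SP key inside the keystore: an assumption of this example.
    static final String SIGNING_ALIAS = "saml-signing";

    /** Reads a system property set by Tomcat from catalina.properties; fails fast if absent. */
    static String requiredSystemProperty(String name) {
        String value = System.getProperty(name);
        if (value == null || value.isEmpty()) {
            throw new IllegalStateException("System property '" + name
                    + "' is not set; is the application running under Tomcat?");
        }
        return value;
    }

    /** Loads the keystore and verifies that the alias really holds a private key entry. */
    static KeyStore loadAndCheckKeystore(String path, char[] password, String alias)
            throws IOException, GeneralSecurityException {
        // "JKS" is Tomcat's default keystoreType; adjust if the Connector sets another type.
        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        if (!ks.isKeyEntry(alias)) {
            throw new IllegalStateException("Alias '" + alias
                    + "' has no private key entry in " + path);
        }
        return ks;
    }

    @Bean
    public KeyManager keyManager() throws IOException, GeneralSecurityException {
        String path = requiredSystemProperty(KEYSTORE_PATH_PROP);
        String pass = requiredSystemProperty(KEYSTORE_PASS_PROP);

        // Validate at startup so a rotated path or password surfaces immediately,
        // not on the first SAML request.
        loadAndCheckKeystore(path, pass.toCharArray(), SIGNING_ALIAS);

        // Key password assumed equal to the store password (Tomcat's keyPass default).
        Map<String, String> keyPasswords = Collections.singletonMap(SIGNING_ALIAS, pass);
        return new JKSKeyManager(new FileSystemResource(path), pass, keyPasswords, SIGNING_ALIAS);
    }
}
```

Because the values are read from system properties rather than from a hard-coded path to catalina.properties, the certificate team can move the keystore or rotate its password and only the Tomcat-side definitions change; the application picks up the new values on the next restart. If the Connector uses a separate keyPass or keyAlias, read those the same way instead of assuming the defaults used here.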