Using the finalizer for sensitive operations is not a good idea since nothing in Tomcat retains the SSLContext instances after using them to init.