RE: New idea - Enable Tomcat for SSL?
Hi,

I don't know about CRL support -- why not just try it out?

Yoav Shapira
Millennium Research Informatics

-----Original Message-----
From: ohaya [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 7:51 PM
To: Tomcat Users List
Subject: Re: New idea - Enable Tomcat for SSL?

Shapira, Yoav wrote:
Hi, http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html And, of course, http://jakarta.apache.org/tomcat/faq/connectors.html#integrate which should have saved you considerable time and effort.

Yoav,

I had posted a number of messages about problems I was having, but in any event, thanks for the links.

One other question: If I configure Tomcat (5.0.27) as a standalone SSL-enabled (client and server) webserver+container, will the Tomcat SSL handling support the use of certificate revocation lists (CRLs)? I've been trying to research this, and so far have had no luck finding anything on it, and, from the standpoint of security, support for CRLs is going to be a must-have if I go this direction.

If you or anyone knows the answer to this question, please let me know.

Thanks again,
Jim

- To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
Re: New idea - Enable Tomcat for SSL?
Yoav,

The problem is that I can't find any info at all on how to configure it to use a CRL.

FYI, after an all-nighter, I was just able to get the client and server SSL part working with standalone Tomcat. Very cool :)! And, best of all, I was able to confirm that with this, I can access the client certificate info from my JSPs.

I'm just so close to what I need now, if I can just figure out how to enable or incorporate the CRL checking, as from a security standpoint, they won't let me deploy a PKI-enabled system if it doesn't support CRLs.

Jim
RE: New idea - Enable Tomcat for SSL?
Hi,

I'm afraid I can't help much with CRLs on Tomcat. I've never done that before ;) I don't see much in the docs. I do see hits on Google, such as http://proj-grid-data-build.web.cern.ch/proj-grid-data-build/edg-java-security/edg-java-security-1.5.9/tomcat/Authentication_Admin_Guide.html, suggesting a custom SSLSocketFactory is in order. Tomcat of course lets you integrate whatever socket factory you want for your connector, and the one in the above links allows for CRL configuration.

Yoav Shapira
Millennium Research Informatics
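What CRL enforcement at the socket layer can look like with the standard JSSE and CertPath APIs, as an added example that is not part of the thread and is not the EDG socket factory linked above. The class name, file names, environment variable and port are hypothetical, and it assumes a current JDK rather than the J2SDK 1.4 of the thread's era.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Collection;
import java.util.Date;
import javax.net.ssl.*;

// Added illustration: a server socket that rejects revoked client certificates.
public class CrlCheckingServerSocket {

    static KeyStore load(String path, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password);
        }
        return ks;
    }

    static SSLContext buildContext(String keyStorePath, String trustStorePath,
                                   String crlPath, char[] password) throws Exception {
        // Read every CRL in the file and refuse to start on a missing or stale one.
        Collection<? extends CRL> crls;
        try (InputStream in = new FileInputStream(crlPath)) {
            crls = CertificateFactory.getInstance("X.509").generateCRLs(in);
        }
        if (crls.isEmpty()) {
            throw new IllegalStateException("no CRL found in " + crlPath);
        }
        Date now = new Date();
        for (CRL crl : crls) {
            Date nextUpdate = ((X509CRL) crl).getNextUpdate();
            if (nextUpdate != null && nextUpdate.before(now)) {
                throw new IllegalStateException("CRL is past its nextUpdate: " + nextUpdate);
            }
        }

        // Trust anchors are the CA certificates allowed to issue client certificates.
        PKIXBuilderParameters pkix =
                new PKIXBuilderParameters(load(trustStorePath, password), new X509CertSelector());
        pkix.setRevocationEnabled(true);  // undetermined revocation status fails validation
        pkix.addCertStore(CertStore.getInstance("Collection",
                new CollectionCertStoreParameters(crls)));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(pkix));

        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStorePath, password), password);

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        char[] password = System.getenv("STORE_PASSWORD").toCharArray(); // hypothetical variable
        SSLContext ctx = buildContext("server.p12", "client-cas.p12", "client-ca.crl", password);
        try (SSLServerSocket server =
                (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            server.setNeedClientAuth(true);  // a client certificate is mandatory
            try (SSLSocket client = (SSLSocket) server.accept()) {
                client.startHandshake();     // throws if the client certificate is revoked
                System.out.println("client certificate accepted");
            }
        }
    }
}
```

Every CA in the client chain below the trust anchor needs a current CRL in the store, otherwise validation fails for lack of revocation status. The CRL is read once at startup, so a deployment has to rebuild the context whenever a new CRL is published.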
Re: New idea - Enable Tomcat for SSL?
Excuse me everyone who has talked on this thread, I haven't followed this thread closely, but why aren't you using a proven software for that matter like Apache HTTPD? It has years of SSL patches, corrections and improvements. Also, Tomcat is just too slow to serve static content like images or large files.

If you're concerned with security, you should never think in the first place of beginning a new development; security has to have a process of maturity before you can decide something is *secure enough*.
Re: New idea - Enable Tomcat for SSL?
On Fri, Aug 20, 2004 at 10:11:01AM -0400, John Villar wrote:
: tomcat is just too slow to serve
: static content like images or large files.

Says who? ;)

-QM
-- software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com
Re: New idea - Enable Tomcat for SSL?
Somewhere on the net, don't know where :-D. Just in case, I did test it. With the JK2 integrator with IIS and Tomcat 5.0.19, the performance tripled compared with Tomcat 5.0.19 alone; of course, with a site that has *LOTS* of statically placed images.
RE: New idea - Enable Tomcat for SSL?
Hi,

I just love it when people pop in to a thread with assertions and their own performance tripled benchmarks. http://jakarta.apache.org/tomcat/faq/performance.html#faster

Stop basing your decisions on out of date information.

Yoav Shapira
Millennium Research Informatics
Re: New idea - Enable Tomcat for SSL?
John,

FYI, that (Apache+SSL) was my first approach, and I spent over a week trying to get it working, and posted a bunch of times about my problems. I was able to get the SSL authentication working early on, but what I was struggling with is getting access to the client cert information from JSPs.

In the end, I was able to conclude that the reason for that last problem was that the binaries that I was working with (Apache, mod_jk/jk2) were not compiled with the --EAPI directive, and that was preventing the SSL/client cert info from passing to Tomcat.

Besides the fact that I'm kind of running out of time to get something working, so I wouldn't have the time to build Apache, mod_ssl, mod_jk/jk2, I'm working in an environment where the binaries are controlled and single-sourced internally, and so even if I did have the time, I wouldn't be allowed to do and deploy a 'special' build.

After all of that, I turned back to Tomcat, and like I said, I'm that close now.

Also, as I indicated in an earlier msg in this thread, this is not going to be a high-volume website, at most maybe 1-2 people at a time, so performance is not a major concern.

Jim
Re: New idea - Enable Tomcat for SSL?
Please, don't start a flame war with this, but in my environment (W2K Server, IIS 5.0, Tomcat 5.0.19, MS SQL Server 2000, J2SDK 1.4.1_02) it is considerably faster when working in integrated mode. You could blame the OS (possibly that's the cause), but it's a fact for me and my customers.

Stop basing your decisions on out of date information.
RE: New idea - Enable Tomcat for SSL?
Hi,

http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

And, of course, http://jakarta.apache.org/tomcat/faq/connectors.html#integrate which should have saved you considerable time and effort.

Yoav Shapira
Millennium Research Informatics

-Original Message-
From: ohaya [mailto:[EMAIL PROTECTED]
Sent: Thursday, August 19, 2004 10:47 AM
To: [EMAIL PROTECTED]
Subject: New idea - Enable Tomcat for SSL?

Hi,

With the problems that I've posted about, trying to run Apache+Tomcat+mod_jk/jk2/proxy and not being able to retrieve the PKI client certificate information in JSPs, I'm now wondering if the best way to do this might be to just forget about Apache, and just run Tomcat by itself.

I've seen some info that SEEMS to indicate that it's possible to configure Tomcat as a standalone webserver+container that supports both client and server SSL authentication, i.e., no Apache, no mod_xxx, etc. Can anyone confirm that this is true? Also, if this is true, does anyone know if I'll then be able to access the client certificate information from my JSPs?

If anyone can point to some detailed instructions or HOWTOs on configuring Tomcat this way, I'd really appreciate it. This would be for the latest Tomcat (5.0.27?).

Even in production, traffic on the server for my project is going to be very limited, so I'm thinking that this might be the easiest option, if it can work, and if it allows me to access the info in client certs from JSP.

Thanks,
Jim
Re: New idea - Enable Tomcat for SSL?
Shapira, Yoav wrote:
Hi, http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html And, of course, http://jakarta.apache.org/tomcat/faq/connectors.html#integrate which should have saved you considerable time and effort.

Yoav,

I had posted a number of messages about problems I was having, but in any event, thanks for the links.

One other question: If I configure Tomcat (5.0.27) as a standalone SSL-enabled (client and server) webserver+container, will the Tomcat SSL handling support the use of certificate revocation lists (CRLs)? I've been trying to research this, and so far have had no luck finding anything on it, and, from the standpoint of security, support for CRLs is going to be a must-have if I go this direction.

If you or anyone knows the answer to this question, please let me know.

Thanks again,
Jim
Re: New idea - Enable Tomcat for SSL?
Hi out there,

I am actually new to servlets and Tomcat, of course. Basically the problem is that I have a servlet that I want to run in Tomcat. If you could just please tell me simple steps on how to run a simple hello world servlet in Tomcat, I would really appreciate it. And also tell me what URL I should use to run it.

Thanks
-bhaarat
Servlet Basics [WAS: Re: New idea - Enable Tomcat for SSL?]
On Thu, Aug 19, 2004 at 07:55:32PM -0400, [EMAIL PROTECTED] wrote:
: i am actually new to servlets and tomcat ofcourse. Basically the problem is
: that i have a servlet that i want to run in Tomcat. If you could just please
: tell me simple steps on how to run a simple hello world servlet in tomcat ..i
: would really appreciate it. and also tell me what url i should use to run it

Hello,

1/ When you write to the list, please post a new message. Responding to an old message confuses thread-aware mailers, which makes it more difficult for a helpful person to see your request. I've changed both your subject and yanked the old message-ID to address this.

2/ Tomcat has extensive docs on this subject, as does Sun:
http://jakarta.apache.org/tomcat
http://java.sun.com

-QM
-- software -- http://www.brandxdev.net
tech news -- http://www.RoarNetworX.com