Re: SSL % tomcat 6.0

2010-02-16 Thread Mikolaj Rydzewski

Andrey D wrote:

> I have some small troubles with SSL certificates integration for tomcat 6.0.
> Of course I've read the FAQ and SSL tutorial but my situation is not
> described in those help sheets in detail...
Well, maybe it does not address your problem directly. I found it's much 
easier to work with the following configuration:

apache httpd (+ SSL) - mod_proxy_ajp - tomcat

The AJP connector is aware of SSL being used by apache.

--
Mikolaj Rydzewski m...@ceti.pl


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL % tomcat 6.0

2010-02-16 Thread Andrey D
Sorry, but I can't use apache httpd separately... only tomcat.. :(

someone told me:

> ok, I think the solution is this
> create a CA ... then, import the CA public key into key-store
> sign each client certificate with CA private key ..
> I believe this will mean that when Tomcat requests client certificate, it
> can be checked against the CA public key in keystore ...
> have a look at this ..

what do you think about it?
and if it helps... how do I do it?
Thanks!

On Tue, Feb 16, 2010 at 1:40 PM, Mikolaj Rydzewski m...@ceti.pl wrote:

> Andrey D wrote:
>
> > I have some small troubles with SSL certificates integration for tomcat 6.0.
> > Of course I've read the FAQ and SSL tutorial but my situation is not
> > described in those help sheets in detail...
>
> Well, maybe it does not address your problem directly. I found it's much
> easier to work with the following configuration:
>
> apache httpd (+ SSL) - mod_proxy_ajp - tomcat
>
> The AJP connector is aware of SSL being used by apache.
>
> --
> Mikolaj Rydzewski m...@ceti.pl


Re: SSL % tomcat 6.0

2010-02-16 Thread Christopher Schultz

Andrey,

On 2/16/2010 7:46 AM, Andrey D wrote:
> Sorry, but I can't use apache httpd separately... only tomcat.. :(
>
> someone told me:
>
> > ok, I think the solution is this
> > create a CA ... then, import the CA public key into key-store
> > sign each client certificate with CA private key ..
> > I believe this will mean that when Tomcat requests client certificate, it
> > can be checked against the CA public key in keystore ...
> > have a look at this ..
>
> what do you think about it?

This sounds reasonable: basically, instead of creating many trusted
certificates, you create a single trusted certificate, then use that to
sign the client certificates. Tomcat trusts the signing certificate and
therefore, implicitly, all the client certificates signed with that
top-level one.

> and if it helps... how do I do it?

Heh... it gets to be a bit of a pain in the neck.

For starters, read the thread titled "mod_jk & Client SSL Certificates"
from the archives back in October. Specifically, this message:
http://tomcat.markmail.org/message/kzxsamuiu6bldjmv?q=%22mod_jk+%26+Client+SSL+Certificates%22+list:org.apache.tomcat.users

You can ignore most of the Apache httpd-related stuff, but I did end up
creating the key stores in OpenSSL format, so you'll have to
read through the certificate creation process in order to get a
top-level certificate that you can actually use with my code.

Or, you could follow the client certificate instructions on Tomcat's
website (I found the lack of documentation for using Client SSL
certificates a little frustrating, but I ended up doing most of my work
with OpenSSL, etc., and not Tomcat so I don't really have any better
instructions than what's already on the Tomcat site).

Good luck,
- -chris
