billbarker 2003/10/05 16:49:09 Modified: webapps/docs ssl-howto.xml Log: Updating docs, including adding notes for the current limitations of IBM's implementation of JSSE. Revision Changes Path 1.6 +42 -7 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml =================================================================== RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- ssl-howto.xml 4 Aug 2003 05:13:35 -0000 1.5 +++ ssl-howto.xml 5 Oct 2003 23:49:09 -0000 1.6 @@ -29,7 +29,7 @@ <p>To install and configure SSL support on Tomcat 5, you need to follow these simple steps. For more information, read the rest of this HOW-TO.</p> <ol> -<li>If you are running a 1.3 JVM, download JSSE 1.0.2 (or later) from +<li>If you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from <a href="http://java.sun.com/products/jsse/">http://java.sun.com/products/jsse/</a> and either make it an <em>installed extension</em> on the system, or else set an environment variable <code>JSSE_HOME</code> that points at the @@ -176,10 +176,10 @@ <subsection name="Download and Install JSSE"> <p>Download the <em>Java Secure Socket Extensions</em> (JSSE) package, -version 1.0.2 or later, from +version 1.0.3 or later, from <a href="http://java.sun.com/products/jsse/">http://java.sun.com/products/jsse/</a>. If you built Tomcat from source, you have probably already downloaded this -package. If you are running JDK 1.4 (currently in beta), these classes have +package. If you are running JDK 1.4.x, these classes have been integrated directly into the JDK, so you can skip this entire step.</p> <p>After expanding the package, there are two ways to make it available to 
@@ -197,15 +197,27 @@ <subsection name="Prepare the Certificate Keystore"> -<p>Tomcat currently operates only on <code>JKS</code> format keystores. This +<p>Tomcat currently operates only on <code>JKS</code> or <code>PKCS12</code> +format keystores. The <code>JKS</code> format is Java's standard "Java KeyStore" format, and is the format created by the <code>keytool</code> command-line utility. This tool is included in the JDK. +The <code>PKCS12</code> format is an internet standard, and can be manipulated +via (among other things) OpenSSL and Microsoft's Key-Manager. However, +currently there are some limitations on the support for <code>PKCS12</code>. </p> <p>To import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about <code>keytool</code>. </p> - +<p>To import an existing certificate signed by your own CA into a PKCS12 +keystore using OpenSSL you would execute a command like: +</source>openssl pkcs12 -export -infile mycert.crt -inkey mykey.key \ + -outfile mycert.p12 -name tomcat -CAfile myCA.crt \ + -caname root -chain +</source> +For more advanced cases, consult the <a href="http://www.openssl.org/">OpenSSL +documententation</a>. +</p> <p>To create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:</p> <p>Windows:</p> @@ -276,7 +288,7 @@ port="8443" minProcessors="5" maxProcessors="75" enableLookups="true" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true"; - clientAuth="false" sslprotocol="TLS"/> + clientAuth="false" sslProtocol="TLS"/> --> </source> 
@@ -333,14 +345,37 @@ password than the one Tomcat expects (<code>changeit</code>).</td> </tr> <tr> + <td><code>keystoreType</code></td> + <td>Add this element if using a PKCS12 keystore. The valid values are + <code>JKS</code> and <code>PKCS12</code>. + <tr> <td><code>sslProtocol</code></td> <td>The encryption/decryption protocol to be used on this socket. - Do not change the default value.</td> + It is not recommended to change this value if you are using Sun's + JVM. It is reported that IBM's 1.4.1 implementation + of the TLS protocol is not compatible with some popular browsers. + In this case, use the value <code>SSL</code>.</td> </tr> <tr> <td><code>ciphers</code></td> <td>The comma separated list of encryption ciphers that this socket is allowed to use. By default, any available cipher is allowed.</td> + </tr> + <tr> + <td><code>algorithm</code></td> + <td>The <code>X509</code> algorithm to use. This defaults to the Sun + implementation (<code>SunX509</code>). For IBM JVMs you should use + the value <code>IbmX509</code>. For other vendors, consult the JVM + documentation for the correct value. + </td> + </tr> + <tr> + <td><code>truststoreFile</code></td> + <td>The TrustStore file to use to validate client certificates.</td> + </tr> + <tr> + <td><code>truststorePass</code></td> + <td>The password to access the TrustStore.</td> </tr> </table>
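Review bot: the new `keystoreType` row in the attribute table is missing its closing `</td>` and `</tr>` before the `sslProtocol` row's `<tr>`, which leaves the document malformed; add `</td></tr>` after `<code>JKS</code> and <code>PKCS12</code>.` (and "Add this element" should read "Add this attribute", as the table lists Connector attributes). Two smaller points on the same hunk: the `sslProtocol` text recommends the value `SSL` for IBM's 1.4.1 JVM as a browser-compatibility workaround but does not say what that value changes relative to `TLS`, so a reader cannot judge the trade-off; a sentence noting that it selects the older protocol family and should be reverted to `TLS` once the JVM is fixed would help. The `truststoreFile` and `truststorePass` rows also do not say what is used when they are absent or that they only matter when `clientAuth` is enabled; the context line above spells out the default password Tomcat expects (`changeit`), so these rows should be similarly explicit.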
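Review bot: the stray semicolon in `scheme="https" secure="true";`, two lines above the `sslProtocol` case fix in the commented-out Connector example, is still there; readers uncomment this block verbatim, so drop the `;` in this same change.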
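Review bot: the new OpenSSL example in the "Prepare the Certificate Keystore" hunk opens its code block with a closing tag, `</source>openssl pkcs12 -export -infile mycert.crt ...`, so the block is never opened and the XML is not well-formed; change the first tag to `<source>`. The command itself also needs correcting: OpenSSL's `pkcs12` command takes `-in` and `-out`, not `-infile` and `-outfile`, so the example fails as written for anyone who copies it. Finally, "documententation" in the OpenSSL link text should be "documentation".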