Hey guys, I was wondering if there were any thoughts on this particular suggestion. I hadn't seen anything on the list.
Chad La Joie wrote:
> Good Morning,
>
> I work on the Internet2 Shibboleth project and we've run into an
> issue with client cert authentication in a stand-alone Tomcat
> environment (i.e. without Apache HTTPD in front of it). Shibboleth
> clients use client cert auth when talking with the Shibboleth server;
> however, the certificate chains for the clients are not in a Java
> keystore. Instead they are in XML files that contain a large amount of
> metadata needed by both the client and the server.
>
> Our current supported deployment configuration is to have Apache
> HTTPD in front of Tomcat and to use the "SSLVerifyClient optional_no_ca"
> HTTPD directive. This allows the client to send its certificate, but
> instead of HTTPD trying to validate the cert, it just passes the cert on
> to the Shibboleth server. This allows us to validate the certificate
> against the cert chains in the metadata files within the server code (a
> huge support boon for us). What we'd like to request is a similar
> option for the SSL connector when client cert auth is used so that we
> can support a stand-alone Tomcat set up too.
>
> Would this be possible?
>
> --
> Chad La Joie
> 315Q St. Mary's Hall
> Project Sentinel
> 202.687.0124
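The deployment Chad describes, as an added example that is not part of this thread and is not Shibboleth or Tomcat code: Go's tls.RequireAnyClientCert plays the role of "SSLVerifyClient optional_no_ca" (the TLS layer demands a client certificate and verifies the CertificateVerify signature, i.e. possession of the private key, but does no chain validation), and the application then builds and validates a path from the presented certificate to trust anchors it loaded itself, the way Shibboleth would take them from metadata instead of a keystore. The CA, the names (Federation Metadata CA, idp.example.org, sp.example.org), the in-memory pipe and the ErrUntrustedClient sentinel are all constructed for the demo. The second run shows the caveat of this mode: a self-signed certificate carrying the same subject name completes the handshake and is stopped only by the application check, so that check has to validate the chain rather than compare subject names.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// ErrUntrustedClient: the TLS handshake succeeded but the application-level chain check did not.
var ErrUntrustedClient = errors.New("client certificate not trusted by metadata")
var serial int64 // serial numbers for the throwaway certificates below

// issue mints a throwaway certificate for cn (constructed test data, generated in
// memory). parent == nil gives a self-signed certificate; otherwise parent signs it.
func issue(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// authenticate is the check that optional_no_ca leaves to the application: build and validate
// a path from the presented certificate to a metadata anchor (clientAuth EKU required) first.
func authenticate(peer []*x509.Certificate, roots *x509.CertPool) (string, error) {
	if len(peer) == 0 {
		return "", errors.New("no client certificate presented")
	}
	inter := x509.NewCertPool() // intermediates the client sent along, if any
	for _, c := range peer[1:] {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := peer[0].Verify(opts); err != nil {
		return "", fmt.Errorf("%w: %v", ErrUntrustedClient, err)
	}
	return peer[0].Subject.CommonName, nil
}

// handshake runs one client-authenticated TLS handshake over an in-memory pipe.
// tls.RequireAnyClientCert is the analogue of "SSLVerifyClient optional_no_ca": the TLS layer
// demands a certificate and checks the CertificateVerify signature, but validates no chain.
func handshake(server, client tls.Certificate, roots *x509.CertPool) (string, error) {
	srvConn, cliConn := net.Pipe()
	defer srvConn.Close()
	defer cliConn.Close()
	srv := tls.Server(srvConn, &tls.Config{
		Certificates:           []tls.Certificate{server},
		ClientAuth:             tls.RequireAnyClientCert,
		SessionTicketsDisabled: true, // no post-handshake writes on the unbuffered pipe
	})
	cli := tls.Client(cliConn, &tls.Config{
		Certificates:       []tls.Certificate{client},
		InsecureSkipVerify: true, // server identity is not what this demo is about
	})
	cliErr := make(chan error, 1)
	go func() { cliErr <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return "", fmt.Errorf("server handshake: %w", err)
	}
	if err := <-cliErr; err != nil {
		return "", fmt.Errorf("client handshake: %w", err)
	}
	return authenticate(srv.ConnectionState().PeerCertificates, roots)
}

func main() {
	ca := issue("Federation Metadata CA", true, nil, nil)
	caKey := ca.PrivateKey.(*ecdsa.PrivateKey)
	roots := x509.NewCertPool() // stands in for the anchors parsed out of the metadata XML
	roots.AddCert(ca.Leaf)
	server := issue("idp.example.org", false, ca.Leaf, caKey)
	good := issue("sp.example.org", false, ca.Leaf, caKey)
	rogue := issue("sp.example.org", false, nil, nil) // self-signed, same subject name
	fmt.Println(handshake(server, good, roots))
	fmt.Println(handshake(server, rogue, roots))
}
```

tls.RequestClientCert would be the closer match for "optional" (a client may also send nothing, and the application decides what that means); RequireAnyClientCert is used here so every run reaches the application check. In the httpd-fronted deployment the same check runs on the chain Tomcat exposes as the javax.servlet.request.X509Certificate request attribute, which mod_ssl only exports to the connector when SSLOptions +ExportCertData is set.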