>>Hello I am new to Apache and am using mod_ssl Apache server
>>connected with Tomcat via the mod_jk module -
>I've just done that ... (absolute beginner)
>
>>I get the following
>> warning when starting Apache after I start tomcat
>>"Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API,
>>this module might crash under EAPI! (Please recompile it with -DEAPI)
The module has been compiled on a standard Apache and
you want it to run on an EAPI Apache (i.e. using mod_ssl).
If you're using a Linux Redhat or compatible, take a look
at my RPM at: ftp://ftp.falsehope.com/home/gomez/tomcat/
or at http://jakarta.apache.org/builds/jakarta-tomcat/release/v3.2.1/rpms/
>same for me... it seems to work anyway...
>
>note that I had to install JSSE 102 from sun java site...
>I've put it into the JRE 1.3 as documented (jar in lib/ext)
>and changed the security provider list in some properties file
>as documented...
>
>For tomcat servlet/jsp to be able to call-back HTTPS as a client
>I had to add a -D... that sets the implementor of URL...
>documented in JSSE also...
>I also had to set the keystore of jsse
>
>extract from tomcat.bat:
>:runServer
>rem Running Tomcat in this window
>if "%2" == "-security" goto runSecure
>%_RUNJAVA% %TOMCAT_OPTS% -Dtomcat.home="%TOMCAT_HOME%" -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/conf/ssl/cacerts" -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol org.apache.tomcat.startup.Tomcat %2 %3 %4 %5 %6 %7 %8 %9
>goto cleanup
>
>
>
>
>> I am trying to get Apache and Tomcat to use SSL .
>>I don't have a certificate configured and get the following error
>>"localhost:443 should be SSL-aware but has no certificate configured
>>[Hint: SSLCertificateFile]" Can someone point me to the exact directions
>>on how to configure a certificate and also will this module
>
>I had to use the snakeoil certificates and keys as documented...
>all is configured in a virtual host on port 443...
>
>the last problem is that the snakeoil certificate
>has a /CN= different from my host DNS name
>(sure, it is a dummy certificate),
>and thus the HTTPS URL connector refuses to trust
>an HTTPS server whose certificate CN is different from
>its DNS name...
>
>I've found examples of config files on the web...
>note that the ifdefined SSL does not work with the apache/mod_ssl
>found on mod_ssl.org... I have used the IfModule mod_ssl.c
>
>I've put parts of the config files at the end...
>
>
>>
>>mod_jk work with the version of Apache I am using -
>>Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip
>>and Tomcat 3.2.1 I have configured this via the documentation
>>in Tomcat. Any ideas or suggestions on where to go from here
>> would be much appreciated
>
>if someone can explain to me how to generate
>a good server certificate with openssl or
>keytool... 8)
>
>
>
>------------------------------
>here is the SSL config included at the end of the
>httpd.conf in apache
>
>##
>## SSL Support
>##
>## When we also provide SSL we have to listen to the
>## standard HTTP port (see above) and to the HTTPS port
>##
>
>LoadModule ssl_module modules/ApacheModuleSSL.dll
>
><IfModule mod_ssl.c>
>
>Listen 8000
>Listen 8443
>AddType application/x-x509-ca-cert .crt
>AddType application/x-pkcs7-crl .crl
>
># Pass Phrase Dialog:
># Configure the pass phrase gathering process.
># The filtering dialog program (`builtin' is a internal
># terminal dialog) has to provide the pass phrase on stdout.
>SSLPassPhraseDialog builtin
>
># Inter-Process Session Cache:
># Configure the SSL Session Cache: First either `none'
># or `dbm:/path/to/file' for the mechanism to use and
># second the expiring timeout (in seconds).
>#SSLSessionCache none
>#SSLSessionCache shm:logs/ssl_scache(512000)
>SSLSessionCache dbm:logs/ssl_scache
>SSLSessionCacheTimeout 300
>
># Semaphore:
># Configure the path to the mutual exclusion semaphore the
># SSL engine uses internally for inter-process synchronization.
>#SSLMutex file:logs/ssl_mutex
>
># Pseudo Random Number Generator (PRNG):
># Configure one or more sources to seed the PRNG of the
># SSL library. The seed data should be of good random quality.
># WARNING! On some platforms /dev/random blocks if not enough entropy
># is available. This means you then cannot use the /dev/random device
># because it would lead to very long connection times (as long as
># it requires to make more entropy available). But usually those
># platforms additionally provide a /dev/urandom device which doesn't
># block. So, if available, use this one instead. Read the mod_ssl User
># Manual for more details.
>SSLRandomSeed startup builtin
>SSLRandomSeed connect builtin
>#SSLRandomSeed startup file:/dev/random 512
>#SSLRandomSeed startup file:/dev/urandom 512
>#SSLRandomSeed connect file:/dev/random 512
>#SSLRandomSeed connect file:/dev/urandom 512
>
># Logging:
># The home of the dedicated SSL protocol logfile. Errors are
># additionally duplicated in the general error log file. Put
># this somewhere where it cannot be used for symlink attacks on
># a real server (i.e. somewhere where only root can write).
># Log levels are (ascending order: higher ones include lower ones):
># none, error, warn, info, trace, debug.
>SSLLog logs/ssl_engine.log
>SSLLogLevel info
>
>
>##
>## SSL Virtual Host Context
>##
>
><VirtualHost _default_:8443>
>
># General setup for the virtual host
>DocumentRoot "d:/apache/htdocs"
>ServerName maui.idt.cdc.fr
>ServerAdmin [EMAIL PROTECTED]
>ErrorLog logs/ssl_error.log
>TransferLog logs/ssl_access.log
>
># SSL Engine Switch:
># Enable/Disable SSL for this virtual host.
>SSLEngine on
>
># SSL Cipher Suite:
># List the ciphers that the client is permitted to negotiate.
># See the mod_ssl documentation for a complete list.
>SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>
># Server Certificate:
># Point SSLCertificateFile at a PEM encoded certificate. If
># the certificate is encrypted, then you will be prompted for a
># pass phrase. Note that a kill -HUP will prompt again. A test
># certificate can be generated with `make certificate' under
># built time. Keep in mind that if you've both a RSA and a DSA
># certificate you can configure both in parallel (to also allow
># the use of DSA ciphers, etc.)
>SSLCertificateFile d:/apache/conf/ssl.crt/snakeoil-rsa.crt
>#SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt
>
># Server Private Key:
># If the key is not combined with the certificate, use this
># directive to point at the key file. Keep in mind that if
># you've both a RSA and a DSA private key you can configure
># both in parallel (to also allow the use of DSA ciphers, etc.)
>SSLCertificateKeyFile d:/apache/conf/ssl.key/snakeoil-rsa.key
>#SSLCertificateKeyFile d:/apache/conf/ssl.key/server-dsa.key
>
># Server Certificate Chain:
># Point SSLCertificateChainFile at a file containing the
># concatenation of PEM encoded CA certificates which form the
># certificate chain for the server certificate. Alternatively
># the referenced file can be the same as SSLCertificateFile
># when the CA certificates are directly appended to the server
># certificate for convenience.
>#SSLCertificateChainFile d:/apache/conf/ssl.crt/ca.crt
>
># Certificate Authority (CA):
># Set the CA certificate verification path where to find CA
># certificates for client authentication or alternatively one
># huge file containing all of them (file must be PEM encoded)
># Note: Inside SSLCACertificatePath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCACertificatePath d:/apache/conf/ssl.crt
>#SSLCACertificateFile d:/apache/conf/ssl.crt/ca-bundle.crt
>
># Certificate Revocation Lists (CRL):
># Set the CA revocation path where to find CA CRLs for client
># authentication or alternatively one huge file containing all
># of them (file must be PEM encoded)
># Note: Inside SSLCARevocationPath you need hash symlinks
># to point to the certificate files. Use the provided
># Makefile to update the hash symlinks after changes.
>#SSLCARevocationPath d:/apache/conf/ssl.crl
>#SSLCARevocationFile d:/apache/conf/ssl.crl/ca-bundle.crl
>
># Client Authentication (Type):
># Client certificate verification type and depth. Types are
># none, optional, require and optional_no_ca. Depth is a
># number which specifies how deeply to verify the certificate
># issuer chain before deciding the certificate is not valid.
>#SSLVerifyClient require
>#SSLVerifyDepth 10
>
># Access Control:
># With SSLRequire you can do per-directory access control based
># on arbitrary complex boolean expressions containing server
># variable checks and other lookup directives. The syntax is a
># mixture between C and Perl. See the mod_ssl documentation
># for more details.
>#<Location />
>#SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
># and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
># and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
># and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
># and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20 ) \
># or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
>#</Location>
>
># SSL Engine Options:
># Set various options for the SSL engine.
># o FakeBasicAuth:
># Translate the client X.509 into a Basic Authorisation. This means that
># the standard Auth/DBMAuth methods can be used for access control. The
># user name is the `one line' version of the client's X.509 certificate.
># Note that no password is obtained from the user. Every entry in the user
># file needs this password: `xxj31ZMTZzkVA'.
># o ExportCertData:
># This exports two additional environment variables: SSL_CLIENT_CERT and
># SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
># server (always existing) and the client (only existing when client
># authentication is used). This can be used to import the certificates
># into CGI scripts.
># o StdEnvVars:
># This exports the standard SSL/TLS related `SSL_*' environment variables.
># Per default this exportation is switched off for performance reasons,
># because the extraction step is an expensive operation and is usually
># useless for serving static content. So one usually enables the
># exportation for CGI and SSI requests only.
># o CompatEnvVars:
># This exports obsolete environment variables for backward compatibility
># to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
># to provide compatibility to existing CGI scripts.
># o StrictRequire:
># This denies access when "SSLRequireSSL" or "SSLRequire" applied even
># under a "Satisfy any" situation, i.e. when it applies access is denied
># and no other module can change it.
># o OptRenegotiate:
># This enables optimized SSL connection renegotiation handling when SSL
># directives are used in per-directory context.
>#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
><Files ~ "\.(cgi|shtml|phtml|php3?)$">
> SSLOptions +StdEnvVars
></Files>
><Directory "d:/Apache/cgi-bin">
> SSLOptions +StdEnvVars
></Directory>
>
># SSL Protocol Adjustments:
># The safe and default but still SSL/TLS standard compliant shutdown
># approach is that mod_ssl sends the close notify alert but doesn't wait for
># the close notify alert from client. When you need a different shutdown
># approach you can use one of the following variables:
># o ssl-unclean-shutdown:
># This forces an unclean shutdown when the connection is closed, i.e. no
># SSL close notify alert is send or allowed to received. This violates
># the SSL/TLS standard but is needed for some brain-dead browsers. Use
># this when you receive I/O errors because of the standard approach where
># mod_ssl sends the close notify alert.
># o ssl-accurate-shutdown:
># This forces an accurate shutdown when the connection is closed, i.e. a
># SSL close notify alert is send and mod_ssl waits for the close notify
># alert of the client. This is 100% SSL/TLS standard compliant, but in
># practice often causes hanging connections with brain-dead browsers. Use
># this only for browsers where you know that their SSL implementation
># works correctly.
># Notice: Most problems of broken clients are also related to the HTTP
># keep-alive facility, so you usually additionally want to disable
># keep-alive for those clients, too. Use variable "nokeepalive" for this.
># Similarly, one has to force some clients to use HTTP/1.0 to workaround
># their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
># "force-response-1.0" for this.
>SetEnvIf User-Agent ".*MSIE.*" \
> nokeepalive ssl-unclean-shutdown \
> downgrade-1.0 force-response-1.0
>
># Per-Server Logging:
># The home of a custom SSL log file. Use this when you want a
># compact non-error SSL logfile on a virtual host basis.
>CustomLog logs/ssl_request.log \
> "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
>
>
> JkMount /tomcat/*/servlet/* ajp13
> JkMount /tomcat/*.jsp ajp13
> JkMount /tomcat/cocoon/*.xml ajp13
> JkMount /*.jsp ajp13
> JkMount /servlet/* ajp13
>
>
></VirtualHost>
>
></IfModule>
>--------------------------------------
>
>part added to the httpd.conf,
>relative to tomcat
>
>
>###################################################################
># Auto generated configuration. Dated: Mon Jan 08 12:06:07 CET 2001
>###################################################################
>
>#
># The following line instructs Apache to load the jk module
>#
>LoadModule jk_module modules/mod_jk.dll
>
>JkWorkersFile "D:/jakarta-tomcat-3.2.1/conf/workers.properties"
>JkLogFile "D:/jakarta-tomcat-3.2.1/logs/mod_jk.log"
>
>#
># Log level to be used by mod_jk
>#
>JkLogLevel error
>
>###################################################################
># SSL configuration #
>#
># By default mod_jk is configured to collect SSL information from
># the apache environment and send it to the Tomcat workers. The
># problem is that there are many SSL solutions for Apache and as
># a result the environment variable names may change.
>#
># The following (commented out) JK related SSL configuration
># can be used to customize mod_jk's SSL behaviour.
>#
># Should mod_jk send SSL information to Tomcat (default is On)
># JkExtractSSL Off
>#
># What is the indicator for SSL (default is HTTPS)
># JkHTTPSIndicator HTTPS
>#
># What is the indicator for SSL session (default is SSL_SESSION_ID)
># JkSESSIONIndicator SSL_SESSION_ID
>#
># What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
># JkCIPHERIndicator SSL_CIPHER
>#
># What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)
># JkCERTSIndicator SSL_CLIENT_CERT
>#
># #
>###################################################################
>
>#
># Root context mounts for Tomcat
>#
>JkMount /*.jsp ajp13
>JkMount /servlet/* ajp13
>
>#########################################################
># Auto configuration for the /examples context starts.
>#########################################################
>
>#
># The following line makes apache aware of the location of the /examples context
>#
>Alias /tomcat/examples "D:/jakarta-tomcat-3.2.1/webapps/examples"
><Directory "D:/jakarta-tomcat-3.2.1/webapps/examples">
> Options Indexes FollowSymLinks
></Directory>
>
>#
># The following line mounts all JSP files and the /servlet/ uri to tomcat
>#
>JkMount /tomcat/examples/servlet/* ajp13
>JkMount /tomcat/examples/*.jsp ajp13
>
>#
># The following line prohibits users from directly accessing WEB-INF
>#
><Location "/tomcat/examples/WEB-INF/">
> AllowOverride None
> deny from all
></Location>
>#
># Use Directory too. On Windows, Location doesn't work unless case matches
>#
><Directory "D:/jakarta-tomcat-3.2.1/webapps/examples/WEB-INF/">
> AllowOverride None
> deny from all
></Directory>
>
>#
># The following line prohibits users from directly accessing META-INF
>#
><Location "/tomcat/examples/META-INF/">
> AllowOverride None
> deny from all
></Location>
>#
># Use Directory too. On Windows, Location doesn't work unless case matches
>#
><Directory "D:/jakarta-tomcat-3.2.1/webapps/examples/META-INF/">
> AllowOverride None
> deny from all
></Directory>
>
>#######################################################
># Auto configuration for the /examples context ends.
>#######################################################
>
>
>
>----- server.xml for tomcat
>
><?xml version="1.0" encoding="ISO-8859-1"?>
>
><Server>
> <!-- Debug low-level events in XmlMapper startup -->
> <xmlmapper:debug level="0" />
>
> <!--
>
> Logging:
>
> Logging in Tomcat is quite flexible; we can either have a log
> file per module (example: ContextManager) or we can have one
> for Servlets and one for Jasper, or we can just have one
> tomcat.log for both Servlet and Jasper. Right now there are
> three standard log streams, "tc_log", "servlet_log", and
> "JASPER_LOG".
>
> Path:
>
> The file to which to output this log, relative to
> TOMCAT_HOME. If you omit a "path" value, then stderr or
> stdout will be used.
>
> Verbosity:
>
> Threshold for which types of messages are displayed in the
> log. Levels are inclusive; that is, "WARNING" level displays
> any log message marked as warning, error, or fatal. Default
> level is WARNING.
>
> verbosityLevel values can be:
> FATAL
> ERROR
> WARNING
> INFORMATION
> DEBUG
>
> Timestamps:
>
> By default, logs print a timestamp in the form "yyyy-MM-dd
> hh:mm:ss" in front of each message. To disable timestamps
> completely, set 'timestamp="no"'. To use the raw
> msec-since-epoch, which is more efficient, set
> 'timestampFormat="msec"'. If you want a custom format, you
> can use 'timestampFormat="hh:mm:ss"' following the syntax of
> java.text.SimpleDateFormat (see Javadoc API). For a
> production environment, we recommend turning timestamps off,
> or setting the format to "msec".
>
> Custom Output:
>
> "Custom" means "normal looking". "Non-custom" means
> "surrounded with funny xml tags". In preparation for
> possibly disposing of "custom" altogether, now the default is
> 'custom="yes"' (i.e. no tags)
>
> Per-component Debugging:
>
> Some components accept a "debug" attribute. This further
> enhances log output. If you set the "debug" level for a
> component, it may output extra debugging information.
> -->
>
> <!-- if you don't want messages on screen, add the attribute
> path="logs/tomcat.log"
> to the Logger element below
> -->
> <Logger name="tc_log"
> verbosityLevel = "INFORMATION"
> />
>
> <Logger name="servlet_log"
> path="logs/servlet.log"
> />
>
> <Logger name="JASPER_LOG"
> path="logs/jasper.log"
> verbosityLevel = "INFORMATION" />
>
> <!-- You can add a "home" attribute to represent the "base" for
> all relative paths. If none is set, the TOMCAT_HOME property
> will be used, and if not set "." will be used.
> webapps/, work/ and logs/ will be relative to this ( unless
> set explicitely to absolute paths ).
>
> You can also specify a "randomClass" attribute, which determines
> a subclass of java.util.Random will be used for generating session IDs.
> By default this is "java.security.SecureRandom".
> Specifying "java.util.Random" will speed up Tomcat startup,
> but it will cause sessions to be less secure.
>
> You can specify the "showDebugInfo" attribute to control whether
> debugging information is displayed in Tomcat's default responses.
> This debugging information includes:
> 1. Stack traces for exceptions
> 2. Request URI's that cause status codes >= 400
> The default is "true", so you must specify "false" to prevent
> the debug information from appearing. Since the debugging
> information reveals internal details about what Tomcat is serving,
> set showDebugInfo="false" if you wish increased security.
> -->
> <ContextManager debug="0" workDir="work" showDebugInfo="true" >
>
> <!-- ==================== Interceptors ==================== -->
>
> <!--
> ContextInterceptor className="org.apache.tomcat.context.LogEvents"
> -->
>
> <ContextInterceptor className="org.apache.tomcat.context.AutoSetup" />
>
> <ContextInterceptor
> className="org.apache.tomcat.context.WebXmlReader" />
>
> <!-- Uncomment out if you have JDK1.2 and want to use policy
> <ContextInterceptor
> className="org.apache.tomcat.context.PolicyInterceptor" />
> -->
>
> <ContextInterceptor
> className="org.apache.tomcat.context.LoaderInterceptor" />
> <ContextInterceptor
> className="org.apache.tomcat.context.DefaultCMSetter" />
> <ContextInterceptor
> className="org.apache.tomcat.context.WorkDirInterceptor" />
>
> <!-- Request processing -->
> <!-- Session interceptor will extract the session id from cookies and
> deal with URL rewriting ( by fixing the URL ). If you wish to
> suppress the use of cookies for session identifiers, change the
> "noCookies" attribute to "true"
> -->
> <RequestInterceptor
> className="org.apache.tomcat.request.SessionInterceptor"
> noCookies="false" />
>
> <!-- Find the container ( context and prefix/extension map )
> for a request.
> -->
> <RequestInterceptor
> className="org.apache.tomcat.request.SimpleMapper1"
> debug="0" />
>
> <!-- Non-standard invoker, for backward compat. ( /servlet/* )
> You can modify the prefix that is matched by adjusting the
> "prefix" parameter below. Be sure your modified pattern
> starts and ends with a slash.
>
> NOTE: This prefix applies to *all* web applications that
> are running in this instance of Tomcat.
> -->
> <RequestInterceptor
> className="org.apache.tomcat.request.InvokerInterceptor"
> debug="0" prefix="/servlet/" />
>
> <!-- "default" handler - static files and dirs. Set the
> "suppress" property to "true" to suppress directory listings
> when no welcome file is present.
>
> NOTE: This setting applies to *all* web applications that
> are running in this instance of Tomcat.
> -->
> <RequestInterceptor
> className="org.apache.tomcat.request.StaticInterceptor"
> debug="0" suppress="false" />
>
> <!-- Plug a session manager. You can plug in more advanced session
> modules.
> -->
> <RequestInterceptor
> className="org.apache.tomcat.session.StandardSessionInterceptor" />
>
> <!-- Check if the request requires an authenticated role.
> -->
> <RequestInterceptor
> className="org.apache.tomcat.request.AccessInterceptor"
> debug="0" />
>
> <!-- Check permissions using the simple xml file. You can
> plug more advanced authentication modules.
> -->
> <RequestInterceptor
> className="org.apache.tomcat.request.SimpleRealm"
> debug="0" />
>
> <!-- UnComment the following and comment out the
> above to get a JDBC realm.
> Other options for driverName:
> driverName="oracle.jdbc.driver.OracleDriver"
> connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
> connectionName="scott"
> connectionPassword="tiger"
>
> driverName="org.gjt.mm.mysql.Driver"
> connectionURL="jdbc:mysql://localhost/authority"
> connectionName="test"
> connectionPassword="test"
>
> "connectionName" and "connectionPassword" are optional.
> -->
> <!--
> <RequestInterceptor
> className="org.apache.tomcat.request.JDBCRealm"
> debug="99"
> driverName="sun.jdbc.odbc.JdbcOdbcDriver"
> connectionURL="jdbc:odbc:TOMCAT"
> userTable="users"
> userNameCol="user_name"
> userCredCol="user_pass"
> userRoleTable="user_roles"
> roleNameCol="role_name" />
> -->
>
> <!-- Loaded last since JSP's that load-on-startup use request handling -->
> <ContextInterceptor
> className="org.apache.tomcat.context.LoadOnStartupInterceptor" />
>
> <!-- ==================== Connectors ==================== -->
>
> <!-- Normal HTTP -->
> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
> <Parameter name="handler"
> value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
> <Parameter name="port"
> value="8001"/>
> </Connector>
>
> <!--
> Uncomment this for SSL support.
> You _need_ to set up a server certificate if you want this
> to work, and you need JSSE.
> 1. Add JSSE jars to CLASSPATH
> 2. Edit java.home/jre/lib/security/java.security
> Add:
> security.provider.2=com.sun.net.ssl.internal.ssl.Provider
> 3. Do: keytool -genkey -alias tomcat -keyalg RSA
> RSA is essential to work with Netscape and IIS.
> Use "changeit" as password. ( or add keypass attribute )
> You don't need to sign the certificate.
>
> You can set parameter keystore and keypass if you want
> to change the default ( user.home/.keystore with changeit )
> -->
> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
> <Parameter name="handler"
> value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
> <Parameter name="socketFactory"
> value="org.apache.tomcat.net.SSLSocketFactory" />
> <Parameter name="port"
> value="8543"/>
> <Parameter name="keystore"
> value="d:\jakarta-tomcat-3.2.1\conf\ssl\cacerts" />
> <Parameter name="keypass" value="changeit" />
> </Connector>
>
> <!-- Apache AJP12 support. This is also used to shut down tomcat.
> -->
> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
> <Parameter name="handler"
> value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
> <Parameter name="port" value="8007"/>
> </Connector>
> <!-- Apache AJP13 support.
> -->
> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
> <Parameter name="handler"
> value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
> <Parameter name="port" value="8009"/>
> </Connector>
>
>
> <!-- ==================== Special webapps ==================== -->
> <!-- You don't need this if you place your app in webapps/
> and use defaults.
> For security you'll also need to edit tomcat.policy
>
> Defaults are: debug=0, reloadable=true, trusted=false
> (trusted allows you to access tomcat internal objects
> with FacadeManager ), crossContext=true (allows you to
> access other contexts via ServletContext.getContext())
>
> If security manager is enabled, you'll have read perms.
> in the webapps dir and read/write in the workdir.
> -->
>
> <Context path="/tomcat/examples"
> docBase="webapps/examples"
> crossContext="false"
> debug="1"
> reloadable="true" >
> </Context>
>
> <!-- Admin context will use tomcat.core to add/remove/get info about
> the webapplications and tomcat internals.
> By default it is not trusted - i.e. it is not allowed access to
> tomcat internals, only informations that are available to all
> servlets are visible.
>
> If you change this to true, make sure you set a password.
> -->
> <Context path="/tomcat/admin"
> docBase="webapps/admin"
> crossContext="true"
> debug="0"
> reloadable="true"
> trusted="false" >
> </Context>
>
> <!-- Virtual host example -
> In "127.0.0.1" virtual host we'll reverse "/" and
> "/examples"
> (XXX need a better example )
> (use "http://127.0.0.1/examples" )
> <Host name="127.0.0.1" >
> <Context path=""
> docBase="webapps/examples" />
> <Context path="/tomcat/examples"
> docsBase="webapps/ROOT" />
> </Host>
> -->
>
> <Context path="/tomcat/cocoon"
> docBase="webapps/cocoon"
> debug="1"
> reloadable="true" >
> </Context>
>
> <Context path="/tomcat/test"
> docBase="webapps/test"
> crossContext="false"
> debug="0"
> reloadable="true" >
> </Context>
> <Context path="/tomcat/xsl-examples"
> docBase="webapps/xsl-examples"
> crossContext="false"
> debug="1"
> reloadable="true" >
> </Context>
> <Context path="/tomcat/xsl-doc"
> docBase="webapps/xsl-doc"
> crossContext="false"
> debug="1"
> reloadable="true" >
> </Context>
> <Context path="/tomcat/taglibs"
> docBase="webapps/taglibs"
> crossContext="false"
> debug="1"
> reloadable="true" >
> </Context>
> <Context path="/tomcat"
> docBase="webapps/ROOT"
> crossContext="false"
> debug="1"
> reloadable="true" >
> </Context>
> </ContextManager>
></Server>
>
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, email: [EMAIL PROTECTED]
>
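
The configuration quoted in this thread, run through a short audit script. This is an added example, not code from the original messages or from the mod_ssl or Tomcat projects; the keyword model of OpenSSL cipher-list syntax (including that `ALL` leaves out eNULL and that a `+` prefix only reorders), the function names and the sample strings are assumptions made for illustration.

```python
import re

# Simplified keyword model of OpenSSL cipher-list syntax (an assumption of this
# example; confirm on the real build with `openssl ciphers -v '<string>'`).
WEAK = {  # weak class -> keywords that name the whole class or a superset of it
    "EXP": {"EXP", "EXPORT"},
    "LOW": {"LOW"},
    "SSLv2": {"SSLv2"},
    "eNULL": {"eNULL", "NULL"},
    "ADH": {"ADH", "aNULL"},
}
SUBSETS = {"EXP40": "EXP", "EXPORT40": "EXP", "EXP56": "EXP", "EXPORT56": "EXP"}
ALL_INCLUDES = {"EXP", "LOW", "SSLv2", "ADH"}  # ALL does not add eNULL


def weak_classes_admitted(cipher_string):
    """Return the weak cipher classes that a cipher string leaves enabled."""
    active, banned = set(), set()
    for token in re.split(r"[:, ]+", cipher_string.strip()):
        if not token or token.startswith("@"):
            continue
        op = token[0] if token[0] in "!-+" else ""
        parts = token[len(op):].split("+")
        # Only a single keyword can clear a whole class; A+B is an intersection.
        whole = set()
        if len(parts) == 1:
            whole = {c for c, names in WEAK.items() if parts[0] in names}
        if op == "!":        # permanent removal, cannot be re-added later
            banned |= whole
            active -= whole
        elif op == "-":      # removal that a later token may undo
            active -= whole
        elif op == "+":      # only reorders ciphers that are already enabled
            continue
        else:                # bare token adds ciphers
            added = {c for c, names in WEAK.items() for p in parts if p in names}
            added |= {SUBSETS[p] for p in parts if p in SUBSETS}
            if parts == ["ALL"]:
                added = set(ALL_INCLUDES)
            active |= added - banned
    return sorted(active)


def audit(httpd_conf, server_xml):
    """Flag the weak settings discussed in this thread; returns a list of findings."""
    findings = []
    suite = re.search(r"^[ \t]*SSLCipherSuite[ \t]+(\S+)", httpd_conf, re.M)
    if suite:
        for cls in weak_classes_admitted(suite.group(1)):
            findings.append(f"SSLCipherSuite still admits {cls} ciphers")
    if re.search(r"^[ \t]*SSLCertificateFile[ \t]+\S*snakeoil", httpd_conf, re.M | re.I):
        findings.append("SSLCertificateFile points at the snakeoil test certificate")
    if re.search(r'showDebugInfo\s*=\s*"true"', server_xml):
        findings.append('showDebugInfo="true" puts stack traces in error responses')
    if re.search(r'name="keypass"\s+value="changeit"', server_xml):
        findings.append('keystore password is the default "changeit"')
    return findings


# Constructed sample: directives copied from the configuration quoted above.
SAMPLE_HTTPD = """\
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile d:/apache/conf/ssl.crt/snakeoil-rsa.crt
#SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt
"""
SAMPLE_SERVER_XML = """\
<ContextManager debug="0" workDir="work" showDebugInfo="true" >
<Parameter name="keypass" value="changeit" />
"""
# Constructed stricter string, for comparison only.
STRICTER = "HIGH:MEDIUM:!ADH:!EXP:!LOW:!SSLv2:!eNULL"

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTTPD, SAMPLE_SERVER_XML):
        print("WARN:", finding)
    print("stricter string admits:", weak_classes_admitted(STRICTER))
```

`!EXP56` removes only the 56-bit export suites, so the quoted string still leaves 40-bit export, LOW and SSLv2 suites negotiable.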