The choice of going to SSL-CERT auth puts a huge burden on your IT staff. You've got to collect all of your clients' certs, and manage them (including renewals, revocations, et al.). Except for small closed groups, it is almost always not worth the trouble.
Which headaches you want really depends on your configuration. The methods are different if you are using Apache/IIS/iPlanet in front of Tomcat, or if you are using Tomcat-Stand-Alone.

<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] et...
> Within our company we've decided to use client certificates for security.
> I've spent all week trying to get this working on Tomcat. If the client and
> server are on the same machine it's easy. But how do I do it if the client
> is on a different machine? I can get SSL working on HTTPS no problem, but
> client certificates? No way.
>
> If we can't find an answer we'll have to ban the use of Tomcat in our
> company for any serious work.
>
> Dave