Thanks Chris,
I'd seen a lot of traffic on the topic over the years, so knew someone had 
real-world experience on the subject.
I'll check out what you did a little further.
Of course, thinking on my proposed plan, a really uptight security admin might 
not think it all that more secure than basic-auth over server-only SSL.
You know the type: the guy that insists the SSLPassword value in server.xml be 
encrypted.
Jeff

> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: Friday, July 13, 2012 9:30 PM
> To: Tomcat Users List
> Subject: Re: Client Authentication using SSL
> 
> Jeffrey,
> 
> On 7/12/12 9:44 AM, Jeffrey Janner wrote:
> > Is there anyone who's implemented true-client SSL auth over APR that
> > would be willing to share hints/tips on how they handled certificate
> > distributions, etc.?
> 
> I wasn't using APR -- though it shouldn't be too terrible to switch
> from JSK configuration to openssl ; openssl is a *lot* more
> straightforward IMO -- and I wasn't actually using CLIENT-AUTH, but I
> did some playing-around a few years ago and posted a bunch to the list
> about it. Here's one of the threads:
> http://markmail.org/thread/vxwwli5nzt4itfr2
> 
> You could also look around the archives in the same general time period
> (fall 2009) for other semi-related posts by me. I wasn't able to find a
> post that said "Here's what I actually got working" though I'm
> reasonably certain I actually did do that.
> 
> Finally, there is a (relatively) new <Realm> configuration attribute
> that you might want to check out if you want to use CLIENT-CERT:
> X509UsernameRetrieverClassName
> 
> http://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
> 
> -chris