Hi Jon,

First of all, it seems that you have hijacked a thread by replying to a mail from this mailing list and changing the subject of the thread.

That might be a reason why you have not got any answers to your question yet.

On 27.03.2013 17:03, Wilmoth, Jon wrote:
> After searching through the Tomcat user forums and bug list it
> appears there are only two options to enable ldaps connections,
> without modification to the Tomcat JNDI Realm itself:
>
> 1) Start Tomcat using system properties that specify the default
> trust keystore & password (e.g. -Djavax.net.ssl.trustStore=<path to
> truststore> -Djavax.net.ssl.trustStorePassword=<password>).  The
> problem with this is it requires the password to the trust keystore be
> provided on the command line.
I don't think that you need to give a trustStorePassword when all you need is a secure connection to a TLS/SSL-based service.

You only need the password if you want to access private keys in the truststore, for example when you want to use client certificates.

HTH
 Felix

> 2) Add the CA cert to the <java-home>/lib/security/cacerts file (or
> <java-home>/lib/security/jssecacerts which has higher precedence)
> which is used as the default trust store.  This has the downside of
> tying the CA cert maintenance lifecycle to the JVM maintenance
> lifecycle (e.g. upgrades).  It also limits the reuse of a JDK
> installation across applications/Tomcat instances.
>
> Are there any plans for org.apache.catalina.realm.JNDIRealm to
> address these items via support for configuring the trust store
> path/password like org.apache.tomcat.util.net.AbstractEndpoint?
>
> Thanks,
> Jon

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
