On Nov 7, 2013, at 2:08 PM, Crystal Maramba <cmara...@acumenllc.com> wrote:

> Thanks, Dan. That helps a lot.

Please don't top post.  Reply inline or at the bottom.

> 2) a. I was referring to importing another certificate to the same .keystore 
> that Instance1 is using.

A keystore file can contain multiple certificates.  You just need to specify 
which certificate to use and that is done by specifying the "keyAlias" 
attribute on your connector.

> 3) The tomcat-users.xml file is used to store the user and password for the 
> tomcat manager which is used to deploy .war files.

Ignore what I previously wrote here.  You can store hashes of your password in 
tomcat-users.xml.  To do this, you need to add the "digest" attribute on your 
Realm.  For the default configuration that would look like this.

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" digest="SHA-256" />
</Realm>

See here for more details.

  https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

Dan


> 
> -----Original Message-----
> From: Daniel Mikusa [mailto:dmik...@gopivotal.com] 
> Sent: Thursday, November 07, 2013 10:38 AM
> To: Tomcat Users List
> Subject: Re: Second Instance of Tomcat
> 
> On Nov 7, 2013, at 12:46 PM, Crystal Maramba <cmara...@acumenllc.com> wrote:
> 
>> Hi,
>> 
>> I am getting ready to deploy the Second Instance of Tomcat on the same 
>> server using different IP addresses.
>> 
>> \Tomcat\Instance1 (IP Address: xx.xx.xx.x1)
>> \Tomcat\Instance2 (IP Address: xx.xx.xx.x2)
>> 
>> I have a few questions, see below:
>> 
>> 
>> 1)     For the Tomcat server ports, I will be using the Connector Port and 
>> Redirect port to bind it to a specific IP address by using 
>> address="xx.xx.xx.xx". Is there a way to use the same Shutdown Port and 
>> AJP Port to bind it to a different IP address? Or do I have to change the 
>> Shutdown and AJP port number?
> 
> The shutdown address can be specified in Tomcat 7, not in Tomcat 6.
> 
>   https://tomcat.apache.org/tomcat-7.0-doc/config/server.html
> 
> All of the AJP connectors (Tomcat 6 & 7) support an "address" attribute.  See 
> here.
> 
>   https://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#Standard_Implementations
> 
>> 
>> 2)     Keystore:
>> 
>> a.       I am going to be using https, can I use the same .keystore to 
>> import the certificate?
> 
> Not exactly sure I follow you here.  Are you asking if you can configure the 
> connector for both instances of Tomcat to point to the same keystore file?  
> As far as I know, that's OK.
> 
> 
>> b.       If I move the .keystore to another location outside of Tomcat home, 
>> will Tomcat be able to see the .keystore if I specify the path within the 
>> server.xml file for .keystore path?
> 
> Yes.  See keystoreFile.
> 
>  https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
> 
> 
>> c.       Should I create a new .keystore for the new instance?
> 
> That's up to you.  Do whatever makes the most sense for your setup.
> 
> 
>> d.       What is the best practice for this?
> 
> It's tough to say what is a "best practice", since most environments are 
> different and what makes the most sense for you likely depends on your unique 
> environment.
> 
> What I can say is that I often see SSL terminated in front of Tomcat with a 
> dedicated hardware device or Apache HTTPD.  It performs well, plus it makes 
> sense in setups with multiple Tomcat instances because there is already 
> something in front of the Tomcat instances to load balance across them.
> 
> That doesn't mean you have to do that though.  You could terminate the SSL 
> with Tomcat and people do.  If you go this route, I'd suggest using the APR 
> or NIO connector though.  The APR connector performs the best with SSL, but 
> is a little trickier to set up.  The NIO doesn't perform as well as the APR, 
> but I believe it's better than the BIO connector and it's easy to set up.
> 
> 
>> 3)     Does anyone know a way to encrypt the clear-text passwords specified 
>> in tomcat-users.xml for the Tomcat manager and server.xml file for .keystore?
> 
> I don't know of anything for the tomcat-users.xml file.  It's my 
> understanding that this file is not recommended for production use, so you 
> should probably look at using a JDBC or LDAP realm instead.  
> 
>  https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
> 
> Another option would be to write a custom realm that decrypts the passwords.
> 
> Having said that, I believe the general suggestion here is to apply proper 
> Unix permissions on the files to control access to them.  For example, you 
> should set the owner to be the user that is running Tomcat, which should 
> *not* be root, and set the permissions to r/w only for the owner.
> 
> Dan
> 
>> 
>> Any help would be greatly appreciated.
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
> 
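An added example (not from this thread or the Tomcat project) that ties together Dan's two suggestions: it produces the digest a Tomcat 7 Realm with digest="SHA-256" expects for tomcat-users.xml (unsalted lowercase hex of the password bytes, the same output as bin/digest.sh -a SHA-256), writes it into a minimal users file, and applies and checks the owner-only permissions he recommends for tomcat-users.xml, server.xml and the keystore. It assumes a POSIX shell with GNU coreutils (sha256sum, stat); the admin user and manager-gui role are constructed sample values.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Tomcat 7's digest format
# (unsalted, lowercase hex of the password bytes, the same output as
# bin/digest.sh -a SHA-256) and GNU coreutils (sha256sum, stat).

# Hex SHA-256 of a clear-text password, as a digest="SHA-256" Realm expects.
digest_password() {
    printf '%s' "$1" | sha256sum | cut -d' ' -f1
}

# Emit one <user> element carrying the digest instead of the clear-text password.
# $1 = username, $2 = clear-text password, $3 = roles
user_element() {
    printf '<user username="%s" password="%s" roles="%s"/>\n' \
        "$1" "$(digest_password "$2")" "$3"
}

# Write a minimal tomcat-users.xml to $1 for user $2 with password $3 and the
# (constructed) manager-gui role, then restrict it to read/write by the owner only.
write_users_file() {
    {
        echo '<?xml version="1.0" encoding="UTF-8"?>'
        echo '<tomcat-users>'
        echo '  <role rolename="manager-gui"/>'
        printf '  %s\n' "$(user_element "$2" "$3" manager-gui)"
        echo '</tomcat-users>'
    } > "$1"
    chmod 600 "$1"
}

# Return 0 when $1 is mode 600 and owned by $2 (default: the invoking user),
# i.e. the permissions suggested for tomcat-users.xml, server.xml and keystores.
check_private_perms() {
    owner=${2:-$(id -un)}
    mode=$(stat -c '%a' "$1") || return 1
    [ "$mode" = "600" ] && [ "$(stat -c '%U' "$1")" = "$owner" ]
}
```

Pass the Tomcat service account as the second argument of check_private_perms when auditing a running instance, since the file should belong to that user rather than to whoever ran the script.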

