On Nov 7, 2013, at 2:08 PM, Crystal Maramba <cmara...@acumenllc.com> wrote:

> Thanks, Dan. That helps a lot.

Please don't top post. Reply inline or at the bottom.

> 2) a. I was referring to importing another certificate to the same .keystore
> that Instance1 is using.

A keystore file can contain multiple certificates. You just need to specify which certificate to use, and that is done by specifying the "keyAlias" attribute on your connector.

> 3) The tomcat-users.xml file is used to store the user and password for the
> tomcat manager which is used to deploy .war files.

Ignore what I previously wrote here. You can store hashes of your password in tomcat-users.xml. To do this, you need to add the "digest" attribute on your Realm. For the default configuration that would look like this.

<Realm className="org.apache.catalina.realm.LockOutRealm">
  <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
         resourceName="UserDatabase" digest="SHA-256" />
</Realm>

See here for more details.

https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html

Dan

>
> -----Original Message-----
> From: Daniel Mikusa [mailto:dmik...@gopivotal.com]
> Sent: Thursday, November 07, 2013 10:38 AM
> To: Tomcat Users List
> Subject: Re: Second Instance of Tomcat
>
> On Nov 7, 2013, at 12:46 PM, Crystal Maramba <cmara...@acumenllc.com> wrote:
>
>> Hi,
>>
>> I am getting ready to deploy the Second Instance of Tomcat on the same
>> server using different IP addresses.
>>
>> \Tomcat\Instance1 (IP Address: xx.xx.xx.x1)
>> \Tomcat\Instance2 (IP Address: xx.xx.xx.x2)
>>
>> I have a few questions, see below:
>>
>> 1) For the Tomcat server ports, I will be using the Connector Port and
>> Redirect port to bind it to a specific IP address by using
>> "address="xx.xx.xx.xx"". Is there a way to use the same Shutdown Port and
>> AJP Port to bind it to a different IP address? Or do I have to change the
>> Shutdown and AJP port number?
>
> The shutdown address can be specified in Tomcat 7, not in Tomcat 6.
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/server.html
>
> All of the AJP connectors (Tomcat 6 & 7) support an "address" attribute. See
> here.
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/ajp.html#Standard_Implementations
>
>> 2) Keystore:
>>
>> a. I am going to be using https, can I use the same .keystore to
>> import the certificate?
>
> Not exactly sure I follow you here. Are you asking if you can configure the
> connector for both instances of Tomcat to point to the same keystore file?
> As far as I know, that's OK.
>
>> b. If I move the .keystore to another location outside of Tomcat home,
>> will Tomcat be able to see the .keystore if I specify the path within the
>> server.xml file for .keystore path?
>
> Yes. See keystoreFile.
>
> https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support
>
>> c. Should I create a new .keystore for the new instance?
>
> That's up to you. Do whatever makes the most sense for your setup.
>
>> d. What is the best practice for this?
>
> It's tough to say what is a "best practice", since most environments are
> different and what makes the most sense for you likely depends on your unique
> environment.
>
> What I can say is that I often see SSL terminated in front of Tomcat with a
> dedicated hardware device or Apache HTTPD. It performs well, plus it makes
> sense in setups with multiple Tomcat instances because there is already
> something in front of the Tomcat instances to load balance across them.
>
> That doesn't mean you have to do that though. You could terminate the SSL
> with Tomcat and people do. If you go this route, I'd suggest using the APR
> or NIO connector though. The APR connector performs the best with SSL, but
> is a little trickier to set up. The NIO doesn't perform as well as the APR,
> but I believe it's better than the BIO connector and it's easy to set up.
>
>> 3) Does anyone know a way to encrypt the clear-text passwords specified
>> in tomcat-users.xml for the Tomcat manager and server.xml file for .keystore?
>
> I don't know of anything for the tomcat-users.xml file. It's my
> understanding that this file is not recommended for production use, so you
> should probably look at using a JDBC or LDAP realm instead.
>
> https://tomcat.apache.org/tomcat-7.0-doc/config/realm.html
>
> Another option would be to write a custom realm that decrypts the passwords.
>
> Having said that, I believe the general suggestion here is to apply proper
> unix permissions on the files to control access to them. For example, you
> should set the owner to be the user that is running Tomcat, which should
> *not* be root, and set the permission to r/w only for the owner.
>
> Dan
>
>> Any help would be greatly appreciated.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
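As an added example (not from the thread), the pieces of Dan's answers assembled into a trimmed Tomcat 7 server.xml for Instance2: the shutdown listener, HTTPS connector and AJP connector each bound to the second address, the shared keystore with this instance's certificate chosen by keyAlias, and the digest realm for tomcat-users.xml. The address 192.0.2.2, the keystore path, the alias "instance2" and the ${keystore.password} system property are placeholders.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Instance2 binds every listener to its own IP, so it can keep the same
     port numbers as Instance1 (shutdown address needs Tomcat 7, not 6). -->
<Server port="8005" shutdown="SHUTDOWN" address="192.0.2.2">

  <GlobalNamingResources>
    <!-- Backs the UserDatabaseRealm below; pathname is relative to CATALINA_BASE -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <!-- HTTPS on the NIO connector. Both instances may point at the same
         keystore file; keyAlias selects which certificate this one presents.
         keystorePass is read from a JVM system property (placeholder name)
         rather than being written into server.xml in clear text. -->
    <Connector port="8443" address="192.0.2.2"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="/etc/tomcat/shared.keystore"
               keystorePass="${keystore.password}"
               keyAlias="instance2"
               clientAuth="false" sslProtocol="TLS" />

    <!-- AJP connectors also accept "address" -->
    <Connector port="8009" address="192.0.2.2" protocol="AJP/1.3"
               redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">
      <!-- digest="SHA-256" makes the realm compare against hashed passwords,
           so tomcat-users.xml holds the hex digest instead of the clear text:
             <user username="admin" password="<hex SHA-256 digest>" roles="manager-gui"/>
           The digest comes from bin/digest.sh -a SHA-256 <password>. -->
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase" digest="SHA-256" />
      </Realm>

      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" />
    </Engine>
  </Service>
</Server>
```

Instance1 uses the same file with its own address and keyAlias; the keystore and both conf files should still be owned by the non-root Tomcat user with owner-only permissions, as Dan's last answer describes.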