Chris,
Back at my desk and going through your notes again.
On 6/14/22 14:43, Rob Sargent wrote:
Let's get one thing working at a time. I reviewed this thread, and I
honestly can't figure out exactly what you are trying to do. Can you
please clarify?
1. "I want to get Tomcat working as a server with a TLS
Certificate." This can be self-signed, or it can be signed by a real
Certificate Authority. The process is almost the same, except you
have to send something to the CA.
2. "I want to get Tomcat working as a server with a TLS Certificate,
AND I want to demand that all clients connecting also present a
client-certificate to authenticate."
Which of the above is it?
I believe I can live with #1. I'm using a self-signed cert for sure.
Okay, that's good because it reduces the complexity of this whole
operation by ~50%.
Because the server-side cert is self-signed, it likely means that each
client will have to import the server-cert into the /client/
trust-store. Either that, or you can "ignore warnings" but IMO that's
a significant reduction in security. We can talk about that, later.
Your server should not have to configure a trust store, full stop.
At the moment it's named in the read-in properties file but not actually
acted on in the code. TODO!
You might not need it. You only need a trust store if you want
option #2 from above.
The clients get them from command line -D properties
defvs += F" -Djavax.net.ssl.keyStore=/ppr/certs/sgs10.0.2.118.p12 -Djavax.net.ssl.keyStoreType=PKCS12 -Djavax.net.ssl.keyStorePassword=changeit"
defvs += F" -Djavax.net.ssl.trustStore=/ppr/certs/fullca.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=changeit"
But as I said "It's working" so I'm likely to let sleeping dogs lie.
Okay, so if your clients (connecting to your Tomcat, right?) are
using keystores, then... it sounds like you want option #2
My embedded tomcat is mainly there to mediate between db and analysis
clients. I just need the traffic between the two to be encrypted.
You mention 3 parties: HTTP clients, HTTP server (Tomcat), and db.
Which links must be encrypted? (I would answer "all links should be
encrypted", but encrypting between app <- -> db is a whole different
process.)
I am under an edict to encrypt ALL traffic within my AWS set-up. I have
the tomcat-postgres using SSL (verify-full). This is NOT a high traffic
situation.
I'll re-re-read the rest of your message until I get it right.
Thanks ever so much.
rjs
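As an added example that is not part of this thread (neither Rob's nor Chris's code), here is what option #1 and the "import the server-cert into the client trust-store" advice look like as concrete openssl steps: one self-signed server certificate, a PKCS12 keystore for the server (the role of the sgs10.0.2.118.p12 file above) and a separate cert-only PKCS12 trust store for the clients (the role of fullca.p12). The directory, the password "changeit", the CN and the SAN are assumptions; the IP in the SAN is only borrowed from the keystore filename in the thread. The two verify functions show the difference between a client that has imported the cert and one that has not.

```shell
#!/bin/sh
# Added example, not from the thread. Builds the self-signed server keystore
# and the client trust store for option #1 (server-only TLS).
set -eu

# Generate a self-signed server certificate and key. The SAN must match what
# clients actually connect to (IP or DNS name) or hostname verification fails,
# which is what "verify-full"-style checking in the client enforces.
make_selfsigned_bundle() {
    dir="$1"
    san="${2:-IP:10.0.2.118}"   # assumed SAN, borrowed from the keystore name in the thread
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=tomcat-sgs" -addext "subjectAltName=$san" \
        -keyout "$dir/server.key" -out "$dir/server.crt" 2>/dev/null
    # Server keystore: private key + certificate. This is the only side that
    # needs a key store; the server does not need a trust store for option #1.
    openssl pkcs12 -export -name tomcat -in "$dir/server.crt" -inkey "$dir/server.key" \
        -out "$dir/server.p12" -passout pass:changeit
    # Client trust store: ONLY the certificate, no private key. Each client
    # imports this so it can trust the self-signed server without "ignore warnings".
    openssl pkcs12 -export -nokeys -name tomcat-ca -in "$dir/server.crt" \
        -out "$dir/client-truststore.p12" -passout pass:changeit
}

# A client whose trust store contains the server cert: verification succeeds.
verify_with_truststore() {
    dir="$1"
    openssl verify -CAfile "$dir/server.crt" "$dir/server.crt" >/dev/null 2>&1
}

# A client with an empty trust store (no CAfile, and the system CA bundle
# disabled): verification fails with "self signed certificate". That failure
# is exactly the warning an "ignore warnings" setting would hide.
verify_without_truststore() {
    dir="$1"
    openssl verify -no-CAfile -no-CApath "$dir/server.crt" >/dev/null 2>&1
}
```

Usage: `d=$(mktemp -d); make_selfsigned_bundle "$d"; verify_with_truststore "$d" && echo trusted`. The point of the cert-only trust store is that a client can check the server without holding any private key; the keyStore properties in the quoted -D flags are only needed for option #2. One caveat when the client is Java: keytool lists a trusted PKCS12 entry as trustedCertEntry only when it carries Oracle's trusted-key-usage attribute, which `keytool -importcert` adds and plain openssl may not, so check the store with `keytool -list` before relying on it.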
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org