Thanks Ognjen!
Please find my inline comments.

1. By "*.keystore", do you mean keystore or truststore? Do you understand
the difference between them?
- Could you please explain the difference?

2. Is your customer aware that there is no essential difference in terms of
security between JSSE and OpenSSL security implementations?

- They may not be, but I shall get confirmation from them.

3. Do you plan to use client authentication via HTTPS or not? You are
mentioning truststoreFile later.
- Yes, the customer wants to use client authentication.

4. Is your server certificate self signed or signed by trusted CA? If you
don't use client authentication using HTTPS, and your server is signed by
trusted CA, perhaps there is no need to ship certificate with your
application.
- It is self signed.


On Mon, Jan 30, 2012 at 5:06 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Geet,
>
> Bottom-posting style is standard on this list (
> http://en.wikipedia.org/wiki/Posting_style#Bottom-posting
> ).
>
>
>
> On 30.1.2012 5:42, Geet Chandra wrote:
>
>> - The customer has got a very secure environment... they don't want to use
>> the *.keystore being shipped with a particular product.
>>
>
> Uhm... lots of questions here:
>
> 1. By "*.keystore", do you mean keystore or truststore? Do you understand
> the difference between them?
>
> 2. Is your customer aware that there is no essential difference in terms of
> security between JSSE and OpenSSL security implementations?
>
> 3. Do you plan to use client authentication via HTTPS or not? You are
> mentioning truststoreFile later.
>
> 4. Is your server certificate self signed or signed by trusted CA? If you
> don't use client authentication using HTTPS, and your server is signed by
> trusted CA, perhaps there is no need to ship certificate with your
> application.
>
>
>
>> Is it possible to configure like this
>>
>> <Connector port="8446" maxHttpHeaderSize="8192"
>> protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
>>                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>>                enableLookups="false" disableUploadTimeout="true"
>>                acceptCount="100" scheme="https" secure="true"
>>                clientAuth="want" sslProtocol="TLS"
>>                keystoreFile="c:/tomcat.keystore"
>>                truststoreFile ="C:/user.cer"
>>              />
>>      @END_ENABLESTANDALONEHTTPS@-->
>>
>
> No.
>
> Parameters keystoreFile and truststoreFile are to be used with Java
> keystores. For .cer files (OpenSSL) you must use APR connector and SSL*
> attributes. See:
>
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS
>
> -Ognjen
>


-- 
Thanks & Regards
Geet
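
An added example, not part of the thread and not taken from the Tomcat documentation: the two Tomcat 6 connector forms that Ognjen's answer distinguishes, side by side. All file paths other than c:/tomcat.keystore and C:/user.cer, the alias and the passwords are placeholders, and C:/user.cer is assumed to be PEM-encoded for the APR variant.

```xml
<!-- Option A: JSSE connector, as in the question. keystoreFile and
     truststoreFile must both be Java keystores, so the .cer is first
     imported into a truststore (alias, path and password are placeholders):
       keytool -importcert -alias user -file C:/user.cer
               -keystore C:/truststore.jks -storepass changeit -->
<Connector port="8446" maxHttpHeaderSize="8192"
           protocol="org.apache.coyote.http11.Http11Protocol" SSLEnabled="true"
           scheme="https" secure="true" sslProtocol="TLS"
           clientAuth="want"
           keystoreFile="c:/tomcat.keystore" keystorePass="changeit"
           truststoreFile="C:/truststore.jks" truststorePass="changeit" />

<!-- Option B: APR connector. Certificates and keys are PEM files given
     through the SSL* attributes; keystoreFile and truststoreFile are not used.
     Requires the Tomcat Native library and, in server.xml, the listener
     <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
     C:/server.crt and C:/server.key are placeholder names for the server's
     certificate and private key. SSLVerifyClient="optional" requests a client
     certificate without requiring one, as clientAuth="want" does in Option A. -->
<Connector port="8446" maxHttpHeaderSize="8192"
           protocol="org.apache.coyote.http11.Http11AprProtocol" SSLEnabled="true"
           scheme="https" secure="true"
           SSLCertificateFile="C:/server.crt"
           SSLCertificateKeyFile="C:/server.key"
           SSLCACertificateFile="C:/user.cer"
           SSLVerifyClient="optional" />
```

Only one of the two connectors should be enabled on a given port.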
