tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From hgo...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/doc tomcat-ssl-howto.html
Date Mon, 11 Dec 2000 15:05:23 GMT
hgomez      00/12/11 07:05:22

  Modified:    src/doc  tomcat-ssl-howto.html
  Log:
  Updated documentation on SSL (SSLVars)
  
  Revision  Changes    Path
  1.3       +270 -259  jakarta-tomcat/src/doc/tomcat-ssl-howto.html
  
  Index: tomcat-ssl-howto.html
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/tomcat-ssl-howto.html,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- tomcat-ssl-howto.html	2000/11/30 07:32:46	1.2
  +++ tomcat-ssl-howto.html	2000/12/11 15:05:21	1.3
  @@ -1,259 +1,270 @@
  -<html>
  -<head>
  -    <!-- $Id  $ -->
  -    <!-- Copyright 1999, Apache Software Foundation -->
  -
  -    <meta http-equiv=Content-Type content="text/html">
  -    <link rel="stylesheet" href="style.css">
  -    <style type="text/css">
  -    .inlinetd {
  -        background-color: #E0E0E0;
  -        vertical-align: text-top;
  -        border-top: thick black;
  -        border-right: thick black;
  -        border-bottom: thick black;
  -        border-left: thick black;
  -    }
  -    .inlineth {
  -        background-color: #d0d0d0;
  -        border-top: thick black;
  -        border-right: thick black;
  -        border-bottom: thick black;
  -        border-left: thick black;
  -    }
  -    .inlinetable {
  -        width: 75%;
  -        border: thick;
  -        background-color: #000000;
  -    }
  -    .subsection { margin:20pt; }
  -    .note { margin:20pt; padding:5pt; background-color:#e0e0ff; }
  -
  -    </style>
  -
  -<title>Tomcat and SSL</title>
  -</head>
  -
  -<body>
  -<!-- Banner element, all hail the Project! --> 
  -<table border="0" width="100%" cellspacing="0" cellpadding="0">
  -  <tr> 
  -    <td width="50%" align="left"> <a href="http://jakarta.apache.org/index.html">

  -      <img src="uguide/images/banner.gif" width="350" height="100" alt="The Jakarta
Project" border="0"> 
  -      </a> </td>
  -    <td width="50%" align="right"> <img border="0" src="uguide/images/tomcat.gif"
width="100" height="71" alt="The mighty Tomcat - Meow!"> 
  -    </td>
  -  </tr>
  -</table>
  -<h1>Tomcat and SSL</h1>
  -<p>By Gomez Henri <tt>&lt;<a href="mailto:shachor@il.ibm.com">hgomez@slib.fr</a>&gt;</tt></p>
  -<h2>Table of Contents</h2>
  -<ul>
  -  <li><a href="#s2">Tomcat and SSL</a></li>
  -  <li><a href="#s3">Building tomcat with SSL support</a></li>
  -  <li><a href="#s4">Tomcat with Apache and mod_jk</a></li>
  -  <li><a href="#s5">SSL via apache</a></li>
  -  <li><a href="#s6">SSL direct</a></li>
  -  <li><a href="#s7">Credits</a></li>
  -</ul>
  -<hr>
  -<h2><a name=s2>Tomcat and SSL</a></h2>
  -<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via 
  -  an Apache SSLified (<a href="http://www.apachessl.org">Apache-SSL</a> or
apache-mod_ssl) 
  -  with the mod_jk connector.</p>
  -<hr>
  -<h2><a name=s3>Building tomcat with SSL support</a></h2>
  -<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH. 
  -  I used to clear the CLASSPATH env var to avoid conflict in jar. A common case 
  -  of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser 
  -  like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
  -<p>At build time, (via ant), tomcat will check for some libs and will then included

  -  more or less options. It's the case of SSL support. If you have the JSSE 1.0.2 
  -  jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat 
  -  will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T 
  -  BE INCLUDED in tomcat. You'll have to go to <a href="http://java.sun.com/products/jsse/%20">jsse

  -  home page </a>and download from there the domestic (US/Canada) or global archive.

  -  Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p>
  -<hr>
  -<h2><a name=s4>Tomcat with Apache and mod_jk</a></h2>
  -<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector

  -  mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL 
  -  directive is present in your httpd.conf. </p>
  -<p>Informations are :</p>
  -<table width="75%" border="1">
  -  <tr> 
  -    <td>HTTPS</td>
  -    <td>apache redirect to tomcat from an SSL area</td>
  -  </tr>
  -  <tr> 
  -    <td>SSL_SESSION_ID</td>
  -    <td>SSL session ID</td>
  -  </tr>
  -  <tr> 
  -    <td>SSL_CIPHER</td>
  -    <td>SSL CIPHER used</td>
  -  </tr>
  -  <tr> 
  -    <td>SSL_CLIENT_CERT</td>
  -    <td>SSL Certificate of client</td>
  -  </tr>
  -</table>
  -<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt 
  -  SSL vars via the following JK vars </p>
  -<ul>
  -  <li>JkExtractSSL</li>
  -  <li>JkHTTPSIndicator</li>
  -  <li>JkSESSIONIndicator</li>
  -  <li>JkCIPHERIndicator</li>
  -  <li>JkCERTSIndicator: </li>
  -</ul>
  -<p>here is an example of directive to include in httpd.conf for use with mod_ssl

  -</p>
  -<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL

  -  information to Tomact (default is On)<br>
  -  JkExtractSSL On <br>
  -  # What is the indicator for SSL (default is HTTPS)<br>
  -  JkHTTPSIndicator HTTPS <br>
  -  # What is the indicator for SSL session (default is SSL_SESSION_ID) <br>
  -  JkSESSIONIndicator SSL_SESSION_ID <br>
  -  # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br>
  -  JkCIPHERIndicator SSL_CIPHER <br>
  -  # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)

  -  <br>
  -  JkCERTSIndicator SSL_CLIENT_CERT </font></p>
  -<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and

  -  ajp13, only ajp13 could forward SSL informations to tomcat.</p>
  -<hr>
  -<h2><a name=s5>SSL via apache</a></h2>
  -<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy 
  -  usefull when using an apache-mod_ssl with tomcat.<br>
  -  This config will easily secure your webapps via Apache SSL support. Just take 
  -  care of setting these jk vars outside VirtualHost directives :</p>
  -<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile /etc/httpd/conf/workers.properties<br>
  -  JkLogFile /var/log/httpd/mod_jk.log <br>
  -  JkLogLevel warn</font> </p>
  -<p>The jk redirect stuff could be set in virtual hosts : <virtualhost _default_:443></p>
  -<p><font face="Courier New, Courier, mono" size="-1">&lt;VirtualHost _default_:443&gt;<br>
  -  SSLEngine on <br>
  -  SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
  -  <br>
  -  <br>
  -  </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br>
  -  </font><font face="Courier New, Courier, mono" size="-1"><br>
  -  Alias /alesia "/var/tomcat/webapps/alesia" <directory "/var/tomcat/webapps/alesia">

  -  <br>
  -  &lt;Directory "/var/tomcat/webapps/alesia"&gt;</directory><br>
  -  <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </directory>

  -  <br>
  -  &lt;/Directory> <br>
  -  <br>
  -  JkMount /alesia/servlet/* ajp13 <br>
  -  JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br>
  -  </location><br>
  -  &lt;Location "/alesia/WEB-INF/"><br>
  -  AllowOverride None<br>
  -  Deny from all<br>
  -  &lt;/Location> </font></p>
  -<p><font face="Courier New, Courier, mono" size="-1">&lt;/VirtualHost></font><virtualhost
_default_:443></virtualhost></p>
  -<hr>
  -<h2><a name=s6>SSL direct</a></h2>
  -<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For 
  -  more informations about SSL and certificates, I suggest you could take a look 
  -  at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation)

  -  and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p>
  -<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration
file</font></a></h3>
  -<blockquote> 
  -  <p> <font face="Courier New, Courier, mono" size="-1">To use the HTTP with
SSL 
  -    connector in tomcat, verify that it is activated in server.xml</font></p>
  -  <p><font face="Courier New, Courier, mono" size="-1">&lt;Connector className="org.apache.tomcat.service.PoolTcpConnector"&gt;<br>
  -    &lt;Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/&gt;<br>
  -    &lt;Parameter name="port" value="8443"/&gt;<br>
  -    &lt;Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"

  -    /&gt; <br>
  -    &lt;/Connector&gt; </font></p>
  -</blockquote>
  -<h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3>
  -<blockquote>
  -  <p>I succeed (at least) with my IBM JDK 1.3 after : </p>
  -</blockquote>
  -<ul>
  -  <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext

  -    (JAVA &gt; 1.2)<br>
  -    </b><br>
  -  </li>
  -  <li> from server.xml doc.You _need_ to set up a server certificate if you want

  -    this to work, and you need JSSE. <br>
  -    <br>
  -    <ul>
  -      <li> Add JSSE jars to CLASSPATH </li>
  -      <li> Edit $JAVA_HOME/jre/lib/security/java.security Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
  -      <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey

  -        -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape 
  -        and IIS. Use "changeit" as password. ( or add keypass attribute ) You 
  -        don't need to sign the certificate. You can set parameter keystore and 
  -        keypass if you want to change the default ( user.home/.keystore with changeit 
  -        )<br>
  -        <br>
  -      </li>
  -    </ul>
  -  </li>
  -  <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in $JAVA_HOME/jre/lib/ext

  -    and then add them to CLASSPATH export <br>
  -    <br>
  -    <font size="-1" face="Courier New, Courier, mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH

  -    export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br>
  -    <br>
  -    You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically 
  -    added to CLASSPATH at tomcat startup (tomcat.sh).</li>
  -</ul>
  -<p>&nbsp; </p>
  -<h3><a name=s63>Importing SSL certificates</a></h3>
  -<p>It's possible to import certificates generated with <a href="http://www.openssl.org">OpenSSL</a>.

  -  Here are the steps needed to generate such certs with OpenSSL : </p>
  -<ul>
  -  <li>To generate a new request and a new key <br>
  -    <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem
-keyout KEY.pem</font> </pre>
  -  </li>
  -  <li>To generate a self signed x509 certificate from a certificate request using

  -    a supplied key, and we want to see the text form of the output certificate 
  -    (which we will put in the file selfSign.pem 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509
-in 
  -      REQ.pem -key KEY.pem -out CERT.pem</font> </p>
  -  </li>
  -  <li>Verify that the signature is correct on a certificate request. 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify
-in 
  -      REQ.pem</font> </p>
  -  </li>
  -  <li>Verify that the signature was made using a specified public key 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify
-in 
  -      REQ.pem -key KEY.pem</font> </p>
  -  </li>
  -  <li>Print the contents of a certificate request 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -text
-in 
  -      REQ.pem</font> </p>
  -  </li>
  -  <li>To import the CERT in keystore, you just do next : 
  -    <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v
-trustcacerts 
  -      -alias tomcat -file</font> <font size="-1" face="Courier New, Courier, mono">CERT.pem</font>

  -    </p>
  -  </li>
  -</ul>
  -<hr>
  -<h2><a name=s7>Credits</a></h2>
  -<p>This document was created by <a href="mailto:hgomez@slib.fr">Gomez Henri</a>.

  -  Thanks to hgopal@cmcltd.com for import info. Feel free to contact me for more 
  -  updates.</p>
  -<table width="100%" border="0" cellpadding="10" cellspacing="0">
  -  <tr> 
  -    <td> 
  -      <p class="fineprint"> Copyright &copy;1999-2000 The Apache Software Foundation<br>
  -        <a href="http://jakarta.apache.org/legal.html">Legal Stuff They Make Us 
  -        Say</a><br>
  -        <a href="http://jakarta.apache.org/contact.html">Contact Information</a>

  -      </p>
  -    </td>
  -  </tr>
  -</table>
  -</body>
  -</html>
  -
  +<html>
  +<head>
  +    <!-- $Id  $ -->
  +    <!-- Copyright 1999, Apache Software Foundation -->
  +
  +    <meta http-equiv=Content-Type content="text/html">
  +    <link rel="stylesheet" href="style.css">
  +    <style type="text/css">
  +    .inlinetd {
  +        background-color: #E0E0E0;
  +        vertical-align: text-top;
  +        border-top: thick black;
  +        border-right: thick black;
  +        border-bottom: thick black;
  +        border-left: thick black;
  +    }
  +    .inlineth {
  +        background-color: #d0d0d0;
  +        border-top: thick black;
  +        border-right: thick black;
  +        border-bottom: thick black;
  +        border-left: thick black;
  +    }
  +    .inlinetable {
  +        width: 75%;
  +        border: thick;
  +        background-color: #000000;
  +    }
  +    .subsection { margin:20pt; }
  +    .note { margin:20pt; padding:5pt; background-color:#e0e0ff; }
  +
  +    </style>
  +
  +<title>Tomcat and SSL</title>
  +</head>
  +
  +<body>
  +<!-- Banner element, all hail the Project! --> 
  +<table border="0" width="100%" cellspacing="0" cellpadding="0">
  +  <tr> 
  +    <td width="50%" align="left"> <a href="http://jakarta.apache.org/index.html">

  +      <img src="uguide/images/banner.gif" width="350" height="100" alt="The Jakarta
Project" border="0"> 
  +      </a> </td>
  +    <td width="50%" align="right"> <img border="0" src="uguide/images/tomcat.gif"
width="100" height="71" alt="The mighty Tomcat - Meow!"> 
  +    </td>
  +  </tr>
  +</table>
  +<h1>Tomcat and SSL</h1>
  +<p>By Gomez Henri <tt>&lt;<a href="mailto:shachor@il.ibm.com">hgomez@slib.fr</a>&gt;</tt></p>
  +<h2>Table of Contents</h2>
  +<ul>
  +  <li><a href="#s2">Tomcat and SSL</a></li>
  +  <li><a href="#s3">Building tomcat with SSL support</a></li>
  +  <li><a href="#s4">Tomcat with Apache and mod_jk</a></li>
  +  <li><a href="#s5">SSL via apache</a></li>
  +  <li><a href="#s6">SSL direct</a></li>
  +  <li><a href="#s7">Credits</a></li>
  +</ul>
  +<hr>
  +<h2><a name=s2>Tomcat and SSL</a></h2>
  +<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via 
  +  an Apache SSLified (<a href="http://www.apachessl.org">Apache-SSL</a> or
apache-mod_ssl) 
  +  with the mod_jk connector.</p>
  +<hr>
  +<h2><a name=s3>Building tomcat with SSL support</a></h2>
  +<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH. 
  +  I used to clear the CLASSPATH env var to avoid conflict in jar. A common case 
  +  of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser 
  +  like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
  +<p>At build time, (via ant), tomcat will check for some libs and will then included

  +  more or less options. It's the case of SSL support. If you have the JSSE 1.0.2 
  +  jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat 
  +  will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T 
  +  BE INCLUDED in tomcat. You'll have to go to <a href="http://java.sun.com/products/jsse/%20">jsse

  +  home page </a>and download from there the domestic (US/Canada) or global archive.

  +  Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p>
  +<hr>
  +<h2><a name=s4>Tomcat with Apache and mod_jk</a></h2>
  +<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector

  +  mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL 
  +  directive is present in your httpd.conf. </p>
  +<p>Informations are :</p>
  +<table width="75%" border="1">
  +  <tr> 
  +    <td>HTTPS</td>
  +    <td>apache redirect to tomcat from an SSL area</td>
  +  </tr>
  +  <tr> 
  +    <td>SSL_SESSION_ID</td>
  +    <td>SSL session ID</td>
  +  </tr>
  +  <tr> 
  +    <td>SSL_CIPHER</td>
  +    <td>SSL CIPHER used</td>
  +  </tr>
  +  <tr> 
  +    <td>SSL_CLIENT_CERT</td>
  +    <td>SSL Certificate of client</td>
  +  </tr>
  +</table>
  +<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt 
  +  SSL vars via the following JK vars </p>
  +<ul>
  +  <li>JkExtractSSL</li>
  +  <li>JkHTTPSIndicator</li>
  +  <li>JkSESSIONIndicator</li>
  +  <li>JkCIPHERIndicator</li>
  +  <li>JkCERTSIndicator: </li>
  +</ul>
  +<p>here is an example of directive to include in httpd.conf for use with mod_ssl

  +</p>
  +<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL

  +  information to Tomact (default is On)<br>
  +  JkExtractSSL On <br>
  +  # What is the indicator for SSL (default is HTTPS)<br>
  +  JkHTTPSIndicator HTTPS <br>
  +  # What is the indicator for SSL session (default is SSL_SESSION_ID) <br>
  +  JkSESSIONIndicator SSL_SESSION_ID <br>
  +  # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br>
  +  JkCIPHERIndicator SSL_CIPHER <br>
  +  # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT)

  +  <br>
  +  JkCERTSIndicator SSL_CLIENT_CERT </font></p>
  +<p>When using mod_jk with Apache & mod_ssl it is essential to specify "SSLOptions

  +  +StdEnvVars +ExportCertData" in the httpd.conf file.<br>
  +  Otherwise mod_ssl will not produce the neccessary environment variables for 
  +  mod_jk. (Tilo Christ &lt;tilo.christ@med.siemens.de&gt;)</p>
  +<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and

  +  ajp13, only ajp13 could forward SSL informations to tomcat.</p>
  +<hr>
  +<h2><a name=s5>SSL via apache</a></h2>
  +<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy 
  +  usefull when using an apache-mod_ssl with tomcat.<br>
  +  This config will easily secure your webapps via Apache SSL support. Just take 
  +  care of setting these jk vars outside VirtualHost directives :</p>
  +<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile /etc/httpd/conf/workers.properties<br>
  +  JkLogFile /var/log/httpd/mod_jk.log <br>
  +  JkLogLevel warn</font> </p>
  +<p>The jk redirect stuff could be set in virtual hosts : <virtualhost _default_:443></p>
  +<p><font face="Courier New, Courier, mono" size="-1">&lt;VirtualHost _default_:443&gt;<br>
  +  SSLEngine on <br>
  +  SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
  +  <br>
  +  <br>
  +  </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br>
  +  </font><font face="Courier New, Courier, mono" size="-1"><br>
  +  Alias /alesia "/var/tomcat/webapps/alesia" <directory "/var/tomcat/webapps/alesia">

  +  <br>
  +  &lt;Directory "/var/tomcat/webapps/alesia"&gt;</directory><br>
  +  <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </directory>

  +  <br>
  +  &lt;/Directory> <br>
  +  <br>
  +  JkMount /alesia/servlet/* ajp13 <br>
  +  JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br>
  +  </location><br>
  +  &lt;Location "/alesia/WEB-INF/"><br>
  +  AllowOverride None<br>
  +  Deny from all<br>
  +  &lt;/Location> </font></p>
  +<p><font face="Courier New, Courier, mono" size="-1">&lt;/VirtualHost></font><virtualhost
_default_:443></virtualhost></p>
  +<hr>
  +<h2><a name=s6>SSL direct</a></h2>
  +<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For 
  +  more informations about SSL and certificates, I suggest you could take a look 
  +  at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation)

  +  and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p>
  +<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration
file</font></a></h3>
  +<blockquote> 
  +  <p> To use the HTTP with SSL connector in tomcat, verify that it is activated 
  +    in server.xml</p>
  +  <p><font face="Courier New, Courier, mono" size="-1">&lt;Connector className="org.apache.tomcat.service.PoolTcpConnector"&gt;<br>
  +    &lt;Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/&gt;<br>
  +    &lt;Parameter name="port" value="8443"/&gt;<br>
  +    &lt;Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"

  +    /&gt;<br>
  +    &lt;Parameter name="keystore" value="/var/tomcat/conf/keystore" /&gt;</font><font
face="Courier New, Courier, mono" size="-1"> 
  +    <br>
  +    &lt;Parameter name="keypass" value="changeit"/&gt;<br>
  +    &lt;Parameter name="clientAuth" value="true"/&gt; <br>
  +    &lt;/Connector&gt; </font></p>
  +  <p>In this example we indicate the keystore is file <b>/var/tomcat/conf/keystore</b>.

  +    The keystore password is <b>changeit</b> and we want client to authentificate.</p>
  +  <blockquote>&nbsp;</blockquote>
  +</blockquote>
  +<h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3>
  +<blockquote>
  +  <p>I succeed (at least) with my IBM JDK 1.3 after : </p>
  +</blockquote>
  +<ul>
  +  <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext

  +    (JAVA &gt; 1.2)<br>
  +    </b><br>
  +  </li>
  +  <li> from server.xml doc.You _need_ to set up a server certificate if you want

  +    this to work, and you need JSSE. <br>
  +    <br>
  +    <ul>
  +      <li> Add JSSE jars to CLASSPATH </li>
  +      <li> Edit $JAVA_HOME/jre/lib/security/java.security Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
  +      <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey

  +        -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape 
  +        and IIS. Use "changeit" as password. ( or add keypass attribute ) You 
  +        don't need to sign the certificate. You can set parameter keystore and 
  +        keypass if you want to change the default ( user.home/.keystore with changeit 
  +        )<br>
  +        <br>
  +      </li>
  +    </ul>
  +  </li>
  +  <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in $JAVA_HOME/jre/lib/ext

  +    and then add them to CLASSPATH export <br>
  +    <br>
  +    <font size="-1" face="Courier New, Courier, mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH

  +    export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br>
  +    <br>
  +    You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically 
  +    added to CLASSPATH at tomcat startup (tomcat.sh).</li>
  +</ul>
  +<p>&nbsp; </p>
  +<h3><a name=s63>Importing SSL certificates</a></h3>
  +<p>It's possible to import certificates generated with <a href="http://www.openssl.org">OpenSSL</a>.

  +  Here are the steps needed to generate such certs with OpenSSL : </p>
  +<ul>
  +  <li>To generate a new request and a new key <br>
  +    <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem
-keyout KEY.pem</font> </pre>
  +  </li>
  +  <li>To generate a self signed x509 certificate from a certificate request using

  +    a supplied key, and we want to see the text form of the output certificate 
  +    (which we will put in the file selfSign.pem 
  +    <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509
-in 
  +      REQ.pem -key KEY.pem -out CERT.pem</font> </p>
  +  </li>
  +  <li>Verify that the signature is correct on a certificate request. 
  +    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify
-in 
  +      REQ.pem</font> </p>
  +  </li>
  +  <li>Verify that the signature was made using a specified public key 
  +    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify
-in 
  +      REQ.pem -key KEY.pem</font> </p>
  +  </li>
  +  <li>Print the contents of a certificate request 
  +    <p><font face="Courier New, Courier, mono" size="-1">openssl req -text
-in 
  +      REQ.pem</font> </p>
  +  </li>
  +  <li>To import the CERT in keystore, you just do next : 
  +    <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v
-trustcacerts 
  +      -alias tomcat -file</font> <font size="-1" face="Courier New, Courier, mono">CERT.pem</font>

  +    </p>
  +  </li>
  +</ul>
  +<hr>
  +<h2><a name=s7>Credits</a></h2>
  +<p>This document was created by <a href="mailto:hgomez@slib.fr">Gomez Henri</a>.

  +  Thanks to hgopal@cmcltd.com for import info. Feel free to contact me for more 
  +  updates.</p>
  +<table width="100%" border="0" cellpadding="10" cellspacing="0">
  +  <tr> 
  +    <td> 
  +      <p class="fineprint"> Copyright &copy;1999-2000 The Apache Software Foundation<br>
  +        <a href="http://jakarta.apache.org/legal.html">Legal Stuff They Make Us 
  +        Say</a><br>
  +        <a href="http://jakarta.apache.org/contact.html">Contact Information</a>

  +      </p>
  +    </td>
  +  </tr>
  +</table>
  +</body>
  +</html>
  +
  
  
  

Mime
View raw message