tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Coetmeur, Alain" <alain.coetm...@icdc.caissedesdepots.fr>
Subject RE: Apache mod_SSL and Tomcat using mod_jk
Date Tue, 16 Jan 2001 11:50:09 GMT

-----Message d'origine-----
De: Pete Ehli [mailto:peteehli@teleport.com]
Date: mardi 16 janvier 2001 08:34
À: tomcat-user@jakarta.apache.org
Objet: Apache mod_SSL and Tomcat using mod_jk


>Hello I am new to Apache and am using mod_ssl Apache server 
>connected with Tomcat via the mod_jk module - 
I've just done that ... (absolute beginer)

>I get the following
> warning when starting Apache after I start tomcat 
>"Loaded DSO modules/mod_jk.dll uses plain Apache 1.3 API, 
>this module might crash under EAPI! (Please recompile it with -DEAPI)

same for me... it seems to works anyway...

note that I had to install JSSE 102 from sun java site...
I've put it into the JRE 1.3 as documented (jar in lib/ext)
and changed the security provider list in some properties file
as documented...

For tomcat servlet/jsp to be able to call-back HTTPS as a client
I had to add a -D... that sets the implementor of URL...
documented in JSSE also...
I also had to set the keystore of jsse

extract from tomcat.bat:
:runServer
rem Running Tomcat in this window
if "%2" == "-security" goto runSecure
%_RUNJAVA% %TOMCAT_OPTS% -Dtomcat.home="%TOMCAT_HOME%"
-Djavax.net.ssl.trustStore="%TOMCAT_HOME%/conf/ssl/cacerts"
-Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
org.apache.tomcat.startup.Tomcat %2 %3 %4 %5 %6 %7 %8 %9
goto cleanup




> I am trying to get Apache and Tomcat to use SSL . 
>I don't have a certificate configured and get the following error  
>"localhost:443 should be SSL-aware but has no certificate configured 
>[Hint: SSLCertificateFile]" Can someone point me to the exact directions 
>on how to configure a certificate and also will this module 

I had to use the snakeoil certificates an keys as documented...
all is configured in a virtual host on port 443...

the last problem is tha the snakeoil certificate
have a /CN= different from my host DNS name
(sure, it is a dummy certificate),
and thus the HTTPS URL connector refuse to trust
an HTTPS server whose certificat CN is different from
it's DNS name...

I've found example of config files on the web...
note the the ifdefined SSL does not works with the apache/mod_ssl
found on mod_ssl.org... I have used the IfModule mod_ssl.c

I've put parts of the config files at the end...


>
>mod_jk work with the version of Apache I am using - 
>Apache_1.3.14-mod_ssl_2.7.2-openssl_0.96-win32.zip  
>and Tomcat 3.2.1 I have configured this via the documentation 
>in Tomcat. Any ideas or suggestion on where to go form here
> would be much appreciated

if some one can explai me how to generate
a good server certificat with openssl or
keytool...  8)



------------------------------
here is the SSL config included at the end of the
httpd.conf in apache

##
##  SSL Support
##
##  When we also provide SSL we have to listen to the 
##  standard HTTP port (see above) and to the HTTPS port
##

LoadModule ssl_module modules/ApacheModuleSSL.dll

<IfModule mod_ssl.c>

Listen 8000
Listen 8443
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl    .crl

#   Pass Phrase Dialog:
#   Configure the pass phrase gathering process.
#   The filtering dialog program (`builtin' is a internal
#   terminal dialog) has to provide the pass phrase on stdout.
SSLPassPhraseDialog  builtin

#   Inter-Process Session Cache:
#   Configure the SSL Session Cache: First either `none'
#   or `dbm:/path/to/file' for the mechanism to use and
#   second the expiring timeout (in seconds).
#SSLSessionCache        none
#SSLSessionCache        shm:logs/ssl_scache(512000)
SSLSessionCache         dbm:logs/ssl_scache
SSLSessionCacheTimeout  300

#   Semaphore:
#   Configure the path to the mutual explusion semaphore the
#   SSL engine uses internally for inter-process synchronization. 
#SSLMutex  file:logs/ssl_mutex

#   Pseudo Random Number Generator (PRNG):
#   Configure one or more sources to seed the PRNG of the 
#   SSL library. The seed data should be of good random quality.
#   WARNING! On some platforms /dev/random blocks if not enough entropy
#   is available. This means you then cannot use the /dev/random device
#   because it would lead to very long connection times (as long as
#   it requires to make more entropy available). But usually those
#   platforms additionally provide a /dev/urandom device which doesn't
#   block. So, if available, use this one instead. Read the mod_ssl User
#   Manual for more details.
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
#SSLRandomSeed startup file:/dev/random  512
#SSLRandomSeed startup file:/dev/urandom 512
#SSLRandomSeed connect file:/dev/random  512
#SSLRandomSeed connect file:/dev/urandom 512

#   Logging:
#   The home of the dedicated SSL protocol logfile. Errors are
#   additionally duplicated in the general error log file.  Put
#   this somewhere where it cannot be used for symlink attacks on
#   a real server (i.e. somewhere where only root can write).
#   Log levels are (ascending order: higher ones include lower ones):
#   none, error, warn, info, trace, debug.
SSLLog      logs/ssl_engine.log
SSLLogLevel info


##
## SSL Virtual Host Context
##

<VirtualHost _default_:8443>

#  General setup for the virtual host
DocumentRoot "d:/apache/htdocs"
ServerName maui.idt.cdc.fr
ServerAdmin alain.coetmeur@icdc.caissedesdepots.fr
ErrorLog logs/ssl_error.log
TransferLog logs/ssl_access.log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again. A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile d:/apache/conf/ssl.crt/snakeoil-rsa.crt
#SSLCertificateFile @@ServerRoot@@/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile d:/apache/conf/ssl.key/snakeoil-rsa.key
#SSLCertificateKeyFile d:/apache/conf/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convinience.
#SSLCertificateChainFile d:/apache/conf/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath d:/apache/conf/ssl.crt
#SSLCACertificateFile d:/apache/conf/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath d:/apache/conf/ssl.crl
#SSLCARevocationFile d:/apache/conf/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)-/ \
#            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
#            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
#            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
#            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20       ) \
#           or %{REMOTE_ADDR} =~ m/^192\.76\.162\.[0-9]+$/
#</Location>

#   SSL Engine Options:
#   Set various options for the SSL engine.
#   o FakeBasicAuth:
#     Translate the client X.509 into a Basic Authorisation.  This means
that
#     the standard Auth/DBMAuth methods can be used for access control.  The
#     user name is the `one line' version of the client's X.509 certificate.
#     Note that no password is obtained from the user. Every entry in the
user
#     file needs this password: `xxj31ZMTZzkVA'.
#   o ExportCertData:
#     This exports two additional environment variables: SSL_CLIENT_CERT and
#     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
#     server (always existing) and the client (only existing when client
#     authentication is used). This can be used to import the certificates
#     into CGI scripts.
#   o StdEnvVars:
#     This exports the standard SSL/TLS related `SSL_*' environment
variables.
#     Per default this exportation is switched off for performance reasons,
#     because the extraction step is an expensive operation and is usually
#     useless for serving static content. So one usually enables the
#     exportation for CGI and SSI requests only.
#   o CompatEnvVars:
#     This exports obsolete environment variables for backward compatibility
#     to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use
this
#     to provide compatibility to existing CGI scripts.
#   o StrictRequire:
#     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
#     under a "Satisfy any" situation, i.e. when it applies access is denied
#     and no other module can change it.
#   o OptRenegotiate:
#     This enables optimized SSL connection renegotiation handling when SSL
#     directives are used in per-directory context. 
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "d:/Apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

#   SSL Protocol Adjustments:
#   The safe and default but still SSL/TLS standard compliant shutdown
#   approach is that mod_ssl sends the close notify alert but doesn't wait
for
#   the close notify alert from client. When you need a different shutdown
#   approach you can use one of the following variables:
#   o ssl-unclean-shutdown:
#     This forces an unclean shutdown when the connection is closed, i.e. no
#     SSL close notify alert is send or allowed to received.  This violates
#     the SSL/TLS standard but is needed for some brain-dead browsers. Use
#     this when you receive I/O errors because of the standard approach
where
#     mod_ssl sends the close notify alert.
#   o ssl-accurate-shutdown:
#     This forces an accurate shutdown when the connection is closed, i.e. a
#     SSL close notify alert is send and mod_ssl waits for the close notify
#     alert of the client. This is 100% SSL/TLS standard compliant, but in
#     practice often causes hanging connections with brain-dead browsers.
Use
#     this only for browsers where you know that their SSL implementation
#     works correctly. 
#   Notice: Most problems of broken clients are also related to the HTTP
#   keep-alive facility, so you usually additionally want to disable
#   keep-alive for those clients, too. Use variable "nokeepalive" for this.
#   Similarly, one has to force some clients to use HTTP/1.0 to workaround
#   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
#   "force-response-1.0" for this.
SetEnvIf User-Agent ".*MSIE.*" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0

#   Per-Server Logging:
#   The home of a custom SSL log file. Use this when you want a
#   compact non-error SSL logfile on a virtual host basis.
CustomLog logs/ssl_request.log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

 
  JkMount /tomcat/*/servlet/* ajp13
  JkMount /tomcat/*.jsp ajp13
  JkMount /tomcat/cocoon/*.xml ajp13
  JkMount /*.jsp ajp13
  JkMount /servlet/* ajp13


</VirtualHost>                                  

</IfModule>
--------------------------------------

part added to the the httpd.conf,
relative to tomcat


###################################################################
# Auto generated configuration. Dated: Mon Jan 08 12:06:07 CET 2001
###################################################################

#
# The following line instructs Apache to load the jk module
#
LoadModule jk_module modules/mod_jk.dll

JkWorkersFile "D:/jakarta-tomcat-3.2.1/conf/workers.properties"
JkLogFile "D:/jakarta-tomcat-3.2.1/logs/mod_jk.log"

#
# Log level to be used by mod_jk
#
JkLogLevel error

###################################################################
#                     SSL configuration                           #
# 
# By default mod_jk is configured to collect SSL information from
# the apache environment and send it to the Tomcat workers. The
# problem is that there are many SSL solutions for Apache and as
# a result the environment variable names may change.
#
# The following (commented out) JK related SSL configureation
# can be used to customize mod_jk's SSL behaviour.
# 
# Should mod_jk send SSL information to Tomact (default is On)
# JkExtractSSL Off
# 
# What is the indicator for SSL (default is HTTPS)
# JkHTTPSIndicator HTTPS
# 
# What is the indicator for SSL session (default is SSL_SESSION_ID)
# JkSESSIONIndicator SSL_SESSION_ID
# 
# What is the indicator for client SSL cipher suit (default is SSL_CIPHER)
# JkCIPHERIndicator SSL_CIPHER
# 
# What is the indicator for the client SSL certificated (default is
SSL_CLIENT_CERT)
# JkCERTSIndicator SSL_CLIENT_CERT
# 
#                                                                 #
###################################################################

#
# Root context mounts for Tomcat
#
JkMount /*.jsp ajp13
JkMount /servlet/* ajp13

#########################################################
# Auto configuration for the /examples context starts.
#########################################################

#
# The following line makes apache aware of the location of the /examples
context
#
Alias /tomcat/examples "D:/jakarta-tomcat-3.2.1/webapps/examples"
<Directory "D:/jakarta-tomcat-3.2.1/webapps/examples">
    Options Indexes FollowSymLinks
</Directory>

#
# The following line mounts all JSP files and the /servlet/ uri to tomcat
#
JkMount /tomcat/examples/servlet/* ajp13
JkMount /tomcat/examples/*.jsp ajp13

#
# The following line prohibits users from directly accessing WEB-INF
#
<Location "/tomcat/examples/WEB-INF/">
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "D:/jakarta-tomcat-3.2.1/webapps/examples/WEB-INF/">
    AllowOverride None
    deny from all
</Directory>

#
# The following line prohibits users from directly accessing META-INF
#
<Location "/tomcat/examples/META-INF/">
    AllowOverride None
    deny from all
</Location>
#
# Use Directory too. On Windows, Location doesn't work unless case matches
#
<Directory "D:/jakarta-tomcat-3.2.1/webapps/examples/META-INF/">
    AllowOverride None
    deny from all
</Directory>

#######################################################
# Auto configuration for the /examples context ends.
#######################################################



----- server.xml for tomcat

<?xml version="1.0" encoding="ISO-8859-1"?>

<Server>
    <!-- Debug low-level events in XmlMapper startup -->
    <xmlmapper:debug level="0" />

    <!-- 

    Logging:

         Logging in Tomcat is quite flexible; we can either have a log
         file per module (example: ContextManager) or we can have one
         for Servlets and one for Jasper, or we can just have one
         tomcat.log for both Servlet and Jasper.  Right now there are
         three standard log streams, "tc_log", "servlet_log", and
         "JASPER_LOG".  

	 Path: 

	 The file to which to output this log, relative to
	 TOMCAT_HOME.  If you omit a "path" value, then stderr or
	 stdout will be used.

	 Verbosity: 

	 Threshold for which types of messages are displayed in the
	 log.  Levels are inclusive; that is, "WARNING" level displays
	 any log message marked as warning, error, or fatal.  Default
	 level is WARNING.

	 verbosityLevel values can be: 
	    FATAL
	    ERROR
	    WARNING 
            INFORMATION
            DEBUG

	 Timestamps:

	 By default, logs print a timestamp in the form "yyyy-MM-dd
	 hh:mm:ss" in front of each message.  To disable timestamps
	 completely, set 'timestamp="no"'. To use the raw
	 msec-since-epoch, which is more efficient, set
	 'timestampFormat="msec"'.  If you want a custom format, you
	 can use 'timestampFormat="hh:mm:ss"' following the syntax of
	 java.text.SimpleDateFormat (see Javadoc API).  For a
	 production environment, we recommend turning timestamps off,
	 or setting the format to "msec".

	 Custom Output:

	 "Custom" means "normal looking".  "Non-custom" means
	 "surrounded with funny xml tags".  In preparation for
	 possibly disposing of "custom" altogether, now the default is
	 'custom="yes"' (i.e. no tags)

	 Per-component Debugging:

	 Some components accept a "debug" attribute.  This further
	 enhances log output.  If you set the "debug" level for a
	 component, it may output extra debugging information.
    -->

    <!-- if you don't want messages on screen, add the attribute
            path="logs/tomcat.log" 
	 to the Logger element below
    -->
    <Logger name="tc_log" 
            verbosityLevel = "INFORMATION" 
    />

    <Logger name="servlet_log" 
            path="logs/servlet.log"
    />

    <Logger name="JASPER_LOG" 
	    path="logs/jasper.log"
            verbosityLevel = "INFORMATION" />

    <!-- You can add a "home" attribute to represent the "base" for 
         all relative paths. If none is set, the TOMCAT_HOME property
         will be used, and if not set "." will be used.
         webapps/, work/ and logs/ will be relative to this ( unless 
         set explicitely to absolute paths ).

         You can also specify a "randomClass" attribute, which determines 
         a subclass of java.util.Random will be used for generating session
IDs.
         By default this is "java.security.SecureRandom". 
         Specifying "java.util.Random" will speed up Tomcat startup, 
         but it will cause sessions to be less secure.

         You can specify the "showDebugInfo" attribute to control whether
         debugging information is displayed in Tomcat's default responses.
         This debugging information includes:
             1. Stack traces for exceptions
             2. Request URI's that cause status codes >= 400
         The default is "true", so you must specify "false" to prevent
         the debug information from appearing.  Since the debugging
         information reveals internal details about what Tomcat is serving,
         set showDebugInfo="false" if you wish increased security.
      -->
    <ContextManager debug="0" workDir="work" showDebugInfo="true" >

      <!-- ==================== Interceptors ==================== -->

        <!-- 
         ContextInterceptor className="org.apache.tomcat.context.LogEvents" 
         -->
        
        <ContextInterceptor className="org.apache.tomcat.context.AutoSetup"
/>

        <ContextInterceptor 
            className="org.apache.tomcat.context.WebXmlReader" />

        <!-- Uncomment out if you have JDK1.2 and want to use policy 
        <ContextInterceptor 
            className="org.apache.tomcat.context.PolicyInterceptor" />
        -->

        <ContextInterceptor 
            className="org.apache.tomcat.context.LoaderInterceptor" />
        <ContextInterceptor 
            className="org.apache.tomcat.context.DefaultCMSetter" />
        <ContextInterceptor 
            className="org.apache.tomcat.context.WorkDirInterceptor" />

        <!-- Request processing -->
        <!-- Session interceptor will extract the session id from cookies
and 
             deal with URL rewriting ( by fixing the URL ).  If you wish to
             suppress the use of cookies for session identifiers, change the
             "noCookies" attribute to "true"
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.SessionInterceptor"
            noCookies="false" />

        <!-- Find the container ( context and prefix/extension map ) 
             for a request.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.SimpleMapper1" 
            debug="0" />

        <!-- Non-standard invoker, for backward compat. ( /servlet/* )
             You can modify the prefix that is matched by adjusting the
             "prefix" parameter below.  Be sure your modified pattern
             starts and ends with a slash.

             NOTE:  This prefix applies to *all* web applications that
             are running in this instance of Tomcat.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.InvokerInterceptor" 
            debug="0" prefix="/servlet/" />

        <!-- "default" handler - static files and dirs.  Set the
             "suppress" property to "true" to suppress directory listings
             when no welcome file is present.

             NOTE:  This setting applies to *all* web applications that
             are running in this instance of Tomcat.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.StaticInterceptor" 
            debug="0" suppress="false" />

        <!-- Plug a session manager. You can plug in more advanced session
             modules.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.session.StandardSessionInterceptor"
/>

        <!-- Check if the request requires an authenticated role.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.AccessInterceptor" 
            debug="0" />

        <!-- Check permissions using the simple xml file. You can 
             plug more advanced authentication modules.
          -->
        <RequestInterceptor 
            className="org.apache.tomcat.request.SimpleRealm" 
            debug="0" />

       <!-- UnComment the following and comment out the
            above to get a JDBC realm.
            Other options for driverName: 
              driverName="oracle.jdbc.driver.OracleDriver"
              connectionURL="jdbc:oracle:thin:@ntserver:1521:ORCL"
              connectionName="scott"
              connectionPassword="tiger"

              driverName="org.gjt.mm.mysql.Driver"
              connectionURL="jdbc:mysql://localhost/authority"
              connectionName="test"
              connectionPassword="test"

            "connectionName" and "connectionPassword" are optional.
        -->
        <!--
        <RequestInterceptor 
            className="org.apache.tomcat.request.JDBCRealm" 
            debug="99" 
	    driverName="sun.jdbc.odbc.JdbcOdbcDriver" 
	    connectionURL="jdbc:odbc:TOMCAT" 
	    userTable="users" 
            userNameCol="user_name" 
            userCredCol="user_pass" 
	    userRoleTable="user_roles" 
            roleNameCol="role_name" />
        -->

        <!-- Loaded last since JSP's that load-on-startup use request
handling -->
        <ContextInterceptor 
            className="org.apache.tomcat.context.LoadOnStartupInterceptor"
/>

      <!-- ==================== Connectors ==================== -->

        <!-- Normal HTTP -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler" 
 
value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
            <Parameter name="port" 
                value="8001"/>
        </Connector>

        <!--
            Uncomment this for SSL support. 
            You _need_ to set up a server certificate if you want this
            to work, and you need JSSE.
            1. Add JSSE jars to CLASSPATH 
            2. Edit java.home/jre/lib/security/java.security
               Add:
               security.provider.2=com.sun.net.ssl.internal.ssl.Provider
            3. Do: keytool -genkey -alias tomcat -keyalg RSA
               RSA is essential to work with Netscape and IIS.
               Use "changeit" as password. ( or add keypass attribute )
               You don't need to sign the certificate.
 
            You can set parameter keystore and keypass if you want 
            to change the default ( user.home/.keystore with changeit )
         -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler" 
 
value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
            <Parameter name="socketFactory" 
                value="org.apache.tomcat.net.SSLSocketFactory" />
            <Parameter name="port" 
                value="8543"/>
            <Parameter name="keystore" 
                value="d:\jakarta-tomcat-3.2.1\conf\ssl\cacerts" />
            <Parameter name="keypass"              value="changeit" />
        </Connector>

        <!-- Apache AJP12 support. This is also used to shut down tomcat.
          -->
        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler"
value="org.apache.tomcat.service.connector.Ajp12ConnectionHandler"/>
            <Parameter name="port" value="8007"/>
        </Connector>
        <!-- Apache AJP13 support. 
          -->
	<Connector className="org.apache.tomcat.service.PoolTcpConnector">
	  <Parameter name="handler"
value="org.apache.tomcat.service.connector.Ajp13ConnectionHandler"/>
	  <Parameter name="port" value="8009"/>
	</Connector>


        <!-- ==================== Special webapps ==================== -->
        <!-- You don't need this if you place your app in webapps/
             and use defaults. 
             For security you'll also need to edit tomcat.policy

             Defaults are: debug=0, reloadable=true, trusted=false
             (trusted allows you to access tomcat internal objects 
             with FacadeManager ), crossContext=true (allows you to
             access other contexts via ServletContext.getContext())
 
             If security manager is enabled, you'll have read perms.
             in the webapps dir and read/write in the workdir.
         -->

        <Context path="/tomcat/examples" 
                 docBase="webapps/examples" 
                 crossContext="false"
                 debug="1" 
                 reloadable="true" > 
        </Context>

        <!-- Admin context will use tomcat.core to add/remove/get info about
             the webapplications and tomcat internals. 
             By default it is not trusted - i.e. it is not allowed access to

             tomcat internals, only informations that are available to all 
             servlets are visible.

             If you change this to true, make sure you set a password.
          -->
        <Context path="/tomcat/admin" 
                 docBase="webapps/admin" 
                 crossContext="true"
                 debug="0" 
                 reloadable="true" 
                 trusted="false" > 
        </Context>

        <!-- Virtual host example - 
             In "127.0.0.1" virtual host we'll reverse "/" and 
             "/examples"
             (XXX need a better example )
             (use  "http://127.0.0.1/examples" )
        <Host name="127.0.0.1" >
           <Context path="" 
                    docBase="webapps/examples" />
           <Context path="/tomcat/examples" 
                    docsBase="webapps/ROOT" />
        </Host>
         -->

        <Context path="/tomcat/cocoon" 
		 docBase="webapps/cocoon" 
		 debug="1" 
		 reloadable="true" >
        </Context> 

        <Context path="/tomcat/test" 
                 docBase="webapps/test" 
                 crossContext="false"
                 debug="0" 
                 reloadable="true" > 
        </Context>
        <Context path="/tomcat/xsl-examples" 
                 docBase="webapps/xsl-examples" 
                 crossContext="false"
                 debug="1" 
                 reloadable="true" > 
        </Context>
        <Context path="/tomcat/xsl-doc" 
                 docBase="webapps/xsl-doc" 
                 crossContext="false"
                 debug="1" 
                 reloadable="true" > 
        </Context>
        <Context path="/tomcat/taglibs" 
                 docBase="webapps/taglibs" 
                 crossContext="false"
                 debug="1" 
                 reloadable="true" > 
        </Context>
        <Context path="/tomcat" 
                 docBase="webapps/ROOT" 
                 crossContext="false"
                 debug="1" 
                 reloadable="true" > 
        </Context>
    </ContextManager>
</Server>


Mime
View raw message