tomcat-users mailing list archives

From "Bill Barker" <wbar...@wilshire.com>
Subject Re: CRL on Tomcat Tomcat/5.5.15
Date Sat, 04 Feb 2006 04:27:43 GMT

"Dobson Paul L Contr 84 MSUG/GBMLBR" <Paul.Dobson@HILL.af.mil> wrote in message
news:EE6F396F72C0154CAAD38FAAF8256EEE20CAA5@fskrsm23.hill.afmc.ds.af.mil...
> I have just downloaded and installed tomcat 5.5.15 and configured SSL and
> Client Authentication.  I have about a dozen different CRL lists I need to
> authenticate against.  I have read little bits and pieces about CRL list
> support from different postings here and there like having to recompile with
> java 5, using crlfile or crlfiles properties, etc.  Is there anywhere that I
> can get good quality thorough documentation or a good tutorial on how to
> achieve CRL support on tomcat?
>

Yes, you can write it up, and submit it.  Patches are always welcome ;-).

Yes, since there isn't yet a Java 5 binary distro, you need to grab the 
source distro, and at a minimum compile 
org.apache.tomcat.util.net.jsse.JSSE15*.java.  If you've already got the 
binary distro, then it's probably easier to just rebuild all of 
tomcat-util.jar:
  1) Go to connectors/util, and create a build.properties file with your 
favorite editor with:
        catalina.home=/path/to/tomcat
        commons-logging.jar=${catalina.home}/bin/commons-logging-api.jar
        commons-modeler.jar=${catalina.home}/server/lib/commons-modeler.jar
        tomcat-jni.jar=${catalina.home}/server/lib/tomcat-apr.jar

  2) Run `ant jar`
  3) Copy the resulting tomcat-util.jar to $CATALINA_HOME/server/lib

Currently, only one CRL file is supported (with the attribute 'crlFile'). 
It wouldn't be too hard to hack JSSE15SocketFactory to support multiple CRL 
files.  If you want to do it and submit it back, I'd take a look at it. 
Otherwise, you'll have to combine yours.

The file format for crlFile is simply that documented for 
java.security.cert.CertificateFactory.generateCRLs.  Other than that, it 
should just work :).

>
> I apologize if this has been answered already.  The firewall at work
> prevents me from searching the archives.
>
> Thanks in advance for your help.
>
> --Paul
>




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
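
Added example, not part of the original message or of Tomcat's code: one way to combine several CRL files into the single file that 'crlFile' expects, using the same java.security.cert.CertificateFactory.generateCRLs call the reply names. The class name CombineCrls and the command-line layout are assumptions, the code targets a current JDK rather than Java 5, and it re-parses its own output to confirm that the concatenated PEM file yields every CRL.

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.nio.file.*;
import java.security.cert.*;
import java.util.*;

// Hypothetical helper class; not part of Tomcat.
public class CombineCrls {
    // Parse every CRL in one file; generateCRLs accepts DER or PEM input.
    static Collection<? extends CRL> load(CertificateFactory cf, Path p) throws Exception {
        try (InputStream in = new BufferedInputStream(Files.newInputStream(p))) {
            return cf.generateCRLs(in);
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java CombineCrls <combined.pem> <crl1> [crl2 ...]");
            System.exit(2);
        }
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        Base64.Encoder b64 = Base64.getMimeEncoder(64, "\n".getBytes(StandardCharsets.US_ASCII));
        Path out = Paths.get(args[0]);
        int written = 0;
        try (Writer w = Files.newBufferedWriter(out, StandardCharsets.US_ASCII)) {
            for (int i = 1; i < args.length; i++) {
                Collection<? extends CRL> crls = load(cf, Paths.get(args[i]));
                if (crls.isEmpty()) throw new IOException("no CRL found in " + args[i]);
                for (CRL c : crls) {
                    X509CRL crl = (X509CRL) c;
                    // Flag stale lists: a CRL past nextUpdate may miss recent revocations.
                    Date next = crl.getNextUpdate();
                    if (next != null && next.before(new Date()))
                        System.err.println("warning: expired CRL from " + crl.getIssuerX500Principal());
                    w.write("-----BEGIN X509 CRL-----\n");
                    w.write(b64.encodeToString(crl.getEncoded()));
                    w.write("\n-----END X509 CRL-----\n");
                    written++;
                }
            }
        }
        // Re-read the combined file the way a single-file consumer would.
        int parsed = load(cf, out).size();
        if (parsed != written) throw new IllegalStateException("wrote " + written + ", parsed " + parsed);
        System.out.println(parsed + " CRLs in " + out);
    }
}
```

Because each issuer publishes its CRL on its own schedule, the combined file has to be regenerated whenever any of the source CRLs is refreshed.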

