tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Lee, Esmond" <Esmond_...@cable.comcast.com>
Subject RE: Re: Tomcat TLS with PKCS11 token
Date Fri, 01 Jun 2007 22:37:12 GMT
Thanks for the reply, however I think I've tried that and got some
errors stating that Tomcat couldn't find the keystore file. Here is a
snippet of my server.xml file 

>From Tomcat 5.5.23 - (I know I mentioned Tomcat 6 in the original thread
but that was a mistake)

<Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" 
               keystoreType="PKCS11"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA />

and here is the error I am getting..

java.io.IOException: Exception trying to load keystore C:\Documents and
Settings\elee3389k/.keystore: PKCS11 not found
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFac
tory.java:294)
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocket
Factory.java:227)
	at
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE1
4SocketFactory.java:142)
	at
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFac
tory.java:110)
	at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocke
tFactory.java:89)
	at
org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.
java:293)
	at
org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java
:139)
	at
org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
	at
org.apache.catalina.core.StandardService.initialize(StandardService.java
:578)
	at
org.apache.catalina.core.StandardServer.initialize(StandardServer.java:7
82)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.jav
a:39)
	at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessor
Impl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at
org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
	at
org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
May 31, 2007 2:52:26 PM org.apache.catalina.startup.Catalina load

It looks like the JSSESocketFactory has some default keystore file (and
maybe even password) that it sets when one is not set in the Connector.
This could be a problem as the PKCS11 Provider that I am using expects
null values for the keystore file and password.

Also, since there doesn't seem to be a way to tell the Tomcat connector
which PKCS11 Provider to use, do you know if Tomcat just searches the
Providers that are registered in the java.security file? 

Esmond Lee
Staff Engineer
CCAD, LLC
858.736.3238
 

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Barker
Sent: Thursday, May 31, 2007 8:14 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat TLS with PKCS11 token

If you are using the JIO Connector (the default if APR isn't installed),

then you should just be able to specify keystoreType="PKCS11" on the 
<Connector /> element, and configure the PKCS11 setting as in the JCE 
documents for your Java vendor.  If you have more than just the one
Tomcat 
key, then you will also want to specify the keyAlias="myHostAlias"
option on 
the <Connector />.  I'm guessing that this will work with the NIO
Connector 
as well, but I haven't looked.  I've got no clue how to do this for the
APR 
Connector :), but if you are using truststoreFile, then you aren't using

APR.

"Lee, Esmond" <Esmond_Lee@cable.comcast.com> wrote in message 
news:38F5F6E4D905F142BAA734B9D894F124055F849E@CAPLSEXCMB01.cable.comcast
.com...
Hello,



I would like to use TOMCAT 6 as an HTTPS server on our windows/linux
servers, using a PCI based PKCS11 token that stores the keys for TLS
connectivity. Up until now, we've enabled TLS connections using the
keystoreFile/keystorePass, truststoreFile/truststorePass attribute pairs
in server.xml. Our core application currently uses the PKCS11 token for
our keystore, but we would like TOMCAT to use it as well. Is there a way
to configure TOMCAT (via server.xml or by other means) to use this
token?

=20

Thanks in advance.



Esmond







---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message