From "Ronald Spiers" <nogermanp...@gmail.com>
Subject Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?
Date Tue, 12 Jun 2007 03:32:20 GMT
Hi Bill:

Indeed. Mark's comments put me on the track again, searching for
something simpler and more direct than calling openssl or subclassing
a provider, and I found this article, which demonstrates how to create
a client certificate and sign it using a self-signed root certificate,
like the ones you produce with keytool:

http://www.mayrhofer.eu.org/Default.aspx?pageindex=4&pageid=39

I made some minor adjustments to the code, and it worked fine, still
have to test several things, but the client certificate was generated
and the issuer was set as expected. I still have to test the
client-cert verification.

The article's author (Rene Mayrhofer) used the Bouncy Castle component
along with JCE. The code can be easily encapsulated to be used in a
web application.

Thanks to all for your comments and suggestions, especially Mark. I
must say that judging by what I found in the tomcat-list archives,
this time the question got a lot more [useful] feedback than in the
recent past. Lucky I am.

Regards.

On 6/11/07, Bill Barker <wbarker@wilshire.com> wrote:
>
> "Ronald Spiers" <nogermanpows@gmail.com> wrote in message
> news:fb5447930706111041i77c677a5r8600e76a5d0766c4@mail.gmail.com...
> > Hi Pulkit, assuming that I can create the trustManager, I am not sure
> > about how to register it with Tomcat, and if I need to implement more
> > interfaces, etc.
> >
> > In short, I suspect other people already solved this problem, and
> > since it will be my first time, I am trying to obtain their feedback
> > and suggestions to avoid common pitfalls.
> >
> > You are right, I already have a clue in the JSSE docs, but I am
> > looking for a little bit more advice - if possible.
> >
> > And as Mark's reply pointed out, I may not be using the certificate
> > mechanism in the best way. That's also the kind of feedback I am
> > looking for.
> >
>
> Yes, as Mark has pointed out the usual way to solve this is to have your own
> CA certificate imported into the truststoreFile, and use that to sign all of
> the certificates that you issue.  Then any certificate that you issue will
> be verified without you having to do anything fancy.
>
> To do this the hard way, you can either:
> a)  implement your own trust management algorithm, and pass that as the
> truststoreAlgorithm on the <Connector />
> b)  implement your own SSLImplementation (probably by extending the JSSE one
> in Tomcat), and override JSSE14SocketFactory.getTrustManagers
>
>
>
>
> > Thanks for your reply.
> >
> >
> > On 6/11/07, Pulkit Singhal <pulkitsinghal@gmail.com> wrote:
> >> Hello,
> >>
> >> I am not sure what you are asking for here. You say that you found some
> >> instructions on "Creating Your Own X509TrustManager" ... that's good.
> >> 1) Given that you have these instructions, what's the issue at hand?
> >> Conceptually (and without even looking at any content other than the
> >> title)
> >> I would chime-in and say that it sounds like ... if you can create your
> >> own
> >> TrustManager then you most likely make dynamic additions to it.
> >> 2) Or maybe you have yet to implement any such solution and are still
> >> looking for pre-provided alternatives?
> >>
> >> There are always modules like EJBCA(http://ejbca.sourceforge.net/) that
> >> you
> >> might want to have a look at, I think it can be deployed on Tomcat.
> >>
> >> On 6/11/07, Ronald Spiers <nogermanpows@gmail.com> wrote:
> >> >
> >> > Hi, I am preparing a self enrollment webapp for generating client
> >> > certificates and adding them to the server keystore. I know that
> >> > Tomcat won't reload keystore unless the server is restarted, so I did
> >> > look for alternatives, and the JSSE guide explains an approach to this
> >> > in the section "Creating Your Own X509TrustManager".
> >> >
> >> > My question is: Does anybody in this list have some experience solving
> >> > this problem, providing Tomcat a custom trust manager to dynamically
> >> > add a client certificate to the verification path when client
> >> > credentials are presented?
> >> >
> >> > Can self-enrollment be done using Tomcat and JSSE? Maybe it can't be
> >> > done and I am just wasting my time ;) I have searched a lot in the last 3
> >> > days, tomcat list archives and other materials, I have not found a
> >> > single solution to this problem, except for the JSSE guide and this
> >> > article, that explains how to create a trustManager and a SSLContext
> >> > for implementing S/MIME with JavaMail:
> >> >
> >> > * http://www.javaworld.com/javatips/jw-javatip115.html
> >> >
> >> > Thanks a lot for any feedback you can provide.
> >> >
> >> > Regards,
> >> > Martin
> >> >
> >>
> >
>
>
>
>

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
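The "hard way" Bill describes, option (a), needs a trust manager that can pick up a truststore change without a Tomcat restart. The following is an added example, not code from this thread, from Tomcat, or from the linked articles: a delegating X509TrustManager in the spirit of the JSSE guide's "Creating Your Own X509TrustManager" section. It wraps the standard "PKIX" trust manager built from a truststore file and rebuilds that delegate whenever the file's modification time changes. The class name ReloadingTrustManager, the constructor parameters and the Snapshot helper are this example's own inventions; "PKIX" and the javax.net.ssl / java.security classes are real JSSE APIs.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Hypothetical example (not Tomcat code): an X509TrustManager that delegates
 * every decision to the standard PKIX trust manager for a truststore file and
 * rebuilds that delegate when the file changes on disk. It never implements
 * its own chain validation, so the trust decision stays the JDK's.
 */
public final class ReloadingTrustManager implements X509TrustManager {

    /** A loaded delegate together with the file timestamp it was built from. */
    private static final class Snapshot {
        final X509TrustManager delegate;
        final long lastModified;
        Snapshot(X509TrustManager delegate, long lastModified) {
            this.delegate = delegate;
            this.lastModified = lastModified;
        }
    }

    private final Path truststorePath;   // e.g. the file named by truststoreFile
    private final char[] password;
    private final String storeType;      // e.g. "JKS" or "PKCS12"
    private final AtomicReference<Snapshot> current = new AtomicReference<>();

    public ReloadingTrustManager(Path truststorePath, char[] password, String storeType)
            throws IOException, GeneralSecurityException {
        this.truststorePath = truststorePath;
        this.password = password.clone();
        this.storeType = storeType;
        current.set(load());  // fail fast at startup if the store is unreadable
    }

    /** Reads the truststore and builds a fresh PKIX delegate from it. */
    private Snapshot load() throws IOException, GeneralSecurityException {
        long mtime = Files.getLastModifiedTime(truststorePath).toMillis();
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = Files.newInputStream(truststorePath)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return new Snapshot((X509TrustManager) tm, mtime);
            }
        }
        throw new GeneralSecurityException("no X509TrustManager built from " + truststorePath);
    }

    /**
     * Returns the delegate matching the file's current contents. If the file
     * changed but cannot be reloaded, the last good delegate is kept: a broken
     * or half-written store must not fail open, and must not drop trust either.
     */
    private X509TrustManager delegate() {
        Snapshot snap = current.get();
        try {
            long mtime = Files.getLastModifiedTime(truststorePath).toMillis();
            if (mtime != snap.lastModified) {
                Snapshot fresh = load();
                current.compareAndSet(snap, fresh);
                return fresh.delegate;
            }
        } catch (IOException | GeneralSecurityException e) {
            // Keep serving the last successfully loaded truststore.
        }
        return snap.delegate;
    }

    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate().checkClientTrusted(chain, authType);
    }

    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException {
        delegate().checkServerTrusted(chain, authType);
    }

    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return delegate().getAcceptedIssuers();
    }
}
```

Two practical notes. First, the enrollment webapp should write the updated truststore to a temporary file and rename it into place, so the reload never observes a partially written file; the keep-last-good behaviour above is the safety net, not the plan. Second, this class only covers the trust-manager half of the problem: handing it to Tomcat is what Bill's two options (a custom truststoreAlgorithm, or an SSLImplementation override) are about, and the simpler route Mark and Bill recommend, a CA certificate in the truststore that signs every issued client certificate, needs no reloading at all.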

