Subject: RE: Re: Tomcat TLS with PKCS11 token
Date: Fri, 1 Jun 2007 15:37:12 -0700
From: "Lee, Esmond"
To: "Tomcat Users List"

Thanks for the reply, however I think I've tried that and got some errors stating that Tomcat couldn't find the keystore file. Here is a snippet of my server.xml file from Tomcat 5.5.23 (I know I mentioned Tomcat 6 in the original thread, but that was a mistake), and here is the error I am getting:

java.io.IOException: Exception trying to load keystore C:\Documents and Settings\elee3389k/.keystore: PKCS11 not found
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:294)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:227)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:142)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:110)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:89)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:597)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
May 31, 2007 2:52:26 PM org.apache.catalina.startup.Catalina load

It looks like the JSSESocketFactory has some default keystore file (and maybe even password) that it sets when one is not set in the Connector. This could be a problem, as the PKCS11 Provider that I am using expects null values for the keystore file and password. Also, since there doesn't seem to be a way to tell the Tomcat connector which PKCS11 Provider to use, do you know if Tomcat just searches the Providers that are registered in the java.security file?

Esmond Lee
Staff Engineer
CCAD, LLC
858.736.3238

-----Original Message-----
From: news [mailto:news@sea.gmane.org] On Behalf Of Bill Barker
Sent: Thursday, May 31, 2007 8:14 PM
To: users@tomcat.apache.org
Subject: Re: Tomcat TLS with PKCS11 token

If you are using the JIO Connector (the default if APR isn't installed), then you should just be able to specify keystoreType="PKCS11" on the element, and configure the PKCS11 setting as in the JCE documents for your Java vendor. If you have more than just the one Tomcat key, then you will also want to specify the keyAlias="myHostAlias" option on the element. I'm guessing that this will work with the NIO Connector as well, but I haven't looked. I've got no clue how to do this for the APR Connector :), but if you are using truststoreFile, then you aren't using APR.

"Lee, Esmond" wrote in message news:38F5F6E4D905F142BAA734B9D894F124055F849E@CAPLSEXCMB01.cable.comcast.com...

Hello,

I would like to use TOMCAT 6 as an HTTPS server on our windows/linux servers, using a PCI based PKCS11 token that stores the keys for TLS connectivity. Up until now, we've enabled TLS connections using the keystoreFile/keystorePass, truststoreFile/truststorePass attribute pairs in server.xml. Our core application currently uses the PKCS11 token for our keystore, but we would like TOMCAT to use it as well. Is there a way to configure TOMCAT (via server.xml or by other means) to use this token?

Thanks in advance.

Esmond

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
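The "PKCS11 not found" text after the keystore path in the trace above is the JDK's own KeyStore.getInstance message, raised when no registered provider offers a PKCS11 KeyStore, independent of any file. The check below, an added example and not code from this thread or from Tomcat, separates that provider step from loading the token; the SunPKCS11 constructor used is the Java 5-8 API, and the class name Pkcs11KeystoreCheck, the config name and the library path are assumed placeholders for the vendor's module.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Security;
import java.util.Enumeration;

// Added example (not from the thread or Tomcat): the two steps the connector's
// socket factory takes for keystoreType="PKCS11", run outside Tomcat.
public class Pkcs11KeystoreCheck {
    // Step 1: can a registered provider supply a "PKCS11" KeyStore? If not,
    // KeyStore.getInstance throws KeyStoreException("PKCS11 not found") before
    // any keystore path is opened, which is the text seen in the trace.
    static boolean pkcs11ProviderRegistered() {
        try {
            KeyStore.getInstance("PKCS11");
            return true;
        } catch (KeyStoreException e) {
            return false;
        }
    }

    // Registers SunPKCS11 at runtime (Java 5-8 constructor). Tomcat only uses
    // the JVM provider list, so there the equivalent is a java.security line:
    //   security.provider.N=sun.security.pkcs11.SunPKCS11 /path/to/token.cfg
    static void registerSunPkcs11() {
        String cfg = "name=TomcatToken\nlibrary=/opt/token/libpkcs11.so\n"; // placeholder path
        Security.addProvider(new sun.security.pkcs11.SunPKCS11(
                new ByteArrayInputStream(cfg.getBytes(StandardCharsets.UTF_8))));
    }

    // Step 2: a PKCS11 store has no file; it is loaded with a null stream and
    // the token PIN as the "password", so keystoreFile is not opened for it.
    static KeyStore loadToken(char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        if (!pkcs11ProviderRegistered()) registerSunPkcs11(); // the "not found" case
        KeyStore ks = loadToken(args.length > 0 ? args[0].toCharArray() : null);
        // List entries so the right keyAlias can be put on the Connector.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String a = e.nextElement();
            System.out.println(a + (ks.isKeyEntry(a) ? " (key)" : " (cert)"));
        }
    }
}
```

Run it with the token PIN as the only argument against the same JVM Tomcat starts with; if step 1 reports no provider, the fix belongs in java.security, not in the keystoreFile attribute.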