tomcat-users mailing list archives

From "epicwinter@hotmail.com" <epicwin...@hotmail.com>
Subject RE: ssl connector
Date Fri, 13 Feb 2009 05:09:15 GMT

Thanks, it makes sense now; I have made lots of progress. But of course, like usual, there
are some complications. The application I am developing uses Tomcat on the back end and a
Swing client on the front with the Spring HttpInvoker.

So first I got it working without APR. After I set up the connector, I changed it so that
I ran my Java client using this VM parameter:
-Djavax.net.ssl.trustStore="keystore.jks"

Everything worked. So next, I moved on to APR. I got APR properly compiled/installed. Then
I set up the connector like so:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="certfile"
           SSLCertificateKeyFile="key"
           SSLPassword="password"
           clientAuth="false" sslProtocol="TLS"/>

Tomcat starts and acknowledges that APR is working without a problem. I thought that with
APR I could just run the client without the trustStore parameter set. But I get this error:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException:
PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable
to find valid certification path to requested target

So how do I tell the client about the cert?  I tried the trustStore="pathtocert" but that
didn't work.  

thanks
-ryan

> From: Chuck.Caldarale@unisys.com
> To: users@tomcat.apache.org
> Date: Thu, 12 Feb 2009 21:47:45 -0600
> Subject: RE: ssl connector
> 
> > From: epicwinter@hotmail.com [mailto:epicwinter@hotmail.com]
> > Subject: RE: ssl connector
> >
> > So I don't understand the docs where they suggest
> > defining connectors with apr and without.
> 
> APR is an additional, non-Java Tomcat component that utilizes code from httpd for increased
> SSL performance.  It uses OpenSSL, not Java, for the SSL negotiation and encryption, so there's
> no keystore file, and the <Connector> configuration is very different from that for
> the standard or NIO options.  The drawback of APR is that you typically have to compile it
> from source for the specific platform you're running on (some binary downloads are available),
> so it's not something for the casual or first-time Tomcat administrator.
> 
> The table at the bottom of this page:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> gives you a comparison of the three forms of connector; pick just one for your usage.
> 
>  - Chuck
> 
