Jason,

On 8/10/2010 3:41 PM, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00
wrote:
> I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL
> into our web application due to the "authentication" process taking a while,
> causing the web app to run abnormally slow.
>
> I am wanting to use our server certificate (PKCS12) as the keystore. I've
> been doing a lot of research and it seems that I need to import the root
> certificates into the keystore using OpenSSL. What I am not too clear on is
> how to edit the server.xml file to accommodate these configurations. Here is
> what I have thus far, however, SSL does not seem to be working.
>
> Copied from Notepad:
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
> This connector uses the JSSE configuration, when using APR, the
> connector should be using the OpenSSL style configuration
> described in the APR documentation -->
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="C:\Program Files\Apache Software
> Foundation\Tomcat 6.0\con\geo.pfx"
> keystorePass="password" keystoreType="pkcs12"
> clientAuth="false" sslProtocol="TLS" />

Wait, are you trying to do CLIENT-CERT authentication?

If so, you'll want to do clientAuth="want" (if you want a cert, but
don't want to fail otherwise, which I think is usually what one wants to
do) and set the truststore* attributes on the <Connector>.

- -chris
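
The change suggested in the reply above, shown as an added example that is not part of the original thread: the JSSE `<Connector>` as posted next to one that requests a client certificate. All file paths and passwords are placeholders, and the choice of a JKS trust store is an assumption.

```xml
<!-- Added example: the two Connectors are alternatives for the same port.
     Keep only one of them in server.xml. -->

<!-- As posted: server-side TLS only. With clientAuth="false" Tomcat never
     asks the browser for a certificate, so no client identity is available
     to the web application. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="PLACEHOLDER_PATH/server.pfx"
           keystorePass="PLACEHOLDER_PASSWORD" keystoreType="pkcs12"
           clientAuth="false" sslProtocol="TLS" />

<!-- With the reply's suggestion: clientAuth="want" requests a client
     certificate during the handshake but still accepts the connection
     when none is sent. The keystore* attributes hold the server's own key
     and certificate; the truststore* attributes point at a separate store
     containing the CA certificates that client certificates are validated
     against (the root certificates belong here, not in the server's
     PKCS12 file). -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="PLACEHOLDER_PATH/server.pfx"
           keystorePass="PLACEHOLDER_PASSWORD" keystoreType="pkcs12"
           truststoreFile="PLACEHOLDER_PATH/client-ca.jks"
           truststorePass="PLACEHOLDER_PASSWORD" truststoreType="JKS"
           clientAuth="want" sslProtocol="TLS" />
```

Because `clientAuth="want"` lets a connection through without a certificate, the web application (or a `CLIENT-CERT` login configuration) still has to reject requests that arrive without one wherever authentication is required.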