tomcat-users mailing list archives

From "Wilmoth, Jon" <Jon.D.Wilm...@nordstrom.com>
Subject Tomcat support for JNDIRealm LDAPS connections
Date Wed, 27 Mar 2013 16:03:36 GMT
After searching through the Tomcat user forums and bug list it appears there are only two options to enable ldaps connections, without modification to the Tomcat JNDI Realm itself:

1) Start Tomcat using system properties that specify the default trust keystore & password (e.g. -Djavax.net.ssl.trustStore=<path to truststore> -Djavax.net.ssl.trustStorePassword=<password>). The problem with this is it requires the password to the trust keystore be provided on the command line.

2) Add the CA cert to the <java-home>/lib/security/cacerts file (or <java-home>/lib/security/jssecacerts which has higher precedence) which is used as the default trust store. This has the downside of tying the CA cert maintenance lifecycle to the JVM maintenance lifecycle (e.g. upgrades). It also limits the reuse of a JDK installation across applications/Tomcat instances.

Are there any plans for org.apache.catalina.realm.JNDIRealm to address these items via support for configuring the trust store path/password like org.apache.tomcat.util.net.AbstractEndpoint?

Thanks,
Jon
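The mechanism behind both options in the post is the JVM's TLS trust store: the LDAPS handshake succeeds only if the directory server's certificate chains to a CA the JVM trusts. The following is an added example, not code from the post or from Tomcat, showing how the JNDI LDAP provider can be pointed at a dedicated trust store without the global `javax.net.ssl.trustStore*` properties and without touching `cacerts`/`jssecacerts`. It relies on the provider's documented `java.naming.ldap.factory.socket` property, which names a `SocketFactory` subclass with a static `getDefault()` method. The class name `LdapsTrustStoreSocketFactory`, the trust store path, the `LDAP_TRUSTSTORE_PASSWORD` environment variable and the `ldaps://ldap.example.com:636` URL are assumptions for illustration.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetAddress;
import java.net.Socket;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical example class: an SSLSocketFactory that trusts only the CA certificates in a
 * dedicated trust store. The JNDI LDAP provider loads it by name from the
 * "java.naming.ldap.factory.socket" property and calls the static getDefault() method,
 * so neither the JVM-wide cacerts/jssecacerts file nor the javax.net.ssl.trustStore*
 * system properties are involved.
 */
public class LdapsTrustStoreSocketFactory extends SSLSocketFactory {

    // Assumed location of the trust store (overridable with -Dldaps.trustStore=...).
    static final String TRUSTSTORE_PATH =
            System.getProperty("ldaps.trustStore", "/etc/tomcat/ldap-truststore.jks");
    // Assumed environment variable holding the password; it never appears on the command
    // line and therefore not in process listings.
    static final String TRUSTSTORE_PASSWORD_ENV = "LDAP_TRUSTSTORE_PASSWORD";

    private final SSLSocketFactory delegate;

    private LdapsTrustStoreSocketFactory(SSLSocketFactory delegate) {
        this.delegate = delegate;
    }

    /** Entry point the JNDI LDAP provider looks for. */
    public static SocketFactory getDefault() {
        try {
            return new LdapsTrustStoreSocketFactory(buildContext().getSocketFactory());
        } catch (GeneralSecurityException | IOException e) {
            throw new IllegalStateException("cannot initialise LDAPS trust store", e);
        }
    }

    private static SSLContext buildContext() throws GeneralSecurityException, IOException {
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        // A trust store password only protects the file's integrity; a null password
        // skips that check but still loads the certificates.
        String pw = System.getenv(TRUSTSTORE_PASSWORD_ENV);
        try (InputStream in = new FileInputStream(TRUSTSTORE_PATH)) {
            trustStore.load(in, pw == null ? null : pw.toCharArray());
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client certificate, default SecureRandom
        return ctx;
    }

    // Delegating implementations of the abstract SSLSocketFactory methods.
    @Override public String[] getDefaultCipherSuites() { return delegate.getDefaultCipherSuites(); }
    @Override public String[] getSupportedCipherSuites() { return delegate.getSupportedCipherSuites(); }
    @Override public Socket createSocket(Socket s, String host, int port, boolean autoClose)
            throws IOException { return delegate.createSocket(s, host, port, autoClose); }
    @Override public Socket createSocket(String host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(String host, int port, InetAddress localHost, int localPort)
            throws IOException { return delegate.createSocket(host, port, localHost, localPort); }
    @Override public Socket createSocket(InetAddress host, int port) throws IOException {
        return delegate.createSocket(host, port);
    }
    @Override public Socket createSocket(InetAddress addr, int port, InetAddress localAddr, int localPort)
            throws IOException { return delegate.createSocket(addr, port, localAddr, localPort); }

    /** Connectivity check: open an anonymous LDAPS session against the assumed server URL. */
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636"); // placeholder URL
        env.put(Context.SECURITY_AUTHENTICATION, "none");
        env.put("java.naming.ldap.factory.socket", LdapsTrustStoreSocketFactory.class.getName());
        // The handshake fails here (CommunicationException) if the server certificate does
        // not chain to a CA in the dedicated trust store.
        DirContext ctx = new InitialDirContext(env);
        System.out.println("LDAPS session established; server trusted via " + TRUSTSTORE_PATH);
        ctx.close();
    }
}
```

Run it with the trust store path and password in place (`LDAP_TRUSTSTORE_PASSWORD=... java -Dldaps.trustStore=/path/ldap-truststore.jks LdapsTrustStoreSocketFactory`) to confirm that the CA bundle is sufficient before relying on it. This keeps the CA lifecycle separate from the JDK installation and keeps the password off the command line, which are the two concerns raised in the post; it is a standalone illustration of the trust mechanism, not a change to JNDIRealm itself.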