Senthil,

On 8/8/17 4:03 PM, dsenthil...@gmail.com wrote:
> 
>> Hello,
>> 
>> I have configured ssl certificates for below requirements:
>> 
>> 1. Tomcat server certificate configuration in 'server.xml' file
>> to run tomcat server on port 443 and https
>> 
>> <Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
>> minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>> disableUploadTimeout="true" acceptCount="100" scheme="https"
>> secure="true" SSLEnabled="true" clientAuth="false" 
>> sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>> keystoreFile="Tomcat.HostName.pfx" keystorePass="password" 
>> keystoreType="PKCS12" />
>> 
>> 2. Service certificate configuration in 'setenv.sh' file for the
>> two-way ssl authentication for the connection to MQ / Soap
>> service servers.
>> 
>> export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>> -Djavax.net.ssl.keyStorePassword=password
>> -Djavax.net.ssl.trustStore=clienttruststore.jks
>> -Djavax.net.ssl.trustStorePassword=changeit'
>> 
>> 
>> But it looks like the service certificate configured (for the
>> two-way ssl handshake with MQ and Soap service servers) in
>> 'setenv.sh' file is overwriting the tomcat server ssl
>> configuration configured in 'server.xml' and subsequently tomcat
>> server is down for https and port 443.
>> 
>> Can someone recommend a suitable tomcat config to fix this issue?
>> The tomcat config should support both https (port 443) and
>> two-way ssl handshake with other servers.

Regardless of the actual problem and solution, here, I would always
highly recommend that you use explicit configuration for your
<Connector> for your truststore as well as your keystore. Using system
properties is very heavy-handed and ends up applying the same trust
store to a whole variety of components, not just the <Connector>.

-chris
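
What the explicit configuration recommended in the reply could look like, as an added example that is not part of the original message: the poster's Connector with its own truststore attributes, so it does not fall back to the javax.net.ssl.trustStore system properties set in setenv.sh. The truststore path and password are placeholders, and the attribute names assume the Tomcat 7/8-style JSSE Connector syntax the poster already uses.

```xml
<!-- Added example, not from the original message.
     The keystore attributes are the poster's own values.
     truststoreFile, truststorePass and truststoreType are set explicitly:
     when they are omitted, the Connector defaults to the values of the
     javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword and
     javax.net.ssl.trustStoreType system properties, i.e. the store that
     setenv.sh exports for the outbound MQ / SOAP connections.
     "conf/connector-truststore.jks" and "CHANGE_ME" are placeholders. -->
<Connector port="443" maxHttpHeaderSize="8192" maxThreads="150"
           minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" scheme="https"
           secure="true" SSLEnabled="true" clientAuth="false"
           sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
           keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
           keystoreType="PKCS12"
           truststoreFile="conf/connector-truststore.jks"
           truststorePass="CHANGE_ME"
           truststoreType="JKS" />
```

The Connector uses its truststore only to validate client certificates, so it should hold just the CAs allowed to issue them, independent of the CAs trusted for the outbound connections.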
