David,

On 4/8/24 05:35, David Wooffindin wrote:
Referring to the documentation in the Apache Tomcat 9 Configuration Reference (9.0.87), The HTTP Connector <https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Key_store_types>, keystore types: I wanted to get it mentioned that a new set of possibilities is available with newer Java builds when using Tomcat in a Windows environment.


As mentioned on the OpenJDK bug tracker: 
https://bugs.openjdk.org/browse/JDK-8286790


The Windows KeyStore support in the SunMSCAPI provider has been expanded to 
include access to the local machine location. The new keystore types are:

Windows-MY-LOCALMACHINE
Windows-ROOT-LOCALMACHINE

The following keystore types were also added, allowing developers to make it 
clear they map to the current user:

Windows-MY-CURRENTUSER (same as "Windows-MY")
Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")


Alongside other configurations possible on the server side, web certificates 
can be automatically published, renewed and managed with a company's internal 
Active Directory CA. The account running the Tomcat Windows Service needs local 
Administrator rights to be able to reference these certificate stores.

With this enabled, setting the server.xml Connector as shown below can 
make certificate management a lot easier.


<Connector name="whatever_name"
           port="443"
           protocol="HTTP/1.1"
           connectionTimeout="20000"
           URIEncoding="UTF-8"
           SSLEnabled="true"
           maxThreads="1500"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           sslProtocol="TLS"
           sslEnabledProtocols="TLSv1.2+TLSv1.3"
           ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
           keyAlias="${COMPUTERNAME}.my.domain.org"
           keystoreFile=""
           keystoreType="Windows-MY-LOCALMACHINE"
           keystorePass=""
           truststoreFile=""
           truststoreType="Windows-ROOT-LOCALMACHINE"
           truststorePass=""
           enableLookups="true"
/>
The use of a predefined environment variable for the system name, possible when 
also using this setting in catalina.properties:

#GPO Managed restricted file: TESTING
#allow_System ENVVar Usage
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource

makes it easier to maintain a common server.xml file through tools like GPO.

Could it be useful to somehow document this, as it does make our Windows admin 
life easier!!

Hmm.

While this seems really useful, I personally think that encouraging Windows admins to run the Tomcat server under a local Administrator account would be malfeasance on our part.

Perhaps if there were a native component that could be used as a service to request access to the keystore, it would be a more secure setup. In the absence of such a component, I think we'll leave the documentation alone for the time being.

Feel free to publish your findings and setup yourself, but I think we'll leave our documentation alone.

-chris
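As an added example, not code from either message or from Tomcat: a small Java check that opens the two SunMSCAPI local-machine keystores the posted Connector references and reports whether the alias Tomcat will look up is readable by the account running it. Run it as the Tomcat service account to see what that account can actually reach before deciding which rights it needs. It assumes a Windows JDK whose SunMSCAPI provider includes the JDK-8286790 change; the class name and the default alias suffix are assumptions taken from the posted server.xml.

```java
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
// Added check (not Tomcat code): run as the Tomcat service account on a Windows JDK with JDK-8286790.
public class WindowsKeystoreCheck {
    // SunMSCAPI keystores take no stream and no password, so both load() arguments are null.
    static KeyStore open(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }
    // True only if the alias is a key entry whose private key this user can
    // retrieve and whose certificate is inside its validity period.
    static boolean keyEntryUsable(KeyStore ks, String alias) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return false;
        }
        try {
            if (ks.getKey(alias, null) == null) {
                return false;
            }
        } catch (UnrecoverableKeyException e) {
            return false; // entry exists, but this user cannot read its private key
        }
        Certificate cert = ks.getCertificate(alias);
        if (!(cert instanceof X509Certificate)) {
            return false;
        }
        ((X509Certificate) cert).checkValidity(new Date()); // throws if expired or not yet valid
        return true;
    }
    public static void main(String[] args) throws Exception {
        // Mirrors keyAlias="${COMPUTERNAME}.my.domain.org" from the posted server.xml; arg 0 overrides.
        String alias = args.length > 0 ? args[0]
                : System.getenv("COMPUTERNAME") + ".my.domain.org";
        try {
            KeyStore my = open("Windows-MY-LOCALMACHINE");
            System.out.println("Windows-MY-LOCALMACHINE aliases: " + Collections.list(my.aliases()));
            System.out.println("keyAlias " + alias + " usable: " + keyEntryUsable(my, alias));
            KeyStore root = open("Windows-ROOT-LOCALMACHINE");
            System.out.println("Windows-ROOT-LOCALMACHINE trusted certs: " + root.size());
        } catch (KeyStoreException e) {
            System.out.println("Keystore type unavailable on this JDK/OS: " + e.getMessage());
        }
    }
}
```

If the alias is listed but reported as not usable, the service account can see the certificate but not its private key, which is the access the Connector actually needs.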

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
