David,
On 4/8/24 05:35, David Wooffindin wrote:
Referring to the documentation on Apache Tomcat 9 Configuration Reference (9.0.87) -
The HTTP
Connector<https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Key_store_types>
keystore types, i wanted to get mentioned that a new set of possibilities is
available with newer java builds, when using Tomcat in a Windows environment.
As mentioned on the OpenJDK bug tracker:
https://bugs.openjdk.org/browse/JDK-8286790
The Windows KeyStore support in the SunMSCAPI provider has been expanded to
include access to the local machine location. The new keystore types are:
Windows-MY-LOCALMACHINE
Windows-ROOT-LOCALMACHINE
The following keystore types were also added, allowing developers to make it
clear they map to the current user:
Windows-MY-CURRENTUSER (same as "Windows-MY")
Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")
Alongside other configurations possible on the server side, web certificates
can be automatically published, renewed and managed with a company's internal
Active Directory CA. The account running the Tomcat Windows Service needs local
Administrator rights to be able to refernce these certificate stores.
With this enabled, and setting the server.xml Connector like shown below can
make certificate management a lot easier.
<Connector name="whatever_name"
port="443"
protocol="HTTP/1.1"
connectionTimeout="20000"
URIEncoding="UTF-8"
SSLEnabled="true"
maxThreads="1500"
scheme="https"
secure="true"
clientAuth="false"
sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2+TLSv1.3"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
keyAlias="${COMPUTERNAME}.my.domain.org"
keystoreFile=""
keystoreType="Windows-MY-LOCALMACHINE"
keystorePass=""
truststoreFile=""
truststoreType="Windows-ROOT-LOCALMACHINE"
truststorePass=""
enableLookups="true"
/>
the use of a predefined Environment Variable for the system name, possible when
using also this setting in catalina.properties:
#GPO Managed restricted file: TESTING
#allow_System ENVVar Usage
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource
makes it easier to maintain a common server.xml file through tools like GPO.
Could it be useful to somehow document this, as it does make our WIndows admin
life easier!!
Hmm.
While this seems really useful, I personally think that encouraging
Windows admins to run the Tomcat server under a local Administrator
account would be malfeasance on our part.
Perhaps if there were a native component that could be used as a service
to request access to the keystore, it would be a more secure setup. In
the absence of such a component, I think we'll leave the documentation
along for the time being.
Feel free to publish your findings and setup yourself, but I think we'll
leave our documentation alone.
-chris
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org