On Thu, 13 Feb 2014 16:08:20 +0100
Delusional Insanity <[email protected]> wrote:

> In my /etc/tomcat7/server.xml I have the following lines
> 
> ===
> 
> <!-- Connector #1 -->
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                ciphers="SSL_RSA_WITH_RC4_128_SHA"
>                keystoreFile="${user.home}/.keystore"
>                keystorePass="changeit"/>
> 
> It finally works under Apache via AJP, so I have an extra line
> 
> <!-- Connector #2 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 
> ===
> 
> At the moment, certificate files are in apache vhost file.
> 
> SSLCertificateFile /etc/apache2/ssl/STAR_mydomain_com.crt
> SSLCertificateKeyFile /etc/apache2/ssl/STAR_mydomain_com.key
> SSLCertificateChainFile /etc/apache2/ssl/PositiveSSL-bundle.ca-bundle
> 
> Following the advice of @Alberto, in the Tomcat7 docs I found the following:
> 
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
> 
> <Connector
>            protocol="HTTP/1.1"
>            port="8443" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            SSLCertificateFile="/usr/local/ssl/server.crt"
>            SSLCertificateKeyFile="/usr/local/ssl/server.pem"
>            SSLVerifyClient="optional" SSLProtocol="TLSv1"/>
> 
> @Alberto Cabello Sánchez
> 
> Do you mean, I should be adding "SSLCertificateFile" and
> "SSLCertificateKeyFile" options to the "Connector #1"?

This would be the case, AFAIK, if you were running an APR connector (which
I think is not the case). I'm rather speaking about the options
in $TOMCAT_HOME/bin/catalina.sh, where I had to set

CATALINA_OPTS="-XX:PermSize=64m -XX:MaxPermSize=768m \
           -XX:+CMSClassUnloadingEnabled -Xms256m -Xmx768m -server \
           -Djavax.net.ssl.trustStore=/opt/jdk/jre/lib/security/cacerts \
           -Djavax.net.ssl.trustStorePassword=changeit"

The javax.net.ssl.trustStore being a keystore containing all of the
certificates involved.

-- 
Alberto Cabello Sánchez
<[email protected]>

-- 
You are currently subscribed to [email protected] as: 
[email protected]
To unsubscribe, change settings or access archives, see 
http://www.ja-sig.org/wiki/display/JSG/cas-user
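Added example (editor's, not code from either poster or from the CAS/Tomcat projects): a POSIX shell script that builds a dedicated JKS truststore from the certificate files quoted in the thread and emits the two -Djavax.net.ssl.* flags for CATALINA_OPTS. Assumptions: the Apache certificate paths are the ones quoted above; the truststore path /etc/tomcat7/truststore.jks, the alias names and the password are illustrative placeholders. A dedicated truststore is used instead of the JDK's cacerts so that a JDK upgrade does not silently drop the imported certificates. Two points a practitioner should keep in mind: javax.net.ssl.trustStore governs what the JVM trusts when it acts as a TLS *client* (for example CAS calling back a service URL over HTTPS); the server's own certificate still lives in the connector's keystoreFile, or here in Apache, since TLS is terminated there. And both -storepass and -Djavax.net.ssl.trustStorePassword appear on command lines, so the password is visible to any local user via ps; keep the truststore readable only by the Tomcat user and do not reuse a real secret as the store password.

```shell
#!/bin/sh
# Added example, not from the thread. Builds a JKS truststore from a PEM
# bundle plus the server cert, then prints the CATALINA_OPTS fragment.
# Paths below: Apache paths are the ones quoted in the thread; TRUSTSTORE
# and TRUSTSTORE_PASS are placeholders (assumption).

CA_BUNDLE="/etc/apache2/ssl/PositiveSSL-bundle.ca-bundle"
SERVER_CERT="/etc/apache2/ssl/STAR_mydomain_com.crt"
TRUSTSTORE="/etc/tomcat7/truststore.jks"
TRUSTSTORE_PASS="changeit"   # placeholder; pick a real value, it is visible in ps

# keytool -importcert reads only the first certificate in a file, so a CA
# bundle must be split into one file per certificate. Prints the count.
split_pem_bundle() {
    bundle="$1"; outdir="$2"
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
        f { print > f }
        /-----END CERTIFICATE-----/ { close(f); f = "" }
    ' "$bundle"
    ls "$outdir"/cert-*.pem 2>/dev/null | wc -l | tr -d ' '
}

# Import every split certificate under its own alias. -noprompt skips the
# "Trust this certificate?" question, so only feed it files you have checked.
import_certs() {
    dir="$1"
    for pem in "$dir"/cert-*.pem; do
        keytool -importcert -noprompt -trustcacerts \
            -alias "$(basename "$pem" .pem)" -file "$pem" \
            -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
    done
}

# The two JVM flags Alberto sets in catalina.sh, for an arbitrary store/password.
catalina_opts_for() {
    printf '%s %s' "-Djavax.net.ssl.trustStore=$1" \
                   "-Djavax.net.ssl.trustStorePassword=$2"
}

# Sanity check: list the aliases actually present in the finished store.
verify_truststore() {
    keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS" \
        | grep -c 'trustedCertEntry'
}

main() {
    command -v keytool >/dev/null 2>&1 || { echo "keytool not found" >&2; exit 1; }
    work=$(mktemp -d)
    n=$(split_pem_bundle "$CA_BUNDLE" "$work/ca")
    echo "CA bundle contained $n certificate(s)"
    import_certs "$work/ca"
    cp "$SERVER_CERT" "$work/server-cert-01.pem"   # alias: server-cert-01
    keytool -importcert -noprompt -alias server-cert-01 -file "$work/server-cert-01.pem" \
        -keystore "$TRUSTSTORE" -storepass "$TRUSTSTORE_PASS"
    chmod 0640 "$TRUSTSTORE"
    echo "trusted entries in $TRUSTSTORE: $(verify_truststore)"
    echo "add to CATALINA_OPTS: $(catalina_opts_for "$TRUSTSTORE" "$TRUSTSTORE_PASS")"
    rm -rf "$work"
}

# Only run the import when invoked as `sh build-truststore.sh run`.
[ "${1:-}" = "run" ] && main
</test>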