So we heard earlier from the TriFork guys that they'd prefer if
Geronimo had a generic Keystore service. I notice that Jetty and Tomcat
have HTTPS support requiring Keystore configuration as well, and it
doesn't seem to make a ton of sense to me to repeat all the settings in
each HTTPS/SSL interface (unless you want them to be different). This
isn't super-onerous because normally you don't have that many, but I can
see the attraction of a centralized Leystore service.
If we provide a Keystore GBean, how would Jetty and Tomcat be able
to take advantage of it? It seems that if the Keystore GBean was just a
centralized place to access Keystore settings, the answer would be obvious
(the SSL web connectors could just say KeystoreGBean.getKeystoreFile(),
KeystoreGBean.getKeystorePassword(), etc.). But if the KeystoreGBean
instead only used the config settings internally and its external API
instead provided access directly to the server keys and CA certs, it's not
clear to me whether the Tomcat and Jetty HTTPS connectors could operate on
that basis (KeystoreGBean.getServerPrivateKey(),
KeystoreGBean.getCACerts(), etc.).
Any thoughts from the people who are more familiar with the web
containers?
Thanks,
Aaron
