Hi,

Each of the <Connector> elements in catalina-server.xml defines one port number on which Tomcat will listen for requests. AFAIK, the trust store file used to validate client certificates of the connections for a particular port should be the one defined in the connector configuration. This will essentially tell Tomcat to use the specified trust store instead of the default cacerts trust store which Tomcat loads.

For mutual SSL with the X509 authenticator, we can configure a new Tomcat HTTP connector as follows in catalina-server.xml. This supports the HTTP/1.1 protocol and listens on a specific TCP port (8443) for connections.

    <Connector protocol="HTTP/1.1" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/path/to/keystore.jks" keystorePass="keystorepwd"
               truststoreFile="/path/to/truststore.jks" truststorePass="truststorespassword"
               clientAuth="want" sslProtocol="TLS"/>

Note that, with the X509 authenticator, during the authentication the client certificate in the browser will be considered as trusted and sent to the IS server *if and only if the Tomcat connector defined for port "8443" is configured first in the order*. Otherwise, when mutual SSL happens, the already existing connector (9443) will be picked up and the certificate will not be retrieved correctly. If so, the certificate of the CA which issued the client certificate should be added into the server's client-truststore.jks.

Noticed that, when we configure the connector for 8443 first in order, the WSO2 Carbon console will be hosted on both port 8443 ("https://localhost:8443/carbon/") and 9443. Is this expected behavior? Does anyone know the reason for this behavior at the Tomcat level? Appreciate your help on this. If this is expected behavior, we need to mention that in the documentation [1].

[1] https://docs.wso2.com/display/ISCONNECTORS/Configuring+X509Certificate+Authenticator#ConfiguringX509CertificateAuthenticator-ConfiguringtheX509Certificatefortheapp

Thanks and Regards
--
Indunil Upeksha Rathnayake
Software Engineer | WSO2 Inc
Email indu...@wso2.com
Mobile 0772182255
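Two points from the post are worth pinning down with a concrete configuration. First, a Connector in Tomcat belongs to the Service, not to a web application: every Connector under the same Service feeds the same Engine, so all deployed contexts (the Carbon console included) are reachable on every configured port; seeing /carbon on both 8443 and 9443 is the normal result of adding a second connector. Second, `clientAuth="want"` only asks the browser for a certificate and still completes the handshake when none is presented, so a request without a certificate reaches the application and must be rejected there; JSSE advertises the subjects of the CAs in the connector's trust store in its CertificateRequest, which is why the browser offers only certificates chaining to a CA present in that trust store. The following server.xml fragment is an added example, not code from the original post or from WSO2's documentation. It places the posted connector next to a hardened variant that requires the certificate at the TLS layer and restricts protocol versions, in both the classic attribute style and the SSLHostConfig style used by Tomcat 8.5 and later. The `${catalina.base}` and `${keystore.password}`/`${truststore.password}` references assume those properties are supplied via catalina.properties or `-D` system properties rather than stored in clear text in server.xml; the file names are placeholders.

```xml
<!-- Added example: server.xml fragments for a mutual-TLS connector.
     Not from the original post or WSO2 docs. Paths and property names are assumptions. -->

<!-- 1. Connector as posted: certificate is OPTIONAL.
     A client that sends no certificate still gets a TLS session on 8443,
     so the X509 authenticator (not Tomcat) decides what happens without one. -->
<Connector protocol="HTTP/1.1" port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="/path/to/keystore.jks" keystorePass="keystorepwd"
           truststoreFile="/path/to/truststore.jks" truststorePass="truststorespassword"
           clientAuth="want" sslProtocol="TLS"/>

<!-- 2. Hardened variant, classic attribute style (Tomcat 7 / 8.0):
     - clientAuth="true": handshake fails unless the client presents a certificate
       that chains to a CA in truststoreFile; no unauthenticated request reaches the app.
     - sslEnabledProtocols: pin the versions instead of the broad "TLS" value.
     - passwords come from system properties, not literals in server.xml (assumed
       to be defined as keystore.password / truststore.password in catalina.properties). -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="${keystore.password}"
           truststoreFile="${catalina.base}/conf/client-truststore.jks"
           truststorePass="${truststore.password}"
           clientAuth="true"
           sslEnabledProtocols="TLSv1.2"/>

<!-- 3. Same policy in the SSLHostConfig style (Tomcat 8.5 and later):
     certificateVerification="required" is the equivalent of clientAuth="true";
     "optional" is the equivalent of clientAuth="want". -->
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true">
  <SSLHostConfig protocols="TLSv1.2"
                 certificateVerification="required"
                 truststoreFile="${catalina.base}/conf/client-truststore.jks"
                 truststorePassword="${truststore.password}">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/keystore.jks"
                 certificateKeystorePassword="${keystore.password}"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
```

Only one of the three connectors should be active for a given port; they are shown together for comparison. The issuing CA that the post says must be trusted is imported into the connector's trust store with `keytool -importcert -trustcacerts -alias client-ca -file ca.pem -keystore client-truststore.jks`, and a quick check that the server actually demands a certificate is `openssl s_client -connect localhost:8443` without `-cert`: with variant 2 or 3 the handshake is rejected, with variant 1 it succeeds and the decision is left to the application. Because every connector in the Service serves every context, keep the 9443 connector's own `clientAuth`/`truststoreFile` settings in mind as well; the X509 flow is only as strict as the connector the browser actually lands on.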