cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
billbarker2004/01/25 18:11:09 Modified:webapps/docs ssl-howto.xml Log: Document the new value for clientAuth. Revision ChangesPath 1.11 +3 -1 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.10 retrieving revision 1.11 diff -u -r1.10 -r1.11 --- ssl-howto.xml 18 Dec 2003 05:31:48 - 1.10 +++ ssl-howto.xml 26 Jan 2004 02:11:09 - 1.11 @@ -328,7 +328,9 @@ tdcodeclientAuth/code/td tdSet this value to codetrue/code if you want Tomcat to require all SSL clients to present a client Certificate in order to use -this socket./td +this socket. Set this value to codewant/code if you want Tomcat +to request a client Certificate, but not fail if one isn't presented. +/td /tr tr tdcodekeystoreFile/code/td - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
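Review bot: the new sentence for clientAuth="want" should tell deployers that the connector will then accept connections that present no client certificate at all, so the application (or the realm behind it) must itself verify that a certificate was presented before treating the request as authenticated; as written, "want" reads like a milder form of "true". The row also never names the third value, `false`, which is what the sample connector elsewhere in this file uses; one sentence listing `true`, `want` and `false` together with the default would make the table complete.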
cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
billbarker2003/12/17 21:31:48 Modified:webapps/docs ssl-howto.xml Log: updating the SSL docs to match the code. Revision ChangesPath 1.10 +2 -1 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.9 retrieving revision 1.10 diff -u -r1.9 -r1.10 --- ssl-howto.xml 11 Oct 2003 08:52:41 - 1.9 +++ ssl-howto.xml 18 Dec 2003 05:31:48 - 1.10 @@ -376,7 +376,8 @@ /tr tr tdcodetruststorePass/code/td - tdThe password to access the TrustStore./td + tdThe password to access the TrustStore. This defaults to the value + of codekeystorePass/code./td /tr tr tdcodetruststoreType/code/td - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
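Review bot: the added default is useful, but the sentence should say when it applies: "when a truststoreFile is configured and truststorePass is omitted, the keystorePass value is used". It is also worth adding that the truststore, which holds only CA certificates, may be given its own different password, so that the keystore password does not have to be reused for a second file.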
cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
remm2003/10/11 01:52:41 Modified:webapps/docs ssl-howto.xml Log: - Fix XML. Revision ChangesPath 1.9 +0 -1 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- ssl-howto.xml 11 Oct 2003 04:34:24 - 1.8 +++ ssl-howto.xml 11 Oct 2003 08:52:41 - 1.9 @@ -383,7 +383,6 @@ tdAdd this element if your are using a different format for the TrustStore then you are using for the KeyStore. The valid values are codeJKS/code and codePKCS12/code./td -/td /tr /table - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
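Review bot: removing the duplicated `</td>` is the right fix, but the two typos in the unchanged context lines of this same row ("if your are using" should be "if you are using", and "format for the TrustStore then you are using" should be "than you are using") could be corrected in the same commit instead of leaving them for a further documentation-only change.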
cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
billbarker2003/10/10 21:34:24 Modified:webapps/docs ssl-howto.xml Log: Document new configuration value. Revision ChangesPath 1.8 +7 -0 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.7 retrieving revision 1.8 diff -u -r1.7 -r1.8 --- ssl-howto.xml 5 Oct 2003 23:53:52 - 1.7 +++ ssl-howto.xml 11 Oct 2003 04:34:24 - 1.8 @@ -378,6 +378,13 @@ tdcodetruststorePass/code/td tdThe password to access the TrustStore./td /tr + tr + tdcodetruststoreType/code/td +tdAdd this element if your are using a different format for the +TrustStore then you are using for the KeyStore. The valid values are +codeJKS/code and codePKCS12/code./td +/td + /tr /table pAfter completing these configuration changes, you must restart Tomcat as - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
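Review bot: the added truststoreType row closes `</td>` twice (the line ending `codeJKS/code and codePKCS12/code./td` and the following `+/td` line), which leaves the XML malformed; drop the second one. In the same lines "if your are using" should be "if you are using" and "then you are using for the KeyStore" should be "than". The row could also state the behaviour when the element is omitted (the TrustStore is read in the same format as the KeyStore), since that is what the first sentence implies.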
cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
billbarker2003/10/05 16:49:09 Modified:webapps/docs ssl-howto.xml Log: Updating docs, including adding notes for the current limitations of IBM's implementation of JSSE. Revision ChangesPath 1.6 +42 -7 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.5 retrieving revision 1.6 diff -u -r1.5 -r1.6 --- ssl-howto.xml 4 Aug 2003 05:13:35 - 1.5 +++ ssl-howto.xml 5 Oct 2003 23:49:09 - 1.6 @@ -29,7 +29,7 @@ pTo install and configure SSL support on Tomcat 5, you need to follow these simple steps. For more information, read the rest of this HOW-TO./p ol -liIf you are running a 1.3 JVM, download JSSE 1.0.2 (or later) from +liIf you are running a 1.3 JVM, download JSSE 1.0.3 (or later) from a href=http://java.sun.com/products/jsse/;http://java.sun.com/products/jsse//a and either make it an eminstalled extension/em on the system, or else set an environment variable codeJSSE_HOME/code that points at the @@ -176,10 +176,10 @@ subsection name=Download and Install JSSE pDownload the emJava Secure Socket Extensions/em (JSSE) package, -version 1.0.2 or later, from +version 1.0.3 or later, from a href=http://java.sun.com/products/jsse/;http://java.sun.com/products/jsse//a. If you built Tomcat from source, you have probably already downloaded this -package. If you are running JDK 1.4 (currently in beta), these classes have +package. If you are running JDK 1.4.x, these classes have been integrated directly into the JDK, so you can skip this entire step./p pAfter expanding the package, there are two ways to make it available to 
@@ -197,15 +197,27 @@ subsection name=Prepare the Certificate Keystore -pTomcat currently operates only on codeJKS/code format keystores. This +pTomcat currently operates only on codeJKS/code or codePKCS12/code +format keystores. The codeJKS/code format is Java's standard Java KeyStore format, and is the format created by the codekeytool/code command-line utility. This tool is included in the JDK. +The codePKCS12/code format is an internet standard, and can be manipulated +via (among other things) OpenSSL and Microsoft's Key-Manager. However, +currently there are some limitations on the support for codePKCS12/code. /p pTo import an existing certificate into a JKS keystore, please read the documentation (in your JDK documentation package) about codekeytool/code. /p - +pTo import an existing certificate signed by your own CA into a PKCS12 +keystore using OpenSSL you would execute a command like: +/sourceopenssl pkcs12 -export -infile mycert.crt -inkey mykey.key \ +-outfile mycert.p12 -name tomcat -CAfile myCA.crt \ +-caname root -chain +/source +For more advanced cases, consult the a href=http://www.openssl.org/;OpenSSL +documententation/a. +/p pTo create a new keystore from scratch, containing a single self-signed Certificate, execute the following from a terminal command line:/p pWindows:/p @@ -276,7 +288,7 @@ port=8443 minProcessors=5 maxProcessors=75 enableLookups=true disableUploadTimeout=true acceptCount=100 debug=0 scheme=https secure=true; - clientAuth=false sslprotocol=TLS/gt; + clientAuth=false sslProtocol=TLS/gt; --gt; /source 
@@ -333,14 +345,37 @@ password than the one Tomcat expects (codechangeit/code)./td /tr tr +tdcodekeystoreType/code/td +tdAdd this element if using a PKCS12 keystore. The valid values are +codeJKS/code and codePKCS12/code. + tr tdcodesslProtocol/code/td tdThe encryption/decryption protocol to be used on this socket. -Do not change the default value./td +It is not recommended to change this value if you are using Sun's +JVM. It is reported that IBM's 1.4.1 implementation +of the TLS protocol is not compatible with some popular browsers. +In this case, use the value codeSSL/code./td /tr tr tdcodeciphers/code/td tdThe comma separated list of encryption ciphers that this socket is allowed to use. By default, any available cipher is allowed./td + /tr + tr +tdcodealgorithm/code/td +tdThe codeX509/code algorithm to use. This defaults to the Sun +implementation (codeSunX509/code). For IBM JVMs you should use +the value codeIbmX509/code. For other vendors, consult the JVM +documentation for the correct value. +/td + /tr + tr + tdcodetruststoreFile/code/td + tdThe TrustStore file to use to validate client certificates./td
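Review bot: in the @@ -197,15 hunk the example command is wrapped in a closing `/source` tag where an opening `source` tag is needed, and the flags `-infile` and `-outfile` are not options of `openssl pkcs12`: the input certificate and the output file are given with `-in mycert.crt` and `-out mycert.p12`, so the command as written is rejected by openssl. The sentence "currently there are some limitations on the support for PKCS12" should say which limitations, otherwise a reader cannot tell whether their deployment is affected; and "documententation" is a typo for "documentation".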
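Review bot: in the @@ -333,14 hunk the new keystoreType row has no closing `</td>` or `</tr>` before the next `tr`, so the table is malformed. For sslProtocol, the advice to IBM 1.4.1 users to set the value to `SSL` should be framed as a compatibility workaround for that JVM only and should state which protocol versions that value negotiates, because a reader could otherwise take `SSL` as a general alternative to the `TLS` default. The truststoreFile row would also benefit from a cross-reference to clientAuth, since the truststore is only consulted to validate client certificates when they are requested.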
cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
billbarker2003/10/05 16:53:52 Modified:webapps/docs ssl-howto.xml Log: Fix typos. I knew there was a good reason why I don't write docs :). Revision ChangesPath 1.7 +3 -2 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.6 retrieving revision 1.7 diff -u -r1.6 -r1.7 --- ssl-howto.xml 5 Oct 2003 23:49:09 - 1.6 +++ ssl-howto.xml 5 Oct 2003 23:53:52 - 1.7 @@ -211,7 +211,7 @@ /p pTo import an existing certificate signed by your own CA into a PKCS12 keystore using OpenSSL you would execute a command like: -/sourceopenssl pkcs12 -export -infile mycert.crt -inkey mykey.key \ +sourceopenssl pkcs12 -export -infile mycert.crt -inkey mykey.key \ -outfile mycert.p12 -name tomcat -CAfile myCA.crt \ -caname root -chain /source @@ -347,7 +347,8 @@ tr tdcodekeystoreType/code/td tdAdd this element if using a PKCS12 keystore. The valid values are -codeJKS/code and codePKCS12/code. +codeJKS/code and codePKCS12/code./td + /tr tr tdcodesslProtocol/code/td tdThe encryption/decryption protocol to be used on this socket. - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
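Review bot: changing `/source` to `source` and adding the missing `</td>` and `</tr>` are correct, but the unchanged context lines of the first hunk still carry `-infile` and `-outfile`, which `openssl pkcs12` does not accept; the options are `-in` and `-out`, so the example command in the docs remains unrunnable after this commit.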
cvs commit: jakarta-tomcat-catalina/webapps/docs ssl-howto.xml
luehe 2003/01/23 15:45:12 Modified:webapps/docs ssl-howto.xml Log: Updated SSL configuration info with appropriate connector and socket factory class names, so that it matches the info in server.xml Revision ChangesPath 1.4 +5 -5 jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml Index: ssl-howto.xml === RCS file: /home/cvs/jakarta-tomcat-catalina/webapps/docs/ssl-howto.xml,v retrieving revision 1.3 retrieving revision 1.4 diff -u -r1.3 -r1.4 --- ssl-howto.xml 15 Jan 2003 03:40:43 - 1.3 +++ ssl-howto.xml 23 Jan 2003 23:45:12 - 1.4 @@ -270,13 +270,13 @@ for an SSL connector is included in the default codeserver.xml/code file installed with Tomcat. It will look something like this:/p source -lt;-- Define an SSL HTTP/1.1 Connector on port 8443 --gt; +lt;-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 --gt; lt;!-- -lt;Connector className=org.apache.catalina.connector.http.HttpConnector +lt;Connector className=org.apache.coyote.tomcat5.CoyoteConnector port=8443 minProcessors=5 maxProcessors=75 - enableLookups=true - acceptCount=10 debug=0 scheme=https secure=truegt; - lt;Factory className=org.apache.catalina.net.SSLServerSocketFactory + enableLookups=true disableUploadTimeout=true + acceptCount=100 debug=0 scheme=https secure=truegt; + lt;Factory className=org.apache.coyote.tomcat5.CoyoteServerSocketFactory clientAuth=false protocol=TLS/gt; lt;/Connectorgt; --gt; -- To unsubscribe, e-mail: mailto:[EMAIL PROTECTED] For additional commands, e-mail: mailto:[EMAIL PROTECTED]
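Review bot: the hunk changes more than the connector and factory class names the log message describes: acceptCount goes from 10 to 100 and disableUploadTimeout="true" is added; either mention those in the log message or commit them separately, so that a reader comparing the docs with server.xml knows the values are deliberate. Minor: "Define a SSL Coyote" reads better as "Define an SSL Coyote".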