RE: SSL certificate help!
Here is what worked for me:

STEP A - generate your private key
Pre-req: JDK must be installed
1) cd to $JAVA_HOME/jre/bin
2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore FULL PATH TO KEYSTORE
3) You will be prompted for a password for the keystore
4) at the prompts, enter:
   What is your first and last name?
     [Unknown]: DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S KNOWN TO VISITORS
   What is the name of your organizational unit?
     [Unknown]: WHATEVER YOU LIKE
   What is the name of your organization?
     [Unknown]: TYPICALLY COMPANY NAME
   What is the name of your City or Locality?
     [Unknown]: YOUR CITY
   What is the name of your State or Province?
     [Unknown]: STATE OR PROV
   What is the two-letter country code for this unit?
     [Unknown]: COUNTRY CODE
5) You will then be prompted for another password - use the same (ie. Press ENTER)

STEP B - Generate a Certificate Request
1) cd to $JAVA_HOME/jre/bin
2) ./keytool -certreq -alias tomcat -file csr.txt -keystore FULL PATH TO SAME KEYSTORE CREATED IN STEP A

STEP C - Get the new cert from Verisign
www.versign.com has all the info here

STEP D - Install the Verisign ROOT CA cert AND your server cert
When you get your cert in step C, they will provide you with the root cert
1) cd to $JAVA_HOME/jre/bin
2) ./keytool -import -alias verisign -file FILE THAT CONTAINS THE VERISIGN ROOT CA CERT -keystore PATH TO KEYSTORE
3) ./keytool -import -trustcacerts -alias tomcat -file FILE THAT CONTAINS YOUR CERT FROM VERISIGN -keystore PATH TO KEYSTORE

STEP E - Configure an SSL listener for tomcat
1) edit $JAKARTA_HOME/conf/server.xml and add the following:

   <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
   <Connector className="org.apache.catalina.connector.http.HttpConnector"
              port="443" minProcessors="5" maxProcessors="75"
              enableLookups="true" acceptCount="10" debug="10"
              scheme="https" secure="true">
     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
              clientAuth="false" protocol="TLS"
              keystoreFile="FULL PATH TO KEYSTORE FILE"
              keystorePass="PASSWORD HERE"/>
   </Connector>

2) Stop and start the tomcat server

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 06, 2002 6:27 AM
To: [EMAIL PROTECTED]
Subject: SSL certificate help!

Hello all,
I have got a Trial SSL Server Digital ID from Verisign. I would like to know how to configure it with tomcat (3.2.1). I'm trying to enable SSL with tomcat. Any help in this regard would be most welcome.
thanks in advance
Ritesh
Possible to deploy pre-compiled JSPs with tomcat?
Is it possible to deploy pre-compiled (ie. binary) JSPs with tomcat? We're potentially going to be deploying our app to many sites that we don't have full control over, where we'd like to keep the source hidden. I did some digging with other engines (specifically Oracle) and found this... Just wondering if the same is possible with tomcat.

Thanks
Dave

Deployment of Binary Files Only
If your JSP source is proprietary, you can avoid exposing the source by pre-translating JSP pages and deploying only the translated and compiled binary files. Pages that are pre-translated, either from previous execution in an on-demand translation scenario or by using ojspc, can be deployed to any environment that supports the OracleJSP container.
List manager busted?
I've sent an email to the list owner, but no reply yet. It seems the unsubscribe function isn't working. Can anyone here help out?

Thanks
Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 01, 2002 5:26 PM
To: Dave North
Subject: failure notice

Hi. This is the qmail-send program at nagoya.betaversion.org.
I'm afraid I wasn't able to deliver your message to the following addresses.
This is a permanent error; I've given up. Sorry it didn't work out.

[EMAIL PROTECTED]:
Sorry, no mailbox here by that name. (#5.1.1)

--- Below this line is a copy of the message.

From: Dave North [EMAIL PROTECTED]
To: tomcat-user-uc.1020288367.deebcnlbhphdailhcjkc-Dave.North=[EMAIL PROTECTED]
Subject:
Date: Wed, 1 May 2002 17:26:24 -0400
RE: tomcat and SSL (keyfile password)
It's because you've not imported their root level cert... you need to do that before you import your cert. You also need their top level cert in your browser.

BTW: I tested all my stuff on JDK 1.3.1 - I have no idea if this will work with earlier versions (based on what you've said though my guess is not!)

D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 7:25 PM
To: Tomcat Users List; Dave North
Subject: Re: tomcat and SSL (keyfile password)

Hi dave
I resolved this by moving to jdk1.4 but now my browser says it is self signed... Verisign info is not really imported. Why??
thanks in advance
bm

[EMAIL PROTECTED] wrote:
Hi Dave
thanks for document. Now I got stuck when I try to import the verisign certificate. The error message is
keytool error: java.lang.Exception: Input not an X.509 certificate
I attached my certificate also.. can you help me please? It is a trial cert from verisign
Reg
BM
RE: tomcat and SSL (keyfile password)
Hmm... are you copying the FULL text of the cert (ie. the BEGIN...END stuff as well?). You need EVERYTHING that VS returns to you. That's all I can think of that might be wrong there. The verisign root cert might not be in the correct format... if so, load it into IE and then export it as a base64 cert (in IE6: Tools - Internet Options - Content - Certificates - Trusted Root Authorities - For Verisign authorized testing...)

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 6:26 PM
To: Tomcat Users List
Cc: Dave North
Subject: Re: tomcat and SSL (keyfile password)

Hi Dave
thanks for document. Now I got stuck when I try to import the verisign certificate. The error message is
keytool error: java.lang.Exception: Input not an X.509 certificate
I attached my certificate also.. can you help me please? It is a trial cert from verisign
Reg
BM
RE: How to enforce SSL???
You can do this by setting up a connector for your application in server.xml that is HTTPS only.

Dave

-----Original Message-----
From: Steve D George [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 12:04 PM
To: [EMAIL PROTECTED]
Subject: How to enforce SSL???

Hi,
I'm working with a standalone Tomcat 4.0.2 on W2K. I've just gone through the SSL How To and created myself a little certificate and got everything working over SSL. I can access all my pages over HTTP or HTTPS. My question now is how to enforce the use of HTTPS for a given page. The SSL How To says that any page that absolutely requires SSL should check the protocol of the request and take the appropriate action, by which I presume it means that you code a redirect to the same page but over https. Is this the standard way to enforce it though? I sort of imagined that you would be able to say that any page in a certain directory should be served over HTTPS and just let tomcat handle it for you?

Thanks for any help,
Have a great weekend everyone!
Cheers,
Steve.
RE: tomcat and SSL (keyfile password)
There could be several problems here:

1) no root level cert import BEFORE. When you get the test cert from verisign, they talk about getting the root level certs for tests. You can download it from here: http://www.verisign.com/server/trial/faq/index.html
You MUST import this first into your keystore with the command I provided:
./keytool -import -alias verisign -file FILE THAT CONTAINS THE VERISIGN ROOT CA CERT -keystore PATH TO KEYSTORE

2) I made this mistake several times - make sure you're always importing to the same keystore. By this I mean I kept forgetting to add the -keystore parameter to the keytool command line and so it wasn't applying the new cert to the tomcat alias in the keystore file.

Dave

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Friday, April 26, 2002 1:57 PM
To: Dave North
Cc: Tomcat Users List
Subject: Re: tomcat and SSL (keyfile password)

Hi dave
you're correct!!! It is not because of jdk1.3. I found later on that any line space at the top of the .cer file from verisign is causing this problem... but if you save that verisign id into a .txt file then it accepts that line space at the top!!! So magic!!
Now it says that the cert is imported and added to the key.. but when I go and see the cert detail in my browser it shows my old finger print (mine); CA is also mine. I loaded the browser piece already as per verisign instruction. I am not able to understand the root level cert and import... can you please make me understand that concept...
here is the IP https://63.118.43.23:8443
I appreciate your feedback
thanks in advance
BM
Did you load the verisign trial id
tomcat and SSL (keyfile password)
Hello,
After a few hours trying to get this working, I've finally got my tomcat server working with a certificate signed by Verisign. This all works great. However, to do this, I need to configure the keyfilePass into the server.xml file. This is bad as our security policy is thou shall not have any passwords in plain text. We also use SSL on our iPlanet server and it prompts at start time for the password (they use the term software token but it's the same).

So, the question is: is it possible to have tomcat prompt for this and/or how have others got around keeping this in plain text?

BTW: if anyone's interested, I have the complete step-by-step of how I got the Verisign cert working... the info is out there but it seems to be all over the place.

Thanks
Dave

Dave North
SIGNIANT Inc.
Trusted Data Transfer Services
www.signiant.com
Phone: 613-761-3623
Mobile: 613-294-3231
Fax: 613-761-3629
Email: [EMAIL PROTECTED]
RE: tomcat and SSL (keyfile password)
OK, here's what I did (this was using a test Verisign cert but the procedure is the same for a real production cert):

STEP A - generate your private key
Pre-req: JDK must be installed
1) cd to $JAVA_HOME/jre/bin
2) run ./keytool -genkey -alias tomcat -keyalg RSA -keystore FULL PATH TO KEYSTORE
3) You will be prompted for a password for the keystore
4) at the prompts, enter:
   What is your first and last name?
     [Unknown]: DO NOT USE NAME - ENTER THE NAME OF YOUR MACHINE AS IT'S KNOWN TO VISITORS
   What is the name of your organizational unit?
     [Unknown]: WHATEVER YOU LIKE
   What is the name of your organization?
     [Unknown]: TYPICALLY COMPANY NAME
   What is the name of your City or Locality?
     [Unknown]: YOUR CITY
   What is the name of your State or Province?
     [Unknown]: STATE OR PROV
   What is the two-letter country code for this unit?
     [Unknown]: COUNTRY CODE
5) You will then be prompted for another password - use the same (ie. Press ENTER)

STEP B - Generate a Certificate Request
1) cd to $JAVA_HOME/jre/bin
2) ./keytool -certreq -alias tomcat -file csr.txt -keystore FULL PATH TO SAME KEYSTORE CREATED IN STEP A

STEP C - Get the new cert from Verisign
www.versign.com has all the info here

STEP D - Install the Verisign ROOT CA cert AND your server cert
When you get your cert in step C, they will provide you with the root cert
1) cd to $JAVA_HOME/jre/bin
2) ./keytool -import -alias verisign -file FILE THAT CONTAINS THE VERISIGN ROOT CA CERT -keystore PATH TO KEYSTORE
3) ./keytool -import -trustcacerts -alias tomcat -file FILE THAT CONTAINS YOUR CERT FROM VERISIGN -keystore PATH TO KEYSTORE

STEP E - Configure an SSL listener for tomcat
1) edit $JAKARTA_HOME/conf/server.xml and add the following:

   <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
   <Connector className="org.apache.catalina.connector.http.HttpConnector"
              port="443" minProcessors="5" maxProcessors="75"
              enableLookups="true" acceptCount="10" debug="10"
              scheme="https" secure="true">
     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
              clientAuth="false" protocol="TLS"
              keystoreFile="FULL PATH TO KEYSTORE FILE"
              keystorePass="PASSWORD HERE"/>
   </Connector>

2) Stop and start the tomcat server

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thursday, April 25, 2002 2:29 PM
To: Tomcat Users List
Subject: Re: tomcat and SSL (keyfile password)

Hi Dave
ohhh... good to know that. I need to set up tomcat 4.0.3 with verisign. Can you please send those docs to me? I appreciate your help
thanks in advance
BM
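As an added example (not from any of the list posts), a small POSIX shell helper for the pre-flight a practitioner would want before steps D.2 and D.3 above: it keeps only the BEGIN/END block of a downloaded cert, dropping the leading blank lines and CR line endings that produced the "Input not an X.509 certificate" error in the earlier thread, refuses a file with no complete block, and always passes -keystore so the import lands in the tomcat alias. The alias names follow the post; the file names, keystore path and the sample .cer are assumptions/constructed.

```shell
#!/bin/sh
# Added example, not from the list posts.  Pre-flight for STEP D above:
# clean the CA/server cert files and import them in the order the thread
# insists on.  Alias names (verisign, tomcat) follow the post; file names,
# the keystore path and the sample cert below are assumptions/constructed.

# normalize_pem IN OUT
# BM's import failed because the .cer from Verisign had blank lines at the
# top (and CRLF endings); Dave's tip was to paste EVERYTHING between the
# BEGIN and END markers.  This keeps exactly the BEGIN..END block, with
# CRs and surrounding whitespace removed, and fails if there is no block.
normalize_pem() {
    in=$1
    out=$2
    tr -d '\r' < "$in" |
        sed 's/^[[:space:]]*//; s/[[:space:]]*$//' |
        sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' > "$out"
    if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$out" ||
       ! grep -q '^-----END CERTIFICATE-----$' "$out"; then
        echo "$in: no complete BEGIN/END CERTIFICATE block (copy all of what the CA returned)" >&2
        return 1
    fi
    return 0
}

# cert_block_count FILE: how many certificates a cleaned file holds
# (a root-CA file should hold one; a chain file holds several).
cert_block_count() {
    grep -c '^-----BEGIN CERTIFICATE-----$' "$1" || true
}

# import_chain KEYSTORE ROOT_CER SERVER_CER
# Steps D.2 and D.3: root CA first, then the server cert under the SAME
# alias that -genkey used, and -keystore on every call (forgetting it was
# Dave's second mistake: keytool then falls back to ~/.keystore).
# Needs the JDK's keytool on PATH; keytool prompts for the keystore password.
import_chain() {
    ks=$1
    root=$2
    server=$3
    normalize_pem "$root" "$root.clean" || return 1
    normalize_pem "$server" "$server.clean" || return 1
    keytool -import -alias verisign -file "$root.clean" -keystore "$ks" || return 1
    keytool -import -trustcacerts -alias tomcat -file "$server.clean" -keystore "$ks"
}

# Demo on a constructed .cer that shows the problem: leading blank lines
# and CRLF endings around a made-up (not real) certificate body.
demo() {
    tmp=$(mktemp -d)
    printf '\r\n   \r\n-----BEGIN CERTIFICATE-----\r\nMIIBconstructedNotARealCertificateBody\r\n-----END CERTIFICATE-----\r\n' \
        > "$tmp/verisign-root.cer"
    if normalize_pem "$tmp/verisign-root.cer" "$tmp/verisign-root.pem"; then
        echo "cleaned file holds $(cert_block_count "$tmp/verisign-root.pem") certificate(s):"
        cat "$tmp/verisign-root.pem"
    fi
    rm -rf "$tmp"
}
demo
```

Run `import_chain /path/to/keystore verisign-root.cer server.cer` once keytool is on PATH; the demo at the bottom only exercises the offline clean-up.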
Apache/WARP connector/trailing slash
OK, I searched the list archive for this but couldn't find a solution.

Tomcat 4.0.1 running on RedHat 7.1
Apache 1.3.2
WARP connector

How can I setup apache/tomcat/WARP so I don't need the trailing slash? ie. http://myhost.acme.com/examples

I'm sure it must be possible but I don't see an obvious way to do it.

Cheers
Dave
why use mod_webapp?
Hi Folks,
I'm already using mod_webapp for handling my tomcat traffic via apache. My question from a guy here is why do we do this and not just create a simple re-direct page? ie. create a directory with a 1 line HTML page in it that re-directs to the tomcat HTTP server. Are there other advantages to using the WARP connector?

Thanks
Dave
RE: why use mod_webapp?
Well, ya I know this. But you could still have apache do a re-direct to tomcat on whatever port it's listening on (say 8080) and get the same result. My own personal opinion is mod_webapp is cleaner but I'm under some pressure to say WHY it's better. Can't really think of any good reasons really.

Dave

-----Original Message-----
From: Brian Adams [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 31, 2002 3:23 PM
To: 'Tomcat Users List'
Subject: RE: why use mod_webapp?

same port! port 80 is http (apache); tomcat would then have to run alone on another machine or Virtual IP. the beauty is that we can now SSI jsp/servlet in html and you never bounce to another port or have to add DNS entries... just a few reasons, you'll get more and better explained.
B
RE: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
Hi Denny,
Just tried that - no joy. It then complains about the webAppDeploy lines being an invalid serverName.

Cheers
Dave

-----Original Message-----
From: Denny Chambers [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 4:52 PM
To: Tomcat Users List
Subject: Re: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4

Have you tried it without the ServerName directive set in the VirtualHost _default_:443 directive?

Chambers, Norman (Denny) wrote:
If tomcat and apache are running on the try using localhost:8080 here:
WebAppConnection myconn warp ottas13a.ott.signiant.com:8008
Also do you have the ServerName and Port directive set in the httpd.conf? The directives are required by SSL.

Dave North wrote:
sure. Actually, back in the mailing list archive I just found someone who had the exact same problem... no solution alas.

The server.xml file is the bog standard one with no changes from a tomcat install. My httpd.conf info (basically the standard mod_ssl config with the webAppDeploy stuff bolted in):

##
## SSL Virtual Host Context
##

<VirtualHost _default_:443>

#   General setup for the virtual host
DocumentRoot /usr/local/apache/htdocs
ServerName ottas13a.ott.signiant.com
ServerAdmin [EMAIL PROTECTED]
ErrorLog /usr/local/apache/logs/error_log
TransferLog /usr/local/apache/logs/access_log

#   SSL Engine Switch:
#   Enable/Disable SSL for this virtual host.
SSLEngine on

#   SSL Cipher Suite:
#   List the ciphers that the client is permitted to negotiate.
#   See the mod_ssl documentation for a complete list.
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL

#   Server Certificate:
#   Point SSLCertificateFile at a PEM encoded certificate.  If
#   the certificate is encrypted, then you will be prompted for a
#   pass phrase.  Note that a kill -HUP will prompt again.  A test
#   certificate can be generated with `make certificate' under
#   built time. Keep in mind that if you've both a RSA and a DSA
#   certificate you can configure both in parallel (to also allow
#   the use of DSA ciphers, etc.)
SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
#SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt

#   Server Private Key:
#   If the key is not combined with the certificate, use this
#   directive to point at the key file.  Keep in mind that if
#   you've both a RSA and a DSA private key you can configure
#   both in parallel (to also allow the use of DSA ciphers, etc.)
SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
#SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key

#   Server Certificate Chain:
#   Point SSLCertificateChainFile at a file containing the
#   concatenation of PEM encoded CA certificates which form the
#   certificate chain for the server certificate. Alternatively
#   the referenced file can be the same as SSLCertificateFile
#   when the CA certificates are directly appended to the server
#   certificate for convenience.
#SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt

#   Certificate Authority (CA):
#   Set the CA certificate verification path where to find CA
#   certificates for client authentication or alternatively one
#   huge file containing all of them (file must be PEM encoded)
#   Note: Inside SSLCACertificatePath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCACertificatePath /usr/local/apache/conf/ssl.crt
#SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt

#   Certificate Revocation Lists (CRL):
#   Set the CA revocation path where to find CA CRLs for client
#   authentication or alternatively one huge file containing all
#   of them (file must be PEM encoded)
#   Note: Inside SSLCARevocationPath you need hash symlinks
#         to point to the certificate files. Use the provided
#         Makefile to update the hash symlinks after changes.
#SSLCARevocationPath /usr/local/apache/conf/ssl.crl
#SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle.crl

#   Client Authentication (Type):
#   Client certificate verification type and depth.  Types are
#   none, optional, require and optional_no_ca.  Depth is a
#   number which specifies how deeply to verify the certificate
#   issuer chain before deciding the certificate is not valid.
#SSLVerifyClient require
#SSLVerifyDepth  10

#   Access Control:
#   With SSLRequire you can do per-directory access control based
#   on arbitrary complex boolean expressions containing server
#   variable checks and other lookup directives.  The syntax is a
#   mixture between C and Perl.  See the mod_ssl documentation
#   for more details.
#<Location />
#SSLRequire (%{SSL_CIPHER} !~ m/^(EXP|NULL
RE: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
      overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="apache_log." suffix=".txt"
              timestamp="true"/>

      <!-- Because this Realm is here, an instance will be shared globally -->
      <Realm className="org.apache.catalina.realm.MemoryRealm" />

    </Engine>

  </Service>

</Server>

-----Original Message-----
From: Denny Chambers [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, January 22, 2002 10:11 AM
To: Tomcat Users List
Subject: Re: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4

This is really strange. I have the same setup. I set the Server Name directive once in the main portion of the httpd.conf. My VirtualHost _default_:443 context is very similar to yours, except I don't have the Server Name defined within it. My WebAppConnection and WebAppDeploy lines are similar as well; I use localhost as my server name in the WebAppConnection directive.

What about your server.xml? Let's see what that looks like. I'm kind of running out of suggestions. Sorry!

Dave North wrote:

> Hi Denny,
>
> Just tried that - no joy. It then complains about the webAppDeploy lines being an invalid serverName.
>
> Cheers
>
> Dave
>
> -----Original Message-----
> From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> Sent: Monday, January 21, 2002 4:52 PM
> To: Tomcat Users List
> Subject: Re: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
>
> Have you tried it without the ServerName directive set in the VirtualHost _default_:443 directive?
>
> Chambers, Norman (Denny) wrote:
>
>> If tomcat and apache are running on the try using localhost:8080 here:
>> WebAppConnection myconn warp ottas13a.ott.signiant.com:8008
>>
>> Also do you have the ServerName and Port directive set in the httpd.conf? The directives are required by SSL.
>>
>> Dave North wrote:
>>
>>> sure. Actually, back in the mailing list archive I just found someone who had the exact same problem...no solution alas.
>>>
>>> The server.xml file is the bog standard one with no changes from a tomcat install.
>>>
>>> My httpd.conf info (basically the standard mod_ssl config with the webAppDeploy stuff bolted in):
wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
Hello all,

I have the following config:

apache 1.3.2.2 using mod_ssl and mod_webapp
tomcat 4.0.1
RH Linux 7.1

I had successfully configured apache to talk via the warp connector to tomcat for our JSP application. Now I wanted to add SSL support so I downloaded and installed mod_ssl. No problems so far. However, when I go to https://myhost/myapp/ it fails because it's re-directed me to http://myhost:443/myapp/index.jsp. I have the same problem with the examples. When served from tomcat directly (in http), no problems. I can't seem to find anything on this problem and it's driving me crazy! :)

Snippet from my httpd.conf:

# DN for tomcat
WebAppConnection myconn warp localhost:8008
WebAppDeploy examples myconn /examples/
WebAppDeploy myapp myconn /myapp/
WebAppInfo /webapp-info

I'm just using the standard server.xml for tomcat.

Any help is MUCH appreciated.

Cheers

Dave

Dave North
SIGNIANT Inc.
Trusted Data Transfer Services
www.signiant.com
Phone: 613-761-3623
Fax: 613-761-3629
EMail: [EMAIL PROTECTED]

--
To unsubscribe: mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
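The redirect Dave reports (an https request answered with a Location of http://myhost:443/...) is exactly what a servlet container produces when it builds an absolute redirect URL from a request whose scheme it believes is http while the port it sees is 443. The Python model below of that URL construction, together with a check that flags such https-to-http downgrade redirects, is an added illustration and not code from the thread or from Tomcat; the RequestView fields, function names and sample values are assumptions of this example.

```python
"""Model how a servlet container turns a relative redirect into an absolute
Location header, and flag the https -> http downgrade seen in the thread.
Added illustration, not Tomcat's own code."""
from dataclasses import dataclass
from urllib.parse import urlsplit

# Ports a container treats as implicit for each scheme.
DEFAULT_PORTS = {"http": 80, "https": 443}


@dataclass
class RequestView:
    """What the container believes about the request. Behind a front-end proxy
    these values come from the connector configuration and forwarded headers,
    not from the browser's real TLS connection (hypothetical structure)."""
    scheme: str
    server_name: str
    server_port: int
    uri: str  # path of the current request, e.g. /myapp/


def to_absolute(req: RequestView, location: str) -> str:
    """Mimic sendRedirect() absolute-URL construction:
    scheme://host[:port]/path, where the port is omitted only when it is the
    default for the scheme the container thinks it is serving."""
    if "://" in location:
        return location  # already absolute, passed through unchanged
    if location.startswith("/"):
        path = location
    else:
        # Relative target is resolved against the directory of the request URI.
        base = req.uri.rsplit("/", 1)[0]
        path = f"{base}/{location}"
    if DEFAULT_PORTS.get(req.scheme) == req.server_port:
        port = ""
    else:
        port = f":{req.server_port}"
    return f"{req.scheme}://{req.server_name}{port}{path}"


def is_downgrade(original_url: str, location: str) -> bool:
    """True when a request made over https is redirected to a plain-http URL,
    the pattern worth alerting on when reviewing proxy or access logs."""
    o, l = urlsplit(original_url), urlsplit(location)
    return o.scheme == "https" and l.scheme == "http"


def demo():
    # Constructed input mirroring the thread: the browser requested
    # https://myhost/myapp/, Apache forwarded it on port 443, but the
    # connector has not been told the connection is secure, so scheme is http.
    misconfigured = RequestView("http", "myhost", 443, "/myapp/")
    bad = to_absolute(misconfigured, "index.jsp")
    # Same request with the connector marked secure: the scheme is kept and
    # 443 is now the default port, so it is dropped from the URL.
    corrected = RequestView("https", "myhost", 443, "/myapp/")
    good = to_absolute(corrected, "index.jsp")
    return bad, good


if __name__ == "__main__":
    for url in demo():
        print(url, "DOWNGRADE" if is_downgrade("https://myhost/myapp/", url) else "ok")
```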
RE: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
nope, I just used the default config. As I said, it works just fine under HTTP but I get these zany redirects when it's HTTPS...it almost seems like I need to somehow tell tomcat to use the keyword HTTPS instead of the HTTP keyword (as it just puts in the 443 port). Very weird.

Dave

-----Original Message-----
From: Tamim, Samir [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 3:48 PM
To: 'Tomcat Users List'
Subject: RE: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4

Hi Dave,

Do you have a special config on linux? I have problems requesting the /examples via the connector on Solaris 8. Did you change something, or was it straightforward as documented?

Thanks
Sam

-----Original Message-----
From: Dave North [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 15:46
To: [EMAIL PROTECTED]
Subject: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
RE: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
# of the
# server (always existing) and the client (only existing when client
# authentication is used). This can be used to import the certificates
# into CGI scripts.
# o StdEnvVars:
# This exports the standard SSL/TLS related `SSL_*' environment variables.
# Per default this exportation is switched off for performance reasons,
# because the extraction step is an expensive operation and is usually
# useless for serving static content. So one usually enables the
# exportation for CGI and SSI requests only.
# o CompatEnvVars:
# This exports obsolete environment variables for backward compatibility
# to Apache-SSL 1.x, mod_ssl 2.0.x, Sioux 1.0 and Stronghold 2.x. Use this
# to provide compatibility to existing CGI scripts.
# o StrictRequire:
# This denies access when SSLRequireSSL or SSLRequire applied even
# under a Satisfy any situation, i.e. when it applies access is denied
# and no other module can change it.
# o OptRenegotiate:
# This enables optimized SSL connection renegotiation handling when SSL
# directives are used in per-directory context.
#SSLOptions +FakeBasicAuth +ExportCertData +CompatEnvVars +StrictRequire
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/apache/cgi-bin">
    SSLOptions +StdEnvVars
</Directory>

# SSL Protocol Adjustments:
# The safe and default but still SSL/TLS standard compliant shutdown
# approach is that mod_ssl sends the close notify alert but doesn't wait for
# the close notify alert from client. When you need a different shutdown
# approach you can use one of the following variables:
# o ssl-unclean-shutdown:
# This forces an unclean shutdown when the connection is closed, i.e. no
# SSL close notify alert is send or allowed to received. This violates
# the SSL/TLS standard but is needed for some brain-dead browsers. Use
# this when you receive I/O errors because of the standard approach where
# mod_ssl sends the close notify alert.
# o ssl-accurate-shutdown:
# This forces an accurate shutdown when the connection is closed, i.e. a
# SSL close notify alert is send and mod_ssl waits for the close notify
# alert of the client. This is 100% SSL/TLS standard compliant, but in
# practice often causes hanging connections with brain-dead browsers. Use
# this only for browsers where you know that their SSL implementation
# works correctly.
# Notice: Most problems of broken clients are also related to the HTTP
# keep-alive facility, so you usually additionally want to disable
# keep-alive for those clients, too. Use variable nokeepalive for this.
# Similarly, one has to force some clients to use HTTP/1.0 to workaround
# their broken HTTP/1.1 implementation. Use variables downgrade-1.0 and
# force-response-1.0 for this.
SetEnvIf User-Agent ".*MSIE.*" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0

# Per-Server Logging:
# The home of a custom SSL log file. Use this when you want a
# compact non-error SSL logfile on a virtual host basis.
CustomLog /usr/local/apache/logs/ssl_request_log \
    "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

# DN for tomcat
WebAppConnection myconn warp ottas13a.ott.signiant.com:8008
WebAppDeploy examples myconn /examples/
WebAppDeploy signiant myconn /signiant/
WebAppInfo /webapp-info

</VirtualHost>

-----Original Message-----
From: Denny Chambers [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 4:10 PM
To: Tomcat Users List
Subject: Re: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4

I have this same setup working without any problems. Can you send the section of the httpd.conf where you set up the https server? In tomcat are you using both the http connector and the warp connector? Not sure if this would cause a problem or not; I am only using the warp connector by itself.
RE: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4
-----Original Message-----
From: Denny Chambers [mailto:[EMAIL PROTECTED]]
Sent: Monday, January 21, 2002 4:37 PM
To: Tomcat Users List
Subject: Re: wacky HTTPS-HTTP re-direct problem w/apache and tomcat 4

> If tomcat and apache are running on the try using localhost:8080 here:
> WebAppConnection myconn warp ottas13a.ott.signiant.com:8008

DN: Yep tried that. In fact it was localhost and I changed it to ottas13.

> Also do you have the ServerName and Port directive set in the httpd.conf? The directives are required by SSL.

DN: Yep.

> Dave North wrote:
>
>> sure. Actually, back in the mailing list archive I just found someone who had the exact same problem...no solution alas.
>>
>> The server.xml file is the bog standard one with no changes from a tomcat install.
>>
>> My httpd.conf info (basically the standard mod_ssl config with the webAppDeploy stuff bolted in):
>>
>> ##
>> ## SSL Virtual Host Context
>> ##
>>
>> <VirtualHost _default_:443>
>>
>> # General setup for the virtual host
>> DocumentRoot /usr/local/apache/htdocs
>> ServerName ottas13a.ott.signiant.com
>> ServerAdmin [EMAIL PROTECTED]
>> ErrorLog /usr/local/apache/logs/error_log
>> TransferLog /usr/local/apache/logs/access_log
>>
>> # SSL Engine Switch:
>> # Enable/Disable SSL for this virtual host.
>> SSLEngine on
>>
>> # SSL Cipher Suite:
>> # List the ciphers that the client is permitted to negotiate.
>> # See the mod_ssl documentation for a complete list.
>> SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
>>
>> # Server Certificate:
>> # Point SSLCertificateFile at a PEM encoded certificate. If
>> # the certificate is encrypted, then you will be prompted for a
>> # pass phrase. Note that a kill -HUP will prompt again. A test
>> # certificate can be generated with `make certificate' under
>> # built time. Keep in mind that if you've both a RSA and a DSA
>> # certificate you can configure both in parallel (to also allow
>> # the use of DSA ciphers, etc.)
>> SSLCertificateFile /usr/local/apache/conf/ssl.crt/server.crt
>> #SSLCertificateFile /usr/local/apache/conf/ssl.crt/server-dsa.crt
>>
>> # Server Private Key:
>> # If the key is not combined with the certificate, use this
>> # directive to point at the key file. Keep in mind that if
>> # you've both a RSA and a DSA private key you can configure
>> # both in parallel (to also allow the use of DSA ciphers, etc.)
>> SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server.key
>> #SSLCertificateKeyFile /usr/local/apache/conf/ssl.key/server-dsa.key
>>
>> # Server Certificate Chain:
>> # Point SSLCertificateChainFile at a file containing the
>> # concatenation of PEM encoded CA certificates which form the
>> # certificate chain for the server certificate. Alternatively
>> # the referenced file can be the same as SSLCertificateFile
>> # when the CA certificates are directly appended to the server
>> # certificate for convinience.
>> #SSLCertificateChainFile /usr/local/apache/conf/ssl.crt/ca.crt
>>
>> # Certificate Authority (CA):
>> # Set the CA certificate verification path where to find CA
>> # certificates for client authentication or alternatively one
>> # huge file containing all of them (file must be PEM encoded)
>> # Note: Inside SSLCACertificatePath you need hash symlinks
>> # to point to the certificate files. Use the provided
>> # Makefile to update the hash symlinks after changes.
>> #SSLCACertificatePath /usr/local/apache/conf/ssl.crt
>> #SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca-bundle.crt
>>
>> # Certificate Revocation Lists (CRL):
>> # Set the CA revocation path where to find CA CRLs for client
>> # authentication or alternatively one huge file containing all
>> # of them (file must be PEM encoded)
>> # Note: Inside SSLCARevocationPath you need hash symlinks
>> # to point to the certificate files. Use the provided
>> # Makefile to update the hash symlinks after changes.
>> #SSLCARevocationPath /usr/local/apache/conf/ssl.crl
>> #SSLCARevocationFile /usr/local/apache/conf/ssl.crl/ca-bundle.crl
>>
>> # Client Authentication (Type):
>> # Client certificate verification type and depth. Types are
>> # none, optional, require and optional_no_ca. Depth is a
>> # number which specifies how deeply to verify the certificate
>> # issuer chain before deciding the certificate is not valid.
>> #SSLVerifyClient require
>> #SSLVerifyDepth 10
>>
>> # Access Control:
>> # With SSLRequire you can do per-directory access control based
>> # on arbitrary complex boolean expressions containing server
>> # variable checks and other lookup directives. The syntax is a
>> # mixture between C and Perl. See the mod_ssl documentation
>> # for more details.
>> #<Location />
>> #SSLRequire (    %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
>> #            and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
>> #            and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>> #            and %{TIME_WDAY} >= 1 and %{TIME_WDAY} <= 5 \
>> #            and %{TIME_HOUR} >= 8 and %{TIME_HOUR} <= 20