Issue with SSL server/ network configuration

2009-03-20 Thread i_am_superman

Hi y'all,

I have a fairly complex issue regarding Tomcat server configuration, so I'll
try to explain:

I have two web applications that need to run in one Tomcat server.
Application 1 needs client certificates, so I need to configure an SSL
connector with 'clientAuth=yes'.
Application 2 needs NO client certificates, and users should not be bothered
with questions about client certificates, so I cannot use
'clientAuth=want'; I have to use 'clientAuth=no' here.

Now the easiest thing to do (I think) is to have two keystores, two server
certificates, two domain names; one for each application.

The problem is that right now I only have one keystore, domain name and
certificate (certificates cost money, you know...).

My question to you people: is there a simple way to map one domain name to
two different SSL connectors? Port-forwarding based on web context? The
latter seems possible, yet a bit flaky.

Any help is greatly appreciated,
Eelco

-- 
View this message in context: 
http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22618057.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Issue with SSL server/ network configuration

2009-03-20 Thread i_am_superman



Peter Crowther wrote:

> From: i_am_superman [mailto:ee...@objectivation.nl]
> > is there a simple way to map one
> > domain name to two different SSL connectors?
>
> I don't think there is, unless you want part of your application to be
> accessible from a different port. So the part that doesn't need certs
> might be at https://www.example.com (implicitly on port 443) and the part
> that does need certs might be at https://www.example.com:8443. You could
> then set up two different connectors, with different hosts and the
> different security constraints.

Hi Peter,

Thanks for the swift reply. I agree that this will probably work, but I
don't think my client will allow me to run a public SSL website on any port
but 443 (firewalls). But your reply confirms my hunch that there is no
other way but to buy extra certificates (400 EUR for an 800-byte file.
That's 50 euro cents per byte! More expensive than champagne. :-))

Thanks again,

If anyone else has another idea, please respond.

Eelco


-- 
View this message in context: 
http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22618310.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


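As an added example (not from the thread, and not Tomcat's own sample configuration), here is a server.xml fragment for the two-port arrangement Peter describes: two <Service> elements, each with its own SSL connector, Engine and Host, so that each application is reachable only through the connector whose clientAuth setting it needs. The hostname www.example.com, the keystore and truststore paths, the passwords and the appBase directories are assumptions. Both connectors use the same keystore: a browser checks the certificate's name against the hostname it connected to, never the port, so one certificate for www.example.com is valid on both 443 and 8443. The attribute names are those of the Tomcat 6 JSSE connector current at the time of the thread.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example server.xml, not the thread's own configuration.
     Hostname, paths, passwords and directories are assumptions. -->
<Server port="8005" shutdown="SHUTDOWN">

  <!-- Application 2: public site, no client certificate prompt.
       clientAuth="false" means the server never sends a CertificateRequest
       during the handshake, so browsers never ask the user to pick one. -->
  <Service name="public">
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="${catalina.base}/conf/www.example.com.jks"
               keystorePass="changeit"
               clientAuth="false" />
    <Engine name="public" defaultHost="www.example.com">
      <Host name="www.example.com" appBase="webapps-public"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

  <!-- Application 1: client certificate mandatory.
       clientAuth="true" aborts the handshake unless the client presents a
       certificate that chains to a CA in the truststore. -->
  <Service name="clientcert">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="${catalina.base}/conf/www.example.com.jks"
               keystorePass="changeit"
               truststoreFile="${catalina.base}/conf/client-ca.jks"
               truststorePass="changeit"
               clientAuth="true" />
    <Engine name="clientcert" defaultHost="www.example.com">
      <Host name="www.example.com" appBase="webapps-clientcert"
            unpackWARs="true" autoDeploy="false" />
    </Engine>
  </Service>

</Server>
```

Deploy Application 2 under webapps-public and Application 1 under webapps-clientcert. Because each Service owns its own Engine, a request arriving on port 443 cannot be routed to Application 1, which is the property a single shared Engine with two connectors would not give you. Keep the truststore limited to the CA that actually issues the client certificates rather than a general browser CA bundle, so certificates from unrelated CAs are rejected at the handshake; and remember that clientAuth="true" only proves the client holds a certificate from that CA, so the application still needs a CLIENT-CERT auth-method and a Realm in its own web.xml to turn the certificate into a user. What this does not solve is the firewall constraint raised in the reply: the client-certificate application still lives on 8443.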



Re: Issue with SSL server/ network configuration

2009-03-20 Thread i_am_superman


Gregor Schneider wrote:

> How about a self-signed cert?
>
> A nasty browser window will pop up once, however, the users could
> import the server cert into their browser, and then they're done

It's gonna be a public government website, so a self-signed certificate will
not be an option :-)
(it's tempting though)

And Firefox tends to be very annoying with self-signed certificates
lately

-- 
View this message in context: 
http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22618647.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Issue with SSL server/ network configuration

2009-03-20 Thread i_am_superman



awarnier wrote:

> i_am_superman wrote:
> > It's gonna be a public government website, so a self-signed certificate
> > will not be an option :-)
>
> Considering the amount of taxpayer money that governments are currently
> pumping into failed financial institutions and car makers, I'm sure they
> could afford a 400 € certificate, no?
> Or is it that bad?

:-) No, it's not that bad, but we have 3 environments (test, accept, prod),
so we need 3 extra certificates. No big deal indeed, but I need to be sure
that I really need them.


-- 
View this message in context: 
http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22618849.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: Issue with SSL server/ network configuration

2009-03-20 Thread i_am_superman


Darren Kukulka wrote:

> Why not opt for a wildcard certificate for the domain, if that's
> applicable (e.g. *.yourcompany.com)

Hi Darren,

Interesting idea! What are the restrictions on wildcard certificates? If I
have two subdomains with one wildcard certificate, do I still need the two
IP addresses? Or is the IP address tied to the (wildcard) certificate?

Best regards,
Eelco
-- 
View this message in context: 
http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22619652.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





RE: Issue with SSL server/ network configuration

2009-03-20 Thread i_am_superman


Peter Crowther wrote:

> > Or is the IP address tied to the (wildcard) certificate?
>
> IP addresses are never tied to certificates. Certificates allow browsers
> to authenticate based on the common name in the certificate, and the
> hostname that the browser is using to access the site.

Yep, I know, I just want to be sure whether I have the same 'two
certificates, two IP addresses' issue. I know about this issue, I just don't
understand it; how do hosting companies host 2 sites on one box with a
certificate each? That'll be a lot of IP address juggling...

But let's not get carried away, this is a Tomcat mailing list :-)

-- 
View this message in context: 
http://www.nabble.com/Issue-with-SSL-server--network-configuration-tp22618057p22619885.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


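On the 'two certificates, two IP addresses' question: a Tomcat JSSE connector of this era has exactly one keystore and presents that keystore's certificate to every client that connects, and it cannot choose a certificate from the hostname the browser asks for (the TLS Server Name Indication extension; Tomcat only gained server-side SNI support in 8.5). So a hosting box that wants a distinct certificate per site on port 443 binds one connector per IP address using the connector's address attribute, which is the juggling the reply refers to. The fragment below is an added example, not from the thread: the addresses from the 192.0.2.0/24 documentation range, the hostnames, the keystore paths and the directories are assumptions.

```xml
<!-- Added example: one SSL connector per IP address, each presenting its
     own certificate. Addresses, hostnames and paths are assumptions. -->
<Service name="Catalina">

  <!-- Site A: certificate issued for app1.example.com -->
  <Connector address="192.0.2.10" port="443" protocol="HTTP/1.1"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="${catalina.base}/conf/app1.example.com.jks"
             keystorePass="changeit"
             clientAuth="false" />

  <!-- Site B: certificate issued for app2.example.com -->
  <Connector address="192.0.2.11" port="443" protocol="HTTP/1.1"
             SSLEnabled="true" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="${catalina.base}/conf/app2.example.com.jks"
             keystorePass="changeit"
             clientAuth="false" />

  <!-- DNS must point app1.example.com at 192.0.2.10 and app2.example.com at
       192.0.2.11; the Host header then selects the virtual host. -->
  <Engine name="Catalina" defaultHost="app2.example.com">
    <Host name="app1.example.com" appBase="webapps-app1"
          unpackWARs="true" autoDeploy="false" />
    <Host name="app2.example.com" appBase="webapps-app2"
          unpackWARs="true" autoDeploy="false" />
  </Engine>

</Service>
```

Two things follow for the wildcard idea in the thread. A single *.example.com certificate in one keystore covers both hostnames, so one connector on one address serves both sites and no second IP is needed. But clientAuth is a per-connector setting, and with one Engine a request on either connector is routed only by its Host header, so a wildcard certificate on its own cannot give Application 1 mandatory client certificates and Application 2 none on the same port 443: the split still needs two connectors, hence two addresses, and each connector should sit in its own <Service> with its own Engine so that neither application is reachable through the other's connector.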