request.getAttribute(javax.servlet.request.X509Certificate) returns NULL for AJP connector

2014-01-28 Thread John Palmer
We have two similar production environments which use: request.getAttribute(javax.servlet.request.X509Certificate) for several purposes. These use tomcat behind IIS using the Jakarta connector (aka reverse proxy) and have been running since 2006 and 2011 respectively without significant issues

Re: request.getAttribute(javax.servlet.request.X509Certificate) returns NULL for AJP connector (possible Bon Code issue?)

2014-01-28 Thread John Palmer
On Tue, Jan 28, 2014 at 12:11 PM, Konstantin Kolinko knst.koli...@gmail.com wrote: 2014-01-28 John Palmer johnpalm...@gmail.com: We have two similar production environments which use: request.getAttribute(javax.servlet.request.X509Certificate) for several purposes. These use tomcat behind

Re: request.getAttribute(javax.servlet.request.X509Certificate) returns NULL for AJP connector (possible Bon Code issue?)

2014-01-28 Thread John Palmer
Schultz ch...@christopherschultz.net wrote: -BEGIN PGP SIGNED MESSAGE- Hash: SHA256 John, On 1/28/14, 12:41 PM, John Palmer wrote: We have two similar production environments which use: request.getAttribute(javax.servlet.request.X509Certificate) for several purposes. These use

request.getAttribute(javax.servlet.request.X509Certificate) returns NULL with APR connector on Tomcat 7.0.47 when using FireFox 26

2014-02-04 Thread John Palmer
Our installations have been working fine for several years, but we're having to replace the existing 32-bit Windows servers with 64-bit Windows servers, and I'm trying to take advantage of this effort to simplify the configuration... we inherited this with IIS in front of Tomcat, using the Jakarta

Re: server.xml password encryption instead of plain text

2017-05-25 Thread John Palmer
I haven't tested it yet, but if you're on a Windows platform you MAY be able to tell Tomcat to use the Windows Certificate Store (and thus NOT have a password in server.xml) by adding something like this to the Java Options: -Djavax.net.ssl.trustStoreProvider=SunMSCAPI

ErrorReportValve styling (CSS) not included when both showReport and showServerInfo set to false

2018-05-10 Thread John Palmer
"); sb.append(smClient.getString("errorReportValve.errorReport")); sb.append(""); } // move style lines outside of if(showServerInfo || showReport){ section... above sb.append("<!--"); sb.append(org.apache.catalina.util.TomcatCSS.TOMCAT_CSS); sb.append("--> "); sb.append(""); ... or am I missing (or just ignorant of) something? John Palmer

Re: Please help me in enabling SSL certificate

2018-08-07 Thread John Palmer
your server.xml shows TWO connectors for port 8443; that second one (with all the certificate entries) is then causing the error: > Caused by: java.net.BindException: Address already in use As that one is probably the one you want to be using, delete or comment out the first connector for port

tomcat 8.5.35 warning using NIO 2 (or NIO) connector w APR: An unknown setting with identifier [2147483647] and value [2] was ignored

2018-12-20 Thread John Palmer
I'm working with tomcat 8.5.35 to configure SSL (current system is tomcat 7.5 using JKS keystore and truststore).. I finally have the certificate parts working with the default (commented out) APR connector.. it bothers me (doesn't seem intuitive) that the logging shows "useAprConnector

Re: tomcat Finding!

2018-12-14 Thread John Palmer
I found this to be easier to accomplish (and maintain): add to the Host section of server.xml: (this will disable the tomcat version number and the stacktrace - the defaults for these are "true") On Fri, Dec 14, 2018 at 10:18 AM wrote: > Good Morning, > I'm encountering following scan

Re: how to enable OCSP for Tomcat w OpenSSL

2019-04-03 Thread John Palmer
> Hi, > > On Mon, Apr 1, 2019 at 3:30 PM John Palmer wrote: > > > What, if anything, needs to be configured to ENABLE (preferably REQUIRE) > > tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat > > 8.5.38 using Openssl ? > > > Setting `c

Re: how to enable OCSP for Tomcat w OpenSSL

2019-04-04 Thread John Palmer
I might be missing, but apparently I'm overlooking it. helpful suggestions are welcomed. On Wed, Apr 3, 2019 at 12:32 PM John Palmer wrote: > I appreciate your response > > > Setting `certificateVerification="require"` on your Connector > > I changed >

how to enable OCSP for Tomcat w OpenSSL

2019-04-01 Thread John Palmer
What, if anything, needs to be configured to ENABLE (preferably REQUIRE) tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat 8.5.38 using Openssl ? I'm sure I'm missing something simple and obvious (once pointed out) but I've been struggling with this all morning. 1) using

Re: Tomcat 9 Nio2+OpenSSL problem (very likely a bug)

2019-03-13 Thread John Palmer
I'm testing to see if this might be an issue on a new tomcat 8.5.38 upgrade I'm doing (using NIO2 and OpenSSL) before I promote this to our Production environment :) (Windows Server 2008R2, Java (javaC.exe) version is 1.8.0_191) .. after some missteps (had to add some imports to get it to

tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread John Palmer
using the old Connector/clientAuth="true" or the new Connector/SSLHostConfig/ certificateVerification="REQUIRED" (tried lowercase and without the D) format..doesn't seem to work properly. no matter what value I use or which format... the behavior seems to be that the client cert is

Re: tomcat 8.5.37, Http11Nio2Protocol (OpenSSL), clientAuth or certificateVerification options

2019-02-12 Thread John Palmer
retested with tc-native 1.2.21 on the desktop... and it's working as expected. (Still not sure what was going on previously). thanks, again. On Tue, Feb 12, 2019 at 12:27 PM Mark Thomas wrote: > On 12/02/2019 17:21, John Palmer wrote: > > using the old Connector/cli

Re: tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

2019-02-11 Thread John Palmer
. Glad I finally ASKED). Thanks again. On Mon, Feb 11, 2019 at 11:22 AM Christopher Schultz < ch...@christopherschultz.net> wrote: > -BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > John, > > On 2/11/19 10:42, John Palmer wrote: > > I'm new to implementing APR/tc-

Re: how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

2019-02-11 Thread John Palmer
BEGIN PGP SIGNED MESSAGE- > Hash: SHA256 > > John, > > On 2/11/19 10:46, John Palmer wrote: > > (I'm new to using TC-native, interested in how to accomplish "In > > security conscious production environments, it is recommended to > > use separate shar

tomcat 8.5.37 specifying PKCS (.pfx) cert files in SSLHostConfig/Certificate elements

2019-02-11 Thread John Palmer
I'm new to implementing APR/tc-native for SSL/TLS on Windows Server 2008R2, attempting to use tomcat 8.5.37 specifying PKCS12 format in the SSLHostConfig/Certificate elements for the keystore and truststore.. (I would prefer to drop the JKS format for several reasons) questions are: is this

how to use separate shared dlls for OpenSSL, APR, and libtcnative-1...

2019-02-11 Thread John Palmer
(I'm new to using TC-native, interested in how to accomplish "In security conscious production environments, it is recommended to use separate shared dlls for OpenSSL, APR, and libtcnative-1, and update them as needed according to security bulletins. " Apparently I need a concrete example

Re: how to enable OCSP for Tomcat w OpenSSL

2019-04-17 Thread John Palmer
ess_client_certificate:certificate verify failed] the Connector part of the server xml.config file is (ip address and server name etc removed): On Thu, Apr 4, 2019 at 7:47 PM John Palmer wrote: > Well, after much research and experimentation I go

how to enable OCSP revocation checking from tomcat 8.5.x using NIO2 w OpenSSL ?

2019-06-06 Thread John Palmer
What, if anything, needs to be configured to ENABLE (preferably REQUIRE) tomcat to do CLIENT certificate revocation checking via OCSP in Tomcat 8.5.38 using Openssl ? (will this work with NIO2 ? ) 1) using Openssl (the tc-native-1.dll binary for Windows, compiled w OCSP support - the X64 dll from

Re: Vulnerability flagged in Nessus Scan

2020-06-03 Thread John Palmer
As the concern is that an error page will show the tomcat version/patch info AND a stacktrace, I found the easier/better? solution to be adding showReport="false" showServerInfo="false" to the Error Report Valve section at the bottom of server.xml (and adding or uncommenting that valve
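Added example (not from any of the messages above): a small audit script for the two server.xml problems these threads discuss, the duplicate Connector on port 8443 that produces "java.net.BindException: Address already in use" (the "Please help me in enabling SSL certificate" reply) and an ErrorReportValve left at its defaults, which shows the Tomcat version and a stack trace on error pages (the "tomcat Finding!" and "Vulnerability flagged in Nessus Scan" replies). The two server.xml documents are constructed samples, not real deployments; the weak one has both problems, the fixed one keeps only the TLS connector and sets showReport and showServerInfo to "false". Tomcat adds an ErrorReportValve with default settings when a Host declares none, so a missing valve is reported too.

```python
"""Audit a Tomcat server.xml for duplicate Connector ports and an
ErrorReportValve that still shows server info or stack traces.

Example code added to this archive page; it is not Tomcat's own code.
"""
import xml.etree.ElementTree as ET

ERROR_REPORT_VALVE = "org.apache.catalina.valves.ErrorReportValve"

# Constructed sample (weak): two Connectors bound to 8443 and an
# ErrorReportValve with no attributes (both default to "true").
WEAK_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true">
      <SSLHostConfig certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/server.pfx"
                     certificateKeystoreType="PKCS12"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""

# Constructed sample (fixed): one TLS Connector, valve hardened.
FIXED_SERVER_XML = """
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Nio2Protocol"
               SSLEnabled="true">
      <SSLHostConfig certificateVerification="required">
        <Certificate certificateKeystoreFile="conf/server.pfx"
                     certificateKeystoreType="PKCS12"/>
      </SSLHostConfig>
    </Connector>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps">
        <Valve className="org.apache.catalina.valves.ErrorReportValve"
               showReport="false" showServerInfo="false"/>
      </Host>
    </Engine>
  </Service>
</Server>
"""


def duplicate_connector_ports(root):
    """Return {port: count} for each port bound by more than one Connector.

    Tomcat binds every Connector at startup; a second one on the same port
    fails with java.net.BindException: Address already in use.
    """
    counts = {}
    for connector in root.iter("Connector"):
        port = connector.get("port")
        if port is not None:
            counts[port] = counts.get(port, 0) + 1
    return {port: n for port, n in counts.items() if n > 1}


def error_report_valve_findings(root):
    """Return findings for ErrorReportValve hardening (empty list = clean).

    showServerInfo and showReport both default to "true", so a missing
    attribute means the version string or the stack trace is displayed.
    """
    valves = [v for v in root.iter("Valve") if v.get("className") == ERROR_REPORT_VALVE]
    if not valves:
        # Tomcat adds a default ErrorReportValve when the Host declares none.
        return ["no explicit ErrorReportValve: defaults apply (showReport=true, showServerInfo=true)"]
    findings = []
    for valve in valves:
        for attr in ("showServerInfo", "showReport"):
            if valve.get(attr, "true").strip().lower() != "false":
                findings.append(f'ErrorReportValve {attr} is not "false"')
    return findings


def audit(server_xml_text):
    """Parse a server.xml document and return both sets of findings."""
    root = ET.fromstring(server_xml_text)
    return {
        "duplicate_ports": duplicate_connector_ports(root),
        "error_report_valve": error_report_valve_findings(root),
    }


if __name__ == "__main__":
    for label, doc in (("weak", WEAK_SERVER_XML), ("fixed", FIXED_SERVER_XML)):
        print(label, audit(doc))
```

To run it against a real file, pass the contents of conf/server.xml to audit(); an empty duplicate_ports dict and an empty error_report_valve list mean both checks pass.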