On 30 Mar 2012, at 14:55, Bob Lannoy wrote:

> Hi,
>
> I think the connector element is to connect to the webapp, it's not to
> specify the truststore that a webapp can use to connect to another
> server

Oops, you are right.
The only chance you have is to use the default jvm truststore (probably $JAVA_HOME/jre/lib/security/cacerts).

Sorry for the misunderstanding.
Regards,
F.

>
> Bob
>
> On 30 March 2012 14:53, Fabio Martelli <[email protected]> wrote:
>>
>> On 30 Mar 2012, at 14:49, Bob Lannoy wrote:
>>
>>> Hi Fabio,
>>>
>>> what do you mean by "configure your tomcat container with syncope
>>> console deployed inside in order to use the new truststore."
>>> I guess this is what I did by specifying the JAVA_OPTS on startup of tomcat?
>>
>> You can modify your server.xml in order to add truststore file and password
>> inside the right "Connector" element.
>>
>> F.
>>
>>>
>>> Bob
>>>
>>> On 30 March 2012 14:18, Fabio Martelli <[email protected]> wrote:
>>>>
>>>> On 30 Mar 2012, at 09:50, Bob Lannoy wrote:
>>>>
>>>>> Hi Francesco,
>>>>>
>>>>> indeed it works ;)
>>>>> I did it on a Tomcat 6 instance.
>>>>> * enabled SSL for core
>>>>> * referenced the truststore for console through JVM params
>>>>> -Djavax.net.ssl.trustStore="...mykeystore.jks"
>>>>> -Djavax.net.ssl.trustStorePassword="mykeystore"
>>>>> * put the right params in configuration.properties (https, hostname as
>>>>> in certificate)
>>>>> I'll be happy to put up a wiki page for that.
>>>>> There's one thing I didn't like and that's that I have to pass the
>>>>> truststore params to the VM in command line.
>>>>> Perhaps there's a way to specify the truststore in the configuration
>>>>> somewhere?
>>>>
>>>> Hi Bob,
>>>> you can configure your tomcat container with syncope console deployed
>>>> inside in order to use the new truststore.
>>>> Alternatively you can add the CA certificate to the default jvm truststore.
>>>>
>>>> Regards,
>>>> F.
>>>>
>>>>>
>>>>> regards
>>>>>
>>>>> Bob
>>>>>
>>>>> 2012/3/29 Francesco Chicchiriccò <[email protected]>:
>>>>>> On 29/03/2012 09:25, Bob Lannoy wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> with the remark about the use of MD5, I thought of something else.
>>>>>>> If I'm not mistaken the connection between console and core is over
>>>>>>> plain HTTP.
>>>>>>> Do you plan supporting SSL connections between both? I put core behind
>>>>>>> SSL but then the console didn't connect.
>>>>>>> I saw in the trunk that in the configuration properties for the
>>>>>>> console the protocol (scheme) option has been split out so maybe
>>>>>>> you're already planning this?
>>>>>>
>>>>>> Hi Bob,
>>>>>> there is nothing, in principle, that will prevent core webapp from being
>>>>>> available in HTTPS only (and hence the console to connect via HTTPS to
>>>>>> the core): only, be sure to overcome usual issues arising when using
>>>>>> self-signed certificates in Java: here is a brief checklist I would
>>>>>> suggest:
>>>>>>
>>>>>> 1. put the servlet container with core webapp deployed inside in HTTPS
>>>>>> 2. add the certificate of the CA you have used to sign the certificate
>>>>>> for the step above in a truststore
>>>>>> 3. reference the truststore above when launching the servlet container
>>>>>> with console webapp deployed inside
>>>>>>
>>>>>> This should work: please, let us know whether you succeed.
>>>>>> It could also be the case to add a page on our wiki about this.
>>>>>>
>>>>>> Regards.
>>>>>>
>>>>>> --
>>>>>> Francesco Chicchiriccò
>>>>>>
>>>>>> Apache Cocoon PMC and Apache Syncope PPMC Member
>>>>>> http://people.apache.org/~ilgrosso/
>>>>>>
>>>>
>>
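
Steps 2 and 3 of the checklist quoted above, as an added shell sketch that is not part of the thread or of Syncope's own tooling. The function names, the alias `syncope-core-ca` and the use of Tomcat's `bin/setenv.sh` with `CATALINA_OPTS` (instead of the `JAVA_OPTS` typed at startup in the thread) are assumptions.

```shell
#!/bin/sh
# Added example: function names, alias and file locations are assumptions.

# Step 2: import the CA certificate that signed the core's HTTPS certificate
# into a dedicated truststore (keytool creates the file if it is missing),
# then list the entry so a wrong file or alias is noticed immediately.
import_ca() {  # usage: import_ca <ca.pem> <truststore.jks> <storepass>
    keytool -importcert -noprompt -alias syncope-core-ca \
        -file "$1" -keystore "$2" -storepass "$3" &&
    keytool -list -alias syncope-core-ca -keystore "$2" -storepass "$3"
}

# Step 3: reference that truststore from the Tomcat that hosts the console.
# catalina.sh sources bin/setenv.sh when the file exists, so the -D options
# no longer have to be typed when starting the container.
write_setenv() {  # usage: write_setenv <tomcat_dir> <truststore.jks> <storepass>
    setenv="$1/bin/setenv.sh"
    # Never clobber an existing setenv.sh; merge by hand in that case.
    if [ -e "$setenv" ]; then
        echo "refusing to overwrite $setenv" >&2; return 1
    fi
    # The values are written inside double quotes in a file that is later
    # sourced, so reject characters that would change its meaning.
    case "$2$3" in
        *" "*|*'"'*|*'$'*|*'`'*|*'\'*)
            echo "unsupported character in path or password" >&2; return 1 ;;
    esac
    ( umask 077   # the file holds the truststore password: owner-only
      cat > "$setenv" <<EOF
CATALINA_OPTS="\$CATALINA_OPTS -Djavax.net.ssl.trustStore=$2"
CATALINA_OPTS="\$CATALINA_OPTS -Djavax.net.ssl.trustStorePassword=$3"
export CATALINA_OPTS
EOF
    ) || return 1
    chmod 600 "$setenv" && echo "$setenv"
}
```

The options still end up in the JVM's argument list, so this removes them from the start command but not from `ps` output on the host.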
