I *really* need to update the Tomcat 4.1 docs :-(.

"jack lee" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> Hi
>
> In my understanding:
>
> (1) Client-Auth is set to true: every client who accesses Tomcat must have
> his own certificate. And the certificate of the CA who issued the client
> certificate must be in the truststore list. The default location of the
> truststore list is at JAVA_HOME/jre/lib/security/cacerts.
>
> Question: is it possible to set it in a different location?

For TC 5, this is covered in the ssl-howto. For TC 4.1:

-Djavax.net.ssl.trustStore=/path/to/TrustStore \
-Djavax.net.ssl.trustStorePassword=<your-password-here>

> (2) Client-Cert is set in the web application configuration file (web.xml):
> every client who accesses this web application must have his own trusted
> certificate.
>
> <web-app>
> ...
> <login-config>
> <auth-method>CLIENT-CERT</auth-method>
> <realm-name>ClientName</realm-name>
> </login-config>
> ...
> </web-app>
>
> Question: in the configuration, what does <realm-name> represent? Can I
> define the client list (such as using the CN value in the certificate) in
> the MemoryRealm or some other place, to achieve access control? In other
> words, I want to only allow selected users to access the web application; of
> course, those users must have their own certificate. Can I do this?

In this case realm-name is just for show (e.g. in the 'admin' webapp).

After you enable MemoryRealm, you configure tomcat-users.xml with the cert's DN (aka Subject) as the username, and anything you want as the password (it is ignored for CLIENT-CERT auth).

> Thanks
> Jack
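Putting the two halves of the answer together, as an added example that is not part of the original thread: a tomcat-users.xml whose usernames are certificate subject DNs, paired with a web.xml security-constraint so that a client whose certificate chains to a trusted CA but whose DN is not listed is still refused. The DNs, the role name and the URL pattern are constructed placeholders; the DN string must match exactly what Tomcat derives from the client certificate's subject.

```xml
<!-- tomcat-users.xml (read by MemoryRealm). The username is the
     certificate's subject DN; the password is ignored for CLIENT-CERT
     authentication, so any value will do. DNs below are constructed. -->
<tomcat-users>
  <role rolename="cert-user"/>
  <user username="CN=Jack Lee, OU=Dev, O=Example Corp, C=US"
        password="ignored" roles="cert-user"/>
  <user username="CN=Jane Doe, OU=Ops, O=Example Corp, C=US"
        password="ignored" roles="cert-user"/>
</tomcat-users>

<!-- web.xml for the protected application. CLIENT-CERT only establishes
     who the caller is; the auth-constraint is what limits access to the
     DNs that were given the cert-user role above. Everyone else gets 403. -->
<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>cert-user</role-name>
    </auth-constraint>
    <user-data-constraint>
      <!-- Client certificates are only sent over SSL anyway; this makes
           the requirement explicit and redirects plain HTTP. -->
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
    <realm-name>ClientName</realm-name>
  </login-config>
  <security-role>
    <role-name>cert-user</role-name>
  </security-role>
</web-app>
```

Trusting the issuing CA in the truststore only decides which certificates are accepted at the TLS layer; without the role mapping and auth-constraint, every holder of a certificate from that CA would be let in.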
