Hello Arthur,
I have successfully tested such a setup, with multiple IP interfaces and a different certificate on each.


One thing that is good practice:
   keep a small, separate Service for the admin web applications,
   and name the Engine of that Service "Catalina".

Here is my example configuration with one Catalina Service and two per-IP Services, each with its own certificate.

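<!-- Shutdown listener: anything that can connect to this port (normally
     bound to localhost) and send the shutdown string stops the whole
     server. The string must therefore not be the well-known default
     "SHUTDOWN"; replace the placeholder with a long random value, and
     keep this file readable by the Tomcat user only, since it also
     holds the keystore passwords below. -->
<Server port="7305" shutdown="CHANGE-ME-TO-A-LONG-RANDOM-STRING" debug="0">

<!-- Enable JMX MBeans support -->

<Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
debug="0"/>
<Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
debug="0"/>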


   <!-- Global JNDI resources -->
   <GlobalNamingResources>

<!-- Editable user database that can also be used by
UserDatabaseRealm to authenticate users.
Every Engine in this file points its Realm at this single database,
so a login that works for the admin Service also works for both
secure Services; there is no per-site credential separation.
The backing file conf/tomcat-users.xml holds user names and
passwords (clear text unless the Realm is configured with a digest),
so restrict it, like this file, to the Tomcat user. -->
<Resource name="UserDatabase" auth="Container"
type="org.apache.catalina.UserDatabase"
description="User database that can be updated and saved">
</Resource>
<ResourceParams name="UserDatabase">
<parameter>
<!-- In-memory database loaded from, and saved back to, the file below -->
<name>factory</name>
<value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
</parameter>
<parameter>
<name>pathname</name>
<value>conf/tomcat-users.xml</value>
</parameter>
</ResourceParams>


</GlobalNamingResources>

<Service name="Catalina">

  <!-- Plain HTTP connector for the admin web applications. address="localhost"
       makes it accept connections from the local machine only, so the admin
       apps are not reachable on the public interfaces; use an SSH tunnel or a
       local proxy to get at them. enableLookups="false" skips the reverse DNS
       lookup that would otherwise be done per request. -->
  <Connector port="7380"
             address="localhost"
             enableLookups="false"
             acceptCount="10"/>

  <Engine name="Catalina" defaultHost="localhost" debug="0">

    <!-- Authenticates against the global UserDatabase resource
         (conf/tomcat-users.xml). The other Services in this file use the
         same database, so the credentials are shared across all of them. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           debug="0" resourceName="UserDatabase"/>

    <!-- Engine-wide log file unless a Host or Context overrides it -->
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="catalina_log." suffix=".txt"
            timestamp="true"/>

    <!-- Developer mode: autoDeploy picks up anything dropped into 'webapps'
         and deployXML honours a per-application META-INF/context.xml, so
         whoever can write to that directory can run code inside this Tomcat.
         Keep it writable by the administrator only.
         NOTE(review): the documented Host attribute is spelled
         deployOnStartup; this spelling may be ignored (the default is true
         either way). -->
    <Host name="localhost"
          appBase="webapps"
          unpackWARs="false"
          autoDeploy="true"
          deployXML="true"
          deployOnStartUp="true">
    </Host>
  </Engine>

</Service>
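<Service name="Secure-WebDev1">

  <!-- Plain HTTP on 7380, bound only to the 'secure1' address.
       redirectPort is used when a web.xml declares a CONFIDENTIAL
       transport-guarantee; requests that hit no such constraint are
       served over plain HTTP as-is. enableLookups="false" matches the
       Catalina connector and avoids a reverse DNS lookup per request. -->
  <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
             port="7380"
             redirectPort="7543"
             enableLookups="false"
             address="secure1"/>

  <!-- HTTPS on 7543 for the same address. Each Service carries its own
       Factory and keystore, which is what gives every IP its own
       certificate. -->
  <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
             port="7543" acceptCount="100" scheme="https" secure="true"
             enableLookups="false"
             address="secure1">
    <!-- SECURITY: keystorePass sits here in clear text, and "changeit" is
         the well-known JDK default; give each keystore its own password,
         restrict server.xml and conf/secure1.keystore to the Tomcat user,
         and keep this file out of world-readable backups and version
         control. protocol="TLS" leaves protocol-version and cipher
         selection to the JVM's JSSE defaults; check what the installed JVM
         actually enables. clientAuth="false": server-side certificate
         only, no client certificates are requested. -->
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             keystoreFile="conf/secure1.keystore"
             clientAuth="false"
             keystorePass="changeit"
             protocol="TLS"
             SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
  </Connector>

  <Engine name="Secure-Webdev1" defaultHost="secure1" debug="0">

    <!-- Same UserDatabase (conf/tomcat-users.xml) as the admin Service and
         Secure-WebDev2: one credential set is valid on all three. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           debug="0" resourceName="UserDatabase"/>

    <!-- Per-site log directory, so the two secure sites do not mix logs -->
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="catalina_log." suffix=".txt"
            dir="secure1/logs"
            timestamp="true"/>

    <!-- Developer mode: autoDeploy picks up anything dropped into
         secure1/webapps and deployXML honours a per-application
         META-INF/context.xml, so write access to that directory equals
         code execution in this Tomcat. Restrict it accordingly.
         The attribute is spelled deployOnStartup as documented for Host. -->
    <Host name="secure1"
          appBase="secure1/webapps"
          unpackWARs="false"
          autoDeploy="true"
          deployXML="true"
          deployOnStartup="true">
      <!-- Single sign-on across this Host's web applications; left off.
      <Valve className="org.apache.catalina.authenticator.SingleSignOn"
             debug="0"/>
      -->
    </Host>
  </Engine>

</Service>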

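<Service name="Secure-WebDev2">

  <!-- Plain HTTP on 7380, bound only to the 'secure2' address.
       redirectPort is used when a web.xml declares a CONFIDENTIAL
       transport-guarantee; requests that hit no such constraint are
       served over plain HTTP as-is. enableLookups="false" matches the
       Catalina connector and avoids a reverse DNS lookup per request. -->
  <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
             port="7380"
             redirectPort="7543"
             enableLookups="false"
             address="secure2"/>

  <!-- HTTPS on 7543 for the same address, with its own keystore and so its
       own certificate. acceptCount is left at the default here, unlike the
       secure1 connector; set it explicitly if the two sites should behave
       the same under load. -->
  <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
             port="7543"
             scheme="https" secure="true"
             enableLookups="false"
             address="secure2">
    <!-- SECURITY: keystorePass sits here in clear text; use a strong,
         unique password per keystore, restrict server.xml and
         conf/secure2.keystore to the Tomcat user, and keep this file out
         of world-readable backups and version control. protocol="TLS"
         leaves protocol-version and cipher selection to the JVM's JSSE
         defaults; check what the installed JVM actually enables.
         clientAuth="false": server-side certificate only. -->
    <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
             keystoreFile="conf/secure2.keystore"
             clientAuth="false"
             keystorePass="changeit2"
             protocol="TLS"
             SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
  </Connector>

  <Engine name="Secure-Webdev2" defaultHost="secure2" debug="0">

    <!-- Same UserDatabase (conf/tomcat-users.xml) as the admin Service and
         Secure-WebDev1: one credential set is valid on all three. -->
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           debug="0" resourceName="UserDatabase"/>

    <!-- Per-site log directory, so the two secure sites do not mix logs -->
    <Logger className="org.apache.catalina.logger.FileLogger"
            prefix="catalina_log." suffix=".txt"
            dir="secure2/logs"
            timestamp="true"/>

    <!-- Developer mode: autoDeploy picks up anything dropped into
         secure2/webapps and deployXML honours a per-application
         META-INF/context.xml, so write access to that directory equals
         code execution in this Tomcat. Restrict it accordingly.
         The attribute is spelled deployOnStartup as documented for Host. -->
    <Host name="secure2"
          appBase="secure2/webapps"
          unpackWARs="false"
          autoDeploy="true"
          deployXML="true"
          deployOnStartup="true">
      <!-- Single sign-on across this Host's web applications; left off.
      <Valve className="org.apache.catalina.authenticator.SingleSignOn"
             debug="0"/>
      -->
    </Host>
  </Engine>

</Service>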

</Server>

I hope this helps.
Peter

--
http://tomcat.objektpark.org/


Bill Barker schrieb:


IMHO, using separate keystore files is the easiest option.  However, it
should also be possible to specify which cert to use via the 'keyAlias'
attribute on the Connector.

"D'Alessandro, Arthur" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]
We'd like to implement a single Tomcat 5 server running multiple IP
address aliases, each with its own SSL certificate assigned.  I do not
see a configuration option, other than potentially trying to utilize a
different keystore file (each with its own Tomcat alias cert) for each
virtual host.

Is there an easier way, and has anyone had any success in doing so?

-Arthur















