Hi,
I'm afraid I can't help much with CRLs on Tomcat.  I've never done that
before ;)  I don't see much in the docs.  I do see hits on Google, such
as
http://proj-grid-data-build.web.cern.ch/proj-grid-data-build/edg-java-security/edg-java-security-1.5.9/tomcat/Authentication_Admin_Guide.html,
suggesting a custom SSLSocketFactory is in order.  Tomcat of course lets
you integrate whatever socket factory you want for your connector, and
the one in the above links allows for CRL configuration.

Yoav Shapira
Millennium Research Informatics


>-----Original Message-----
>From: ohaya [mailto:[EMAIL PROTECTED]
>Sent: Friday, August 20, 2004 9:55 AM
>To: Tomcat Users List
>Subject: Re: New idea - Enable Tomcat for SSL?
>
>Yoav,
>
>The problem is that I can't find any info at all on how to configure it
>to use a CRL.
>
>FYI, after an all-nighter, I was just able to get the client and server
>SSL part working with standalone Tomcat.  Very cool :)!  And, best of
>all, I was able to confirm that with this, I can access the client
>certificate info from my JSPs.
>
>I'm just "so close" to what I need now, if I can just figure out how to
>enable or incorporate the CRL checking, as from a security standpoint,
>they won't let me deploy a PKI-enabled system if it doesn't support
>CRLs.
>
>Jim
>
>
>
>"Shapira, Yoav" wrote:
>>
>> Hi,
>> I don't know about CRL support -- why not just try it out?
>>
>> Yoav Shapira
>> Millennium Research Informatics
>>
>> >-----Original Message-----
>> >From: ohaya [mailto:[EMAIL PROTECTED]
>> >Sent: Thursday, August 19, 2004 7:51 PM
>> >To: Tomcat Users List
>> >Subject: Re: New idea - Enable Tomcat for SSL?
>> >
>> >
>> >
>> >"Shapira, Yoav" wrote:
>> >>
>> >> Hi,
>> >> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
>> >>
>> >> And, of course,
>> >> http://jakarta.apache.org/tomcat/faq/connectors.html#integrate which
>> >> should have saved you considerable time and effort.
>> >>
>> >
>> >
>> >Yoav,
>> >
>> >I had posted a number of messages about problems I was having, but in
>> >any event, thanks for the links.
>> >
>> >One other question:  If I configure Tomcat (5.0.27) as a standalone
>> >SSL-enabled (client and server) webserver+container, will the Tomcat SSL
>> >handling support the use of certificate revocation lists (CRLs)?
>> >
>> >I've been trying to research this, and so far have had no luck finding
>> >anything on it, and, from the standpoint of security, support for CRLs
>> >is going to be a must-have if I go this direction.
>> >
>> >If you or anyone knows the answer to this question, please let me know.
>> >
>> >Thanks again,
>> >Jim
>> >
>> >---------------------------------------------------------------------
>> >To unsubscribe, e-mail: [EMAIL PROTECTED]
>> >For additional commands, e-mail: [EMAIL PROTECTED]
>>
>> This e-mail, including any attachments, is a confidential business
>> communication, and may contain information that is confidential,
>> proprietary and/or privileged.  This e-mail is intended only for the
>> individual(s) to whom it is addressed, and may not be saved, copied,
>> printed, disclosed or used by anyone else.  If you are not the(an) intended
>> recipient, please immediately delete this e-mail from your computer system
>> and notify the sender.  Thank you.



