John, FYI, that (Apache+SSL) was my first approach, and I spent over a week trying to get it working, and posted a bunch of times about my problems. I was able to get the SSL authentication working early on, but what I was struggling with is getting access to the client cert information from JSPs. In the end, I was able to conclude that the reason for that last problem was that the binaries that I was working with (Apache, mod_jk/jk2) were not compiled with the "--EAPI" directive, and that was preventing the SSL/client cert info from passing to Tomcat.
Besides the fact that I'm kind of running out of time to get something working, so I wouldn't have the time to build Apache, mod_ssl, mod_jk/jk2, I'm working in an environment where the binaries are controlled and single-sourced internally, and so even if I did have the time, I wouldn't be allowed to do and deploy a 'special' build. After all of that, I turned back to Tomcat, and like I said, I'm "that close" now. Also, as I indicated in an earlier msg in this thread, this is not going to be a high-volume website, at most maybe 1-2 people at a time, so performance is not a major concern.

Jim

John Villar wrote:
>
> Excuse me everyone who has talked on this thread, I haven't followed this thread closely, but.... why aren't you using proven software for that matter like Apache HTTPD?..... It has years of SSL patches, corrections and improvements; also, Tomcat is just too slow to serve static content like images or large files. If you're concerned with security, you should never think in the first place to begin a new development; security has to have a process of maturity before you can decide something is *secure enough*.
>
> Shapira, Yoav wrote:
>
> > Hi,
> > I'm afraid I can't help much with CRLs on Tomcat. I've never done that before ;) I don't see much in the docs. I do see hits on Google, such as http://proj-grid-data-build.web.cern.ch/proj-grid-data-build/edg-java-security/edg-java-security-1.5.9/tomcat/Authentication_Admin_Guide.html, suggesting a custom SSLSocketFactory is in order. Tomcat of course lets you integrate whatever socket factory you want for your connector, and the one in the above links allows for CRL configuration.
> >
> > Yoav Shapira
> > Millennium Research Informatics
> >
> >> -----Original Message-----
> >> From: ohaya [mailto:[EMAIL PROTECTED]]
> >> Sent: Friday, August 20, 2004 9:55 AM
> >> To: Tomcat Users List
> >> Subject: Re: New idea - Enable Tomcat for SSL?
> >>
> >> Yoav,
> >>
> >> The problem is that I can't find any info at all on how to configure it to use a CRL.
> >>
> >> FYI, after an all-nighter, I was just able to get the client and server SSL part working with standalone Tomcat. Very cool :)! And, best of all, I was able to confirm that with this, I can access the client certificate info from my JSPs.
> >>
> >> I'm just "so close" to what I need now, if I can just figure out how to enable or incorporate the CRL checking, as from a security standpoint, they won't let me deploy a PKI-enabled system if it doesn't support CRLs.
> >>
> >> Jim
> >>
> >> "Shapira, Yoav" wrote:
> >>
> >>> Hi,
> >>> I don't know about CRL support -- why not just try it out?
> >>>
> >>> Yoav Shapira
> >>> Millennium Research Informatics
> >>>
> >>>> -----Original Message-----
> >>>> From: ohaya [mailto:[EMAIL PROTECTED]]
> >>>> Sent: Thursday, August 19, 2004 7:51 PM
> >>>> To: Tomcat Users List
> >>>> Subject: Re: New idea - Enable Tomcat for SSL?
> >>>>
> >>>> "Shapira, Yoav" wrote:
> >>>>
> >>>>> Hi,
> >>>>> http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
> >>>>>
> >>>>> And, of course,
> >>>>> http://jakarta.apache.org/tomcat/faq/connectors.html#integrate
> >>>>>
> >>>>> which should have saved you considerable time and effort.
> >>>>
> >>>> Yoav,
> >>>>
> >>>> I had posted a number of messages about problems I was having, but in any event, thanks for the links.
> >>>>
> >>>> One other question: If I configure Tomcat (5.0.27) as a standalone SSL-enabled (client and server) webserver+container, will the Tomcat SSL handling support the use of certificate revocation lists (CRLs)?
> >>>>
> >>>> I've been trying to research this, and so far have had no luck finding anything on it, and, from the standpoint of security, support for CRLs is going to be a must-have if I go this direction.
> >>>>
> >>>> If you or anyone knows the answer to this question, please let me know.
> >>>>
> >>>> Thanks again,
> >>>> Jim
> >>>>
> >>>> ---------------------------------------------------------------------
> >>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
> >>>> For additional commands, e-mail: [EMAIL PROTECTED]
> >>>
> >>> This e-mail, including any attachments, is a confidential business communication, and may contain information that is confidential, proprietary and/or privileged. This e-mail is intended only for the individual(s) to whom it is addressed, and may not be saved, copied, printed, disclosed or used by anyone else. If you are not the(an) intended recipient, please immediately delete this e-mail from your computer system and notify the sender. Thank you.
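Added example, not from this thread or from Tomcat itself: an application-side alternative to the custom SSLSocketFactory Yoav points to. It is a servlet filter that takes the client chain Tomcat exposes through the standard javax.servlet.request.X509Certificate request attribute (the same attribute the JSPs read) and validates it against a CRL with the JDK's PKIX validator, so a revoked certificate is refused before the request reaches the application. Assumptions: a Java 7+ container with the javax.servlet API, and placeholder paths /etc/pki/ca.pem and /etc/pki/ca.crl for the issuing CA certificate and its CRL.

```java
import java.io.*;
import java.security.GeneralSecurityException;
import java.security.cert.*;
import java.util.*;
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;

public class CrlCheckFilter implements Filter {
    // Placeholder paths (assumption): the issuing CA certificate and its CRL, PEM or DER encoded.
    private static final String CA_CERT = "/etc/pki/ca.pem";
    private static final String CRL_FILE = "/etc/pki/ca.crl";
    private X509Certificate ca;
    private PKIXParameters params;

    public void init(FilterConfig cfg) throws ServletException {
        try {
            CertificateFactory cf = CertificateFactory.getInstance("X.509");
            try (InputStream in = new FileInputStream(CA_CERT)) { ca = (X509Certificate) cf.generateCertificate(in); }
            X509CRL crl;
            try (InputStream in = new FileInputStream(CRL_FILE)) { crl = (X509CRL) cf.generateCRL(in); }
            // The CA is the only trust anchor; the CRL reaches the PKIX validator through a CertStore.
            params = new PKIXParameters(Collections.singleton(new TrustAnchor(ca, null)));
            params.addCertStore(CertStore.getInstance("Collection",
                    new CollectionCertStoreParameters(Collections.singletonList(crl))));
            params.setRevocationEnabled(true); // fail closed: no usable CRL means validation fails
        } catch (GeneralSecurityException | IOException e) {
            throw new ServletException("CRL filter init failed", e);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        // With clientAuth enabled, Tomcat stores the chain the client presented under this attribute.
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute("javax.servlet.request.X509Certificate");
        HttpServletResponse resp = (HttpServletResponse) res;
        if (certs == null || certs.length == 0) { resp.sendError(HttpServletResponse.SC_UNAUTHORIZED); return; }
        List<X509Certificate> path = new ArrayList<>(Arrays.asList(certs));
        if (path.get(path.size() - 1).equals(ca)) path.remove(path.size() - 1); // a PKIX path excludes the anchor
        try {
            CertPathValidator.getInstance("PKIX").validate(
                    CertificateFactory.getInstance("X.509").generateCertPath(path), params);
        } catch (GeneralSecurityException e) { // CertPathValidatorException is thrown for a revoked cert
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate rejected");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {}
}
```

Map the filter in web.xml onto the protected URLs of a connector that already has clientAuth turned on. Because revocation is enabled, a CRL past its nextUpdate also fails validation, so the CRL file has to be refreshed (and the filter reloaded) before it expires.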
