Server certificate:
The certificate for the engine with alias "tomcat"
The certificate for a specific host
The certificate for a specific web-app
If a web-app doesn't have a certificate, it can be configured to use the
certificate of the host. Similarly, if a host doesn't have a certificate, it
can be configured to use the certificate of the engine. However, when a
web-app has a certificate, then this one should be used rather than always
using "tomcat".
clientAuth of https connector is not relevant, at this level (engine), ask
for a client's certificate, what is it for? It should be like this: If the
client is requesting a server resource that requires client authentication,
the server requests the client's certificate. If we don't ask for
certificate, then truststore config is irrelevant. "clientAuth" should be a
property of a web-app. Since web.xml doesn't specify it, it can be include
into the web-app context, context.xml.
At the host level, we have the same question, too.
At the web-app level, it is reasonable. This web-app asks for a client
certificate. And the UserManager will consult the usercontext of this
web-app for keystore & truststore information.
At present, what component does the verification of a client's certificate?
The connector/sslsupport should call the UserManager to do so.
Here, I don't know the reason why many people say the design of SSL doesn't
allow several domain name based certificates on the single IP.
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
