I'm writing software in Java that needs to be restricted to certain users and available at a URL. Communication with the program will be XML-RPC over an SSL connection, assumedly HTTPS. However, I have no expertise in this area. (Mac users, this does relate in that it will be deployed on a cluster of Xserves. :-)
Looking at mod_ssl for Apache, it seems like it could be very useful, but the answers to certain questions are not clear. For example, there is a description of how to perform client authentication using certificates issued by a known CA [1], which would be great, because we already have a CA hierarchy that could easily grant an intermediate certificate for creating leaf client certificates. This also seems much more flexible than options with Tomcat, such as these [2] [3]. Specifically, Tomcat uses a keystore file that contains the trusted certificates, but for any changes to be recognized, the file must be updated and Tomcat restarted. (Not an appealing solution for a scalable cluster of servers that should have extremely high availability.)
So, here's the wrench in the works: after client authentication, my software needs to use the client certificate further to determine authorized actions. (All permitted users may connect to the server, but they will have different roles and rights.) In essence, I'm looking for a flexible, robust way to create a client-authenticated SSL connection, such that my underlying software can access the client certificate as well.
As I mentioned, the software will be in Java, and we've been considering deploying as a servlet in Tomcat. There will be a multitude of threads for processing requests within Java, and somehow we need to handle the threads for SSL connections and feeding into a processing queue. I also need to make sure that if Tomcat spawns a thread for each connection, each thread will be able to access the selfsame queue (one per host machine), and not an instance in a different Java VM, etc.
So, I've put forth my hefty questions. Any insight or expertise? Promising links are acceptable—I've been scouring the web myself, although the fact that few people actually use client authentication in production environments (or at least aren't talking about it) makes it difficult to find helpful information. We'd like to keep the solution lightweight if possible, since security is obviously a prime concern. Thanks in advance!
- Quinn

[1] http://www.modssl.org/docs/2.8/ssl_howto.html#auth-simple
[2] http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
[3] http://www.vorburger.ch/blog1/2006/08/setting-up-two-way-mutual-ssl-with.html
--------------------
BYU Unix Users Group http://uug.byu.edu/
The opinions expressed in this message are the responsibility of their author. They are not endorsed by BYU, the BYU CS Department or BYU-UUG.
List Info: http://uug.byu.edu/cgi-bin/mailman/listinfo/uug-list
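Added example (editor's illustration, not part of Quinn's post or of any project he mentions) for the part of the question about reaching the client certificate from the servlet and deriving roles from it. Whether the handshake is terminated by Tomcat's own HTTPS connector or by Apache mod_ssl in front of an AJP connector, Tomcat exposes the verified chain as the request attribute `javax.servlet.request.X509Certificate` (the attribute name is defined by the Servlet specification). The filter below reads that attribute, fails closed if it is missing or the leaf is outside its validity period, maps the certificate to roles, and wraps the request so the XML-RPC servlet behind it can use the standard `getUserPrincipal()` / `isUserInRole()` calls. The class name, the issuer DN `CN=App Client CA,O=Example,C=US`, and the mapping rule (a certificate from that intermediate grants `user`, plus one `ou:<value>` role per OU in its subject) are assumptions made for the example, not anything the post specifies.

```java
import java.io.IOException;
import java.security.Principal;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletRequestWrapper;
import javax.servlet.http.HttpServletResponse;

/** Servlet filter that turns the TLS client certificate into a Principal plus a role set. */
public class ClientCertRoleFilter implements Filter {
    // Attribute name defined by the Servlet spec. Tomcat sets it on its HTTPS connector
    // (clientAuth="true") and on its AJP connector when Apache exports the chain.
    private static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    // ASSUMPTION for this example: only certificates issued by this intermediate CA
    // carry application roles. The DN is hypothetical.
    private static final String ISSUER_DN = "CN=App Client CA,O=Example,C=US";

    public void init(FilterConfig cfg) {}
    public void destroy() {}

    public void doFilter(ServletRequest rq, ServletResponse rs, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) rq;
        HttpServletResponse resp = (HttpServletResponse) rs;

        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        if (certs == null || certs.length == 0) {
            // With mandatory client auth the handshake already fails without a certificate;
            // reaching this point means the connector is misconfigured, so fail closed.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "client certificate required");
            return;
        }
        X509Certificate leaf = certs[0]; // chain is ordered leaf first
        try {
            leaf.checkValidity(); // the handshake checks this too; cheap to repeat here
        } catch (CertificateException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate not currently valid");
            return;
        }

        Set<String> roles;
        try {
            roles = rolesFor(leaf);
        } catch (InvalidNameException e) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "unparseable certificate name");
            return;
        }
        if (roles.isEmpty()) {
            // Authenticated by the CA hierarchy, but not authorised for this application.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "no role for this certificate");
            return;
        }

        final Principal who = leaf.getSubjectX500Principal();
        final Set<String> granted = Collections.unmodifiableSet(roles);
        chain.doFilter(new HttpServletRequestWrapper(req) {
            @Override public Principal getUserPrincipal() { return who; }
            @Override public boolean isUserInRole(String role) { return granted.contains(role); }
            @Override public String getAuthType() { return HttpServletRequest.CLIENT_CERT_AUTH; }
        }, resp);
    }

    /**
     * Role mapping used by this example (an assumption, not a standard): a certificate from
     * ISSUER_DN gets "user" plus "ou:<value>" for each OU RDN in its subject; a certificate
     * from any other issuer, e.g. another branch of the corporate hierarchy, gets no roles.
     */
    static Set<String> rolesFor(X509Certificate cert) throws InvalidNameException {
        LdapName issuer = new LdapName(cert.getIssuerX500Principal().getName());
        if (!issuer.equals(new LdapName(ISSUER_DN))) {
            return Collections.emptySet();
        }
        Set<String> roles = new HashSet<String>();
        roles.add("user");
        LdapName subject = new LdapName(cert.getSubjectX500Principal().getName());
        for (Rdn rdn : subject.getRdns()) {
            if ("OU".equalsIgnoreCase(rdn.getType())) {
                roles.add("ou:" + rdn.getValue().toString().toLowerCase());
            }
        }
        return roles;
    }
}
```

Map the filter in web.xml ahead of the XML-RPC servlet; the servlet then decides per method with `req.isUserInRole("ou:admins")` and the like, and the queue it hands work to can be a plain static field, since every Tomcat request thread runs in the same JVM as that servlet. With Apache in front, the chain only reaches Tomcat if mod_ssl verifies and exports it (`SSLVerifyClient require`, `SSLCACertificateFile` holding the intermediate, `SSLVerifyDepth` deep enough for the hierarchy, and `SSLOptions +ExportCertData`) and mod_jk forwards it (`JkExtractSSL On`, its default). Revocation then lives in mod_ssl's `SSLCARevocationFile`, which Apache picks up on a graceful restart, so the Tomcat keystore the post complains about never needs editing.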
