hgomez 00/12/11 07:05:22
Modified: src/doc tomcat-ssl-howto.html
Log:
Updated documentation on SSL (SSLVars)
Revision Changes Path
1.3 +270 -259 jakarta-tomcat/src/doc/tomcat-ssl-howto.html
Index: tomcat-ssl-howto.html
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/doc/tomcat-ssl-howto.html,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -r1.2 -r1.3
--- tomcat-ssl-howto.html 2000/11/30 07:32:46 1.2
+++ tomcat-ssl-howto.html 2000/12/11 15:05:21 1.3
@@ -1,259 +1,270 @@
-<html>
-<head>
- <!-- $Id $ -->
- <!-- Copyright 1999, Apache Software Foundation -->
-
- <meta http-equiv=Content-Type content="text/html">
- <link rel="stylesheet" href="style.css">
- <style type="text/css">
- .inlinetd {
- background-color: #E0E0E0;
- vertical-align: text-top;
- border-top: thick black;
- border-right: thick black;
- border-bottom: thick black;
- border-left: thick black;
- }
- .inlineth {
- background-color: #d0d0d0;
- border-top: thick black;
- border-right: thick black;
- border-bottom: thick black;
- border-left: thick black;
- }
- .inlinetable {
- width: 75%;
- border: thick;
- background-color: #000000;
- }
- .subsection { margin:20pt; }
- .note { margin:20pt; padding:5pt; background-color:#e0e0ff; }
-
- </style>
-
-<title>Tomcat and SSL</title>
-</head>
-
-<body>
-<!-- Banner element, all hail the Project! -->
-<table border="0" width="100%" cellspacing="0" cellpadding="0">
- <tr>
- <td width="50%" align="left"> <a href="http://jakarta.apache.org/index.html">
- <img src="uguide/images/banner.gif" width="350" height="100" alt="The Jakarta
Project" border="0">
- </a> </td>
- <td width="50%" align="right"> <img border="0" src="uguide/images/tomcat.gif"
width="100" height="71" alt="The mighty Tomcat - Meow!">
- </td>
- </tr>
-</table>
-<h1>Tomcat and SSL</h1>
-<p>By Gomez Henri <tt><<a
href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>></tt></p>
-<h2>Table of Contents</h2>
-<ul>
- <li><a href="#s2">Tomcat and SSL</a></li>
- <li><a href="#s3">Building tomcat with SSL support</a></li>
- <li><a href="#s4">Tomcat with Apache and mod_jk</a></li>
- <li><a href="#s5">SSL via apache</a></li>
- <li><a href="#s6">SSL direct</a></li>
- <li><a href="#s7">Credits</a></li>
-</ul>
-<hr>
-<h2><a name=s2>Tomcat and SSL</a></h2>
-<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via
- an Apache SSLified (<a href="http://www.apachessl.org">Apache-SSL</a> or
apache-mod_ssl)
- with the mod_jk connector.</p>
-<hr>
-<h2><a name=s3>Building tomcat with SSL support</a></h2>
-<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH.
- I used to clear the CLASSPATH env var to avoid conflict in jar. A common case
- of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser
- like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
-<p>At build time, (via ant), tomcat will check for some libs and will then included
- more or less options. It's the case of SSL support. If you have the JSSE 1.0.2
- jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat
- will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T
- BE INCLUDED in tomcat. You'll have to go to <a
href="http://java.sun.com/products/jsse/%20">jsse
- home page </a>and download from there the domestic (US/Canada) or global archive.
- Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p>
-<hr>
-<h2><a name=s4>Tomcat with Apache and mod_jk</a></h2>
-<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector
- mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL
- directive is present in your httpd.conf. </p>
-<p>Informations are :</p>
-<table width="75%" border="1">
- <tr>
- <td>HTTPS</td>
- <td>apache redirect to tomcat from an SSL area</td>
- </tr>
- <tr>
- <td>SSL_SESSION_ID</td>
- <td>SSL session ID</td>
- </tr>
- <tr>
- <td>SSL_CIPHER</td>
- <td>SSL CIPHER used</td>
- </tr>
- <tr>
- <td>SSL_CLIENT_CERT</td>
- <td>SSL Certificate of client</td>
- </tr>
-</table>
-<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt
- SSL vars via the following JK vars </p>
-<ul>
- <li>JkExtractSSL</li>
- <li>JkHTTPSIndicator</li>
- <li>JkSESSIONIndicator</li>
- <li>JkCIPHERIndicator</li>
- <li>JkCERTSIndicator: </li>
-</ul>
-<p>here is an example of directive to include in httpd.conf for use with mod_ssl
-</p>
-<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL
- information to Tomact (default is On)<br>
- JkExtractSSL On <br>
- # What is the indicator for SSL (default is HTTPS)<br>
- JkHTTPSIndicator HTTPS <br>
- # What is the indicator for SSL session (default is SSL_SESSION_ID) <br>
- JkSESSIONIndicator SSL_SESSION_ID <br>
- # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br>
- JkCIPHERIndicator SSL_CIPHER <br>
- # What is the indicator for the client SSL certificated (default is
SSL_CLIENT_CERT)
- <br>
- JkCERTSIndicator SSL_CLIENT_CERT </font></p>
-<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and
- ajp13, only ajp13 could forward SSL informations to tomcat.</p>
-<hr>
-<h2><a name=s5>SSL via apache</a></h2>
-<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy
- usefull when using an apache-mod_ssl with tomcat.<br>
- This config will easily secure your webapps via Apache SSL support. Just take
- care of setting these jk vars outside VirtualHost directives :</p>
-<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile
/etc/httpd/conf/workers.properties<br>
- JkLogFile /var/log/httpd/mod_jk.log <br>
- JkLogLevel warn</font> </p>
-<p>The jk redirect stuff could be set in virtual hosts : <virtualhost
_default_:443></p>
-<p><font face="Courier New, Courier, mono" size="-1"><VirtualHost
_default_:443><br>
- SSLEngine on <br>
- SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
- <br>
- <br>
- </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br>
- </font><font face="Courier New, Courier, mono" size="-1"><br>
- Alias /alesia "/var/tomcat/webapps/alesia" <directory
"/var/tomcat/webapps/alesia">
- <br>
- <Directory "/var/tomcat/webapps/alesia"></directory><br>
- <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks
</directory>
- <br>
- </Directory> <br>
- <br>
- JkMount /alesia/servlet/* ajp13 <br>
- JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br>
- </location><br>
- <Location "/alesia/WEB-INF/"><br>
- AllowOverride None<br>
- Deny from all<br>
- </Location> </font></p>
-<p><font face="Courier New, Courier, mono"
size="-1"></VirtualHost></font><virtualhost _default_:443></virtualhost></p>
-<hr>
-<h2><a name=s6>SSL direct</a></h2>
-<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For
- more informations about SSL and certificates, I suggest you could take a look
- at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation)
- and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p>
-<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration
file</font></a></h3>
-<blockquote>
- <p> <font face="Courier New, Courier, mono" size="-1">To use the HTTP with SSL
- connector in tomcat, verify that it is activated in server.xml</font></p>
- <p><font face="Courier New, Courier, mono" size="-1"><Connector
className="org.apache.tomcat.service.PoolTcpConnector"><br>
- <Parameter name="handler"
value="org.apache.tomcat.service.http.HttpConnectionHandler"/><br>
- <Parameter name="port" value="8443"/><br>
- <Parameter name="socketFactory"
value="org.apache.tomcat.net.SSLSocketFactory"
- /> <br>
- </Connector> </font></p>
-</blockquote>
-<h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3>
-<blockquote>
- <p>I succeed (at least) with my IBM JDK 1.3 after : </p>
-</blockquote>
-<ul>
- <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext
- (JAVA > 1.2)<br>
- </b><br>
- </li>
- <li> from server.xml doc.You _need_ to set up a server certificate if you want
- this to work, and you need JSSE. <br>
- <br>
- <ul>
- <li> Add JSSE jars to CLASSPATH </li>
- <li> Edit $JAVA_HOME/jre/lib/security/java.security Add:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
- <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey
- -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape
- and IIS. Use "changeit" as password. ( or add keypass attribute ) You
- don't need to sign the certificate. You can set parameter keystore and
- keypass if you want to change the default ( user.home/.keystore with
changeit
- )<br>
- <br>
- </li>
- </ul>
- </li>
- <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in
$JAVA_HOME/jre/lib/ext
- and then add them to CLASSPATH export <br>
- <br>
- <font size="-1" face="Courier New, Courier,
mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH
- export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export
CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br>
- <br>
- You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically
- added to CLASSPATH at tomcat startup (tomcat.sh).</li>
-</ul>
-<p> </p>
-<h3><a name=s63>Importing SSL certificates</a></h3>
-<p>It's possible to import certificates generated with <a
href="http://www.openssl.org">OpenSSL</a>.
- Here are the steps needed to generate such certs with OpenSSL : </p>
-<ul>
- <li>To generate a new request and a new key <br>
- <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem
-keyout KEY.pem</font> </pre>
- </li>
- <li>To generate a self signed x509 certificate from a certificate request using
- a supplied key, and we want to see the text form of the output certificate
- (which we will put in the file selfSign.pem
- <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509 -in
- REQ.pem -key KEY.pem -out CERT.pem</font> </p>
- </li>
- <li>Verify that the signature is correct on a certificate request.
- <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in
- REQ.pem</font> </p>
- </li>
- <li>Verify that the signature was made using a specified public key
- <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in
- REQ.pem -key KEY.pem</font> </p>
- </li>
- <li>Print the contents of a certificate request
- <p><font face="Courier New, Courier, mono" size="-1">openssl req -text -in
- REQ.pem</font> </p>
- </li>
- <li>To import the CERT in keystore, you just do next :
- <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v
-trustcacerts
- -alias tomcat -file</font> <font size="-1" face="Courier New, Courier,
mono">CERT.pem</font>
- </p>
- </li>
-</ul>
-<hr>
-<h2><a name=s7>Credits</a></h2>
-<p>This document was created by <a href="mailto:[EMAIL PROTECTED]">Gomez Henri</a>.
- Thanks to [EMAIL PROTECTED] for import info. Feel free to contact me for more
- updates.</p>
-<table width="100%" border="0" cellpadding="10" cellspacing="0">
- <tr>
- <td>
- <p class="fineprint"> Copyright ©1999-2000 The Apache Software
Foundation<br>
- <a href="http://jakarta.apache.org/legal.html">Legal Stuff They Make Us
- Say</a><br>
- <a href="http://jakarta.apache.org/contact.html">Contact Information</a>
- </p>
- </td>
- </tr>
-</table>
-</body>
-</html>
-
+<html>
+<head>
+ <!-- $Id $ -->
+ <!-- Copyright 1999, Apache Software Foundation -->
+
+ <meta http-equiv=Content-Type content="text/html">
+ <link rel="stylesheet" href="style.css">
+ <style type="text/css">
+ .inlinetd {
+ background-color: #E0E0E0;
+ vertical-align: text-top;
+ border-top: thick black;
+ border-right: thick black;
+ border-bottom: thick black;
+ border-left: thick black;
+ }
+ .inlineth {
+ background-color: #d0d0d0;
+ border-top: thick black;
+ border-right: thick black;
+ border-bottom: thick black;
+ border-left: thick black;
+ }
+ .inlinetable {
+ width: 75%;
+ border: thick;
+ background-color: #000000;
+ }
+ .subsection { margin:20pt; }
+ .note { margin:20pt; padding:5pt; background-color:#e0e0ff; }
+
+ </style>
+
+<title>Tomcat and SSL</title>
+</head>
+
+<body>
+<!-- Banner element, all hail the Project! -->
+<table border="0" width="100%" cellspacing="0" cellpadding="0">
+ <tr>
+ <td width="50%" align="left"> <a href="http://jakarta.apache.org/index.html">
+ <img src="uguide/images/banner.gif" width="350" height="100" alt="The Jakarta
Project" border="0">
+ </a> </td>
+ <td width="50%" align="right"> <img border="0" src="uguide/images/tomcat.gif"
width="100" height="71" alt="The mighty Tomcat - Meow!">
+ </td>
+ </tr>
+</table>
+<h1>Tomcat and SSL</h1>
+<p>By Gomez Henri <tt><<a
href="mailto:[EMAIL PROTECTED]">[EMAIL PROTECTED]</a>></tt></p>
+<h2>Table of Contents</h2>
+<ul>
+ <li><a href="#s2">Tomcat and SSL</a></li>
+ <li><a href="#s3">Building tomcat with SSL support</a></li>
+ <li><a href="#s4">Tomcat with Apache and mod_jk</a></li>
+ <li><a href="#s5">SSL via apache</a></li>
+ <li><a href="#s6">SSL direct</a></li>
+ <li><a href="#s7">Credits</a></li>
+</ul>
+<hr>
+<h2><a name=s2>Tomcat and SSL</a></h2>
+<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via
+ an Apache SSLified (<a href="http://www.apachessl.org">Apache-SSL</a> or
apache-mod_ssl)
+ with the mod_jk connector.</p>
+<hr>
+<h2><a name=s3>Building tomcat with SSL support</a></h2>
+<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH.
+ I used to clear the CLASSPATH env var to avoid conflict in jar. A common case
+ of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser
+ like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
+<p>At build time, (via ant), tomcat will check for some libs and will then included
+ more or less options. It's the case of SSL support. If you have the JSSE 1.0.2
+ jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat
+ will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T
+ BE INCLUDED in tomcat. You'll have to go to <a
href="http://java.sun.com/products/jsse/%20">jsse
+ home page </a>and download from there the domestic (US/Canada) or global archive.
+ Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p>
+<hr>
+<h2><a name=s4>Tomcat with Apache and mod_jk</a></h2>
+<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector
+ mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL
+ directive is present in your httpd.conf. </p>
+<p>Informations are :</p>
+<table width="75%" border="1">
+ <tr>
+ <td>HTTPS</td>
+ <td>apache redirect to tomcat from an SSL area</td>
+ </tr>
+ <tr>
+ <td>SSL_SESSION_ID</td>
+ <td>SSL session ID</td>
+ </tr>
+ <tr>
+ <td>SSL_CIPHER</td>
+ <td>SSL CIPHER used</td>
+ </tr>
+ <tr>
+ <td>SSL_CLIENT_CERT</td>
+ <td>SSL Certificate of client</td>
+ </tr>
+</table>
+<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt
+ SSL vars via the following JK vars </p>
+<ul>
+ <li>JkExtractSSL</li>
+ <li>JkHTTPSIndicator</li>
+ <li>JkSESSIONIndicator</li>
+ <li>JkCIPHERIndicator</li>
+ <li>JkCERTSIndicator: </li>
+</ul>
+<p>here is an example of directive to include in httpd.conf for use with mod_ssl
+</p>
+<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL
+ information to Tomact (default is On)<br>
+ JkExtractSSL On <br>
+ # What is the indicator for SSL (default is HTTPS)<br>
+ JkHTTPSIndicator HTTPS <br>
+ # What is the indicator for SSL session (default is SSL_SESSION_ID) <br>
+ JkSESSIONIndicator SSL_SESSION_ID <br>
+ # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br>
+ JkCIPHERIndicator SSL_CIPHER <br>
+ # What is the indicator for the client SSL certificated (default is
SSL_CLIENT_CERT)
+ <br>
+ JkCERTSIndicator SSL_CLIENT_CERT </font></p>
+<p>When using mod_jk with Apache & mod_ssl it is essential to specify "SSLOptions
+ +StdEnvVars +ExportCertData" in the httpd.conf file.<br>
+ Otherwise mod_ssl will not produce the neccessary environment variables for
+ mod_jk. (Tilo Christ <[EMAIL PROTECTED]>)</p>
+<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and
+ ajp13, only ajp13 could forward SSL informations to tomcat.</p>
+<hr>
+<h2><a name=s5>SSL via apache</a></h2>
+<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy
+ usefull when using an apache-mod_ssl with tomcat.<br>
+ This config will easily secure your webapps via Apache SSL support. Just take
+ care of setting these jk vars outside VirtualHost directives :</p>
+<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile
/etc/httpd/conf/workers.properties<br>
+ JkLogFile /var/log/httpd/mod_jk.log <br>
+ JkLogLevel warn</font> </p>
+<p>The jk redirect stuff could be set in virtual hosts : <virtualhost
_default_:443></p>
+<p><font face="Courier New, Courier, mono" size="-1"><VirtualHost
_default_:443><br>
+ SSLEngine on <br>
+ SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
+ <br>
+ <br>
+ </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br>
+ </font><font face="Courier New, Courier, mono" size="-1"><br>
+ Alias /alesia "/var/tomcat/webapps/alesia" <directory
"/var/tomcat/webapps/alesia">
+ <br>
+ <Directory "/var/tomcat/webapps/alesia"></directory><br>
+ <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks
</directory>
+ <br>
+ </Directory> <br>
+ <br>
+ JkMount /alesia/servlet/* ajp13 <br>
+ JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br>
+ </location><br>
+ <Location "/alesia/WEB-INF/"><br>
+ AllowOverride None<br>
+ Deny from all<br>
+ </Location> </font></p>
+<p><font face="Courier New, Courier, mono"
size="-1"></VirtualHost></font><virtualhost _default_:443></virtualhost></p>
+<hr>
+<h2><a name=s6>SSL direct</a></h2>
+<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For
+ more informations about SSL and certificates, I suggest you could take a look
+ at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation)
+ and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p>
+<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration
file</font></a></h3>
+<blockquote>
+ <p> To use the HTTP with SSL connector in tomcat, verify that it is activated
+ in server.xml</p>
+ <p><font face="Courier New, Courier, mono" size="-1"><Connector
className="org.apache.tomcat.service.PoolTcpConnector"><br>
+ <Parameter name="handler"
value="org.apache.tomcat.service.http.HttpConnectionHandler"/><br>
+ <Parameter name="port" value="8443"/><br>
+ <Parameter name="socketFactory"
value="org.apache.tomcat.net.SSLSocketFactory"
+ /><br>
+ <Parameter name="keystore" value="/var/tomcat/conf/keystore"
/></font><font face="Courier New, Courier, mono" size="-1">
+ <br>
+ <Parameter name="keypass" value="changeit"/><br>
+ <Parameter name="clientAuth" value="true"/> <br>
+ </Connector> </font></p>
+ <p>In this example we indicate the keystore is file
<b>/var/tomcat/conf/keystore</b>.
+ The keystore password is <b>changeit</b> and we want client to
authentificate.</p>
+ <blockquote> </blockquote>
+</blockquote>
+<h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3>
+<blockquote>
+ <p>I succeed (at least) with my IBM JDK 1.3 after : </p>
+</blockquote>
+<ul>
+ <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext
+ (JAVA > 1.2)<br>
+ </b><br>
+ </li>
+ <li> from server.xml doc.You _need_ to set up a server certificate if you want
+ this to work, and you need JSSE. <br>
+ <br>
+ <ul>
+ <li> Add JSSE jars to CLASSPATH </li>
+ <li> Edit $JAVA_HOME/jre/lib/security/java.security Add:
security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
+ <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey
+ -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape
+ and IIS. Use "changeit" as password. ( or add keypass attribute ) You
+ don't need to sign the certificate. You can set parameter keystore and
+ keypass if you want to change the default ( user.home/.keystore with
changeit
+ )<br>
+ <br>
+ </li>
+ </ul>
+ </li>
+ <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in
$JAVA_HOME/jre/lib/ext
+ and then add them to CLASSPATH export <br>
+ <br>
+ <font size="-1" face="Courier New, Courier,
mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH
+ export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export
CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br>
+ <br>
+ You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically
+ added to CLASSPATH at tomcat startup (tomcat.sh).</li>
+</ul>
+<p> </p>
+<h3><a name=s63>Importing SSL certificates</a></h3>
+<p>It's possible to import certificates generated with <a
href="http://www.openssl.org">OpenSSL</a>.
+ Here are the steps needed to generate such certs with OpenSSL : </p>
+<ul>
+ <li>To generate a new request and a new key <br>
+ <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem
-keyout KEY.pem</font> </pre>
+ </li>
+ <li>To generate a self signed x509 certificate from a certificate request using
+ a supplied key, and we want to see the text form of the output certificate
+ (which we will put in the file selfSign.pem
+ <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509 -in
+ REQ.pem -key KEY.pem -out CERT.pem</font> </p>
+ </li>
+ <li>Verify that the signature is correct on a certificate request.
+ <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in
+ REQ.pem</font> </p>
+ </li>
+ <li>Verify that the signature was made using a specified public key
+ <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in
+ REQ.pem -key KEY.pem</font> </p>
+ </li>
+ <li>Print the contents of a certificate request
+ <p><font face="Courier New, Courier, mono" size="-1">openssl req -text -in
+ REQ.pem</font> </p>
+ </li>
+ <li>To import the CERT in keystore, you just do next :
+ <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v
-trustcacerts
+ -alias tomcat -file</font> <font size="-1" face="Courier New, Courier,
mono">CERT.pem</font>
+ </p>
+ </li>
+</ul>
+<hr>
+<h2><a name=s7>Credits</a></h2>
+<p>This document was created by <a href="mailto:[EMAIL PROTECTED]">Gomez Henri</a>.
+ Thanks to [EMAIL PROTECTED] for import info. Feel free to contact me for more
+ updates.</p>
+<table width="100%" border="0" cellpadding="10" cellspacing="0">
+ <tr>
+ <td>
+ <p class="fineprint"> Copyright ©1999-2000 The Apache Software
Foundation<br>
+ <a href="http://jakarta.apache.org/legal.html">Legal Stuff They Make Us
+ Say</a><br>
+ <a href="http://jakarta.apache.org/contact.html">Contact Information</a>
+ </p>
+ </td>
+ </tr>
+</table>
+</body>
+</html>
+
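Review bot: the new server.xml example (`<Parameter name="keypass" value="changeit"/>` followed by `<Parameter name="clientAuth" value="true"/>`) puts the default keystore password into the config file and switches on client certificate authentication, but the explanatory paragraph below it only says "we want client to authentificate"; please tell the reader to change keypass from the default and to restrict read access to server.xml, and document which CA certificates the connector trusts when clientAuth is true (the later `keytool -import -v -trustcacerts` step is the only hint in the file). The added paragraph states that "SSLOptions +StdEnvVars +ExportCertData" is essential for mod_jk, yet the httpd.conf example just above it (from `JkExtractSSL On` to `JkCERTSIndicator SSL_CLIENT_CERT`) does not contain that directive, so a copy-paste of the example will not export the variables the table promises; add the SSLOptions line to the example. In the VirtualHost block the example `SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` admits eNULL (null-encryption) and export-grade suites; a howto about securing webapps should at least use `!eNULL` there. Spelling: "neccessary" should be "necessary" and "authentificate" should be "authenticate"; the empty `<blockquote> </blockquote>` after the keystore paragraph and the stray lowercase `<directory>`, `<location>` and `<virtualhost>` tags left by the HTML editor inside the examples can be removed. Finally, the hunk replaces all 259 lines with 270 although only three passages differ, which suggests a line-ending or whitespace change on the whole file; normalising line endings before committing would keep future diffs reviewable.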