Good Morning,

I work on the Internet2 Shibboleth project and we've run into an issue with client cert authentication in a stand-alone Tomcat environment (i.e. without Apache HTTPD in front of it). Shibboleth clients use client cert auth when talking with the Shibboleth server; however, the certificate chains for the clients are not in a Java keystore. Instead they are in XML files that contain a large amount of metadata needed by both the client and the server.

Our current, supported deployment configuration is to have Apache HTTPD in front of Tomcat and to use the "SSLVerifyClient optional_no_ca" HTTPD directive. This allows the client to send its certificate, but instead of HTTPD trying to validate the cert, it just passes the cert on to the Shibboleth server. This allows us to validate the certificate against the cert chains in the metadata files within the server code (a huge support boon for us).

What we'd like to request is a similar option for the SSL connector when client cert auth is used so that we can support a stand-alone Tomcat setup too. Would this be possible?

--
Chad La Joie
315Q St. Mary's Hall
Project Sentinel
202.687.0124
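As an added example (not part of the original message or of the Shibboleth code), here is the application-side check that an optional_no_ca deployment relies on: because HTTPD has not validated the chain, the application must. Tomcat exposes the chain forwarded from HTTPD as the request attribute `javax.servlet.request.X509Certificate`; the class below validates such a chain against trust anchors the application supplies. The class name, the disabled revocation checking and the way the trust anchors are obtained (the page's metadata files are not parsed here) are assumptions.

```java
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/**
 * Validates a client chain that Apache HTTPD forwarded with
 * "SSLVerifyClient optional_no_ca". In that mode the web server performs
 * no trust check at all, so a self-signed or unrelated certificate reaches
 * the application unless this validation is done.
 * (Hypothetical class; not part of Shibboleth.)
 */
public final class ForwardedClientCertValidator {

    private final Set<TrustAnchor> anchors = new HashSet<>();
    private final Set<X509Certificate> anchorCerts;

    /** @param trustedCas CA certificates the application trusts (assumed to come from metadata). */
    public ForwardedClientCertValidator(Set<X509Certificate> trustedCas) {
        anchorCerts = new HashSet<>(trustedCas);
        for (X509Certificate ca : trustedCas) {
            anchors.add(new TrustAnchor(ca, null));
        }
    }

    /**
     * @param chain value of request.getAttribute("javax.servlet.request.X509Certificate"),
     *              end-entity certificate first, as Tomcat delivers it
     * @return the validated end-entity certificate
     * @throws CertPathValidatorException if no certificate was sent or the chain is untrusted
     */
    public X509Certificate validate(X509Certificate[] chain) throws Exception {
        if (chain == null || chain.length == 0) {
            throw new CertPathValidatorException("no client certificate presented");
        }
        // PKIX paths must not contain the trust anchor itself; drop it if the client sent it.
        List<X509Certificate> path = new ArrayList<>();
        for (X509Certificate c : chain) {
            if (!anchorCerts.contains(c)) {
                path.add(c);
            }
        }
        CertPath certPath = CertificateFactory.getInstance("X.509").generateCertPath(path);
        PKIXParameters params = new PKIXParameters(anchors);
        params.setRevocationEnabled(false); // assumption: no CRL/OCSP source configured here
        CertPathValidator.getInstance("PKIX").validate(certPath, params); // throws on failure
        return chain[0];
    }
}
```

Expiry, signature and name-chaining checks are performed by the PKIX validator; revocation must be enabled separately once a CRL or OCSP source is available.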