After searching through the Tomcat user forums and bug list, it appears there are only two options to enable ldaps connections without modification to the Tomcat JNDI Realm itself:

1) Start Tomcat using system properties that specify the default trust keystore and password (e.g. -Djavax.net.ssl.trustStore=<path to truststore> -Djavax.net.ssl.trustStorePassword=<password>). The problem with this is that it requires the password to the trust keystore to be provided on the command line.

2) Add the CA cert to the <java-home>/lib/security/cacerts file (or <java-home>/lib/security/jssecacerts, which has higher precedence), which is used as the default trust store. This has the downside of tying the CA cert maintenance lifecycle to the JVM maintenance lifecycle (e.g. upgrades). It also limits the reuse of a JDK installation across applications/Tomcat instances.

Are there any plans for org.apache.catalina.realm.JNDIRealm to address these items via support for configuring the trust store path/password like org.apache.tomcat.util.net.AbstractEndpoint?

Thanks,
Jon
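As an added illustration of the configuration problem described in the post above (this is example code, not Tomcat's JNDIRealm code and not from the original poster): the standard JNDI LDAP provider lets a client name a socket factory class through the `java.naming.ldap.factory.socket` environment property, and that class can load a dedicated PKCS12 trust store whose password is read from a file rather than from the command line, keeping the CA certificate out of the JVM-wide cacerts/jssecacerts. The class name, file paths, system property names, LDAP URL and bind DN below are assumptions chosen for the example.

```java
// Added example, not Tomcat or JNDIRealm code: an LDAPS connection through the
// standard JNDI LDAP provider that trusts a dedicated PKCS12 trust store instead
// of the JVM-wide cacerts/jssecacerts or the javax.net.ssl.* system properties.
// Paths, property names, URL and bind DN are assumptions for illustration.
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;
import javax.net.SocketFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class LdapTrustStoreSocketFactory {

    // The JNDI LDAP provider instantiates the class named in the
    // "java.naming.ldap.factory.socket" property by calling its
    // public static getDefault() method and uses the returned factory
    // for every connection to the ldaps:// URL.
    public static SocketFactory getDefault() {
        Path trustStore = Paths.get(System.getProperty(
                "ldap.trustStore", "/etc/tomcat/ldap-truststore.p12"));       // assumed path
        Path passwordFile = Paths.get(System.getProperty(
                "ldap.trustStorePasswordFile", "/etc/tomcat/ldap-truststore.pw")); // assumed path
        try {
            return buildFactory(trustStore, passwordFile);
        } catch (Exception e) {
            // Fail closed: a missing or unreadable trust store must not fall
            // back to the JVM default trust anchors silently.
            throw new IllegalStateException("cannot initialise LDAPS trust store", e);
        }
    }

    // Loads the CA certificate(s) from a PKCS12 trust store. The store password
    // comes from a file (keep it mode 0600, owned by the Tomcat user) so it
    // never appears in the process command line or in `ps` output.
    static SSLSocketFactory buildFactory(Path trustStore, Path passwordFile) throws Exception {
        char[] password = new String(Files.readAllBytes(passwordFile), StandardCharsets.UTF_8)
                .trim().toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(trustStore)) {
            ks.load(in, password);
        }
        java.util.Arrays.fill(password, '\0');

        // Only the trust side is configured; no client key material is used.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(
                TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }

    // Stand-alone check: bind over LDAPS using the dedicated trust store.
    // Assumed URL, bind DN and environment variable name.
    public static void main(String[] args) throws NamingException {
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://ldap.example.com:636");
        env.put("java.naming.ldap.factory.socket", LdapTrustStoreSocketFactory.class.getName());
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "cn=tomcat,ou=services,dc=example,dc=com");
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PASSWORD"));

        DirContext ctx = new InitialDirContext(env);   // TLS handshake happens here
        try {
            System.out.println("LDAPS bind succeeded using dedicated trust store");
        } finally {
            ctx.close();
        }
    }
}
```

The dedicated store itself can be built with `keytool -importcert -trustcacerts -alias ldap-ca -file ldap-ca.pem -keystore /etc/tomcat/ldap-truststore.p12 -storetype PKCS12`, which is the same import that option 2 in the post performs against `<java-home>/lib/security/cacerts`, only into a file that survives a JDK upgrade. One caveat to check on the JDK in use: hostname verification of the LDAPS endpoint is performed by the JDK's LDAP provider (enabled by default in JDK 8u181 and later), not by the `SSLSocketFactory` above, so confirm it is in effect rather than assuming it.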