Thanks Felix. You're correct, for a single auth SSL connection the password was not required (I assume a mutual auth connection would work as well if the keystore for the client cert was physically different). I assumed that since it was provided in the connector config (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) it would be required, but that is not the case!
Thanks again,
Jon

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday, March 28, 2013 6:52 AM
To: Tomcat Users List
Subject: Re: Tomcat support for JNDIRealm LDAPS connections

Hi Jon,

first of all, it seems that you have hijacked a thread by replying to a mail from this mailing list and changing the subject of the thread. That might be a reason why you have not got any answers to your question yet.

On 27.03.2013 17:03, Wilmoth, Jon wrote:
> After searching through the Tomcat user forums and bug list it
> appears there are only two options to enable ldaps connections,
> without modification to the Tomcat JNDI Realm itself:
>
> 1) Start Tomcat using system properties that specify the default
> trust keystore & password (e.g. -Djavax.net.ssl.trustStore=<path to
> truststore> -Djavax.net.ssl.trustStorePassword=<password>). The
> problem with this is it requires the password to the trust keystore be
> provided on the command line.

I don't think that you need to give a trustStorePassword, when all you need is a secure connection to a tls/ssl based service. You only need the password, if you want to access private keys in the truststore, for example when you want to use client certificates.

HTH
Felix

> 2) Add the CA cert to the <java-home>/lib/security/cacerts file (or
> <java-home>/lib/security/jssecacerts which has higher precedence)
> which is used as the default trust store. This has the downside of
> tying the CA cert maintenance lifecycle to the JVM maintenance
> lifecycle (e.g. upgrades). It also limits the reuse of a JDK
> installation across applications/Tomcat instances.
>
> Are there any plans for org.apache.catalina.realm.JNDIRealm to
> address these items via support for configuring the trust store
> path/password like org.apache.tomcat.util.net.AbstractEndpoint?
>
> Thanks,
> Jon
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
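As an added illustration of Felix's point (example code, not from the thread or from Tomcat): a JKS trust store, whether the JVM's default cacerts or an application-specific one pointed to by javax.net.ssl.trustStore, can be opened and fed to a TrustManagerFactory without its password, because the password only guards the integrity check and any private keys. It assumes the running JVM ships a default cacerts at java.home/lib/security/cacerts and borrows one bundled CA entry to stand in for the LDAP server's CA.

```java
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreWithoutPassword {
    // Open a trust store with no password: JKS skips only the integrity check,
    // the trusted certificate entries are still read. Without that check nothing
    // detects tampering with the file, so rely on filesystem permissions instead.
    static KeyStore loadWithoutPassword(Path path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = Files.newInputStream(path)) {
            ks.load(in, null);                         // null = no password supplied
        }
        return ks;
    }

    public static void main(String[] args) throws Exception {
        // Option 2 from the thread: the JVM's default cacerts, opened without its password.
        Path cacerts = Paths.get(System.getProperty("java.home"), "lib", "security", "cacerts");
        KeyStore defaults = loadWithoutPassword(cacerts);
        String alias = defaults.aliases().nextElement();   // any bundled CA stands in for the LDAP CA
        Certificate ca = defaults.getCertificate(alias);

        // Build a separate, password-protected application trust store (what keytool -importcert does).
        Path mine = Files.createTempFile("ldaps-truststore", ".jks");
        KeyStore app = KeyStore.getInstance("JKS");
        app.load(null, null);                               // start an empty store
        app.setCertificateEntry("ldap-ca", ca);
        try (OutputStream out = Files.newOutputStream(mine)) {
            app.store(out, "s3cret".toCharArray());         // constructed password, never needed again
        }

        // Option 1 from the thread, minus the password: only javax.net.ssl.trustStore is set.
        System.setProperty("javax.net.ssl.trustStore", mine.toString());
        System.setProperty("javax.net.ssl.trustStoreType", "JKS");
        SSLContext ctx = SSLContext.getDefault();           // builds its trust manager from that store
        System.out.println("default SSLContext protocol: " + ctx.getProtocol());

        // The same store, reopened explicitly without a password, still initialises a TrustManagerFactory.
        KeyStore reopened = loadWithoutPassword(mine);
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(reopened);
        System.out.println("trusted entries: " + reopened.size()
                + ", trust managers: " + tmf.getTrustManagers().length);
    }
}
```

Supplying a wrong password to load() would fail the integrity check, while supplying none skips it; this is why -Djavax.net.ssl.trustStorePassword can be left off the Tomcat command line when the store holds only CA certificates.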