> "Jack" <[EMAIL PROTECTED]> wrote in message
> news:[EMAIL PROTECTED]
> Hi,
>
> I have already gotten Tomcat to work with a (single) CRL, and as it
> was a bit of a struggle have placed some info for those trying to do
> this at [1]. The document is far from perfect, and any comments are
> welcome.
>
> Now to the questions:
> 1. Is it possible to swap out the CRL (i.e. overwrite it with a newer
> one) and have the changes picked up without a restart?
>

Not currently. The CRL list is read at startup, and handed off to the
TrustStore.

> 1.a. If a restart is needed, is it enough to restart Tomcat, or must
> jboss be restarted?
>

Actually, just the Connector needs to be restarted (so Tomcat in your case).

>
> 2. Is it possible to use multiple CRLs (by pointing at a directory for
> example)?
>

Not currently. Tomcat just takes a single file at the moment.

> 2.a. If so, would changes to this directory be dynamically read?
>

To avoid bouncing the Connector, it would require a specialized CertStore
implementation. Neither "Collection" nor "LDAP" (which Tomcat doesn't
currently support either :) really does what you want.

> 2.b. If not, where is a good place (for me) to start looking at how to
> implement this?
>

All of the CRL code is in o.a.t.u.net.jsse.JSSE15SocketFactory (found under
connectors/util in the source distro). Knock yourself out ;-).

> I would like to somehow have dynamic CRL loading (so something that
> can do this without restarting either jboss or tomcat). I am not picky
> as to it being a single CRL or a directory of same.
>
> --
> Cheers
> Jack...
>
> The claim "natural" is not synonymous with safe.
>
> [1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
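The reply above says the CRL set is fixed at Connector startup and that avoiding a bounce needs something that re-reads revocation data on its own. The following is an added example, not code from this thread or from Tomcat: a delegating X509TrustManager that watches a directory of CRL files and rebuilds its PKIX trust manager whenever a file in that directory changes. The class and method names are mine; it uses only standard JSSE APIs (PKIXBuilderParameters, a "Collection" CertStore holding the CRLs, CertPathTrustManagerParameters) and assumes you can hand the resulting trust manager to an SSLContext you control. It does not assume any Tomcat configuration option for plugging it in.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.*;
import javax.net.ssl.*;

/**
 * Added example (not Tomcat code): an X509TrustManager that rebuilds its
 * revocation state from a directory of CRL files whenever one changes.
 */
public class ReloadingCrlTrustManager implements X509TrustManager {
    private final KeyStore trustStore;   // CA certificates client certs must chain to
    private final File crlDir;           // directory of DER or PEM encoded CRL files (assumed layout)
    private long lastLoaded = -1;        // newest CRL file mtime seen at the last rebuild
    private X509TrustManager delegate;   // PKIX trust manager built from the current CRL set

    public ReloadingCrlTrustManager(KeyStore trustStore, File crlDir) throws Exception {
        this.trustStore = trustStore;
        this.crlDir = crlDir;
        reloadIfChanged();               // fail at construction if the initial CRL set is unusable
    }

    // Newest modification time of any regular file in the CRL directory.
    private long newestMtime() {
        long newest = 0;
        File[] files = crlDir.listFiles();
        if (files != null) {
            for (File f : files) if (f.isFile()) newest = Math.max(newest, f.lastModified());
        }
        return newest;
    }

    // Rebuild the delegate only when a CRL file is newer than the last load.
    private synchronized void reloadIfChanged() throws Exception {
        long newest = newestMtime();
        if (delegate != null && newest <= lastLoaded) return;

        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<CRL> crls = new ArrayList<>();
        File[] files = crlDir.listFiles();
        if (files != null) {
            for (File f : files) {
                if (!f.isFile()) continue;
                try (InputStream in = new FileInputStream(f)) {
                    crls.addAll(cf.generateCRLs(in));   // a file may hold several CRLs
                }
            }
        }

        // Standard JSSE route: PKIX parameters with revocation checking on,
        // CRLs supplied through a "Collection" CertStore, wrapped for the TrustManagerFactory.
        PKIXBuilderParameters params = new PKIXBuilderParameters(trustStore, new X509CertSelector());
        params.setRevocationEnabled(true);
        params.addCertStore(CertStore.getInstance("Collection", new CollectionCertStoreParameters(crls)));

        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(new CertPathTrustManagerParameters(params));
        X509TrustManager fresh = null;
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) { fresh = (X509TrustManager) tm; break; }
        }
        if (fresh == null) throw new IllegalStateException("no X509TrustManager from PKIX factory");
        delegate = fresh;
        lastLoaded = newest;
    }

    // Fail closed: if the CRL directory cannot be reloaded, refuse handshakes rather than
    // silently validating against a stale or empty revocation list.
    private X509TrustManager current() {
        try {
            reloadIfChanged();
        } catch (Exception e) {
            throw new IllegalStateException("CRL reload failed", e);
        }
        synchronized (this) { return delegate; }
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkClientTrusted(chain, authType); }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType)
            throws CertificateException { current().checkServerTrusted(chain, authType); }
    @Override public X509Certificate[] getAcceptedIssuers() { return current().getAcceptedIssuers(); }

    // Hypothetical wiring into an SSLContext the caller owns.
    public static SSLContext sslContext(KeyManager[] keyManagers, KeyStore trustStore, File crlDir)
            throws Exception {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, new TrustManager[] { new ReloadingCrlTrustManager(trustStore, crlDir) }, null);
        return ctx;
    }
}
```

Two properties of this design matter operationally. With revocation checking enabled, PKIX validation fails for any client certificate whose issuer has no CRL in the collection, so emptying the directory locks every client out rather than disabling revocation; and a reload that throws (unparseable file, unreadable directory) makes every handshake fail until it is fixed. Both are deliberate fail-closed choices. Replace CRL files atomically (write to a temporary name, then rename) so the directory is never observed half-written, and remember that file mtimes have coarse granularity on some filesystems, so two replacements within the same second may not trigger a second rebuild.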