Krishna,

On 5/2/14, 4:55 AM, Aripaka, Krishna wrote:
> 1. We are using Tomcat 7.0.39 in our application.
> 
> 2. We have implemented Two Way SSL authentication using java
> keytool
> 
> 3. The issue is, when we create a new client certificate and add it to
> the Java Keystore (.jks), we are unable to authenticate unless we
> restart Tomcat.

FYI, this is the "trust store" - the things you trust, not the
keystore. They have the same file format, but they are used for
different things.

> So, every time we add a new client certificate, we are restarting
> Tomcat. Is there any way to handle this scenario without
> restarting Tomcat?

Tomcat's connector needs to be restarted when you add something to the
trust store. Can you try using something like JMX to restart the
connector?

There is an enhancement request to support CRL re-loading in the
secure connector implementations [1]. Perhaps a similar strategy could
be used to reload the trust store as well.

> I have read the documentation thoroughly, but I didn't find any
> information regarding this. Can you please help us with this? Thanks
> in advance.

IMHO, you shouldn't be storing individual certificates in your trust
store: that's a management headache. Instead, use a trusted
certificate to /sign/ your client certificates and then simply trust
the single certificate. If you need to revoke a certificate, then
you'll need to be able to manage your CRL properly in the same way
that it's tough to maintain your trust store right now. It's a
balancing act.

-chris

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55770
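The reply above suggests restarting just the connector over JMX instead of the whole JVM. The following is an added example of that approach written for this page; it is not code from the thread, from Tomcat, or from either poster. It assumes Tomcat was started with the standard `com.sun.management.jmxremote.*` JVM flags (port, authentication and SSL enabled) so a remote JMX client can connect, and it assumes the HTTPS connector carries `bindOnInit="false"` in server.xml: with the Tomcat 7 default of `bindOnInit="true"` the server socket and its SSL context are created at init and survive a stop/start, so nothing is re-read. The JMX port, credentials and connector port are hypothetical command-line inputs.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

import javax.management.MBeanServerConnection;
import javax.management.ObjectName;
import javax.management.remote.JMXConnector;
import javax.management.remote.JMXConnectorFactory;
import javax.management.remote.JMXServiceURL;

/**
 * Added example: stop and start one Tomcat connector over JMX so that it
 * rebinds its socket and re-reads truststoreFile / keystoreFile from disk,
 * without restarting the JVM.
 *
 * Assumptions (mine, not from the original thread):
 *  - Tomcat's JVM exposes JMX, e.g.
 *      -Dcom.sun.management.jmxremote.port=9012
 *      -Dcom.sun.management.jmxremote.authenticate=true
 *      -Dcom.sun.management.jmxremote.ssl=true
 *  - The HTTPS connector is declared with bindOnInit="false", e.g.
 *      <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
 *                 clientAuth="true" bindOnInit="false"
 *                 keystoreFile="conf/server.jks" keystorePass="..."
 *                 truststoreFile="conf/truststore.jks" truststorePass="..." />
 *    Only then does stop()/start() unbind and rebind the socket; with the
 *    default bindOnInit="true" the SSL context is built once at init.
 */
public class ReloadTrustStoreViaJmx {

    public static void main(String[] args) throws Exception {
        if (args.length != 5) {
            System.err.println("usage: ReloadTrustStoreViaJmx <host> <jmxPort> <connectorPort> <user> <password>");
            System.exit(2);
        }
        String host = args[0];
        int jmxPort = Integer.parseInt(args[1]);
        int connectorPort = Integer.parseInt(args[2]);

        // Standard JMX credential passing: the remote server checks the
        // user/password pair against its jmxremote.password / access files.
        Map<String, Object> env = new HashMap<String, Object>();
        env.put(JMXConnector.CREDENTIALS, new String[] { args[3], args[4] });

        JMXServiceURL url = new JMXServiceURL(
                "service:jmx:rmi:///jndi/rmi://" + host + ":" + jmxPort + "/jmxrmi");
        JMXConnector connector = JMXConnectorFactory.connect(url, env);
        try {
            restartConnector(connector.getMBeanServerConnection(), connectorPort);
        } finally {
            connector.close();
        }
    }

    /**
     * Tomcat registers each connector as Catalina:type=Connector,port=NNNN
     * (with an extra ,address="..." key when bound to one interface), so we
     * query with a property pattern instead of hard-coding the exact name.
     */
    static void restartConnector(MBeanServerConnection mbs, int connectorPort) throws Exception {
        ObjectName pattern = new ObjectName("Catalina:type=Connector,port=" + connectorPort + ",*");
        Set<ObjectName> names = mbs.queryNames(pattern, null);
        if (names.isEmpty()) {
            throw new IllegalStateException("no connector registered on port " + connectorPort);
        }
        for (ObjectName name : names) {
            System.out.println("before: " + name + " state=" + mbs.getAttribute(name, "stateName"));

            // stop() unbinds the socket (bindOnInit="false"), start() rebinds it,
            // which is where the JSSE socket factory / SSLContext is rebuilt and
            // the trust store is read again. New TLS connections are refused
            // during the gap between the two calls; existing ones are closed.
            mbs.invoke(name, "stop", null, null);
            mbs.invoke(name, "start", null, null);

            String state = (String) mbs.getAttribute(name, "stateName");
            System.out.println("after:  " + name + " state=" + state);
            if (!"STARTED".equals(state)) {
                throw new IllegalStateException(name + " did not come back up: " + state);
            }
        }
    }
}
```

Run it with `java ReloadTrustStoreViaJmx tomcat-host 9012 8443 jmxuser secret` (hypothetical values) right after replacing the trust store file. Checking `stateName` afterwards matters because a trust store that fails to load (wrong password, corrupt file) leaves the connector in FAILED with no listener on the port, which is a noisier failure than the original problem. The thread's last point still stands: if the trust store holds only the issuing CA certificate, new client certificates need no reload at all, and this restart is then only needed when the CA certificate or the CRL changes.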
