Christopher, thank you for the information. Yes, I'm trying to configure LDAPS for connection to Active Directory. Does the SSL connector need to be configured for LDAPS, or just create the JNDI realm?
-John

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Sunday, April 12, 2015 9:06 AM
To: Tomcat Users List
Subject: Re: SSLCertificateKeyFile directive question

John,

On 4/10/15 5:04 PM, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco) wrote:
> I need to configure SSL in Tomcat 7.0.39, but am stalled at the
> SSLCertificateKeyFile directive.

You should upgrade Tomcat if at all possible. There are known, advertised security problems with a version that old.

http://tomcat.apache.org/security-7.html

> I have been given by our info security team two trusted CA
> certificates, root and intermediate, with our large company being the
> CA, to use for ldap over ssl with APR in order to use OpenSSL.

Are you trying to configure TLS for the Tomcat server to accept requests, or so that you can connect to your LDAP server securely?

If the former, you want to configure your <Connector> appropriately and make sure to use the APR-based connector.

If the latter, I don't think you can choose an OpenSSL-based client to use for making outgoing LDAP connections.

> In the Tomcat docs is the directive SSLCertificateKeyFile stating it
> must point to the private key. We are using keystore, and when I try
> to export the private key the end result is that it cannot export the
> key due to it being a trusted certificate
> "KeyStoreException: TrustedCertEntry not supported". How to obtain the
> key? Is there another method, or does the CA need to supply it to me?

It sounds like you are trying to connect to a secure LDAP server and you just want to configure the trust store. You're getting confused between the two above cases I asked about.

The documentation you are looking for is here:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

Unfortunately, the docs look a little thin for the JNDIRealm, and I think it doesn't tell you what to do about ldaps:// connections. Checking the Javadoc for that class, there don't appear to be any settings you can put on the connector to handle the trust store, so I suspect JNDIRealm will use the JVM's default trust store, which is I think just the one that ships with the JVM.

So if you need to trust some other CA (i.e. not a public one), then you'll need to set the javax.net.ssl.trustStore system property to point to your own trust store which contains the lowest certificate you are willing to completely trust. You may choose to trust the whole CA or maybe just the leaf certificate for the LDAP server (which might be slightly more appropriate/safe for your purposes).

-chris
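An added example, not code from this thread or from Tomcat: a stand-alone Java check that opens one LDAPS connection to AD using the same JVM-wide javax.net.ssl.trustStore property JNDIRealm inherits, so the private trust store (root plus intermediate) can be verified before Tomcat is restarted. The host, trust store path and bind DN are placeholders, and the passwords are read from environment variables.

```java
import java.util.Hashtable;
import javax.naming.CommunicationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

/** Opens one LDAPS connection to AD and reports whether the server chain is trusted. */
public class LdapsTrustCheck {
    // Placeholder values: substitute your own AD host, trust store and bind account.
    static final String LDAPS_URL   = "ldaps://ad.example.internal:636";
    static final String TRUST_STORE = "/opt/tomcat/conf/ad-truststore.jks";
    static final String BIND_DN     = "CN=tomcat-svc,OU=Service Accounts,DC=example,DC=internal";

    public static void main(String[] args) {
        // The same JVM properties JNDIRealm relies on; under Tomcat they belong in
        // CATALINA_OPTS (or bin/setenv.sh), not in application code.
        System.setProperty("javax.net.ssl.trustStore", TRUST_STORE);
        String storePw = System.getenv("TRUST_STORE_PW");
        if (storePw != null) {
            System.setProperty("javax.net.ssl.trustStorePassword", storePw);
        }

        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, LDAPS_URL);          // ldaps:// means TLS from the first byte
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, BIND_DN);
        env.put(Context.SECURITY_CREDENTIALS, String.valueOf(System.getenv("BIND_PW")));

        try {
            DirContext ctx = new InitialDirContext(env);    // TLS handshake and bind happen here
            System.out.println("LDAPS handshake and bind OK: the trust store is sufficient.");
            ctx.close();
        } catch (CommunicationException e) {
            // A server chain not anchored in the trust store surfaces here, with an
            // SSLHandshakeException ("unable to find valid certification path") as root cause.
            System.err.println("TLS or connection failure: " + e.getRootCause());
        } catch (NamingException e) {
            // The handshake succeeded but the bind was rejected: trust is fine, credentials are not.
            System.err.println("Bind failed after a successful TLS handshake: " + e);
        }
    }
}
```

Run it with the same JDK and the same -Djavax.net.ssl.trustStore value Tomcat will use; if it reports a handshake failure, the trust store is missing the CA, not the realm configuration.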