Hi Bill,

Well - first, the reason we need to update the truststore often is because we use self-signed certificates and therefore each client certificate needs to be in there.

I've traced the code in the Http11Protocol class and noticed that I get the desired results by calling the destroy() and start() functions from the nested Http11ConnectionHandler process() method. This will cause the JIOEndpoint JSSESocketFactory to be reinitialized. My only concern at this point is that this is not documented and I may get undesired side effects. Do you have any further insight into this matter?

thanks much!
Mike

On Thu, Dec 18, 2008 at 5:14 AM, Bill Barker <wbar...@wilshire.com> wrote:
>
> "Michael Rooz" <michaelr...@gmail.com> wrote in message
> news:3df1c6c00812170307m3252f89p8c58b8373142...@mail.gmail.com...
> > Hi,
> >
> > I've successfully configured Tomcat to use Client Authentication. Evidently
> > for Tomcat to reflect updates made to the truststore, it needs to be
> > restarted.
> >
> > How can I get Tomcat to reload its truststore without performing a
> > restart?
> >
>
> Well, you can stop and start the Connector (e.g. via JMX). But Tomcat will
> never re-load the truststore while the Connector is running on its own. Of
> course, if you are using a dynamic truststore (e.g. card-based), then this
> shouldn't be a problem.
>
> In general, it is very rare that you need to update the truststore since
> it just contains the trusted CA certs. Adding a user from a trusted CA
> doesn't require an update, since the user's cert will be accepted at the SSL
> layer.
>
> > If this requires writing a custom connector that would for example
> > reinitialize the SSLContext, where can I find some documentation that can
> > be of some help/guidance?
> >
>
> Not sure if this can be done from the APR Connector, but for the Java
> Connectors you need to create your own SSLImplementation (from o.a.t.u.net)
> and configure it with
> sSSImplementation="com.myfirm.mypackage.MySSLImplementation" on the
> <Connector .../> element. There is some information in the archives for
> this list, but otherwise the Tomcat JavaDocs and/or source code.
>
> > Thanks,
> >
> > -Mike
> >
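Bill's documented route, stopping and starting the Connector over JMX so that its JSSE socket factory is rebuilt and the truststore re-read, as an added example that is not from this thread or from Tomcat's own code. It assumes Tomcat registered its MBeans in the platform MBeanServer (its default), the standard `Catalina:type=Connector,port=<port>` object name, and that the Connector MBean exposes `stop` and `start` operations as Bill describes.

```java
import java.lang.management.ManagementFactory;
import javax.management.MBeanServer;
import javax.management.ObjectName;

/**
 * Restarts the HTTPS Connector in-process after the truststore on disk has
 * been updated (e.g. a new self-signed client cert imported). Run it from a
 * privileged administrative task inside the container; never expose it to
 * ordinary web clients, since it can knock the listener offline.
 */
public class ConnectorRestarter {

    // Assumption: Tomcat uses the platform MBeanServer, so no remote JMX
    // connection is needed when this runs inside the Tomcat JVM.
    private static final MBeanServer SERVER = ManagementFactory.getPlatformMBeanServer();

    public static void restartConnector(int port) throws Exception {
        // Assumption: standard Tomcat naming for Connector MBeans.
        ObjectName name = new ObjectName("Catalina:type=Connector,port=" + port);
        if (!SERVER.isRegistered(name)) {
            throw new IllegalStateException("No Connector MBean registered for port " + port);
        }
        // Connections in flight on this connector are dropped while it is
        // stopped, so schedule this in a maintenance window or drain the node
        // at the load balancer first. "stop"/"start" are the operation names
        // Bill refers to; they take no arguments.
        SERVER.invoke(name, "stop", null, null);
        SERVER.invoke(name, "start", null, null);
    }

    public static void main(String[] args) throws Exception {
        int port = args.length > 0 ? Integer.parseInt(args[0]) : 8443;
        restartConnector(port);
        System.out.println("Connector on port " + port + " restarted; truststore reloaded");
    }
}
```

Verify afterwards with a client certificate that was added to the truststore only after the previous start: the handshake should now succeed without a full Tomcat restart.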