Thanks it makes sense now, i have made lots of progress. But of course, like
usual, there are some complications. The application I am developing uses
tomcat on the back end and a swing client on the front with the Spring
HttpInvoker.
So first I got it working without apr. After I set up the connector I changed
it so when i ran my java client using this vm parameter
-Djavax.net.ssl.trustStore="keystore.jks"
Everything worked. So next, I moved on to APR. I got apr properly
compiled/installed. Then I set up the connector like so:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
port="8443" minSpareThreads="5" maxSpareThreads="75"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" maxThreads="200"
scheme="https" secure="true" SSLEnabled="true"
SSLCertificateFile="certfile"
SSLCertificateKeyFile="key"
SSLPassword="password"
clientAuth="false" sslProtocol="TLS"/
Tomcat starts and acknowledges that apr is working without a problem. I
thought that with apr I could just run the client without the trustStore
parameter set. But i get this error:
Caused by: javax.net.ssl.SSLHandshakeException:
sun.security.validator.ValidatorException: PKIX path building failed:
sun.security.provider.certpath.SunCertPathBuilderException: unable to find
valid certification path to requested target
So how do I tell the client about the cert? I tried the
trustStore="pathtocert" but that didn't work.
thanks
-ryan
> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Thu, 12 Feb 2009 21:47:45 -0600
> Subject: RE: ssl connector
>
> > From: epicwin...@hotmail.com [mailto:epicwin...@hotmail.com]
> > Subject: RE: ssl connector
> >
> > So I don't understand the docs where they suggest
> > defining connectors with apr and without.
>
> APR is an additional, non-Java Tomcat component that utilizes code from httpd
> for increased SSL performance. It uses OpenSSL, not Java, for the SSL
> negotiation and encryption, so there's no keystore file, and the <Connector>
> configuration is very different from that for the standard or NIO options.
> The drawback of APR is that you typically have to compile it from source for
> the specific platform you're running on (some binary downloads are
> available), so it's not something for the casual or first-time Tomcat
> administrator.
>
> The table at the bottom of this page:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> gives you a comparison of the three forms of connector; pick just one for
> your usage.
>
> - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
_________________________________________________________________
Windows Liveā¢: E-mail. Chat. Share. Get more ways to connect.
http://windowslive.com/online/hotmail?ocid=TXT_TAGLM_WL_HM_AE_Faster_022009
