Thanks, it makes sense now; I have made lots of progress.  But of course, as 
usual, there are some complications.  The application I am developing uses 
Tomcat on the back end and a Swing client on the front with the Spring 
HttpInvoker.  

So first I got it working without APR.  After I set up the connector I changed 
it so that when I ran my Java client using this VM parameter
-Djavax.net.ssl.trustStore="keystore.jks" 

Everything worked.  So next, I moved on to APR.  I got apr properly 
compiled/installed.  Then I set up the connector like so:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="certfile"
           SSLCertificateKeyFile="key"
           SSLPassword="password"
           clientAuth="false" sslProtocol="TLS"/>

Tomcat starts and acknowledges that APR is working without a problem.  I 
thought that with APR I could just run the client without the trustStore 
parameter set.  But I get this error:
Caused by: javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

So how do I tell the client about the cert?  I tried the 
trustStore="pathtocert" but that didn't work.  

thanks
-ryan

> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Thu, 12 Feb 2009 21:47:45 -0600
> Subject: RE: ssl connector
> 
> > From: epicwin...@hotmail.com [mailto:epicwin...@hotmail.com]
> > Subject: RE: ssl connector
> >
> > So I don't understand the docs where they suggest
> > defining connectors with apr and without.
> 
> APR is an additional, non-Java Tomcat component that utilizes code from httpd 
> for increased SSL performance.  It uses OpenSSL, not Java, for the SSL 
> negotiation and encryption, so there's no keystore file, and the <Connector> 
> configuration is very different from that for the standard or NIO options.  
> The drawback of APR is that you typically have to compile it from source for 
> the specific platform you're running on (some binary downloads are 
> available), so it's not something for the casual or first-time Tomcat 
> administrator.
> 
> The table at the bottom of this page:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> gives you a comparison of the three forms of connector; pick just one for 
> your usage.
> 
>  - Chuck

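A Java counterpart to the trustStore parameter, added here as an example and not code from either poster: it loads the same PEM certificate the APR connector serves (the file named in SSLCertificateFile) as the client's only trust anchor, so the PKIX path check quoted above succeeds for that server and still fails for any other issuer. It assumes the Swing client goes through Spring's SimpleHttpInvokerRequestExecutor, which uses HttpsURLConnection; the class name and the path argument are placeholders.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Hypothetical helper: builds an SSLContext whose only trust anchor is the
 * PEM certificate configured in the APR connector's SSLCertificateFile.
 * Validation is kept; the client simply learns which certificate to expect.
 */
public final class AprServerTrust {

    public static SSLContext contextTrusting(String pemPath) throws Exception {
        X509Certificate serverCert;
        try (InputStream in = new FileInputStream(pemPath)) {
            // The APR connector's certificate is already PEM-encoded X.509,
            // which CertificateFactory reads directly (no keytool step).
            serverCert = (X509Certificate) CertificateFactory
                    .getInstance("X.509").generateCertificate(in);
        }
        // Empty in-memory key store holding the single trusted certificate.
        KeyStore trust = KeyStore.getInstance(KeyStore.getDefaultType());
        trust.load(null, null);
        trust.setCertificateEntry("tomcat-apr", serverCert);

        TrustManagerFactory tmf = TrustManagerFactory
                .getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trust);
        // PKIX path building now succeeds only for chains ending in serverCert.
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // "certfile" is the placeholder path from the connector above.
        SSLContext ctx = contextTrusting(args.length > 0 ? args[0] : "certfile");
        // HttpsURLConnection is what HttpInvoker's simple executor uses, so this
        // covers the Swing client's calls. Hostname verification still runs
        // against the certificate's CN/SAN, so the cert must name the host.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("Client trust anchor installed from " + args[0]);
    }
}
```

The JVM-level equivalent is importing the same PEM file with `keytool -importcert -file certfile -keystore keystore.jks`, after which the original -Djavax.net.ssl.trustStore parameter works with the APR connector as well, since the PKIX failure comes from the client's trust store and not from which connector performs the TLS handshake.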