Thanks, it makes sense now. I have made lots of progress. But of course, like usual, there are some complications. The application I am developing uses Tomcat on the back end and a Swing client on the front with the Spring HttpInvoker.
So first I got it working without APR. After I set up the connector, I changed it so that when I ran my Java client using this VM parameter

    -Djavax.net.ssl.trustStore="keystore.jks"

everything worked.

So next, I moved on to APR. I got APR properly compiled/installed. Then I set up the connector like so:

    <Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
               port="8443" minSpareThreads="5" maxSpareThreads="75"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="certfile"
               SSLCertificateKeyFile="key"
               SSLPassword="password"
               clientAuth="false" sslProtocol="TLS"/>

Tomcat starts and acknowledges that APR is working without a problem. I thought that with APR I could just run the client without the trustStore parameter set. But I get this error:

    Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So how do I tell the client about the cert? I tried the trustStore="pathtocert" but that didn't work.

Thanks,
-ryan

> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Thu, 12 Feb 2009 21:47:45 -0600
> Subject: RE: ssl connector
>
> > From: epicwin...@hotmail.com [mailto:epicwin...@hotmail.com]
> > Subject: RE: ssl connector
> >
> > So I don't understand the docs where they suggest
> > defining connectors with apr and without.
>
> APR is an additional, non-Java Tomcat component that utilizes code from httpd
> for increased SSL performance. It uses OpenSSL, not Java, for the SSL
> negotiation and encryption, so there's no keystore file, and the <Connector>
> configuration is very different from that for the standard or NIO options.
> The drawback of APR is that you typically have to compile it from source for
> the specific platform you're running on (some binary downloads are
> available), so it's not something for the casual or first-time Tomcat
> administrator.
>
> The table at the bottom of this page:
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> gives you a comparison of the three forms of connector; pick just one for
> your usage.
>
> - Chuck