Jason,

On 8/10/2010 3:41 PM, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL
> into our web application due to the "authentication" process taking a while,
> causing the web app to run abnormally slow.
>
> I am wanting to use our server certificate (PKCS12) as the keystore. I've
> been doing a lot of research and it seems that I need to import the root
> certificates into the keystore using OpenSSL. What I am not too clear on is
> how to edit the server.xml file to accommodate these configurations. Here is
> what I have thus far, however, SSL does not seem to be working.
>
> Copied from Notepad:
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
> This connector uses the JSSE configuration, when using APR, the
> connector should be using the OpenSSL style configuration
> described in the APR documentation -->
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> keystoreFile="C:\Program Files\Apache Software
> Foundation\Tomcat 6.0\con\geo.pfx"
> keystorePass="password" keystoreType="pkcs12"
> clientAuth="false" sslProtocol="TLS" />

Wait, are you trying to do CLIENT-CERT authentication? If so, you'll want to do clientAuth="want" (if you want a cert, but don't want to fail otherwise, which I think is usually what one wants to do) and set the truststore* attributes on the <Connector>.

-chris
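
The Connector change suggested in the reply, written out as an added example that is not part of the original thread. The keystore attributes are copied from the quoted message; the truststore file name, password and type are assumed placeholders for a JKS file holding the CA certificates that issue the client certificates.

```xml
<!-- Added example: JSSE connector that requests a client certificate
     without rejecting clients that do not present one. -->
<!-- keystore*   : the server's own certificate and private key (PKCS12),
                   values as posted in the quoted message.
     truststore* : CA certificates used to validate client certificates.
                   File name, password and type are placeholders.
                   truststoreType is given explicitly because this
                   truststore is JKS while the keystore is PKCS12.
     clientAuth  : "want" asks for a certificate during the handshake and
                   lets the connection proceed if none is sent; "true"
                   makes a valid client certificate mandatory. -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\con\geo.pfx"
           keystorePass="password" keystoreType="pkcs12"
           truststoreFile="conf/truststore.jks"
           truststorePass="changeit" truststoreType="JKS"
           clientAuth="want" sslProtocol="TLS" />
```

With `clientAuth="want"`, a request that arrives without a certificate still reaches the web application, so access control has to be enforced there, for example through the CLIENT-CERT authentication the reply refers to.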