Updated Feb 25, 2009 by Bruno.Ha...@manchester.ac.uk
Labels: Featured, Phase-Deploy
ApacheTomcatUsage  
Using jSSLutils with Apache Tomcat.

Introduction

By default, Apache Tomcat uses JSSE and builds an SSLContext with default trust-managers based on the keystore and truststore attributes in the <Connector /> configuration.

There is a way to customise this, via the SSLImplementation attribute of the connector. This attribute is no longer mentioned in the documentation after Tomcat 3.3, but it has been kept up to date in the code and it still works with Tomcat 6.

Sample SSLImplementation based on jSSLutils

This mechanism is quite flexible and allows you to specify additional options in the connector.

The jsslutils-extra-apachetomcat6 Maven module, available in the code repository of jSSLutils, is an example that shows how to use it to achieve two goals:

  • accept any certificate (for example, if you wish to accept self-signed certificates -- to be used carefully: the TLS layer then no longer authenticates the client, so the application must check the presented certificate itself),
  • accept GSI proxy certificates.
You could add other options if you wanted to customise the jSSLutils wrappers, or more generally the SSLContext, in a different way.

To use it, place the jar file compiled from this code and the main jSSLutils jar file in the lib directory of Tomcat.

Configuration to accept any certificate

In the same way as you would configure the SSL connector in the server configuration file, add the SSLImplementation and acceptAnyCert attributes as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="..." keystoreType="..." keystorePass="..."
           truststoreType="..." truststoreFile="..." truststorePass="..."
           SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
           acceptAnyCert="true" clientAuth="want" sslProtocol="TLS" />

(Accepting "any certificate" does not switch off the handshake's proof of possession: the client still needs the private key corresponding to the certificate it presents. What is skipped is the validation of the chain against the truststore, so nothing in the certificate, its subject included, can be trusted until the application has verified it.)

Configuration to accept GSI proxy certificates

Similarly, use the SSLImplementation attribute together with the acceptProxyCerts option, as follows:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="..." keystoreType="..." keystorePass="..."
           truststoreType="..." truststoreFile="..." truststorePass="..."
           SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
           acceptAnyCert="false" acceptProxyCerts="true" clientAuth="want" sslProtocol="TLS" />
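Whichever of the two configurations above is used, the web application ends up responsible for part of the authentication that the default connector would have done: with acceptAnyCert the chain is not validated at all, and with acceptProxyCerts the certificate that identifies the user is not the leaf the client proved possession of but the end-entity certificate that issued the proxy. The servlet filter below is an added example written for this page; it is not code from jSSLutils or from Apache Tomcat. It reads the chain Tomcat stores in the standard servlet request attribute javax.servlet.request.X509Certificate, walks past RFC 3820 proxy certificates (recognised by the proxyCertInfo extension, a subject DN equal to the issuer DN plus one CN, and a signature made with the issuer's key) to reach the end-entity certificate, and then accepts the request only if that certificate's SHA-256 fingerprint is on an allow-list. The filter init parameter allowedFingerprints, the class name and the request attribute authenticated.subject are assumptions of the example, not names defined by Tomcat or jSSLutils.

```java
// Added example (not part of jSSLutils or Tomcat): application-side client
// authentication for a connector configured with acceptAnyCert/acceptProxyCerts.
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Set;

import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletResponse;

public class PinnedClientCertFilter implements Filter {

    /** Servlet-spec attribute under which Tomcat stores the client chain, leaf first. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";
    /** id-pe-proxyCertInfo (RFC 3820). Legacy Globus proxies use a different OID. */
    static final String PROXY_CERT_INFO_OID = "1.3.6.1.5.5.7.1.14";

    /** Hex SHA-256 fingerprints of end-entity certificates registered out of band
     *  (hypothetical init-param "allowedFingerprints", comma or space separated). */
    private Set<String> allowedFingerprints = Collections.emptySet();

    public void init(FilterConfig config) {
        Set<String> s = new HashSet<String>();
        String list = config.getInitParameter("allowedFingerprints");
        if (list != null) {
            for (String fp : list.split("[,\\s]+")) {
                if (fp.length() > 0) s.add(fp.toLowerCase(Locale.ROOT));
            }
        }
        allowedFingerprints = s;
    }

    public void doFilter(ServletRequest req, ServletResponse resp, FilterChain chain)
            throws IOException, ServletException {
        X509Certificate[] certs = (X509Certificate[]) req.getAttribute(CERT_ATTR);
        // clientAuth="want" lets the handshake succeed with no certificate at all,
        // so a missing chain is "unauthenticated", not an internal error.
        X509Certificate eec = (certs == null || certs.length == 0) ? null : endEntityBehindProxies(certs);
        if (eec == null || !allowedFingerprints.contains(sha256Hex(eec))) {
            ((HttpServletResponse) resp).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        req.setAttribute("authenticated.subject", eec.getSubjectX500Principal()); // hypothetical name
        chain.doFilter(req, resp);
    }

    public void destroy() {}

    /** Walks past proxy certificates (leaf first) and returns the certificate that
     *  issued them; returns the leaf itself when no proxy is present. */
    static X509Certificate endEntityBehindProxies(X509Certificate[] chain) {
        int i = 0;
        while (i < chain.length - 1 && isProxyOf(chain[i], chain[i + 1])) {
            i++;
        }
        return chain[i];
    }

    /** True if cand is an RFC 3820 proxy certificate issued (and signed) by issuer. */
    static boolean isProxyOf(X509Certificate cand, X509Certificate issuer) {
        if (cand.getExtensionValue(PROXY_CERT_INFO_OID) == null) return false;
        if (!cand.getIssuerX500Principal().equals(issuer.getSubjectX500Principal())) return false;
        try {
            cand.checkValidity();
            cand.verify(issuer.getPublicKey()); // proves the proxy was really delegated by issuer
            List<Rdn> sub = new LdapName(cand.getSubjectX500Principal().getName()).getRdns();
            List<Rdn> iss = new LdapName(issuer.getSubjectX500Principal().getName()).getRdns();
            // LdapName lists RDNs root first, so the proxy's extra CN is the last element.
            return sub.size() == iss.size() + 1
                && sub.subList(0, iss.size()).equals(iss)
                && "CN".equalsIgnoreCase(sub.get(iss.size()).getType());
        } catch (GeneralSecurityException e) {
            return false;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    static String sha256Hex(X509Certificate cert) {
        try {
            byte[] d = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
            StringBuilder sb = new StringBuilder(d.length * 2);
            for (byte b : d) sb.append(String.format("%02x", b & 0xff));
            return sb.toString();
        } catch (GeneralSecurityException e) {
            throw new IllegalStateException(e);
        }
    }
}
```

With acceptAnyCert="true" the fingerprint check is the only authentication the client gets, so the allow-list must be managed with the same care as a truststore; with acceptProxyCerts="true" and acceptAnyCert="false" the connector has already validated the chain against the truststore, and the filter's job reduces to finding the right certificate to authorise on. The proxy walk stops at the first certificate that is not a valid proxy of the next one, so a chain whose proxy is not signed by the claimed issuer is pinned on the proxy itself and rejected.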

Licence

This module is released under the Apache License 2.0, since it is based on the JSSESocketFactory and JSSEImplementation classes in Apache Tomcat's org.apache.tomcat.util.net.jsse package, which are distributed under this licence.
