Added:
wiki/ApacheTomcatUsage.wiki
Log:
Created wiki page through web user interface.
Added: wiki/ApacheTomcatUsage.wiki
==============================================================================
--- (empty file)
+++ wiki/ApacheTomcatUsage.wiki Wed Feb 25 04:44:43 2009
@@ -0,0 +1,47 @@
+#summary Using jSSLutils with Apache Tomcat.
+
+= Introduction =
+
+By default, [http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html Apache
Tomcat] uses JSSE and builds an SSLContext with default trust-managers
based on the keystore and truststore attributes in the `<Connector />`
configuration.
+
+There is a way to customise this, via the `SSLImplementation` attribute.
This option is no longer mentioned in the
[http://tomcat.apache.org/tomcat-3.3-doc/tomcat-ssl-howto.html
documentation after Tomcat 3.3], but it has been consistently updated and
it still works with Tomcat 6.
+
+= Sample SSLImplementation based on jSSLutils =
+
+This mechanism is quite flexible and allows you to specify additional
options in the connector.
+
+The
[http://code.google.com/p/jsslutils/source/browse/trunk/extra/apachetomcat6/
jsslutils-extra-apachetomcat6 Maven module], available in the code
repository of jSSLutils is an example that shows how to use it to achieve
two goals:
+ * accept any certificate (for example, if you wish to accept self-signed
certificates -- to be used carefully),
+ * accept GSI proxy certificates.
+You could do add other options if you wanted to customise the jSSLutils
wrappers, or more generally the SSLContext, in a different way.
+
+To use it, place the
[http://jsslutils.googlecode.com/files/jsslutils-extra-apachetomcat6-0.5.2.jar
jar file compiled from this code] and the main jSSLutils jar file in the
`lib` directory of Tomcat.
+
+== Configuration to accept any certificate ==
+
+In the same way as you would configure the SSL connector in the server
configuration file, add the `SSLImplementation` and `acceptAnyCert` as
follows:
+
+{{{
+<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ keystoreFile="..." keystoreType="..." keystorePass="..."
+ truststoreType="..." truststoreFile="..."
truststorePass="..."
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
+acceptAnyCert="true" clientAuth="want" sslProtocol="TLS" />
+}}}
+
+(When this says, "any certificate", the client still needs the
corresponding private key.)
+
+== Configuration to accept GSI proxy certificates ==
+
+Similarly, use the `SSLImplementation` and `acceptProxyCerts` option, as
follows:
+{{{
+<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
+ maxThreads="150" scheme="https" secure="true"
+ keystoreFile="..." keystoreType="..." keystorePass="..."
+ truststoreType="..." truststoreFile="..."
truststorePass="..."
SSLImplementation="org.jsslutils.extra.apachetomcat6.JSSLutilsImplementation"
+acceptAnyCert="false" acceptProxyCerts="true" clientAuth="want"
sslProtocol="TLS" />
+}}}
+
+= Licence =
+
+This module is released under the Apache License 2, since it is based on
the `JSSESocketFactory` and `JSSEImplementation` in Apache Tomcat's
[http://tomcat.apache.org/tomcat-6.0-doc/api/org/apache/tomcat/util/net/jsse/package-frame.html
org.apache.tomcat.util.net.jsse] package which is distributed under this
licence.
\ No newline at end of file
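Review bot: the "accept any certificate" section says the option is "to be used carefully" but never states what the care consists of, and the caveat that the client "still needs the corresponding private key" only proves possession of some key pair, not the client's identity, because anyone can mint a self-signed certificate with an arbitrary subject. Suggest stating, directly beside the `acceptAnyCert="true"` connector example, that with this setting the `truststoreFile`/`truststoreType`/`truststorePass` attributes no longer constrain which clients are accepted, that the certificate's subject must be treated as an unverified client claim, and that the application must perform its own check (for example, comparing the presented certificate or public key against a known list) before using it for authorization. Since both examples use `clientAuth="want"`, the page should also note that the application must handle requests that carry no client certificate at all. The `acceptProxyCerts` section would benefit from one sentence on which validation remains in force in that mode, so a reader can see how the two configurations differ in what they verify.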