This entry is a follow-up to a post a few days ago quaintly titled Another Tomcat Post :: SSL. Since that post, I have made a momentous discovery regarding Tomcat encryption.
There is an annoying error message written to catalina.out on every Tomcat restart, and it turns out to be relevant to why this SSL setup has been such a mess:
    Jun 16, 2010 8:55:14 PM org.apache.catalina.core.AprLifecycleListener init
    INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:

This is telling us that we are not using the native packages optimized for Tomcat. The message can be cleared by installing the tomcat-native RPM:

    yum install -y tomcat-native

On restart, the irritating little message is gone.
One of the things this package does is include an updated crypto stack for Tomcat that works with x509 certificates and keys directly, instead of through a Java keystore. Glory to the mighty Gods of Olympus! Once installed, we modify the SSL stanza in the server.xml file:
    <Connector port="8443" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               SSLCertificateFile="conf/custom.crt"
               SSLCertificateKeyFile="conf/custom.key"
               clientAuth="false" sslProtocol="TLS" />

We've removed the keystore directives and used SSLCertificateFile and SSLCertificateKeyFile to point to our x509 cert and key (the connector also needs SSLEnabled="true", or it keeps serving plain HTTP). Restart Tomcat.
To test:

    echo | openssl s_client -connect localhost:8443 | \
        grep subj

If you are not using RPMs, but Apache's Tomcat release, look in CATALINA_HOME's bin directory for a tar file.
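A quick audit of the server.xml change described above, added here as an example and not code from the original post: it walks every Connector and reports whether it is configured for the APR PEM files, the JSSE keystore, or a leftover mix of both, the state that looks like a working config but has one set of directives ignored. The server.xml text is constructed for the example, and the attribute names assume Tomcat 6/7.

```python
import xml.etree.ElementTree as ET

# Attribute names that select each Tomcat SSL implementation (Tomcat 6/7).
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLCACertificateFile"}

# Constructed server.xml: a plain HTTP connector, the post's APR stanza, and a
# connector that kept its keystore directives next to the new PEM settings.
SAMPLE_SERVER_XML = """<?xml version="1.0"?>
<Server port="8005" shutdown="SHUTDOWN"><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
  <Connector port="8443" SSLEnabled="true" maxThreads="150" scheme="https"
             secure="true" SSLCertificateFile="conf/custom.crt"
             SSLCertificateKeyFile="conf/custom.key"
             clientAuth="false" sslProtocol="TLS" />
  <Connector port="8444" scheme="https" secure="true"
             keystoreFile="conf/keystore.jks" keystorePass="changeit"
             SSLCertificateFile="conf/custom.crt" />
</Service></Server>"""


def audit_ssl_connectors(server_xml):
    """Return {port: (mode, issues)}; mode is apr, jsse, mixed or none."""
    report = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        attrs = set(conn.attrib)
        jsse, apr = attrs & JSSE_ATTRS, attrs & APR_ATTRS
        ssl_enabled = conn.get("SSLEnabled") == "true"
        if not (jsse or apr or ssl_enabled or conn.get("scheme") == "https"):
            continue  # plain HTTP or AJP connector, nothing to check
        issues = []
        if jsse and apr:
            mode = "mixed"
            issues.append("keystore* and SSLCertificate* both set; whichever "
                          "implementation loads ignores the other set")
        elif apr:
            mode = "apr"
            if "SSLCertificateKeyFile" not in attrs:
                issues.append("SSLCertificateKeyFile missing")
        elif jsse:
            mode = "jsse"
        else:
            mode = "none"
            issues.append("https connector with no certificate configured")
        if not ssl_enabled:
            issues.append('SSLEnabled="true" missing, connector stays plain HTTP')
        report[conn.get("port")] = (mode, issues)
    return report
```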