Posted to users@tomcat.apache.org by Jack <ja...@gmail.com> on 2006/05/05 16:31:38 UTC

Tomcat and CRL(s) Certification Revocation Lists

Hi,

I have already gotten Tomcat to work with a (single) CRL, and as it
was a bit of a struggle have placed some info for those trying to do
this at [1]. The document is far from perfect, and any comments are
welcome.

Now to the questions:
1. Is it possible to swap out the CRL (i.e. overwrite it with a newer
one) and have the changes picked up without a restart?

1.a. If a restart is needed, is it enough to restart Tomcat, or must jboss
be restarted?



2. Is it possible to use multiple CRLs (by pointing at a directory for example)?

2.a. if so would changes to this directory be dynamically read?

2.b. if not where is a good place (for me) to start looking at how to
implement this?


I would like to somehow have dynamic CRL loading (so something that
can do this without restarting either jboss or tomcat). I am not picky
as to it being a single CRL or a directory of same.

--
Cheers
Jack...

The claim "natural" is not synonymous with safe.


[1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat and CRL(s) Certification Revocation Lists

Posted by Bill Barker <wb...@wilshire.com>.
>"Jack" <ja...@gmail.com> wrote in message 
>news:bdea7920605050731w493e4d68r464887bf7fdf4d1a@mail.gmail.com...
>Hi,
>
>I have already gotten Tomcat to work with a (single) CRL, and as it
>was a bit of a struggle have placed some info for those trying to do
>this at [1]. The document is far from perfect, and any comments are
>welcome.
>
>Now to the questions:
>1. Is it possible to swap out the CRL (i.e. overwrite it with a newer
>one) and have the changes picked up without a restart?
>

Not currently.  The CRL list is read at startup, and handed off to the 
TrustStore.

>1.a. If a restart is needed, is it enough to restart Tomcat, or must jboss
>be restarted?
>

Actually, just the Connector needs to be restarted (so Tomcat in your case).

>
>
>2. Is it possible to use multiple CRLs (by pointing at a directory for 
>example)?
>

Not currently.  Tomcat just takes a single file at the moment.

>2.a. if so would changes to this directory be dynamically read?
>

To avoid bouncing the Connector, it would require a specialized CertStore 
implementation.  Neither "Collection" nor "LDAP" (which Tomcat doesn't 
currently support either :) really does what you want.

>2.b. if not where is a good place (for me) to start looking at how to
>implement this?
>

All of the CRL code is in o.a.t.u.net.jsse.JSSE15SocketFactory (found under 
connectors/util in the source distro).  Knock yourself out ;-).

>
>I would like to somehow have dynamic CRL loading (so something that
>can do this without restarting either jboss or tomcat). I am not picky
>as to it being a single CRL or a directory of same.
>
>--
>Cheers
>Jack...
>
>The claim "natural" is not synonymous with safe.
>
>
>[1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl 



Re: Tomcat and CRL(s) Certification Revocation Lists

Posted by Jack <ja...@gmail.com>.
Hi Jeff,

you have the keystore type set as PKCS12 even though the CRL is a PEM
format file (and hence not PKCS12 format).
PKCS12 contains the private key as well as the cert and public key -
which is not applicable for the CRL file so this might be why it is
getting confused.

You could try removing the keystoreType field and building the
keystores as described on my page (as the method described there
definitely works).
     http://jack.godau.googlepages.com/jbosscertificatesandopenssl

> <Connector port="443" maxHttpHeaderSize="8192"
>            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>            enableLookups="false" disableUploadTimeout="true"
>            acceptCount="100" scheme="https" secure="true"
>            clientAuth="true" sslProtocol="TLS"
>            keystoreType="PKCS12" crlFile="/ca/crl/crl.pem"
>            keystoreFile="/ca/ssl/idp.p12"
>            keystorePass="######"
>           />

  <!-- SSL/TLS Connector configuration using the admin devl guide keystore-->
    <Connector port="8443" address="${jboss.bind.address}"
        maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
        emptySessionPath="true"
        scheme="https" secure="true" clientAuth="true"
        sslProtocol="TLS"
        keystoreFile="${jboss.server.home.dir}/conf/server.keystore"
        keystorePass="123456"
        truststoreFile="${jboss.server.home.dir}/conf/server.truststore"
        truststorePass="123456"
        crlFile="${jboss.server.home.dir}/conf/server.crlFile" />


On 10/05/06, Jeff Krug <to...@krugs.org> wrote:
> Fri, May 05, at 04:31:PM : Jack has proclaimed:
> > I have already gotten Tomcat to work with a (single) CRL, and as it
> > was a bit of a struggle have placed some info for those trying to do
> > this at [1]. The document is far from perfect, and any comments are
> > welcome.
> >
> > [1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl
>
> Thanks for this page.  I am not using JBoss, but it has been useful.  I
> have client certificate authentication working correctly, but I cannot
> seem to get CRLs to work.
>
> I built my CRL by executing:
>
> $ openssl ca -batch -gencrl -crldays 30 -out crl.pem
>
> This way every user certificate I revoke can be packaged in a single
> CRL. Is this type of CRL legitimate for use in Tomcat?

If it is a standard format CRL I would think so.



> Is there a way to turn on sufficient debugging within Tomcat so that I
> can try and figure out what is failing.  I don't see any error messages
> in my tomcat.log file at all.  I don't know if it is even trying to
> parse the crlFile, failing to parse the file, or if it is failing later
> to recognize the certificate is revoked.

Again not sure on this point. I went with the prolonged trial and
error method :(


Cheers
Jack...



Re: Tomcat and CRL(s) Certification Revocation Lists

Posted by Jeff Krug <to...@krugs.org>.
Fri, May 05, at 04:31:PM : Jack has proclaimed:
> I have already gotten Tomcat to work with a (single) CRL, and as it
> was a bit of a struggle have placed some info for those trying to do
> this at [1]. The document is far from perfect, and any comments are
> welcome.
> 
> [1] http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Thanks for this page.  I am not using JBoss, but it has been useful.  I
have client certificate authentication working correctly, but I cannot
seem to get CRLs to work.  

I built my CRL by executing:

$ openssl ca -batch -gencrl -crldays 30 -out crl.pem

This way every user certificate I revoke can be packaged in a single
CRL. Is this type of CRL legitimate for use in Tomcat?

I rebuilt tomcat-util.jar based on the directions in this message from
the mailing list:

http://threebit.net/mail-archive/tomcat-users/msg00121.html

(I can't seem to connect to the official archive, hence the link to a
3rd party copy of that email)

I am using Tomcat 5.5.17 on Linux (no Apache).  My connector (in the
server.xml file) is:

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreType="PKCS12" crlFile="/ca/crl/crl.pem"
           keystoreFile="/ca/ssl/idp.p12"
           keystorePass="######"
          />


Is there a way to turn on sufficient debugging within Tomcat so that I
can try and figure out what is failing.  I don't see any error messages
in my tomcat.log file at all.  I don't know if it is even trying to
parse the crlFile, failing to parse the file, or if it is failing later
to recognize the certificate is revoked.

Thanks,
Jeff Krug


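An added example to accompany Jeff's two questions (whether an "openssl ca -gencrl" CRL is a legitimate input, and how to tell whether the CRL or the server is at fault). It is not code from the thread, from Jack's page, or from Tomcat. It builds a throwaway CA under a mktemp directory with a minimal openssl.cnf written inline, issues one client certificate for a constructed CN ("alice"), generates a CRL with Jeff's exact command before and after revoking that certificate, and runs openssl verify -crl_check against each CRL. The function names, the scratch layout and the CN are the example's own; it assumes openssl 1.1 or later (for the -CRLfile option of openssl verify) on the PATH and plain POSIX sh.

```sh
#!/bin/sh
# Added example, not code from the thread: scratch CA -> client cert -> revoke
# -> CRL (Jeff's "openssl ca -gencrl -crldays 30") -> verify with -crl_check.
set -eu

WORK=$(mktemp -d)                       # scratch directory, removed on exit
CA_DIR="$WORK/ca"
trap 'rm -rf "$WORK"' EXIT

setup_ca() {
    mkdir -p "$CA_DIR/newcerts"
    : > "$CA_DIR/index.txt"             # openssl ca's certificate database
    echo 1000 > "$CA_DIR/serial"        # next certificate serial (hex)
    echo 01 > "$CA_DIR/crlnumber"       # next CRL number
    # Minimal openssl.cnf; the escaped \$dir is expanded by openssl, not sh.
    cat > "$CA_DIR/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = $CA_DIR
database         = \$dir/index.txt
new_certs_dir    = \$dir/newcerts
serial           = \$dir/serial
crlnumber        = \$dir/crlnumber
certificate      = \$dir/ca.crt
private_key      = \$dir/ca.key
default_md       = sha256
default_days     = 365
default_crl_days = 30
policy           = demo_policy
x509_extensions  = client_ext
[ demo_policy ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
extendedKeyUsage = clientAuth
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
EOF
    openssl req -x509 -new -nodes -newkey rsa:2048 -sha256 -days 365 \
        -config "$CA_DIR/openssl.cnf" -extensions ca_ext -subj "/CN=Demo CA" \
        -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
}

# Issue a client certificate for CN=$1 (constructed test identity).
# -notext keeps the output pure PEM, which is what Java tooling expects.
issue_client() {
    openssl req -new -nodes -newkey rsa:2048 -config "$CA_DIR/openssl.cnf" \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl ca -batch -notext -config "$CA_DIR/openssl.cnf" \
        -in "$WORK/$1.csr" -out "$WORK/$1.crt" 2>/dev/null
}

revoke_client() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -revoke "$WORK/$1.crt" 2>/dev/null
}
# Jeff's command. crl.pem is the file a Tomcat crlFile attribute would name.
gen_crl() {
    openssl ca -batch -config "$CA_DIR/openssl.cnf" -gencrl -crldays 30 \
        -out "$CA_DIR/crl.pem" 2>/dev/null
}

# Echo "valid", "revoked" or "error" for CN=$1, checked against CA + current CRL.
verify_status() {
    if out=$(openssl verify -CAfile "$CA_DIR/ca.crt" -CRLfile "$CA_DIR/crl.pem" \
                 -crl_check "$WORK/$1.crt" 2>&1); then
        echo valid
    else
        case "$out" in
            *"certificate revoked"*) echo revoked ;;
            *) echo error ;;
        esac
    fi
}

# Checks to run before blaming the server: does the CRL parse and verify under
# the CA certificate, and does it actually list the serial you revoked?
crl_signature_ok() {
    openssl crl -in "$CA_DIR/crl.pem" -CAfile "$CA_DIR/ca.crt" -noout 2>&1 | grep -q 'verify OK'
}
crl_lists_serial() {
    openssl crl -in "$CA_DIR/crl.pem" -noout -text | grep -q "Serial Number: $1"
}

setup_ca
issue_client alice
gen_crl                                 # CRL with no entries: alice is valid
STATUS_BEFORE=$(verify_status alice)
revoke_client alice
gen_crl                                 # CRL now lists alice's serial (1000)
STATUS_AFTER=$(verify_status alice)
echo "before revocation: $STATUS_BEFORE"
echo "after revocation:  $STATUS_AFTER"
openssl crl -in "$CA_DIR/crl.pem" -noout -text | sed -n '/Revoked Certificates/,/Signature Algorithm/p'
```

If this script reports "revoked" for a certificate but the server still accepts it, the CRL itself is fine and the problem lies in how the server loads or applies the file; the first thing to rule out is Bill's point above that Tomcat reads the CRL once, at Connector startup, so a CRL regenerated after the Connector came up is not seen until the Connector is bounced.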