Posted to users@tomcat.apache.org by Ronald Spiers <no...@gmail.com> on 2007/06/11 16:20:47 UTC

Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Hi, I am preparing a self-enrollment webapp for generating client
certificates and adding them to the server keystore. I know that
Tomcat won't reload the keystore unless the server is restarted, so I did
look for alternatives, and the JSSE guide explains an approach to this
in the section "Creating Your Own X509TrustManager".

My question is: does anybody on this list have experience solving
this problem, providing Tomcat a custom trust manager to dynamically
add a client certificate to the verification path when client
credentials are presented?

Can self-enrollment be done using Tomcat and JSSE? Maybe it can't be
done and I am just wasting my time ;) I have searched a lot in the last 3
days (Tomcat list archives and other materials) and I have not found a
single solution to this problem, except for the JSSE guide and this
article, which explains how to create a TrustManager and an SSLContext
for implementing S/MIME with JavaMail:

* http://www.javaworld.com/javatips/jw-javatip115.html

Thanks a lot for any feedback you can provide.

Regards,
Martin

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Mark Claassen <mc...@ocie.net>.
I would have thought that the Java APIs would have allowed you to do this.
As far as openssl is concerned, it is just command line stuff, so you can
always use Runtime.exec() to run openssl. I think there is a -dname
option for openssl so you can just put the cert request answers on the
command line as well, and not have to answer these through
standard in/standard out.

Good luck.
 
-----Original Message-----
From: Ronald Spiers [mailto:nogermanpows@gmail.com] 
Sent: Monday, June 11, 2007 11:15 AM
To: Tomcat Users List
Subject: Re: Reloading keystore - how to register a new TrustStore Manager
for Tomcat?



Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Ronald Spiers <no...@gmail.com>.
Hi Mark, thanks a lot for your comments.

The problem is that I found a way to generate via API a PKCS12
keystore for my client, but it won't be based on my server's
certificate.

I could not find a way to auto-enroll users using openssl and Java, I
mean control openssl commands from Java to create PKCS12 keystores
they can import, already signed by my server certificate, so that my
server will trust them without having to reload the truststore (if
I understood your last paragraph well).

That's why I was looking into this problem: once I was able to create
these client certificates via API (CertAndKeyGen.getSelfCertificate())
and store the client certificates into my truststore, I thought the
natural next step was to reload the truststore in some way, because
these certificates are not linked to my server certificate and the
server must verify them. It seems I have to resort to openssl to sign
them with my server's certificate, but I don't know how to do that
programmatically with Java.

I searched the Tomcat archives and found that others confronted this
problem and probably shared my misconception of the certificate
system, but no one reported it as solved, either by doing it the right
way via openssl or finally implementing a TrustManager, or something
like that using JSSE APIs (which is what I would prefer).

Thanks for the links anyway; if you have some resource about
controlling the process via openssl with Java, please share it with
me.

Regards.




RE: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Mark Claassen <mc...@ocie.net>.
Humm. I don't think this is how the certificate system is supposed to be
used. The intention is that the truststore handles the certificate authorities
you trust.

For example, let's switch to the browser.

Browsers generally trust Verisign and Thawte out of the box. You can see
these certificates in your browser's options pages.

So, let's say you go to amazon.com. Amazon will have a certificate that was
created for them by, say, Verisign. Your browser will get the Amazon
certificate and see that it was created by Verisign. Since your browser
already trusts Verisign, it will trust that Amazon is who it says it is.
(Verifying identity is the certificate's primary function.)

Tomcat works the same way. So, in your case, maybe you want to create your
own certificate and put it into your truststore. Then, as you create
certificates for others, you create them based on the certificate you
loaded into your truststore. Since Tomcat already trusts this one, all the
certificates you create and give to others will also be trusted... no
reconfiguration necessary.

Mark

Some helpful links:

http://www.tc.umn.edu/~brams006/selfsign.html
http://www.openssl.org/docs/apps/x509.html
http://www.openssl.org/docs/apps/pkcs12.html




Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Ronald Spiers <no...@gmail.com>.
Hi Bill:

Indeed. Mark's comments put me on the track again, searching for
something simpler and more direct than calling openssl or subclassing
a provider, and I found this article, which demonstrates how to create
a client certificate and sign it using a self-signed root certificate,
like the ones you produce with keytool:

http://www.mayrhofer.eu.org/Default.aspx?pageindex=4&pageid=39

I made some minor adjustments to the code, and it worked fine. I still
have to test several things, but the client certificate was generated
and the issuer was set as expected. I still have to test the
client-cert verification.

The article's author (Rene Mayrhofer) used the Bouncy Castle component
along with JCE. The code can be easily encapsulated to be used in a
web application.

Thanks to all for your comments and suggestions, especially Mark. I
must say that judging by what I found in the tomcat-list archives,
this time the question got a lot more [useful] feedback than in the
recent past. Lucky I am.

Regards.

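The approach Mark describes and Ronald reports getting to work (one private CA certificate in Tomcat's truststore, every client certificate issued under it), as an added Java example built on the Bouncy Castle bcpkix API. It is not code from the thread, from the Mayrhofer article, or from Tomcat; the class name, the DNs, the output file name and the password are constructed for the demo. The validates() method is a stand-alone version of the check a PKIX trust manager makes, so it shows why a certificate signed by the enrollment CA passes while one presented to an unrelated CA is rejected, with the truststore contents never changing.

```java
import java.io.FileOutputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.security.*;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x509.BasicConstraints;
import org.bouncycastle.asn1.x509.ExtendedKeyUsage;
import org.bouncycastle.asn1.x509.Extension;
import org.bouncycastle.asn1.x509.KeyPurposeId;
import org.bouncycastle.asn1.x509.KeyUsage;
import org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;

/** Hypothetical enrollment CA (example code): one self-signed root, client certificates issued under it. */
public final class EnrollmentCa {
    private final SecureRandom random = new SecureRandom();
    private final X500Name caName;
    private final KeyPair caKey;
    final X509Certificate caCert;

    public EnrollmentCa(String caDn) throws Exception {
        caName = new X500Name(caDn);
        caKey = newRsaKeyPair();
        // Self-signed root (issuer == subject), restricted to signing end-entity certificates.
        JcaX509v3CertificateBuilder b = builder(caName, caName, caKey.getPublic(), 3650);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(0));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.keyCertSign | KeyUsage.cRLSign));
        caCert = sign(b, caKey.getPrivate());
    }

    /** Issues a client-auth certificate for one user, signed with the CA key. */
    public X509Certificate issueClientCert(String subjectDn, PublicKey clientKey) throws Exception {
        JcaX509v3CertificateBuilder b = builder(caName, new X500Name(subjectDn), clientKey, 365);
        b.addExtension(Extension.basicConstraints, true, new BasicConstraints(false));
        b.addExtension(Extension.keyUsage, true, new KeyUsage(KeyUsage.digitalSignature));
        b.addExtension(Extension.extendedKeyUsage, false, new ExtendedKeyUsage(KeyPurposeId.id_kp_clientAuth));
        return sign(b, caKey.getPrivate());
    }

    private JcaX509v3CertificateBuilder builder(X500Name issuer, X500Name subject, PublicKey key, int days) {
        Date notBefore = new Date();
        BigInteger serial = new BigInteger(63, random).add(BigInteger.ONE); // positive and unpredictable
        return new JcaX509v3CertificateBuilder(issuer, serial, notBefore,
                new Date(notBefore.getTime() + days * 86_400_000L), subject, key);
    }

    private static X509Certificate sign(JcaX509v3CertificateBuilder b, PrivateKey key) throws Exception {
        return new JcaX509CertificateConverter()
                .getCertificate(b.build(new JcaContentSignerBuilder("SHA256withRSA").build(key)));
    }

    static KeyPair newRsaKeyPair() throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        return kpg.generateKeyPair();
    }

    /** The check a PKIX trust manager makes: a valid path from the presented cert to the CA in the store. */
    public static boolean validates(X509Certificate presented, X509Certificate trustedCa) throws Exception {
        KeyStore trust = KeyStore.getInstance("JKS");
        trust.load(null, null);
        trust.setCertificateEntry("enrollment-ca", trustedCa); // the truststore holds the CA only
        PKIXParameters params = new PKIXParameters(trust);
        params.setRevocationEnabled(false); // no CRL/OCSP in this demo
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try {
            CertPathValidator.getInstance("PKIX")
                    .validate(cf.generateCertPath(Collections.singletonList(presented)), params);
            return true;
        } catch (CertPathValidatorException e) {
            return false;
        }
    }

    /** Bundles private key, certificate and CA into the PKCS12 file the user imports into the browser. */
    public static void writePkcs12(KeyPair clientKey, X509Certificate clientCert, X509Certificate ca,
                                   char[] password, OutputStream out) throws Exception {
        KeyStore p12 = KeyStore.getInstance("PKCS12");
        p12.load(null, null);
        p12.setKeyEntry("client", clientKey.getPrivate(), password, new Certificate[] { clientCert, ca });
        p12.store(out, password);
    }

    public static void main(String[] args) throws Exception {
        EnrollmentCa ca = new EnrollmentCa("CN=Enrollment CA,O=Example"); // constructed sample DNs
        EnrollmentCa other = new EnrollmentCa("CN=Unrelated CA,O=Example");
        KeyPair userKey = newRsaKeyPair();
        X509Certificate userCert = ca.issueClientCert("CN=alice,O=Example", userKey.getPublic());
        System.out.println("trusted via enrollment CA: " + validates(userCert, ca.caCert));
        System.out.println("trusted via unrelated CA: " + validates(userCert, other.caCert));
        try (OutputStream out = new FileOutputStream("alice.p12")) {
            writePkcs12(userKey, userCert, ca.caCert, "changeit".toCharArray(), out);
        }
    }
}
```

Compile with bcprov and bcpkix on the classpath. To wire this into Tomcat, import only the CA certificate into the connector's truststoreFile with keytool -importcert; nothing about that file changes when a new user enrolls. The CA private key is the one secret that matters, since whoever holds it can issue a client certificate Tomcat will accept, so it belongs outside the webapp's reach (or at least outside its document root) and its use by the enrollment code should be logged.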


Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Bill Barker <wb...@wilshire.com>.
"Ronald Spiers" <no...@gmail.com> wrote in message 
news:fb5447930706111041i77c677a5r8600e76a5d0766c4@mail.gmail.com...

Yes, as Mark has pointed out, the usual way to solve this is to have your own
CA certificate imported into the truststoreFile, and use that to sign all of
the certificates that you issue.  Then any certificate that you issue will
be verified without you having to do anything fancy.

To do this the hard way, you can either:
a)  implement your own trust management algorithm, and pass that as the 
truststoreAlgorithm on the <Connector />
b)  implement your own SSLImplementation (probably by extending the JSSE one 
in Tomcat), and override JSSE14SocketFactory.getTrustManagers




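Bill's option (a), a trust management algorithm of your own selected through truststoreAlgorithm on the Connector, as an added Java example that is not code from the thread or from Tomcat. It does what the original question asked for: the truststore is re-read whenever the file's modification time changes, and every trust decision is delegated to the JDK's PKIX trust manager over the freshly loaded store. The algorithm name ReloadingPKIX, the provider name, and the use of the javax.net.ssl.trustStore system properties to locate the file are assumptions of this example.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileTime;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.Provider;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.TrustManagerFactorySpi;
import javax.net.ssl.X509TrustManager;

/** Hypothetical X509TrustManager (example code): re-reads the truststore file whenever its mtime changes. */
public final class ReloadingTrustManager implements X509TrustManager {
    private final Path file;
    private final char[] password;
    private final String storeType;
    private volatile FileTime loadedAt;
    private volatile X509TrustManager delegate;

    public ReloadingTrustManager(Path file, char[] password, String storeType)
            throws GeneralSecurityException, IOException {
        this.file = file;
        this.password = password.clone();
        this.storeType = storeType;
        reload(); // fail fast: nothing is trusted until a store has loaded successfully
    }

    /** Loads the file and wraps it in the JDK's own PKIX trust manager, which does the real checking. */
    private synchronized void reload() throws GeneralSecurityException, IOException {
        FileTime stamp = Files.getLastModifiedTime(file); // taken first, so a write during the load triggers another reload
        KeyStore ks = KeyStore.getInstance(storeType);
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, password);
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance("PKIX");
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                delegate = (X509TrustManager) tm;
                loadedAt = stamp;
                return;
            }
        }
        throw new GeneralSecurityException("PKIX factory returned no X509TrustManager");
    }

    /** Reloads if the file changed; a failed reload keeps the last good store and never falls back to "trust all". */
    private X509TrustManager current() {
        try {
            if (!Files.getLastModifiedTime(file).equals(loadedAt)) {
                reload();
            }
        } catch (IOException | GeneralSecurityException e) {
            // e.g. keytool is still writing the file: keep answering from the previously loaded store
        }
        return delegate;
    }

    @Override public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkClientTrusted(chain, authType);
    }
    @Override public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        current().checkServerTrusted(chain, authType);
    }
    @Override public X509Certificate[] getAcceptedIssuers() {
        return current().getAcceptedIssuers();
    }

    /** Registers the assumed algorithm name "ReloadingPKIX" so server.xml can select it, e.g.
     *  <Connector ... clientAuth="true" truststoreFile="conf/truststore.jks" truststoreAlgorithm="ReloadingPKIX"/> */
    public static void register() {
        Provider p = new Provider("ReloadingTrust", 1.0, "reloading PKIX trust manager (example)") { };
        p.put("TrustManagerFactory.ReloadingPKIX", Factory.class.getName());
        Security.addProvider(p);
    }

    /** SPI behind that name; assumption: the file to watch is the one named by -Djavax.net.ssl.trustStore. */
    public static final class Factory extends TrustManagerFactorySpi {
        private TrustManager[] managers;

        @Override protected void engineInit(KeyStore ignoredStoreFromTomcat) throws KeyStoreException {
            String path = System.getProperty("javax.net.ssl.trustStore");
            if (path == null) throw new KeyStoreException("javax.net.ssl.trustStore is not set");
            String pw = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
            String type = System.getProperty("javax.net.ssl.trustStoreType", KeyStore.getDefaultType());
            try {
                managers = new TrustManager[] { new ReloadingTrustManager(Paths.get(path), pw.toCharArray(), type) };
            } catch (GeneralSecurityException | IOException e) {
                throw new KeyStoreException("cannot initialise reloading truststore " + path, e);
            }
        }
        @Override protected void engineInit(ManagerFactoryParameters spec) { throw new UnsupportedOperationException(); }
        @Override protected TrustManager[] engineGetTrustManagers() { return managers.clone(); }
    }
}
```

Call register() before the connector starts (a LifecycleListener declared in server.xml is one place), start Tomcat with -Djavax.net.ssl.trustStore pointing at the same file as truststoreFile, and set truststoreAlgorithm="ReloadingPKIX" on the Connector. Compared with Mark's and Bill's preferred route this is a lot of machinery, and it changes the security model: every keytool -importcert into that file now takes effect on the next handshake, so writes to the file are authorization decisions and its permissions deserve the same care as the server's private key.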


Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Ronald Spiers <no...@gmail.com>.
Hi Pulkit, assuming that I can create the trustManager, I am not sure
about how to register it with Tomcat, and if I need to implement more
interfaces, etc.

In short, I suspect other people already solved this problem, and
since it will be my first time, I am trying to obtain their feedback
and suggestions to avoid common pitfalls.

You are right, I already have a clue in the JSSE docs, but I am
looking for a little bit more advice - if possible.

And as Mark's reply pointed out, I may not be using the certificate
mechanism in the best way. That's also the kind of feedback I am
looking for.

Thanks for your reply.




Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Martin Gainty <mg...@hotmail.com>.
use keytool to import the correct provider
http://ws.apache.org/xmlrpc/ssl.html

and then implement the keystore to point to this new file
http://tomcat.apache.org/tomcat-3.2-doc/tomcat-ssl-howto.html

M--

----- Original Message ----- 
From: "Pulkit Singhal" <pu...@gmail.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Sent: Monday, June 11, 2007 12:45 PM
Subject: Re: Reloading keystore - how to register a new TrustStore Manager
for Tomcat?




Re: Reloading keystore - how to register a new TrustStore Manager for Tomcat?

Posted by Pulkit Singhal <pu...@gmail.com>.
Hello,

I am not sure what you are asking for here. You say that you found some
instructions on "Creating Your Own X509TrustManager" ... that's good.
1) Given that you have these instructions, what's the issue at hand?
Conceptually (and without even looking at any content other than the title)
I would chime in and say that it sounds like ... if you can create your own
TrustManager then you can most likely make dynamic additions to it.
2) Or maybe you have yet to implement any such solution and are still
looking for pre-provided alternatives?

There are always modules like EJBCA (http://ejbca.sourceforge.net/) that you
might want to have a look at; I think it can be deployed on Tomcat.
