Posted to users@tomcat.apache.org by david w <da...@gmail.com> on 2024/04/08 09:46:56 UTC

Tomcat on Windows : new keystore possibilities

Hello
Referring to the documentation on Apache Tomcat 9 Configuration Reference (9.0.87) - The HTTP Connector (https://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Key_store_types), keystore types, I wanted to mention that a new set of possibilities is available with newer Java builds when using Tomcat in a Windows environment.


As mentioned on the OpenJDK bug tracker: https://bugs.openjdk.org/browse/JDK-8286790


The Windows KeyStore support in the SunMSCAPI provider has been expanded to include access to the local machine location. The new keystore types are:

  Windows-MY-LOCALMACHINE
  Windows-ROOT-LOCALMACHINE

The following keystore types were also added, allowing developers to make it clear they map to the current user:

  Windows-MY-CURRENTUSER (same as "Windows-MY")
  Windows-ROOT-CURRENTUSER (same as "Windows-ROOT")


Alongside other configurations possible on the server side, web certificates can be automatically published, renewed and managed with a company's internal Active Directory CA. The account running the Tomcat Windows Service needs local Administrator rights to be able to reference these certificate stores.

With this enabled, setting the server.xml Connector as shown below can make certificate management a lot easier.


<Connector name="whatever_name"
            port="443"
            protocol="HTTP/1.1"
            connectionTimeout="20000"
            URIEncoding="UTF-8"
            SSLEnabled="true"
            maxThreads="1500"
            scheme="https"
            secure="true"
            clientAuth="false"
            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
            sslProtocol="TLS"
            sslEnabledProtocols="TLSv1.2+TLSv1.3"
            ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
            keyAlias="${COMPUTERNAME}.my.domain.org"
            keystoreFile=""
            keystoreType="Windows-MY-LOCALMACHINE"
            keystorePass=""
            truststoreFile=""
            truststoreType="Windows-ROOT-LOCALMACHINE"
            truststorePass=""
            enableLookups="true"
      />
The use of a predefined environment variable for the system name, possible when also using this setting in catalina.properties:

#GPO Managed restricted file: TESTING
#allow_System ENVVar Usage
org.apache.tomcat.util.digester.PROPERTY_SOURCE=org.apache.tomcat.util.digester.Digester$EnvironmentPropertySource

makes it easier to maintain a common server.xml file through tools like GPO.

Could it be useful to somehow document this, as it does make our Windows admin life easier!!
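As an added example (not code from the thread or from the Tomcat project), the following small Java program opens the two machine-wide SunMSCAPI stores named in the Connector above and reports whether the calling account can actually retrieve the private key behind the Tomcat keyAlias. Run it under the Tomcat service account (for example via a scheduled task or runas) on a JDK that includes the change from JDK-8286790; it separates "the certificate is visible" from "the private key is usable", which is the distinction that decides whether the service needs elevated rights or only an adjusted key permission. The alias pattern "<COMPUTERNAME>.my.domain.org" mirrors the keyAlias in the Connector and the domain suffix is a placeholder; the class name MachineStoreCheck is an assumption.

```java
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Date;

/**
 * Checks, for the account it runs as, whether the SunMSCAPI machine stores
 * are reachable and whether the private key for the Tomcat alias is usable.
 * Example code added here; not part of Tomcat or of the original post.
 */
public class MachineStoreCheck {

    // Same naming pattern as keyAlias="${COMPUTERNAME}.my.domain.org" in the
    // Connector; "my.domain.org" is a placeholder for the real DNS suffix.
    static String defaultAlias() {
        String host = System.getenv("COMPUTERNAME");
        return (host == null ? "localhost" : host.toLowerCase()) + ".my.domain.org";
    }

    // Windows-* keystore types take no file and no password: the OS holds the
    // material, so load(null, null) is the correct way to open them.
    static KeyStore open(String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null);
        return ks;
    }

    // True only if the alias exists AND its private key can be retrieved.
    // Reading the certificate alone does not prove the key is accessible;
    // the key's own ACL decides that part.
    static boolean privateKeyUsable(KeyStore ks, String alias) throws KeyStoreException {
        if (!ks.containsAlias(alias) || !ks.isKeyEntry(alias)) {
            return false;
        }
        try {
            Key k = ks.getKey(alias, null); // SunMSCAPI does not use a key password
            return k != null;
        } catch (UnrecoverableKeyException | NoSuchAlgorithmException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        String alias = args.length > 0 ? args[0] : defaultAlias();
        String user = System.getProperty("user.name");

        KeyStore my = open("Windows-MY-LOCALMACHINE");
        System.out.printf("Running as %s, provider %s%n", user, my.getProvider().getName());
        System.out.printf("Windows-MY-LOCALMACHINE: %d entries%n", my.size());

        // List every alias so the value used in keyAlias can be matched exactly.
        for (String a : Collections.list(my.aliases())) {
            Certificate c = my.getCertificate(a);
            if (c instanceof X509Certificate) {
                X509Certificate x = (X509Certificate) c;
                boolean expired = x.getNotAfter().before(new Date());
                System.out.printf("  %-45s key=%-5s notAfter=%s%s%n", a, my.isKeyEntry(a),
                        x.getNotAfter(), expired ? " EXPIRED" : "");
            }
        }

        boolean ok = privateKeyUsable(my, alias);
        System.out.printf("Private key for '%s' usable by %s: %s%n", alias, user, ok);
        if (!ok && my.containsAlias(alias)) {
            System.out.println("  certificate is visible but the private key is not: grant the"
                    + " service account read access on the key instead of running the"
                    + " service with Administrator rights.");
        }

        KeyStore root = open("Windows-ROOT-LOCALMACHINE");
        System.out.printf("Windows-ROOT-LOCALMACHINE: %d trusted roots readable%n", root.size());
    }
}
```

Compile and run it with the same JDK that Tomcat uses (javac MachineStoreCheck.java, then java MachineStoreCheck [alias]); because the result depends on who is asking, run it once as the service account and once as an administrator and compare the two outputs before changing how the service runs.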

Re: Tomcat on Windows : new keystore possibilities

Posted by david w <da...@gmail.com>.
I understand, but am not looking for troubleshooting but trying to raise awareness of the new sunmscapi capabilities.
I'm testing using the private key in the windows machine store to simplify tls implementation.
For this it requires local admin rights but I am also looking how to not need this...

David Wooffindin
________________________________
From: Bill Stewart <bs...@iname.com>
Sent: Monday, April 8, 2024 5:36:47 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 8:27 AM david w wrote:

> If you can share a way for this to not be necessary, I'm all ears...

I can read computer certificates from non-privileged accounts on Windows.
(How would a user application such as a browser work otherwise?)

I'm not sure what's different on your system or why you think a privileged
account is required.

In any case, this would not be a Tomcat-specific issue but rather some kind
of configuration issue. (What I am saying is that troubleshooting this
issue on your machine is really outside the scope of this specific mailing
list.)

I would repeat my recommendation not to run a web server of any kind
(Tomcat or otherwise) using a privileged account.

Bill

Re: Tomcat on Windows : new keystore possibilities

Posted by Bill Stewart <bs...@iname.com>.
On Mon, Apr 8, 2024 at 8:27 AM david w wrote:

> If you can share a way for this to not be necessary, I'm all ears...

I can read computer certificates from non-privileged accounts on Windows.
(How would a user application such as a browser work otherwise?)

I'm not sure what's different on your system or why you think a privileged
account is required.

In any case, this would not be a Tomcat-specific issue but rather some kind
of configuration issue. (What I am saying is that troubleshooting this
issue on your machine is really outside the scope of this specific mailing
list.)

I would repeat my recommendation not to run a web server of any kind
(Tomcat or otherwise) using a privileged account.

Bill

Re: Tomcat on Windows : new keystore possibilities

Posted by david w <da...@gmail.com>.
If you can share a way for this to not be necessary, I'm all ears...😁

David Wooffindin
________________________________
From: Bill Stewart <bs...@iname.com>
Sent: Monday, April 8, 2024 4:22:37 PM
To: Tomcat Users List <us...@tomcat.apache.org>
Subject: Re: Tomcat on Windows : new keystore possibilities

On Mon, Apr 8, 2024 at 3:49 AM david w wrote:

> The account running the Tomcat Windows Service needs local Administrator
> rights to be able to reference these certificate stores.

Fortunately, this statement is not correct.

I would definitely not recommend running the Tomcat service using a
privileged account.

Bill

Re: Tomcat on Windows : new keystore possibilities

Posted by Bill Stewart <bs...@iname.com>.
On Mon, Apr 8, 2024 at 3:49 AM david w wrote:

> The account running the Tomcat Windows Service needs local Administrator
> rights to be able to reference these certificate stores.

Fortunately, this statement is not correct.

I would definitely not recommend running the Tomcat service using a
privileged account.

Bill