Posted to users@tomcat.apache.org by "Wilmoth, Jon" <Jo...@nordstrom.com> on 2013/03/27 17:03:36 UTC

Tomcat support for JNDIRealm LDAPS connections

After searching through the Tomcat user forums and bug list it appears there are only two options to enable ldaps connections, without modification to the Tomcat JNDI Realm itself:

1)	Start Tomcat using system properties that specify the default trust keystore & password (e.g. -Djavax.net.ssl.trustStore=<path to truststore> -Djavax.net.ssl.trustStorePassword=<password>).  The problem with this is it requires the password to the trust keystore be provided on the command line.
2)	Add the CA cert to the <java-home>/lib/security/cacerts file (or <java-home>/lib/security/jssecacerts which has higher precedence) which is used as the default trust store.  This has the downside of tying the CA cert maintenance lifecycle to the JVM maintenance lifecycle (e.g. upgrades).  It also limits the reuse of a JDK installation across applications/Tomcat instances.

Are there any plans for org.apache.catalina.realm.JNDIRealm to address these items via support for configuring the trust store path/password like org.apache.tomcat.util.net.AbstractEndpoint?

Thanks,
Jon

RE: Tomcat support for JNDIRealm LDAPS connections

Posted by "Wilmoth, Jon" <Jo...@nordstrom.com>.
Thanks Felix.  You're correct: for a single-auth SSL connection the password was not required (I assume a mutual-auth connection would work as well if the keystore for the client cert was physically different).  I assumed that since it was provided in the connector config (http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support) it would be required, but not the case!

Thanks again,
Jon

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumacher@internetallee.de] 
Sent: Thursday, March 28, 2013 6:52 AM
To: Tomcat Users List
Subject: Re: Tomcat support for JNDIRealm LDAPS connections

Hi Jon,

first of all, it seems that you have hijacked a thread by replying to a 
mail from this mailing list and changing the subject of the thread.

That might be a reason why you have not got any answers to your 
question yet.

On 27.03.2013 17:03, Wilmoth, Jon wrote:
> After searching through the Tomcat user forums and bug list it
> appears there are only two options to enable ldaps connections,
> without modification to the Tomcat JNDI Realm itself:
> 
> 1)	Start Tomcat using system properties that specify the default
> trust keystore & password (e.g. -Djavax.net.ssl.trustStore=<path to
> truststore> -Djavax.net.ssl.trustStorePassword=<password>).  The
> problem with this is it requires the password to the trust keystore be
> provided on the command line.
I don't think that you need to give a trustStorePassword, when all you 
need is a secure connection to a tls/ssl based service.

You only need the password if you want to access private keys in the 
truststore, for example when you want to use client certificates.

HTH
  Felix

> 2)	Add the CA cert to the <java-home>/lib/security/cacerts file (or
> <java-home>/lib/security/jssecacerts which has higher precedence)
> which is used as the default trust store.  This has the downside of
> tying the CA cert maintenance lifecycle to the JVM maintenance
> lifecycle (e.g. upgrades).  It also limits the reuse of a JDK
> installation across applications/Tomcat instances.
> 
> Are there any plans for org.apache.catalina.realm.JNDIRealm to
> address these items via support for configuring the trust store
> path/password like org.apache.tomcat.util.net.AbstractEndpoint?
> 
> Thanks,
> Jon
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org



Re: Tomcat support for JNDIRealm LDAPS connections

Posted by Felix Schumacher <fe...@internetallee.de>.
Hi Jon,

first of all, it seems that you have hijacked a thread by replying to a 
mail from this mailing list and changing the subject of the thread.

That might be a reason why you have not got any answers to your 
question yet.

On 27.03.2013 17:03, Wilmoth, Jon wrote:
> After searching through the Tomcat user forums and bug list it
> appears there are only two options to enable ldaps connections,
> without modification to the Tomcat JNDI Realm itself:
> 
> 1)	Start Tomcat using system properties that specify the default
> trust keystore & password (e.g. -Djavax.net.ssl.trustStore=<path to
> truststore> -Djavax.net.ssl.trustStorePassword=<password>).  The
> problem with this is it requires the password to the trust keystore be
> provided on the command line.
I don't think that you need to give a trustStorePassword, when all you 
need is a secure connection to a tls/ssl based service.

You only need the password if you want to access private keys in the 
truststore, for example when you want to use client certificates.

HTH
  Felix

> 2)	Add the CA cert to the <java-home>/lib/security/cacerts file (or
> <java-home>/lib/security/jssecacerts which has higher precedence)
> which is used as the default trust store.  This has the downside of
> tying the CA cert maintenance lifecycle to the JVM maintenance
> lifecycle (e.g. upgrades).  It also limits the reuse of a JDK
> installation across applications/Tomcat instances.
> 
> Are there any plans for org.apache.catalina.realm.JNDIRealm to
> address these items via support for configuring the trust store
> path/password like org.apache.tomcat.util.net.AbstractEndpoint?
> 
> Thanks,
> Jon
> 
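An added example, not code from this thread or from Tomcat, illustrating the point Felix makes about Jon's option 1: a JKS truststore that holds only trusted-certificate entries can be opened with a null password (the store password only guards the integrity check and any private-key entries), and the TrustManager built from it is the same kind JSSE derives from -Djavax.net.ssl.trustStore when no -Djavax.net.ssl.trustStorePassword is given. The class name and the truststore path are assumptions; any JKS file produced with `keytool -importcert` will do.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.util.Enumeration;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/**
 * Added example (not from the mailing-list thread and not Tomcat code).
 * Opens a JKS truststore WITHOUT a password and builds the X509TrustManager
 * that JSSE would use to validate an LDAPS server certificate.
 *
 * Usage: java TrustStoreCheck /path/to/ldap-truststore.jks   (path is an assumption)
 */
public class TrustStoreCheck {

    /**
     * Loads the store with a null password. For the JKS format this skips the
     * keystore integrity check (which is all trustStorePassword protects) but
     * still reads every trusted-certificate entry. Key entries stay unreadable
     * without their own password, which is what Felix describes.
     */
    static KeyStore loadTrustStore(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");   // assumption: a JKS-format truststore
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, null);                      // null password: no integrity check
        }
        return ks;
    }

    /** Builds the default (PKIX) trust manager from the loaded store. */
    static X509TrustManager trustManagerFor(KeyStore ks) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = loadTrustStore(args[0]);

        // Show which entries were readable without a password.
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            String kind = ks.isCertificateEntry(alias)
                ? "trusted certificate (readable without password)"
                : "key entry (private key needs its own password)";
            System.out.println(alias + ": " + kind);
        }

        // The accepted issuers are the CA certs LDAPS server chains must lead to.
        X509TrustManager tm = trustManagerFor(ks);
        System.out.println("trust anchors: " + tm.getAcceptedIssuers().length);
    }
}
```

If this program lists every CA you imported and a non-zero trust-anchor count, starting Tomcat with only `-Djavax.net.ssl.trustStore=<path>` (no password property) gives JNDIRealm the same trust anchors for its `ldaps://` URL, and the CA file stays outside `<java-home>/lib/security`, which also avoids the JVM-upgrade coupling Jon describes in option 2.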