Posted to dev@tomcat.apache.org by ma...@apache.org on 2006/12/07 04:56:21 UTC

svn commit: r483339 - in /tomcat/container/tc5.5.x/webapps/docs: changelog.xml config/http.xml ssl-howto.xml

Author: markt
Date: Wed Dec  6 19:56:20 2006
New Revision: 483339

URL: http://svn.apache.org/viewvc?view=rev&rev=483339
Log:
Fix bug 41051 by adding info on case sensitivity to SSL HOW-TO
Update SSL configuration documentation to agree with HOW-TO.

Modified:
    tomcat/container/tc5.5.x/webapps/docs/changelog.xml
    tomcat/container/tc5.5.x/webapps/docs/config/http.xml
    tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml

Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?view=diff&rev=483339&r1=483338&r2=483339
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Dec  6 19:56:20 2006
@@ -223,6 +223,10 @@
         <bug>40999</bug>: Add trust store configuration for SSL connectors to
         the admin webapp. (markt)
       </fix>
+      <fix>
+        <bug>41051</bug>: Add information on keystore aliases and case
+        sensitivity to SSL HOW-TO. (markt)
+      </fix>
     </changelog>
   </subsection> 
   <subsection name="Cluster">

Modified: tomcat/container/tc5.5.x/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/http.xml?view=diff&rev=483339&r1=483338&r2=483339
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/config/http.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/config/http.xml Wed Dec  6 19:56:20 2006
@@ -409,23 +409,20 @@
   <attributes>
 
     <attribute name="algorithm" required="false">
-      <p>The certificate encoding algorithm to be used.  If not
-      specified, the default value is <code>SunX509</code>.</p>
+      <p>The certificate encoding algorithm to be used. This defaults to the Sun
+      implementation (<code>SunX509</code>). For IBM JVMs you should use the
+      value <code>IbmX509</code>. For other vendors, consult the JVM
+      documentation for the correct value.</p>
     </attribute>
 
     <attribute name="clientAuth" required="false">
       <p>Set to <code>true</code> if you want the SSL stack to require a
-      valid certificate chain from the client before
- accepting a connection.
-      Set to <code>want</code> if you
- want the SSL stack to request a client
-      Certificate, but
- not fail if one isn't presented. A <code>false</code>
+      valid certificate chain from the client before accepting a connection.
+      Set to <code>want</code> if you want the SSL stack to request a client
+      Certificate, but not fail if one isn't presented. A <code>false</code>
       value (which is the default) will not require a certificate chain
-      unless
- the client requests a resource protected by a security
-      constraint
- that uses <code>CLIENT-CERT</code> authentication. See the
+      unless the client requests a resource protected by a security
+      constraint that uses <code>CLIENT-CERT</code> authentication. See the
       <a href="../ssl-howto.html">SSL HowTo</a> for an example.</p>
     </attribute>
 
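Review bot: in the reflowed clientAuth paragraph, "Certificate" is capitalised mid-sentence in `Certificate, but not fail if one isn't presented.`; it is not a proper noun, so lowercase it. The reflow itself is a no-op change in content, which is fine, but since the algorithm text now names vendor-specific values, it would help to say these are the KeyManagerFactory algorithm names the JVM accepts, so readers know where to look in "the JVM documentation".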
@@ -455,6 +452,25 @@
     <attribute name="ciphers" required="false">
       <p>A comma seperated list of the encryption ciphers that may be used.
       If not specified, then any available cipher may be used.</p>
+    </attribute>
+
+    <attribute name="keyAlias" required="false">
+      <p>The alias used to for the server certificate in the keystore. If not
+      specified the first key read in the keystore will be used.</p>
+    </attribute>
+
+    <attribute name="truststoreFile" required="false">
+      <p>The TrustStore file to use to validate client certificates.</p>
+    </attribute>
+
+    <attribute name="truststorePass" required="false">
+      <p>The password to access the TrustStore. This defaults to the value
+      of <code>keystorePass</code>.</p>
+    </attribute>
+
+    <attribute name="truststoreType" required="false">
+      <p>Add this element if your are using a different format for the
+      TrustStore then you are using for the KeyStore.</p>
     </attribute>
 
   </attributes>
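Review bot: typos in the new attribute descriptions: `The alias used to for the server certificate` has a stray "to", and the truststoreType text has "your are" for "you are" and "then" for "than". Also, truststorePass states its default but truststoreFile does not; state what happens when it is unset (whether any trust store is used at all), since that decides whether client certificates presented under clientAuth can be validated.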

Modified: tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml?view=diff&rev=483339&r1=483338&r2=483339
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml Wed Dec  6 19:56:20 2006
@@ -211,6 +211,14 @@
 via (among other things) OpenSSL and Microsoft's Key-Manager.
 </p>
 
+<p>Each entry in a keystore is identified by an alias string. Whilst many
+keystore implmentations treat alaises in a case insensitive manner, case
+sensitive implementations are available. The <code>PKCS11</code> specification,
+for example, requires that aliases are case sensitive. To avoid issues related
+to the case sensitivity of aliaises, it is not recommended to use aliases that
+differ only in case.
+</p>
+
 <p>To import an existing certificate into a JKS keystore, please read the
 documentation (in your JDK documentation package) about <code>keytool</code>.
 Note that openssl often adds a readable comments before the key, <code>keytool</code>does not support that, so remove the openssl comments if they exist before importing the key using <code>keytool</code>.
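Review bot: spelling in the new paragraph: "implmentations", "alaises" and "aliaises" should read "implementations" and "aliases". The case-sensitivity point is the one that matters for this bug; it would be worth saying explicitly that the alias in question is the one given in the connector's `keyAlias` attribute, which this same commit documents, so readers connect the warning to the setting.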
@@ -360,8 +368,8 @@
   </tr>
   <tr>
     <td><code>keystoreType</code></td>
-    <td>Add this element if using a PKCS12 keystore.  The valid values are
-        <code>JKS</code> and <code>PKCS12</code>.</td>
+    <td>Add this element if using a keystore type other than
+    <code>JKS</code>.</td>
   </tr>
   <tr>
     <td><code>sslProtocol</code></td>
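Review bot: replacing `The valid values are JKS and PKCS12.` with "other than JKS" drops the only mention of PKCS12, which was the case the row was originally written for; keep it as an example (e.g. "such as `PKCS12`") so the wording stays open-ended without losing that hint.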
@@ -396,8 +404,7 @@
   <tr>
    <td><code>truststoreType</code></td>
     <td>Add this element if your are using a different format for the 
-        TrustStore then you are using for the KeyStore.  The valid values are
-        <code>JKS</code> and <code>PKCS12</code>.</td>
+        TrustStore then you are using for the KeyStore.</td>
   </tr>
   <tr>
    <td><code>keyAlias</code></td>
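Review bot: the retained line `TrustStore then you are using for the KeyStore.</td>` still has "then" where "than" is meant, and the unchanged line above it has "your are"; since this cell is being edited anyway, fix both here, and the same sentence was just copied into the new truststoreType attribute in http.xml, so correct it there too.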
@@ -517,6 +524,19 @@
     file</a>.  <strong>REMINDER</strong> - Passwords are case sensitive!</p>
     </blockquote></li>
 
+<li>When Tomcat starts up, I get an exception like
+    "java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
+    available certificate or key corresponds to the SSL cipher suites which are
+    enabled."
+    <blockquote>
+    <p>A likely explanation is that Tomcat cannot find the alias for the server
+    key withinthe specified keystore. Check that the correct
+    <code>keystoreFile</code> and <code>keyAlias</code> are specified in the
+    <code>&lt;Connector&gt;</code> element in the
+    <a href="#Edit the Tomcat Configuration File">Tomcat configuration file</a>.
+    <strong>REMINDER</strong> - <code>keyAlias</code> values may be case
+    sensitive!</p>
+    </blockquote></li>
 </ul>
 
 <p>If you are still having problems, a good source of information is the
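Review bot: `key withinthe specified keystore` is missing a space. The quoted exception runs two messages together (`SSL handshake errorjavax.net.ssl.SSLException`); if that is not literally how Tomcat prints it, add a space or line break so users searching for the text can match it. Also check that the link fragment `#Edit the Tomcat Configuration File` matches an existing anchor in the page, since the fragment contains spaces.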