Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/04/30 20:06:52 UTC
[tomcat] 02/02: Add key store type section
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 899554d61cf7967e84f61d60cc107ca9c3e0f7fe
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Apr 30 21:06:21 2020 +0100
Add key store type section
---
webapps/docs/changelog.xml | 4 ++++
webapps/docs/config/http.xml | 48 +++++++++++++++++++++++++++++++++++++++-----
2 files changed, 47 insertions(+), 5 deletions(-)
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index b58f06c..830cd63 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -174,6 +174,10 @@
Fix the saving of a Context configuration file via the scripting
interface of the Manager web application. (markt)
</fix>
+ <add>
+ Add a section to the TLS Connector documentation on different key store
+ types and how to configure them. (markt)
+ </add>
</changelog>
</subsection>
<subsection name="Other">
diff --git a/webapps/docs/config/http.xml b/webapps/docs/config/http.xml
index 6a052ef..2c5fea9 100644
--- a/webapps/docs/config/http.xml
+++ b/webapps/docs/config/http.xml
@@ -1398,7 +1398,8 @@
TLS virtual host and that certificate has a <code>keystoreType</code> that
is not <code>PKCS12</code> then the default will be the
<code>keystoreType</code> of the single certificate. If none of these
- identify a default, the default will be <code>JKS</code>.</p>
+ identify a default, the default will be <code>JKS</code>. See the notes on
+ <a href="#Key_store_types">key store types</a> below.</p>
</attribute>
</attributes>
@@ -1498,7 +1499,8 @@
If not specified, the value of the system property
<code>javax.net.ssl.keyStoreType</code> is used. If neither this attribute
nor the system property are set, a default value of "<code>JKS</code>". is
- used.</p>
+ used. See the notes on <a href="#Key_store_types">key store types</a>
+ below.</p>
</attribute>
<attribute name="type" required="false">
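Review bot: the stray period in the unchanged context line `nor the system property are set, a default value of "<code>JKS</code>". is` is carried over into the rewritten sentence; since this hunk already edits the sentence's final clause, it is the natural place to drop that extra `.` so it reads `a default value of "<code>JKS</code>" is used. See the notes on ...`.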
@@ -1562,6 +1564,42 @@
</subsection>
+ <subsection name="Key store types">
+
+ <p>In addition to the standard key store types (JKS and PKCS12), most Java
+ runtimes support additional key store types such as Windows-ROOT,
+ Windows-My, DKS as well as hardware security modules. Generally, to use
+ these additional keystore types with a TLS Conector in Tomcat:</p>
+
+ <ul>
+ <li>Set the certificateKeystoreType and/or truststoreType Connector
+ attribute (as appropriate) to the necessary type</li>
+ <li>If a configuration file is required, set the certificateKeystoreFile
+ and/or truststoreFile Connector attribute (as appropriate) to point to
+ the file</li>
+ <li>If no configuration file is required then you will almost certainly
+ need to explicitly set the certificateKeystoreFile and/or
+ truststoreFile Connector attribute (as appropriate) to the empty
+ string ("")</li>
+ <li>If a password is required, set the certificateKeystorePassword and/or
+ truststorePassword Connector attribute (as appropriate) to the
+ required password</li>
+ <li>If no password is required then you will almost certainly need to
+ explicitly set the certificateKeystorePassword and/or
+ truststorePassword Connector attribute (as appropriate) to the empty
+ string ("")</li>
+ </ul>
+
+ <p>Variations in key store implementations, combined with the key store
+ manipulation Tomcat does in the background to allow interoperability between
+ JSSE and OpenSSL configuration styles, means that some keystores may need
+ slightly different configuration. Assitance is always available from the
+ <a href="http://tomcat.apache.org/lists.html#tomcat-users">Apache Tomcat
+ users mailing list</a>. We aim to document any key stores that vary from the
+ above advice here. Currently there are none we are aware of.</p>
+
+ </subsection>
+
<subsection name="Connector Comparison">
<p>Below is a small chart that shows how the connectors differ.</p>
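Review bot: two spelling errors in the added subsection text, `TLS Conector` (should be `Connector`) and `Assitance` (should be `Assistance`), plus a subject-verb mismatch in `Variations in key store implementations, combined with ..., means that` (should be `mean that`). Also consider wrapping the attribute names in the list items (`certificateKeystoreType`, `truststoreFile`, `certificateKeystorePassword`, etc.) in `<code>` as the rest of http.xml does, and using `https://tomcat.apache.org/lists.html#tomcat-users` for the mailing list link. The two bullets that tell users to explicitly set the password attributes to the empty string when no password is required are the important operational detail here; it may be worth stating that this only applies to key store types that genuinely take no password (e.g. OS-backed stores), so readers do not read it as advice to leave file-based JKS/PKCS12 stores unprotected.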
@@ -1569,9 +1607,9 @@
<table class="defaultTable" style="text-align: center;">
<tr>
<th />
- <th style="text-align: center;">Java Nio Connector<br />NIO</th>
- <th style="text-align: center;">Java Nio2 Connector<br />NIO2</th>
- <th style="text-align: center;">APR/native Connector<br />APR</th>
+ <th>Java Nio Connector<br />NIO</th>
+ <th>Java Nio2 Connector<br />NIO2</th>
+ <th>APR/native Connector<br />APR</th>
</tr>
<tr>
<th>Classname</th>