Posted to users@tomcat.apache.org by Joy Su <js...@patkai.com> on 2001/04/24 05:06:13 UTC

Tomcat & SSL

Hi!

I was wondering if anyone could tell me what the story with Tomcat &
SSL is.  From what I've gathered on the jakarta site, it seems like:

-- Tomcat 3.2 is the first release of Tomcat to claim "SSL support",
but client-auth is not supported (only server authentication &
encryption of data)

-- SSL is only supported for Apache, and you need Apache-SSL or
apache-mod_ssl, running with mod_jk

-- mod_jserv won't work if you want to use SSL

Is the above true?  And also, if my web server is IPlanet/Netscape or
IIS, do those redirectors provide SSL support?

Any help would be greatly appreciated!  Please cc: jsu@patkai.com.

Thanks in advance,
Joy




Re: Tomcat & SSL

Posted by Jan Labanowski <jk...@osc.edu>.
Let's say, I am not a guru... So do not ask me more... Maybe the real
guys in black skin coats cowboy boots can tell us more...

Jan


On Mon, 23 Apr 2001, Joy Su wrote:

> 
> -- Tomcat 3.2 is the first release of Tomcat to claim "SSL support",
> but client-auth is not supported (only server authentication &
> encryption of data)

This is true... Just uncomment stuff in server.xml, make sure you have
JCE and JSSE in your path and you updated security policy, and it should
work (but I did not use it)... You need to remember however, that either
you do your SSL in Apache, or in Tomcat, there is no both... If you
run Tomcat behind Apache via connector (and do not use 8080 Tomcat Web
Server port), you only can use Apache SSL stuff.

> 
> -- SSL is only supported for Apache, and you need Apache-SSL or
> apache-mod_ssl, running with mod_jk
Yes, Apache/mod_ssl support all flavors of SSL, including client certificates.
Doing this is not necessarily easy, but the mod_ssl docs make you believe
it is. The problem is if you want to do client certificates with Netscape
and MSIE at the same time. They of course use different stuff to keep us
employed. The trick is to make the browser install the client certificate
which you give to the client when he/she registers. There are some
CGI perl scripts to do it. You would need to search the web.


> -- mod_jserv won't work if you want to use SSL

Why not? SSL stuff in apache is done in apache, and jserv is only a connector.
The SSL in apache works the same way in mod_ssl, and mod_jserv. The only
difference is that Servlet Spec 2.0 (JSDK2.0 which jserv is) has no
notion of SSL (to my knowledge), and you cannot really do anything with SSL
within servlets, unless you write everything yourself. You still get
the CGI environment variables, so you probably can find out that
request was handled as HTTPS, but apache takes care of it for you,
and you cannot make much use of it within a servlet.

> 
> Is the above true?  And also, if my web server is IPlanet/Netscape or
> IIS, do those redirectors provide SSL support?

Beats me...

> 
> Any help would be greatly appreciated!  Please cc: jsu@patkai.com.

I probably did not help... 


Jan K. Labanowski            |    phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center    |    Internet: jkl@osc.edu 
1224 Kinnear Rd,             |    http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163      |    http://www.osc.edu/
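
The setup described in the reply above (SSL and client certificates handled in Apache, with mod_jk only passing the request on to Tomcat), sketched as an added configuration example that is not part of the original post. The host name, file paths, URL prefix and the worker name `ajp13` are placeholders and assume a matching worker is defined in the file named by `JkWorkersFile`.

```apache
# Added example (constructed): Apache terminates SSL, Tomcat sits behind mod_jk.
# All paths, the host name and the worker name below are placeholders.
Listen 443

<VirtualHost _default_:443>
    ServerName www.example.com

    # Server authentication and encryption are done by mod_ssl.
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    # Client-certificate authentication is enforced here, in Apache,
    # before the request ever reaches the servlet container.
    SSLCACertificateFile  /path/to/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        2

    # Export the SSL_* variables (and the PEM client certificate) into
    # the request environment so the connector can see them.
    SSLOptions +StdEnvVars +ExportCertData

    # mod_jk: forward the SSL details along with the request.
    JkExtractSSL       On
    JkHTTPSIndicator   HTTPS
    JkCERTSIndicator   SSL_CLIENT_CERT
    JkCIPHERIndicator  SSL_CIPHER
    JkSESSIONIndicator SSL_SESSION_ID

    # Send the web application's URLs to the Tomcat worker.
    JkMount /app/* ajp13
</VirtualHost>
```

The hop between Apache and Tomcat over the connector is not encrypted by this configuration, so the connector port is normally bound to localhost or kept on a trusted network.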


Re: Tomcat & SSL

Posted by Milt Epstein <me...@uiuc.edu>.
On Mon, 23 Apr 2001, Joy Su wrote:

> Hi!
>
> I was wondering if anyone could tell me what the story with Tomcat &
> SSL is.  From what I've gathered on the jakarta site, it seems like:
>
> -- Tomcat 3.2 is the first release of Tomcat to claim "SSL support",
> but client-auth is not supported (only server authentication &
> encryption of data)
>
> -- SSL is only supported for Apache, and you need Apache-SSL or
> apache-mod_ssl, running with mod_jk
>
> -- mod_jserv won't work if you want to use SSL
>
> Is the above true?  And also, if my web server is IPlanet/Netscape or
> IIS, do those redirectors provide SSL support?
>
> Any help would be greatly appreciated!  Please cc: jsu@patkai.com.

Well, I can't answer all your questions, but I am using Apache,
mod_ssl, tomcat, and mod_jserv, so the answer to your last one would
seem to be "no, it's false" :-).

Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
mepstein@uiuc.edu