Posted to users@tomcat.apache.org by Greg Johnson <gr...@yahoo.com> on 2011/08/30 05:10:09 UTC

Two SSL certs. for same web app

We have a wildcard SSL cert. installed on our tomcat (6.0.18) instance. We are not fronted by Apache, as we just use Tomcat to serve the content directly. We provide subdomains for our clients to connect to us. For example:
https://client1.mycompany.com
represents "client 1's" portal into our web app.
https://client2.mycompany.com
represents "client 2's" portal into our web app.

A particular client is not happy with the strength of our SSL certificate, and wants us to install a "better one" for them to use when accessing our web app. (We don't need to discuss "better" here....I've already pulled my hair out on this one. And, no, it's not possible for us to simply get a "better" wildcard cert.) We have a single web app, and all clients access the same ROOT app. The subdomains are used primarily to allow us to skin our site differently for each client.

What is the method I should use to have "most" of our clients access our web app. using our existing wildcard cert., but still allow a single client to use a second SSL cert to access the same web app? In other words, when "client N" accesses our web site via:
https://clientn.mycompany.com
they should use a separate SSL cert.

I'm assuming I'll need a second network connection for our tomcat server. Our "standard" traffic will arrive via "ip-address-one", and "client N's" traffic will arrive via "ip-address-two". (With DNS configured to make that work correctly.) My guess would be that in addition to our tomcat.keystore file, I should create a clientn.keystore (which obviously holds the "better one").  If that is the case, then I'm confused as to how to configure things in server.xml.

My current structure in server.xml is:
<Server>
<Service>
<Connector port="8080" ... />
<Connector port="8443" keystoreFile="tomcat.keystore" ... />
<Engine defaultHost="localhost">
<Host name="localhost">
</Host>
</Engine>
</Service>
</Server>

I've done some research and I believe I should use the "address" parameter on the connectors, so that I would then have two sets of Connectors, using the "clientn.keystore" on the 2nd SSL connector. But from there I'm confused as to what IP addresses should be used in the Engine and Host blocks. Do I need two Host sections?

<Server>
<Service>
<Connector port="8080" address="ip-address-one" ... />
<Connector port="8443" address="ip-address-one" keystoreFile="tomcat.keystore" ... />
<Connector port="8080" address="ip-address-two" ... />
<Connector port="8443" address="ip-address-two" keystoreFile="clientn.keystore" ... />
<Engine defaultHost="localhost">
<Host name="localhost">
</Host>
</Engine>
</Service>
</Server>

If I simply replace "localhost" in the Engine and Host blocks with "ip-address-one", I get traffic correctly on all of our subdomains, but don't get any response when connecting to ip-address-two.


Be gentle, but please slap me down the right road. ;-) I'm just stumbling through this, as you can tell. I hope I've not forgotten to share enough details.

RE: [Solved] Two SSL certs. for same web app

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Greg Johnson [mailto:gregjo@yahoo.com] 
> Subject: [Solved] Two SSL certs. for same web app

> I did end up needing to slightly change the Host and Engine 
> declarations to point to 'ip-address-one' in my example.

That change isn't necessary.
 
> <Engine defaultHost="ip-address-one"> <Host name="ip-address-one"> </Host> 

Since you have only one <Host>, the name attribute is irrelevant as long as it matches the defaultHost setting in the <Engine>.  The name attribute becomes interesting only when there are multiple <Host> elements; Tomcat then uses the name to select which <Host> will process a given request.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: [Solved] Two SSL certs. for same web app

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Caldarale, Charles R 
> Subject: RE: [Solved] Two SSL certs. for same web app

> Since you have only one <Host>, the name attribute is irrelevant 
> as long as it matches the defaultHost setting in the <Engine>.

Should also note that the standard value of "localhost" for the defaultHost attribute is somewhat confusing; it has nothing to do with its usual interpretation of 127.0.0.1 or [::1] - it's just a character string that must match the name attribute in one <Host>.

 - Chuck






Re: [Solved] Two SSL certs. for same web app

Posted by Pid <pi...@pidster.com>.
On 31/08/2011 11:48, Pid wrote:
> On 31/08/2011 08:24, Greg Johnson wrote:
>> No, and you don't need to make any changes other than adding the extra <Connector>.  Traffic from both <Connector>s will be routed to the single <Engine> and <Host>.
>>> Thanks for the advice, Chuck. I did end up needing to slightly change the Host and Engine declarations to point to 'ip-address-one' in my example. So my server.xml ended up looking like this:
>>
>> <Server>
>> <Service>
>> <Connector port="8080" address="ip-address-one" ... />
>> <Connector port="8443" address="ip-address-one" keystoreFile="tomcat.keystore" ... />
>> <Connector port="8080" address="ip-address-two" ... />
>> <Connector port="8443" address="ip-address-two" keystoreFile="clientn.keystore" ... />
>> <Engine defaultHost="ip-address-one">
>> <Host name="ip-address-one">
>> </Host>
>> </Engine>
>> </Service>
>> </Server>
>>
> 
> Does that actually work?
> 
> There are two connectors with the same port number, which shouldn't work.

EPIC FAIL.  Ignore me.


p



Re: [Solved] Two SSL certs. for same web app

Posted by Pid <pi...@pidster.com>.
On 31/08/2011 08:24, Greg Johnson wrote:
> No, and you don't need to make any changes other than adding the extra <Connector>.  Traffic from both <Connector>s will be routed to the single <Engine> and <Host>.
>> Thanks for the advice, Chuck. I did end up needing to slightly change the Host and Engine declarations to point to 'ip-address-one' in my example. So my server.xml ended up looking like this:
> 
> <Server>
> <Service>
> <Connector port="8080" address="ip-address-one" ... />
> <Connector port="8443" address="ip-address-one" keystoreFile="tomcat.keystore" ... />
> <Connector port="8080" address="ip-address-two" ... />
> <Connector port="8443" address="ip-address-two" keystoreFile="clientn.keystore" ... />
> <Engine defaultHost="ip-address-one">
> <Host name="ip-address-one">
> </Host>
> </Engine>
> </Service>
> </Server>
> 

Does that actually work?

There are two connectors with the same port number, which shouldn't work.


p




[Solved] Two SSL certs. for same web app

Posted by Greg Johnson <gr...@yahoo.com>.
> No, and you don't need to make any changes other than adding the extra <Connector>.  Traffic from both <Connector>s will be routed to the single <Engine> and <Host>.

Thanks for the advice, Chuck. I did end up needing to slightly change the Host and Engine declarations to point to 'ip-address-one' in my example. So my server.xml ended up looking like this:

<Server>
<Service>
<Connector port="8080" address="ip-address-one" ... />
<Connector port="8443" address="ip-address-one" keystoreFile="tomcat.keystore" ... />
<Connector port="8080" address="ip-address-two" ... />
<Connector port="8443" address="ip-address-two" keystoreFile="clientn.keystore" ... />
<Engine defaultHost="ip-address-one">
<Host name="ip-address-one">
</Host>
</Engine>
</Service>
</Server>

RE: Two SSL certs. for same web app

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Greg Johnson [mailto:gregjo@yahoo.com] 
> Subject: Two SSL certs. for same web app

> I've done some research and I believe I should use the "address" 
> parameter on the connectors, so that I would then have two sets of
> Connectors, using the "clientn.keystore" on the 2nd SSL connector.

Correct.

> But from there I'm confused as to what IP addresses should be used 
> in the Engine and Host blocks. Do I need two Host sections? 

No, and you don't need to make any changes other than adding the extra <Connector>.  Traffic from both <Connector>s will be routed to the single <Engine> and <Host>.

 - Chuck




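The layout Chuck confirms above (one <Connector> pair per address, each HTTPS connector with its own keystoreFile, and a single <Engine>/<Host> whose defaultHost simply matches the one <Host> name) is easy to get subtly wrong, as the thread itself shows: a connector left without an address binds the wildcard address and collides with the address-bound one on the same port, and a defaultHost that names no <Host> leaves the engine with nowhere to route requests. The following checker is an added example, not code from the thread or from Tomcat; it parses a server.xml with the standard library and reports those mistakes plus an SSL connector with no keystore. The two embedded documents are constructed samples: the first is the thread's final layout with the poster's two real addresses replaced by TEST-NET placeholders (192.0.2.10 and 192.0.2.20, keystorePass="changeit" is likewise a placeholder), the second is a deliberately broken variant. It goes slightly beyond the thread by treating a wildcard bind as clashing with every address-specific connector on the same port, which is the conservative assumption.

```python
"""Added example: consistency checker for the multi-connector Tomcat
server.xml layout discussed in the thread (not the thread's own code).

Checks performed:
  1. no two <Connector>s in a <Service> claim the same (address, port);
     a connector without an address binds the wildcard address and is
     treated as clashing with any other connector on that port
     (conservative assumption);
  2. every SSLEnabled="true" connector names a keystoreFile;
  3. <Engine defaultHost> matches the name of one <Host>.
"""
import xml.etree.ElementTree as ET

# Constructed sample: the thread's final layout with placeholder addresses
# from the documentation range (192.0.2.0/24) and a placeholder password.
GOOD_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" address="192.0.2.10" protocol="HTTP/1.1"
               redirectPort="8443" />
    <Connector port="8443" address="192.0.2.10" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/tomcat.keystore" keystorePass="changeit" />
    <Connector port="8080" address="192.0.2.20" protocol="HTTP/1.1"
               redirectPort="8443" />
    <Connector port="8443" address="192.0.2.20" protocol="HTTP/1.1"
               SSLEnabled="true" scheme="https" secure="true"
               keystoreFile="conf/clientn.keystore" keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""

# Constructed broken sample: the second connector pair has no address (so
# ports 8080 and 8443 would be bound twice), the second SSL connector has
# no keystore, and defaultHost names a <Host> that does not exist.
BAD_SERVER_XML = """<Server>
  <Service>
    <Connector port="8080" address="192.0.2.10" />
    <Connector port="8443" address="192.0.2.10" SSLEnabled="true"
               keystoreFile="conf/tomcat.keystore" />
    <Connector port="8080" />
    <Connector port="8443" SSLEnabled="true" />
    <Engine defaultHost="ip-address-one">
      <Host name="localhost" />
    </Engine>
  </Service>
</Server>
"""


def check_server_xml(text):
    """Return a list of problem strings; an empty list means the layout is consistent."""
    problems = []
    root = ET.fromstring(text)
    for service in root.iter("Service"):
        bound = {}  # port -> addresses already claimed on that port
        for conn in service.findall("Connector"):
            port = conn.get("port")
            addr = conn.get("address", "*")  # "*" stands for the wildcard bind
            seen = bound.setdefault(port, [])
            # A repeated port is fine only when every claimant has a distinct,
            # explicit address; a wildcard overlaps everything on the port.
            if addr in seen or "*" in seen or (addr == "*" and seen):
                problems.append(f"port {port}: address {addr} clashes with {seen}")
            seen.append(addr)
            ssl_on = conn.get("SSLEnabled", "false").lower() == "true"
            if ssl_on and not conn.get("keystoreFile"):
                problems.append(f"port {port}/{addr}: SSLEnabled without keystoreFile")
        for engine in service.findall("Engine"):
            default = engine.get("defaultHost")
            names = [h.get("name") for h in engine.findall("Host")]
            if default not in names:
                problems.append(
                    f"Engine defaultHost={default!r} matches no <Host> name {names}")
    return problems


if __name__ == "__main__":
    for label, doc in (("good", GOOD_SERVER_XML), ("bad", BAD_SERVER_XML)):
        found = check_server_xml(doc)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Run it as a script to see the good layout pass and the broken one report four problems; point check_server_xml at the text of a real server.xml to apply the same checks before restarting Tomcat. The duplicate-port rule is exactly the case Pid raised: two connectors on 8443 are acceptable precisely because each carries its own address.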


Re: Two SSL certs. for same web app

Posted by Greg Johnson <gr...@yahoo.com>.
Jeffrey wrote:
>I do hope you are billing them an arm & a leg for that "better" certificate.

Our client is an integral partner of a well-known certificate provider, so they are providing it for us without charge....for just their subdomain. 

Chuck wrote:
>Since you have only one <Host>, the name attribute is irrelevant 
>as long as it matches the defaultHost setting in the <Engine>.

Thanks for your attention to detail, Chuck. You are correct. I guess I made that change at the same time I made some iptables changes (which was another hurdle for me). Apparently I changed the "right thing" with iptables at the same time I made the changes in Host and Engine, and incorrectly assumed I needed changes in the Host and Engine definition.



[OT] Two SSL certs. for same web app

Posted by Jeffrey Janner <Je...@PolyDyne.com>.
I do hope you are billing them an arm & a leg for that "better" certificate.
Our setup is near identical to yours, and it is what we would do.

> -----Original Message-----
> From: Greg Johnson [mailto:gregjo@yahoo.com]
> Sent: Monday, August 29, 2011 10:10 PM
> To: users@tomcat.apache.org
> Subject: Two SSL certs. for same web app
> 
> We have a wildcard SSL cert. installed on our tomcat (6.0.18) instance.
> We are not fronted by Apache, as we just use Tomcat to serve the
> content directly. We provide subdomains for our clients to connect to
> us. For example:
> https://client1.mycompany.com
> represents "client 1's" portal into our web app.
> https://client2.mycompany.com
> represents "client 2's" portal into our web app.
> 
> A particular client is not happy with the strength of our SSL
> certificate, and wants us to install a "better one" for them to use
> when accessing our web app. (We don't need to discuss "better"
> here....I've already pulled my hair out on this one. And, no, it's not
> possible for us to simply get a "better" wildcard cert.) We have a
> single web app, and all clients access the same ROOT app. The
> subdomains are used primarily to allow us to skin our site differently
> for each client.
> 
> What is the method I should use to have "most" of our clients access
> our web app. using our existing wildcard cert., but still allow a
> single client to use a second SSL cert to access the same web app? In
> other words, when "client N" accesses our web site via:
> https://clientn.mycompany.com
> they should use a separate SSL cert.
> 
> I'm assuming I'll need a second network connection for our tomcat
> server. Our "standard" traffic will arrive via "ip-address-one", and
> "client N's" traffic will arrive via "ip-address-two". (With DNS
> configured to make that work correctly.) My guess would be that in
> addition to our tomcat.keystore file, I should create a
> clientn.keystore (which obviously holds the "better one").  If that is
> the case, then I'm confused as to how to configure things in
> server.xml.
> 
> My current structure in server.xml is:
> <Server>
> <Service>
> <Connector port="8080" ... />
> <Connector port="8443" keystoreFile="tomcat.keystore" ... />
> <Engine defaultHost="localhost">
> <Host name="localhost">
> </Host>
> </Engine>
> </Service>
> </Server>
> 
> I've done some research and I believe I should use the "address"
> parameter on the connectors, so that I would then have two sets of
> Connectors, using the "clientn.keystore" on the 2nd SSL connector. But
> from there I'm confused as to what IP addresses should be used in the
> Engine and Host blocks. Do I need two Host sections?
> 
> <Server>
> <Service>
> <Connector port="8080" address="ip-address-one" ... />
> <Connector port="8443" address="ip-address-one"
> keystoreFile="tomcat.keystore" ... />
> <Connector port="8080" address="ip-address-two" ... />
> <Connector port="8443" address="ip-address-two"
> keystoreFile="clientn.keystore" ... />
> <Engine defaultHost="localhost">
> <Host name="localhost">
> </Host>
> </Engine>
> </Service>
> </Server>
> 
> If I simply replace "localhost" in the Engine and Host blocks with
> "ip-address-one", I get traffic correctly on all of our subdomains, but
> don't get any response when connecting to ip-address-two.
> 
> 
> Be gentle, but please slap me down the right road. ;-) I'm just
> stumbling through this, as you can tell. I hope I've not forgotten to
> share enough details.
__________________________________________________________________________

Confidentiality Notice:  This Transmission (including any attachments) may contain information that is privileged, confidential, and exempt from disclosure under applicable law.  If the reader of this message is not the intended recipient you are hereby notified that any dissemination, distribution, or copying of this communication is strictly prohibited.  

If you have received this transmission in error, please immediately reply to the sender or telephone (512) 343-9100 and delete this transmission from your system.

