Posted to dev@tomcat.apache.org by hg...@apache.org on 2001/08/20 18:11:09 UTC

cvs commit: jakarta-tomcat/src/doc tomcat-ssl-howto.html

hgomez      01/08/20 09:11:09

  Modified:    src/doc  tomcat-ssl-howto.html
  Log:
  Updated documentation about SSL to handle TC 3.3
  new conf and added an example of keytool use :)
  
  Revision  Changes    Path
  1.5       +384 -270  jakarta-tomcat/src/doc/tomcat-ssl-howto.html
  
  Index: tomcat-ssl-howto.html
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/tomcat-ssl-howto.html,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- tomcat-ssl-howto.html	2001/06/13 09:27:00	1.4
  +++ tomcat-ssl-howto.html	2001/08/20 16:11:09	1.5
  @@ -1,270 +1,384 @@
  -<html>
  -<head>
  -    <!-- $Id  $ -->
  -    <!-- Copyright 1999, Apache Software Foundation -->
  -
  -    <meta http-equiv=Content-Type content="text/html">
  -    <link rel="stylesheet" href="style.css">
  -    <style type="text/css">
  -    .inlinetd {
  -        background-color: #E0E0E0;
  -        vertical-align: text-top;
  -        border-top: thick black;
  -        border-right: thick black;
  -        border-bottom: thick black;
  -        border-left: thick black;
  -    }
  -    .inlineth {
  -        background-color: #d0d0d0;
  -        border-top: thick black;
  -        border-right: thick black;
  -        border-bottom: thick black;
  -        border-left: thick black;
  -    }
  -    .inlinetable {
  -        width: 75%;
  -        border: thick;
  -        background-color: #000000;
  -    }
  -    .subsection { margin:20pt; }
  -    .note { margin:20pt; padding:5pt; background-color:#e0e0ff; }
  -
  -    </style>
  -
  -<title>Tomcat and SSL</title>
  -</head>
  -
  -<body>
  -<!-- Banner element, all hail the Project! --> 
  -<table border="0" width="100%" cellspacing="0" cellpadding="0">
  -  <tr> 
  -    <td width="50%" align="left"> <a href="http://jakarta.apache.org/index.html"> 
  -      <img src="uguide/images/banner.gif" width="350" height="100" alt="The Jakarta Project" border="0"> 
  -      </a> </td>
  -    <td width="50%" align="right"> <img border="0" src="uguide/images/tomcat.gif" width="100" height="71" alt="The mighty Tomcat - Meow!"> 
  -    </td>
  -  </tr>
  -</table>
  -<h1>Tomcat and SSL</h1>
  -<p>By Gomez Henri <tt>&lt;<a href="mailto:shachor@il.ibm.com">hgomez@slib.fr</a>&gt;</tt></p>
  -<h2>Table of Contents</h2>
  -<ul>
  -  <li><a href="#s2">Tomcat and SSL</a></li>
  -  <li><a href="#s3">Building tomcat with SSL support</a></li>
  -  <li><a href="#s4">Tomcat with Apache and mod_jk</a></li>
  -  <li><a href="#s5">SSL via apache</a></li>
  -  <li><a href="#s6">SSL direct</a></li>
  -  <li><a href="#s7">Credits</a></li>
  -</ul>
  -<hr>
  -<h2><a name=s2>Tomcat and SSL</a></h2>
  -<p>Tomcat could use SSL directly (via an HTTP connector supporting SSL) or via 
  -  an Apache SSLified (<a href="http://www.apache-ssl.org">Apache-SSL</a> or apache-mod_ssl) 
  -  with the mod_jk connector.</p>
  -<hr>
  -<h2><a name=s3>Building tomcat with SSL support</a></h2>
  -<p>If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH. 
  -  I used to clear the CLASSPATH env var to avoid conflict in jar. A common case 
  -  of conflict is for XML parsers (xerces & jaxp). tomcat need a recent XML parser 
  -  like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.</p>
  -<p>At build time, (via ant), tomcat will check for some libs and will then included 
  -  more or less options. It's the case of SSL support. If you have the JSSE 1.0.2 
  -  jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory). tomcat 
  -  will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software COULDN'T 
  -  BE INCLUDED in tomcat. You'll have to go to <a href="http://java.sun.com/products/jsse/%20">jsse 
  -  home page </a>and download from there the domestic (US/Canada) or global archive. 
  -  Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).</p>
  -<hr>
  -<h2><a name=s4>Tomcat with Apache and mod_jk</a></h2>
  -<p>If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector 
  -  mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL 
  -  directive is present in your httpd.conf. </p>
  -<p>Informations are :</p>
  -<table width="75%" border="1">
  -  <tr> 
  -    <td>HTTPS</td>
  -    <td>apache redirect to tomcat from an SSL area</td>
  -  </tr>
  -  <tr> 
  -    <td>SSL_SESSION_ID</td>
  -    <td>SSL session ID</td>
  -  </tr>
  -  <tr> 
  -    <td>SSL_CIPHER</td>
  -    <td>SSL CIPHER used</td>
  -  </tr>
  -  <tr> 
  -    <td>SSL_CLIENT_CERT</td>
  -    <td>SSL Certificate of client</td>
  -  </tr>
  -</table>
  -<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could adapt 
  -  SSL vars via the following JK vars </p>
  -<ul>
  -  <li>JkExtractSSL</li>
  -  <li>JkHTTPSIndicator</li>
  -  <li>JkSESSIONIndicator</li>
  -  <li>JkCIPHERIndicator</li>
  -  <li>JkCERTSIndicator: </li>
  -</ul>
  -<p>here is an example of directive to include in httpd.conf for use with mod_ssl 
  -</p>
  -<p><font face="Courier New, Courier, mono" size="-1"># Should mod_jk send SSL 
  -  information to Tomact (default is On)<br>
  -  JkExtractSSL On <br>
  -  # What is the indicator for SSL (default is HTTPS)<br>
  -  JkHTTPSIndicator HTTPS <br>
  -  # What is the indicator for SSL session (default is SSL_SESSION_ID) <br>
  -  JkSESSIONIndicator SSL_SESSION_ID <br>
  -  # What is the indicator for client SSL cipher suit (default is SSL_CIPHER) <br>
  -  JkCIPHERIndicator SSL_CIPHER <br>
  -  # What is the indicator for the client SSL certificated (default is SSL_CLIENT_CERT) 
  -  <br>
  -  JkCERTSIndicator SSL_CLIENT_CERT </font></p>
  -<p>When using mod_jk with Apache & mod_ssl it is essential to specify "SSLOptions 
  -  +StdEnvVars +ExportCertData" in the httpd.conf file.<br>
  -  Otherwise mod_ssl will not produce the neccessary environment variables for 
  -  mod_jk. (Tilo Christ &lt;tilo.christ@med.siemens.de&gt;)</p>
  -<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ) and 
  -  ajp13, only ajp13 could forward SSL informations to tomcat.</p>
  -<hr>
  -<h2><a name=s5>SSL via apache</a></h2>
  -<p>mod_jk seems to support the VirtualHost directive of Apache. It's specialy 
  -  usefull when using an apache-mod_ssl with tomcat.<br>
  -  This config will easily secure your webapps via Apache SSL support. Just take 
  -  care of setting these jk vars outside VirtualHost directives :</p>
  -<p> <font face="Courier New, Courier, mono" size="-1">JkWorkersFile /etc/httpd/conf/workers.properties<br>
  -  JkLogFile /var/log/httpd/mod_jk.log <br>
  -  JkLogLevel warn</font> </p>
  -<p>The jk redirect stuff could be set in virtual hosts : <virtualhost _default_:443></p>
  -<p><font face="Courier New, Courier, mono" size="-1">&lt;VirtualHost _default_:443&gt;<br>
  -  SSLEngine on <br>
  -  SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL 
  -  <br>
  -  <br>
  -  </font><font face="Courier New, Courier, mono" size="-1"># other SSL stuff<br>
  -  </font><font face="Courier New, Courier, mono" size="-1"><br>
  -  Alias /alesia "/var/tomcat/webapps/alesia" <directory "/var/tomcat/webapps/alesia"> 
  -  <br>
  -  &lt;Directory "/var/tomcat/webapps/alesia"&gt;</directory><br>
  -  <directory "/var/tomcat/webapps/alesia">Options Indexes FollowSymLinks </directory> 
  -  <br>
  -  &lt;/Directory> <br>
  -  <br>
  -  JkMount /alesia/servlet/* ajp13 <br>
  -  JkMount /alesia/*.jsp ajp13 <location "/alesia/WEB-INF/"><br>
  -  </location><br>
  -  &lt;Location "/alesia/WEB-INF/"><br>
  -  AllowOverride None<br>
  -  Deny from all<br>
  -  &lt;/Location> </font></p>
  -<p><font face="Courier New, Courier, mono" size="-1">&lt;/VirtualHost></font><virtualhost _default_:443></virtualhost></p>
  -<hr>
  -<h2><a name=s6>SSL direct</a></h2>
  -<p>If you want tomcat run HTTP/SSL, you need to create a SSL certificate. For 
  -  more informations about SSL and certificates, I suggest you could take a look 
  -  at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL implementation) 
  -  and <a href="http://www.modssl.org">ModSSL</a> (SSL support for Apache)</p>
  -<h3><a name=s61><font size="+1">Verify tomcat server.xml configuration file</font></a></h3>
  -<blockquote> 
  -  <p> To use the HTTP with SSL connector in tomcat, verify that it is activated 
  -    in server.xml</p>
  -  <p><font face="Courier New, Courier, mono" size="-1">&lt;Connector className="org.apache.tomcat.service.PoolTcpConnector"&gt;<br>
  -    &lt;Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/&gt;<br>
  -    &lt;Parameter name="port" value="8443"/&gt;<br>
  -    &lt;Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" 
  -    /&gt;<br>
  -    &lt;Parameter name="keystore" value="/var/tomcat/conf/keystore" /&gt;</font><font face="Courier New, Courier, mono" size="-1"> 
  -    <br>
  -    &lt;Parameter name="keypass" value="changeit"/&gt;<br>
  -    &lt;Parameter name="clientAuth" value="true"/&gt; <br>
  -    &lt;/Connector&gt; </font></p>
  -  <p>In this example we indicate the keystore is file <b>/var/tomcat/conf/keystore</b>. 
  -    The keystore password is <b>changeit</b> and we want client to authentificate.</p>
  -  <blockquote>&nbsp;</blockquote>
  -</blockquote>
  -<h3><a name=s62>Generate a SSL certificate (RSA) for tomcat</a></h3>
  -<blockquote>
  -  <p>I succeed (at least) with my IBM JDK 1.3 after : </p>
  -</blockquote>
  -<ul>
  -  <li> jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext 
  -    (JAVA &gt; 1.2)<br>
  -    </b><br>
  -  </li>
  -  <li> from server.xml doc.You _need_ to set up a server certificate if you want 
  -    this to work, and you need JSSE. <br>
  -    <br>
  -    <ul>
  -      <li> Add JSSE jars to CLASSPATH </li>
  -      <li> Edit $JAVA_HOME/jre/lib/security/java.security Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
  -      <li> Do: <font face="Courier New, Courier, mono" size="-1">keytool -genkey 
  -        -alias tomcat -keyalg RSA</font> RSA is essential to work with Netscape 
  -        and IIS. Use "changeit" as password. ( or add keypass attribute ) You 
  -        don't need to sign the certificate. You can set parameter keystore and 
  -        keypass if you want to change the default ( user.home/.keystore with changeit 
  -        )<br>
  -        <br>
  -      </li>
  -    </ul>
  -  </li>
  -  <li> I suggest you install jcert.jar, jnet.jar and jsse.jar in $JAVA_HOME/jre/lib/ext 
  -    and then add them to CLASSPATH export <br>
  -    <br>
  -    <font size="-1" face="Courier New, Courier, mono">CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH 
  -    export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font><br>
  -    <br>
  -    You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically 
  -    added to CLASSPATH at tomcat startup (tomcat.sh).</li>
  -</ul>
  -<p>&nbsp; </p>
  -<h3><a name=s63>Importing SSL certificates</a></h3>
  -<p>It's possible to import certificates generated with <a href="http://www.openssl.org">OpenSSL</a>. 
  -  Here are the steps needed to generate such certs with OpenSSL : </p>
  -<ul>
  -  <li>To generate a new request and a new key <br>
  -    <pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem -keyout KEY.pem</font> </pre>
  -  </li>
  -  <li>To generate a self signed x509 certificate from a certificate request using 
  -    a supplied key, and we want to see the text form of the output certificate 
  -    (which we will put in the file selfSign.pem 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -x509 -in 
  -      REQ.pem -key KEY.pem -out CERT.pem</font> </p>
  -  </li>
  -  <li>Verify that the signature is correct on a certificate request. 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in 
  -      REQ.pem</font> </p>
  -  </li>
  -  <li>Verify that the signature was made using a specified public key 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -verify -in 
  -      REQ.pem -key KEY.pem</font> </p>
  -  </li>
  -  <li>Print the contents of a certificate request 
  -    <p><font face="Courier New, Courier, mono" size="-1">openssl req -text -in 
  -      REQ.pem</font> </p>
  -  </li>
  -  <li>To import the CERT in keystore, you just do next : 
  -    <p><font face="Courier New, Courier, mono" size="-1">keytool -import -v -trustcacerts 
  -      -alias tomcat -file</font> <font size="-1" face="Courier New, Courier, mono">CERT.pem</font> 
  -    </p>
  -  </li>
  -</ul>
  -<hr>
  -<h2><a name=s7>Credits</a></h2>
  -<p>This document was created by <a href="mailto:hgomez@slib.fr">Gomez Henri</a>. 
  -  Thanks to hgopal@cmcltd.com for import info. Feel free to contact me for more 
  -  updates.</p>
  -<table width="100%" border="0" cellpadding="10" cellspacing="0">
  -  <tr> 
  -    <td> 
  -      <p class="fineprint"> Copyright &copy;1999-2000 The Apache Software Foundation<br>
  -        <a href="http://jakarta.apache.org/legal.html">Legal Stuff They Make Us 
  -        Say</a><br>
  -        <a href="http://jakarta.apache.org/contact.html">Contact Information</a> 
  -      </p>
  -    </td>
  -  </tr>
  -</table>
  -</body>
  -</html>
  -
  +<!doctype html public "-//w3c//dtd html 4.0 transitional//en">
  +<html>
  +<head>
  +   <meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1">
  +   <meta name="GENERATOR" content="Mozilla/4.77 [en] (X11; U; Linux 2.2.19-6.2.7 i686) [Netscape]">
  +   <title>Tomcat and SSL</title>
  +<!-- $Id  $ -->
  +<!-- Copyright 1999, Apache Software Foundation -->
  +<link rel="stylesheet" href="style.css">
  +<style type="text/css">
  +    .inlinetd {
  +        background-color: #E0E0E0;
  +        vertical-align: text-top;
  +        border-top: thick black;
  +        border-right: thick black;
  +        border-bottom: thick black;
  +        border-left: thick black;
  +    }
  +    .inlineth {
  +        background-color: #d0d0d0;
  +        border-top: thick black;
  +        border-right: thick black;
  +        border-bottom: thick black;
  +        border-left: thick black;
  +    }
  +    .inlinetable {
  +        width: 75%;
  +        border: thick;
  +        background-color: #000000;
  +    }
  +    .subsection { margin:20pt; }
  +    .note { margin:20pt; padding:5pt; background-color:#e0e0ff; }
  +
  +    </style>
  +</head>
  +<body>
  +<!-- Banner element, all hail the Project! -->
  +<table BORDER=0 CELLSPACING=0 CELLPADDING=0 WIDTH="100%" >
  +<tr>
  +<td ALIGN=LEFT WIDTH="50%"><a href="http://jakarta.apache.org/index.html"><img SRC="banner.gif" ALT="The Jakarta Project" BORDER=0 height=100 width=350></a></td>
  +
  +<td ALIGN=RIGHT WIDTH="50%"><img SRC="tomcat.gif" ALT="The mighty Tomcat - Meow!" BORDER=0 height=71 width=100></td>
  +</tr>
  +</table>
  +
  +<h1>
  +Tomcat and SSL</h1>
  +By Gomez Henri <tt>&lt;<a href="mailto:hgomez@slib.fr">hgomez@slib.fr</a>></tt>
  +<h2>
  +Table of Contents</h2>
  +
  +<ul>
  +<li>
  +<a href="#s2">Tomcat and SSL</a></li>
  +
  +<li>
  +<a href="#s3">Building tomcat with SSL support</a></li>
  +
  +<li>
  +<a href="#s4">Tomcat with Apache and mod_jk</a></li>
  +
  +<li>
  +<a href="#s5">SSL via apache</a></li>
  +
  +<li>
  +<a href="#s6">SSL direct</a></li>
  +
  +<li>
  +<a href="#s7">Credits</a></li>
  +</ul>
  +
  +<hr>
  +<h2>
  +<a NAME="s2"></a>Tomcat and SSL</h2>
  +Tomcat could use SSL directly (via an HTTP connector supporting SSL) or
  +via an Apache SSLified (<a href="http://www.apache-ssl.org">Apache-SSL</a>
  +or <a href="http://www.modssl.org">apache-mod_ssl</a>) with the mod_jk
  +connector.
  +<br>
  +<hr>
  +<h2>
  +<a NAME="s3"></a>Building tomcat with SSL support</h2>
  +If you want to rebuild the tomcat with SSL, be carefull of your CLASSPATH.
  +I used to clear the CLASSPATH env var to avoid conflict in jar. A common
  +case of conflict is for XML parsers (xerces &amp; jaxp). tomcat need a
  +recent XML parser like Apache Group xerces 1.1.2 or Sun's jaxp 1.0.1.
  +<p>At build time, (via ant), tomcat will check for some libs and will then
  +included more or less options. It's the case of SSL support. If you have
  +the JSSE 1.0.2 jars in your CLASSPATH, tomcat will be built with SSL (SSLSocketFactory).
  +tomcat will use the JSSE jars (jcert.jar, jsse.jar, jnet.jar).This software
  +COULDN'T BE INCLUDED in tomcat. You'll have to go to <a href="http://java.sun.com/products/jsse/">jsse
  +home page </a>and download from there the domestic (US/Canada) or global
  +archive. Then copy the 3 jars in tomcat runtime classpath lib ($TOMCAT_HOME/lib).
  +<br>
  +<hr>
  +<h2>
  +<a NAME="s4"></a>Tomcat with Apache and mod_jk</h2>
  +If you use Apache with SSL (apache-ssl or apache-mod_ssl), the apache connector
  +mod_jk will be able to forward to tomcat some SSL informations if JkExtractSSL
  +directive is present in your httpd.conf.
  +<p>Informations are :
  +<br>&nbsp;
  +<table BORDER WIDTH="75%" >
  +<tr>
  +<td>HTTPS</td>
  +
  +<td>apache redirect to tomcat from an SSL area</td>
  +</tr>
  +
  +<tr>
  +<td>SSL_SESSION_ID</td>
  +
  +<td>SSL session ID</td>
  +</tr>
  +
  +<tr>
  +<td>SSL_CIPHER</td>
  +
  +<td>SSL CIPHER used</td>
  +</tr>
  +
  +<tr>
  +<td>SSL_CLIENT_CERT</td>
  +
  +<td>SSL Certificate of client</td>
  +</tr>
  +</table>
  +
  +<p>Since apache-ssl and apache-mod_ssl use differents env vars, you could
  +adapt SSL vars via the following JK vars
  +<ul>
  +<li>
  +JkExtractSSL</li>
  +
  +<li>
  +JkHTTPSIndicator</li>
  +
  +<li>
  +JkSESSIONIndicator</li>
  +
  +<li>
  +JkCIPHERIndicator</li>
  +
  +<li>
  +JkCERTSIndicator:</li>
  +</ul>
  +here is an example of directive to include in httpd.conf for use with mod_ssl
  +<p><font face="Courier New, Courier, mono"><font size=-1># Should mod_jk
  +send SSL information to Tomact (default is On)</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkExtractSSL
  +On</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1># What is the
  +indicator for SSL (default is HTTPS)</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkHTTPSIndicator
  +HTTPS</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1># What is the
  +indicator for SSL session (default is SSL_SESSION_ID)</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkSESSIONIndicator
  +SSL_SESSION_ID</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1># What is the
  +indicator for client SSL cipher suit (default is SSL_CIPHER)</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkCIPHERIndicator
  +SSL_CIPHER</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1># What is the
  +indicator for the client SSL certificated (default is SSL_CLIENT_CERT)</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkCERTSIndicator
  +SSL_CLIENT_CERT</font></font>
  +<p>When using mod_jk with Apache &amp; mod_ssl it is essential to specify
  +"SSLOptions +StdEnvVars +ExportCertData" in the httpd.conf file.
  +<br>Otherwise mod_ssl will not produce the neccessary environment variables
  +for mod_jk. (Tilo Christ &lt;tilo.christ@med.siemens.de>)
  +<p>Warning, even if mod_jk support both ajp12 (old version from ApacheJServ)
  +and ajp13, only ajp13 could forward SSL informations to tomcat.
  +<br>
  +<hr>
  +<h2>
  +<a NAME="s5"></a>SSL via apache</h2>
  +mod_jk seems to support the VirtualHost directive of Apache. It's specialy
  +usefull when using an apache-mod_ssl with tomcat.
  +<br>This config will easily secure your webapps via Apache SSL support.
  +Just take care of setting these jk vars outside VirtualHost directives
  +:
  +<p><font face="Courier New, Courier, mono"><font size=-1>JkWorkersFile
  +/etc/httpd/conf/workers.properties</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkLogFile /var/log/httpd/mod_jk.log</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkLogLevel warn</font></font>
  +<p>The jk redirect stuff could be set in virtual hosts :&nbsp;<virtualhost _default_:443>
  +<p><font face="Courier New, Courier, mono"><font size=-1>&lt;VirtualHost
  +_default_:443></font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>SSLEngine on</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>SSLCipherSuite
  +ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL</font></font>
  +<p><font face="Courier New, Courier, mono"><font size=-1># other SSL stuff</font></font>
  +<p><font face="Courier New, Courier, mono"><font size=-1>Alias /alesia
  +"/var/tomcat/webapps/alesia"&nbsp;</font></font><directory "/var/tomcat/webapps/alesia">
  +<br><font face="Courier New, Courier, mono"><font size=-1>&lt;Directory
  +"/var/tomcat/webapps/alesia"></font></font></directory>
  +<br><directory "/var/tomcat/webapps/alesia"><font face="Courier New, Courier, mono"><font size=-1>Options
  +Indexes FollowSymLinks&nbsp;</font></font></directory>
  +<br><font face="Courier New, Courier, mono"><font size=-1>&lt;/Directory></font></font>
  +<p><font face="Courier New, Courier, mono"><font size=-1>JkMount /alesia/servlet/*
  +ajp13</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>JkMount /alesia/*.jsp
  +ajp13&nbsp;</font></font><location "/alesia/WEB-INF/">
  +<br></location>
  +<br><font face="Courier New, Courier, mono"><font size=-1>&lt;Location
  +"/alesia/WEB-INF/"></font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>AllowOverride
  +None</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>Deny from all</font></font>
  +<br><font face="Courier New, Courier, mono"><font size=-1>&lt;/Location></font></font>
  +<p><font face="Courier New, Courier, mono"><font size=-1>&lt;/VirtualHost></font></font><virtualhost _default_:443></virtualhost>
  +<br>
  +<hr>
  +<h2>
  +<a NAME="s6"></a>SSL direct</h2>
  +If you want tomcat run HTTP/SSL, you need to create a SSL certificate.
  +For more informations about SSL and certificates, I suggest you could take
  +a look at <a href="http://www.openssl.org">OpenSSL</a> (OpenSource SSL
  +implementation) and <a href="http://www.modssl.org">ModSSL</a> (SSL support
  +for Apache)
  +<h3>
  +<a NAME="s61"></a><font size=+1>Verify tomcat server.xml configuration
  +file</font></h3>
  +
  +<blockquote>To use the HTTP with SSL connector in tomcat, verify that it
  +is activated in server.xml
  +<p>Syntax for tomcat 3.2 :
  +<p><tt><font size=-1>&lt;Connector className="org.apache.tomcat.service.PoolTcpConnector"></font></tt>
  +<br><tt><font size=-1>&lt;Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/></font></tt>
  +<br><tt><font size=-1>&lt;Parameter name="port" value="8443"/></font></tt>
  +<br><tt><font size=-1>&lt;Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"
  +/></font></tt>
  +<br><tt><font size=-1>&lt;Parameter name="keystore" value="/var/tomcat/conf/keystore"
  +/></font></tt>
  +<br><tt><font size=-1>&lt;Parameter name="keypass" value="changeit"/></font></tt>
  +<br><tt><font size=-1>&lt;Parameter name="clientAuth" value="false"/></font></tt>
  +<br><tt><font size=-1>&lt;/Connector></font></tt><tt></tt>
  +<p>Syntax for tomcat 3.3 :
  +<p><tt><font size=-1>&lt;Http10Connector</font></tt>
  +<br><tt><font size=-1>&nbsp; port="8443"</font></tt>
  +<br><tt><font size=-1>&nbsp; secure="true"</font></tt>
  +<br><tt><font size=-1>&nbsp; keystore="/var/tomcat/conf/keystore"</font></tt>
  +<br><tt><font size=-1>&nbsp; keypass="changeit"/</font></tt>
  +<br><tt><font size=-1>&nbsp; clientAuth="false" /></font></tt><font size=-1></font>
  +<p>In this example we indicate the keystore is file <b>/var/tomcat/conf/keystore</b>.
  +The keystore password is <b>changeit</b> and we DONT&nbsp;want client to
  +authentificate.
  +<blockquote>&nbsp;</blockquote>
  +</blockquote>
  +
  +<h3>
  +<a NAME="s62"></a>Generate a SSL certificate (RSA) for tomcat</h3>
  +
  +<blockquote>I succeed (at least) with my IBM JDK 1.3 after :</blockquote>
  +
  +<ul>
  +<li>
  +jsse jars <b>MUST BE IN BOTH CLASSPATH</b> and <b>$JAVA_HOME/jre/lib/ext
  +(JAVA > 1.2)</b></li>
  +
  +<br>&nbsp;
  +<li>
  +from server.xml doc.You _need_ to set up a server certificate if you want
  +this to work, and you need JSSE.</li>
  +
  +<br>&nbsp;
  +<ul>
  +<li>
  +Add JSSE jars to CLASSPATH</li>
  +
  +<li>
  +Edit $JAVA_HOME/jre/lib/security/java.security Add: security.provider.2=com.sun.net.ssl.internal.ssl.Provider</li>
  +
  +<li>
  +Generate the certificate with keytool, be carefull and set 'first and last
  +name' to your server name :<br>
  +<BR></li>
  +
  +<br>Do: <font face="Courier New, Courier, mono"><font size=-1>keytool -genkey
  +-alias tomcat -keyalg RSA</font></font> RSA is essential to work with Netscape
  +and IIS. Use "changeit" as password. ( or add keypass attribute ) You don't
  +need to sign the certificate. You can set parameter keystore and keypass
  +if you want to change the default ( user.home/.keystore with changeit )
  +:<br>
  +<br>
  +<tt><font size=-1>[root@www.vercingetorix.org /root]# keytool -genkey -alias
  +tomcat -keyalg RSA</font></tt>
  +<br><tt><font size=-1>Enter keystore password:&nbsp; changeit</font></tt>
  +<br><tt><font size=-1>What is your first and last name?</font></tt>
  +<br><tt><font size=-1>&nbsp; [Unknown]:&nbsp; www.vercingetorix.org</font></tt>
  +<br><tt><font size=-1>What is the name of your organizational unit?</font></tt>
  +<br><tt><font size=-1>&nbsp; [Unknown]:&nbsp; Chief</font></tt>
  +<br><tt><font size=-1>What is the name of your organization?</font></tt>
  +<br><tt><font size=-1>&nbsp; [Unknown]:&nbsp; Gaulois</font></tt>
  +<br><tt><font size=-1>What is the name of your City or Locality?</font></tt>
  +<br><tt><font size=-1>&nbsp; [Unknown]:&nbsp; Alesia</font></tt>
  +<br><tt><font size=-1>What is the name of your State or Province?</font></tt>
  +<br><tt><font size=-1>&nbsp; [Unknown]:&nbsp; 50</font></tt>
  +<br><tt><font size=-1>What is the two-letter country code for this unit?</font></tt>
  +<br><tt><font size=-1>&nbsp; [Unknown]:&nbsp; FR</font></tt>
  +<br><tt><font size=-1>Is &lt;CN=www.vercingetorix.org, OU=Chief, O=Gaulois,
  +L=Alesia, ST=50, C=FR> correct?</font></tt>
  +<br><tt><font size=-1>&nbsp; [no]:&nbsp; yes</font></tt><br>
  +<br>
  +<BR></ul>
  +
  +<li>
  +I suggest you install jcert.jar, jnet.jar and jsse.jar in $JAVA_HOME/jre/lib/ext
  +and then add them to CLASSPATH export</li>
  +
  +<p><br><font face="Courier New, Courier, mono"><font size=-1>CLASSPATH=$JAVA_HOME/jre/lib/ext/jcert.jar:$CLASSPATH
  +export CLASSPATH=$JAVA_HOME/jre/lib/ext/jnet.jar:$CLASSPATH export CLASSPATH=$JAVA_HOME/jre/lib/ext/jsse.jar:$CLASSPATH</font></font>
  +<p>You could also copy the 3 jars in $TOMCAT_HOME/lib/ so there are automatically
  +added to CLASSPATH at tomcat startup (tomcat.sh).</ul>
  +
  +<h3>
  +<a NAME="s63"></a>Importing SSL certificates</h3>
  +It's possible to import certificates generated with <a href="http://www.openssl.org">OpenSSL</a>.
  +Here are the steps needed to generate such certs with OpenSSL :
  +<ul>
  +<li>
  +To generate a new request and a new key</li>
  +
  +<pre><font face="Courier New, Courier, mono">openssl req -new -out REQ.pem -keyout KEY.pem</font></pre>
  +
  +<li>
  +To generate a self signed x509 certificate from a certificate request using
  +a supplied key, and we want to see the text form of the output certificate
  +(which we will put in the file selfSign.pem</li>
  +
  +<br>&nbsp;
  +<p>&nbsp;
  +<p><font face="Courier New, Courier, mono"><font size=-1>openssl req -x509
  +-in REQ.pem -key KEY.pem -out CERT.pem</font></font>
  +<li>
  +Verify that the signature is correct on a certificate request.</li>
  +
  +<br>&nbsp;
  +<p>&nbsp;
  +<p><font face="Courier New, Courier, mono"><font size=-1>openssl req -verify
  +-in REQ.pem</font></font>
  +<li>
  +Verify that the signature was made using a specified public key</li>
  +
  +<br>&nbsp;
  +<p>&nbsp;
  +<p><font face="Courier New, Courier, mono"><font size=-1>openssl req -verify
  +-in REQ.pem -key KEY.pem</font></font>
  +<li>
  +Print the contents of a certificate request</li>
  +
  +<br>&nbsp;
  +<p>&nbsp;
  +<p><font face="Courier New, Courier, mono"><font size=-1>openssl req -text
  +-in REQ.pem</font></font>
  +<li>
  +To import the CERT in keystore, you just do next :</li>
  +
  +<br>&nbsp;
  +<p>&nbsp;
  +<p><font face="Courier New, Courier, mono"><font size=-1>keytool -import
  +-v -trustcacerts -alias tomcat -file</font></font> <font face="Courier New, Courier, mono"><font size=-1>CERT.pem</font></font></ul>
  +
  +<hr>
  +<h2>
  +<a NAME="s7"></a>Credits</h2>
  +This document was created by <a href="mailto:hgomez@slib.fr">Gomez Henri</a>.
  +Thanks to hgopal@cmcltd.com for import info. Feel free to contact me for
  +more updates.
  +<br>&nbsp;
  +<table BORDER=0 CELLSPACING=0 CELLPADDING=10 WIDTH="100%" >
  +<tr>
  +<td>
  +<div class="fineprint">Copyright &copy;1999-2000 The Apache Software Foundation</div>
  +
  +<p><br><a href="http://jakarta.apache.org/legal.html">Legal Stuff They
  +Make Us Say</a>
  +<br><a href="http://jakarta.apache.org/contact.html">Contact Information</a></td>
  +</tr>
  +</table>
  +
  +</body>
  +</html>
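Review bot: the new "Syntax for tomcat 3.3" connector example is malformed: the line `keypass="changeit"/` carries a stray `/` before the element is actually closed on the next line with `clientAuth="false" />`, so a reader who copies it gets an XML parse error at startup; drop the slash after `keypass="changeit"`. Two more points in the same hunk. In the mod_ssl VirtualHost example, `SSLCipherSuite ALL:!ADH:!EXP56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL` enables SSLv2, export-grade, LOW and eNULL (no encryption at all) suites; since the stated goal of the section is to "secure your webapps via Apache SSL support", the example should exclude those classes (e.g. `!eNULL:!EXP:!LOW:!SSLv2`) or at least carry a comment saying it is a permissive template. In the OpenSSL import steps, the text says the self-signed certificate "will [be] put in the file selfSign.pem" but the command writes `-out CERT.pem`, and the later `keytool -import ... -file CERT.pem` depends on that name; make the prose match the command. Minor: the `<Directory "/var/tomcat/webapps/alesia">` block sets `Options Indexes FollowSymLinks` while only `/alesia/WEB-INF/` is denied, so a `<Location "/alesia/META-INF/">` deny alongside it would be consistent with the intent of hiding webapp internals from Apache.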