Posted to users@tomcat.apache.org by "Aripaka, Krishna" <ka...@teksystems.com> on 2014/05/02 10:55:18 UTC

Reg: Issue in SSL Authentication in Tomcat after new client certificate has been created / added, Tomcat has to be started every time I add a new client certificate

Hi,

1. We are using Tomcat 7.0.39 in our application.
2. We have implemented Two Way SSL authentication using java keytool
3. Issue is, when we create a new client certificate and add it to the Java Keystore (.jks), we are unable to authenticate unless we restart the Tomcat.
So, every time we add a new client certificate, we are restarting the Tomcat. Is there any way to handle this scenario without restarting the Tomcat?

I have read the document thoroughly, but I didn't get any information regarding this. Can you please help us on this?
Thanks in advance.

--
Thanks & Regards,

Krishna Chaitanya Aripaka | Consultant
Cell    : +91 92912 41123   | Work  : +91 40 30113024

This electronic mail (including any attachments) may contain information that is privileged, confidential, and/or otherwise protected from disclosure to anyone other than its intended recipient(s). Any dissemination or use of this electronic mail or its contents (including any attachments) by persons other than the intended recipient(s) is strictly prohibited. If you have received this message in error, please notify us immediately by reply e-mail so that we may correct our internal records. Please then delete the original message (including any attachments) in its entirety. Thank you.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Reg: Issue in SSL Authentication in Tomcat after new client certificate has been created / added, Tomcat has to be started every time I add a new client certificate

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Krishna,

On 5/2/14, 4:55 AM, Aripaka, Krishna wrote:
> 1. We are using Tomcat 7.0.39 in our application.
> 
> 2. We have implemented Two Way SSL authentication using java
> keytool
> 
> 3. Issue is, when we create a new client certificate and add it to 
> Java Keystore(.jks), we are unable to authenticate unless we
> restart the Tomcat.

FYI this is the "trust store" - the things you trust, not the
keystore. They have the same file format, but they are used for
different things.

> So, every time we add a new client certificate, we are restarting
> the Tomcat. Is there any way to handle this scenario without
> restarting the Tomcat?

Tomcat's connector needs to be restarted when you add something to the
trust store. Can you try using something like JMX to restart the
connector?

There is an enhancement request to support CRL re-loading in the
secure connector implementations [1]. Perhaps a similar strategy could
be used to reload the trust store as well.

> I have read the document thoroughly, but I didn't get any
> information regarding this. Can you please help us on this? Thanks
> in advance.

IMHO, you shouldn't be storing individual certificates in your trust
store: that's a management headache. Instead, use a trusted
certificate to /sign/ your client certificates and then simply trust
the single certificate. If you need to revoke a certificate, then
you'll need to be able to manage your CRL properly in the same way
that it's tough to maintain your trust store right now. It's a
balancing act.

-chris

[1] https://issues.apache.org/bugzilla/show_bug.cgi?id=55770

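An added example illustrating the approach Chris describes above (it is not from the thread, the poster, or the Tomcat project): a small keytool script that creates a private CA, issues two client certificates signed by it, and builds a trust store that holds only the CA certificate. The point it demonstrates is that the trust store never changes when a new client is issued, so the connector does not need to re-read it. The CA name, aliases, the password "changeit" and the temporary file locations are constructed placeholders; the script needs a JDK's keytool on the PATH and exits cleanly if none is found.

```sh
#!/bin/sh
# Added example (not from the thread): CA-signed client certificates with a
# one-entry trust store. Names, aliases and passwords below are placeholders.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
  echo "keytool (JDK) not found on PATH; nothing to do" >&2
  exit 0
fi

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
PASS=changeit                      # placeholder; use real secrets in practice
CA_DN="CN=Example Client CA"       # constructed issuer name

# 1. Private CA: a self-signed key pair flagged as a CA (BasicConstraints)
#    and allowed to sign certificates and CRLs.
keytool -genkeypair -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS" \
  -alias ca -keyalg RSA -keysize 2048 -validity 3650 -dname "$CA_DN" \
  -ext bc=ca:true -ext ku=keyCertSign,cRLSign >/dev/null
keytool -exportcert -keystore "$WORK/ca.jks" -storepass "$PASS" \
  -alias ca -rfc -file "$WORK/ca.pem" >/dev/null

# 2. Tomcat's trust store: only the CA certificate. This is the file the
#    connector's truststoreFile points at; it does not change when a new
#    client is issued.
keytool -importcert -keystore "$WORK/truststore.jks" -storepass "$PASS" \
  -alias ca -file "$WORK/ca.pem" -noprompt >/dev/null

# 3. Issue a client certificate: key pair and CSR on the client side, signed
#    by the CA, chain installed back into the client's own keystore.
issue_client() {
  name=$1
  keytool -genkeypair -keystore "$WORK/$name.jks" -storepass "$PASS" -keypass "$PASS" \
    -alias "$name" -keyalg RSA -keysize 2048 -dname "CN=$name" >/dev/null
  keytool -certreq -keystore "$WORK/$name.jks" -storepass "$PASS" \
    -alias "$name" -file "$WORK/$name.csr" >/dev/null
  keytool -gencert -keystore "$WORK/ca.jks" -storepass "$PASS" -keypass "$PASS" \
    -alias ca -infile "$WORK/$name.csr" -outfile "$WORK/$name.pem" -rfc \
    -validity 365 -ext ku=digitalSignature -ext eku=clientAuth >/dev/null
  keytool -importcert -keystore "$WORK/$name.jks" -storepass "$PASS" \
    -alias ca -file "$WORK/ca.pem" -noprompt >/dev/null
  keytool -importcert -keystore "$WORK/$name.jks" -storepass "$PASS" -keypass "$PASS" \
    -alias "$name" -file "$WORK/$name.pem" -noprompt >/dev/null
}

# Helpers used to check the result.
trust_anchor_count() {
  keytool -list -keystore "$WORK/truststore.jks" -storepass "$PASS" | grep -c trustedCertEntry
}
issuer_of() {
  keytool -printcert -file "$1" | sed -n 's/^Issuer: //p' | head -n 1
}

issue_client client1
issue_client client2

echo "trust anchors in truststore.jks: $(trust_anchor_count)"   # stays 1, not 2
echo "client1 issued by: $(issuer_of "$WORK/client1.pem")"
echo "client2 issued by: $(issuer_of "$WORK/client2.pem")"
```

With a trust store built this way, the HTTPS connector's truststoreFile and truststorePass (with clientAuth="true") point at a file containing a single trusted entry, and any client presenting a certificate issued by that CA authenticates without the store being touched. The trade-off Chris mentions applies: because clients are no longer removed by deleting an entry, revocation has to be handled by a CRL (or by keeping client certificate validity short) rather than by editing the trust store.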


RE: Reg: Issue in SSL Authentication in Tomcat after new client certificate has been created / added, Tomcat has to be started every time I add a new client certificate

Posted by Martin Gainty <mg...@hotmail.com>.
Krishna

Let me check with the engineers who want to work for you for free
