Posted to users@tomcat.apache.org by Gael Abadin <ga...@imatia.com> on 2015/10/05 13:05:11 UTC

Demand CLIENT-CERT only on certain pages but demand SSL in all pages

Hello, fellow users.

I've been trying to configure tomcat to request client certificate
authentication on a single page, while serving every other SSL page without
requesting a client certificate (before or after authentication). Depending
on the configuration I use, one of 2 things happens: either I get a request
for a client certificate on ANY HTTPS page I visit first, or I do not get a
request at all, never, even when I launch the browser and go straight to
the protected page (/my-app-name/public/login/login.xhtml).

Am I doing something wrong or is this kind of configuration just not
possible?

Here is my web.xml security constraint and login config (I've also tried
omitting <login-config>):

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Protected Context</web-resource-name>
      <url-pattern>/public/login/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>


And here is my server.xml config (I've also tried clientAuth="false" and
clientAuth="true"):

<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.startup.VersionLoggerListener"/>

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener SSLEngine="on"
            className="org.apache.catalina.core.AprLifecycleListener"/>
  <!--Initialize Jasper prior to webapps are loaded. Documentation at
      /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>

  <GlobalNamingResources>
    <Resource auth="Container"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              name="UserDatabase" pathname="conf/tomcat-users.xml"
              type="org.apache.catalina.UserDatabase"/>
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector connectionTimeout="20000" port="80" protocol="HTTP/1.1"
               redirectPort="443"/>

    <Connector SSLEnabled="true" clientAuth="want" maxThreads="150"
               port="443" protocol="org.apache.coyote.http11.Http11Protocol"
               scheme="https" secure="true" sslProtocol="TLS"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="443"/>

    <Engine defaultHost="localhost" name="Catalina">
      <Realm className="org.apache.catalina.realm.LockOutRealm">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
               resourceName="UserDatabase"/>
      </Realm>
      <Host appBase="webapps" autoDeploy="true" name="localhost"
            unpackWARs="true">
        <Valve className="org.apache.catalina.valves.AccessLogValve"
               directory="logs" pattern="%h %l %u %t &quot;%r&quot; %s %b"
               prefix="localhost_access_log." suffix=".txt"/>
        <Context docBase="my-app-name" path="/my-app-name"
                 reloadable="true" source="org.eclipse.jst.jee.server:cividas-core-web"/>
      </Host>
    </Engine>
  </Service>
</Server>

It is my first Tomcat SSL client cert set up so I must be missing
something. Hope you may help me see it :-)

Cheers,

-- 



Alberto Gael Abadin Martinez
Junior Developer

www.imatia.com

*Tel: *+34 986 342 774 ext 4531

*Email: *gael.abadin@imatia.com
Edificio CITEXVI
Fonte das Abelleiras, s/n - Local 27
36310 Vigo (Pontevedra)
España

This message, and in the case of any file annexed to it, can have
confidential information, and it is exclusively for the use of the
addressee of the message. It is strictly forbidden to spread a copy or
distribute to third parties, without the express order of the sender. If
you have received this message mistakenly, we request you to notify to the
sender, and please be sure to erase it. Thank you for your collaboration.

Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

Posted by Gael Abadin <ga...@imatia.com>.
@Mark Thomas:

I have been going through the documentation on

https://docs.oracle.com/cd/E19798-01/821-1841/bncbk/index.html

trying to come up with a set of security constraints that allow me to force
SSL without asking for a client certificate except on a single login page,
but there is nothing there suggesting a configuration where I can force SSL
without asking for a client certificate: Once I set the CONFIDENTIAL
transport guarantee and the CLIENT-CERT auth method I will be asked for a
client cert when I land on an SSL page, no matter what.

I think I am getting something wrong. Please, can you be more specific on
the solution you suggest?



2015-10-06 16:52 GMT+02:00 Mark Thomas <ma...@apache.org>:

> On 06/10/2015 15:46, George Stanchev wrote:
> > Mark,
> >
> > What are the possible issues with renegotiation? We're on NIO
> > connectors, is there anything known?
>
> NIO should be fine. We've seen odd issues on OSX we haven't been able to
> track down.
>
> Mark

Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

Posted by Mark Thomas <ma...@apache.org>.
On 06/10/2015 15:46, George Stanchev wrote:
> Mark,
> 
> What are the possible issues with renegotiation? We're on NIO connectors, is there anything known?

NIO should be fine. We've seen odd issues on OSX we haven't been able to
track down.

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

Posted by George Stanchev <Gs...@serena.com>.
Mark,

What are the possible issues with renegotiation? We're on NIO connectors, is there anything known?

George

-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org] 
Sent: Monday, October 05, 2015 8:32 AM
To: Tomcat Users List
Subject: Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

On 05/10/2015 12:05, Gael Abadin wrote:
> Hello, fellow users.
> 
> I've been trying to configure tomcat to request client certificate 
> authentication on a single page, while serving every other SSL page 
> without requesting a client certificate (before or after 
> authentication). Depending on the configuration I use, one of 2 things 
> happen: either I get a request for a client certificate on ANY HTTPS 
> page I visit first, or I do not get a request at all, never, even when 
> I launch the browser and go straight to the protected page (/my-app-name/public/login/login.xhtml).
> 
> Am I doing something wrong or is this kind of configuration just not 
> possible?

That should be possible but you'll need two security constraints. One to require TLS everywhere and one for the pages where you require authentication.

You may also hit issues with which connectors support renegotiation (don't use APR).

Mark


Re: Demand CLIENT-CERT only on certain pages but demand SSL in all pages

Posted by Mark Thomas <ma...@apache.org>.
On 05/10/2015 12:05, Gael Abadin wrote:
> Hello, fellow users.
> 
> I've been trying to configure tomcat to request client certificate
> authentication on a single page, while serving every other SSL page without
> requesting a client certificate (before or after authentication). Depending
> on the configuration I use, one of 2 things happen: either I get a request
> for a client certificate on ANY HTTPS page I visit first, or I do not get a
> request at all, never, even when I launch the browser and go straight to
> the protected page (/my-app-name/public/login/login.xhtml).
> 
> Am I doing something wrong or is this kind of configuration just not
> possible?

That should be possible but you'll need two security constraints. One to
require TLS everywhere and one for the pages where you require
authentication.

You may also hit issues with which connectors support renegotiation
(don't use APR).

Mark

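The two-constraint layout suggested in this thread could look like the following, shown as an added example that is not part of any message above. The role name cert-user and the web-resource-name values are assumptions, the Realm must map the presented certificate to a user holding that role, and keystore/truststore attributes are omitted as they are in the posted server.xml.

```xml
<!-- ===== web.xml (inside <web-app>) ===== -->

<!-- Constraint 1: TLS for every URL. There is no <auth-constraint>,
     so these pages never trigger a login and never ask for a certificate. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Whole application over TLS</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<!-- Constraint 2: the login path also requires an authenticated user.
     The <auth-constraint> is what makes the container run the
     CLIENT-CERT authenticator; the constraint posted in the thread has none.
     CONFIDENTIAL is repeated because the more specific URL pattern is the
     one that applies to these requests. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Certificate login</web-resource-name>
    <url-pattern>/public/login/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>cert-user</role-name> <!-- hypothetical role name -->
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>CLIENT-CERT</auth-method>
</login-config>

<security-role>
  <role-name>cert-user</role-name>
</security-role>

<!-- ===== server.xml (inside <Service>) ===== -->

<!-- clientAuth="false": no certificate is requested in the initial
     handshake. Tomcat asks for one (via renegotiation) only when a
     request hits a resource protected by a CLIENT-CERT security
     constraint. "want" or "true" would request it on every connection. -->
<Connector SSLEnabled="true" clientAuth="false" maxThreads="150"
           port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           scheme="https" secure="true" sslProtocol="TLS"/>
```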