Posted to users@tomcat.apache.org by Bill Barker <wb...@wilshire.com> on 2007/06/01 05:14:15 UTC

Re: Tomcat TLS with PKCS11 token

If you are using the JIO Connector (the default if APR isn't installed), 
then you should just be able to specify keystoreType="PKCS11" on the 
<Connector /> element, and configure the PKCS11 setting as in the JCE 
documents for your Java vendor.  If you have more than just the one Tomcat 
key, then you will also want to specify the keyAlias="myHostAlias" option on 
the <Connector />.  I'm guessing that this will work with the NIO Connector 
as well, but I haven't looked.  I've got no clue how to do this for the APR 
Connector :), but if you are using truststoreFile, then you aren't using 
APR.

"Lee, Esmond" <Es...@cable.comcast.com> wrote in message 
news:38F5F6E4D905F142BAA734B9D894F124055F849E@CAPLSEXCMB01.cable.comcast.com...
Hello,



I would like to use TOMCAT 6 as an HTTPS server on our windows/linux
servers, using a PCI based PKCS11 token that stores the keys for TLS
connectivity. Up until now, we've enabled TLS connections using the
keystoreFile/keystorePass, truststoreFile/truststorePass attribute pairs
in server.xml. Our core application currently uses the PKCS11 token for
our keystore, but we would like TOMCAT to use it as well. Is there a way
to configure TOMCAT (via server.xml or by other means) to use this
token?

Thanks in advance.



Esmond

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


RE: Re: Tomcat TLS with PKCS11 token

Posted by "Lee, Esmond" <Es...@cable.comcast.com>.
Thanks for the reply, however I think I've tried that and got some
errors stating that Tomcat couldn't find the keystore file. Here is a
snippet of my server.xml file 

From Tomcat 5.5.23 - (I know I mentioned Tomcat 6 in the original thread
but that was a mistake)

<Connector port="443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreType="PKCS11"
           ciphers="TLS_RSA_WITH_AES_128_CBC_SHA" />

and here is the error I am getting..

java.io.IOException: Exception trying to load keystore C:\Documents and Settings\elee3389k/.keystore: PKCS11 not found
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:294)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:227)
	at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:142)
	at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:110)
	at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:89)
	at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:293)
	at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:139)
	at org.apache.catalina.connector.Connector.initialize(Connector.java:1017)
	at org.apache.catalina.core.StandardService.initialize(StandardService.java:578)
	at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:782)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:504)
	at org.apache.catalina.startup.Catalina.load(Catalina.java:524)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
	at java.lang.reflect.Method.invoke(Method.java:597)
	at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:267)
	at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
May 31, 2007 2:52:26 PM org.apache.catalina.startup.Catalina load

It looks like the JSSESocketFactory has some default keystore file (and
maybe even password) that it sets when one is not set in the Connector.
This could be a problem as the PKCS11 Provider that I am using expects
null values for the keystore file and password.

Also, since there doesn't seem to be a way to tell the Tomcat connector
which PKCS11 Provider to use, do you know if Tomcat just searches the
Providers that are registered in the java.security file? 

Esmond Lee
Staff Engineer
CCAD, LLC
858.736.3238
 
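The two points raised in this thread (Bill's keystoreType="PKCS11"/keyAlias advice and Esmond's question about which provider Tomcat uses, plus the "PKCS11 not found" error) can be checked outside Tomcat with a small standalone diagnostic. This is an added example, not code from the thread or from Tomcat; the class name Pkcs11KeystoreCheck is my own, and it assumes a Java 5/6-era setup where the SunPKCS11 provider is registered through a security.provider.N line in java.security, which is how Tomcat's KeyStore.getInstance("PKCS11") call finds it.

```java
import java.io.Console;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.util.Arrays;
import java.util.Enumeration;

// Added diagnostic (not Tomcat code): shows what KeyStore.getInstance("PKCS11") sees,
// then opens the token the way a PKCS11 keystore must be opened (null stream, PIN as password).
public class Pkcs11KeystoreCheck {

    // Returns the registered provider that supplies the KeyStore.PKCS11 service, or null.
    // null is exactly the "PKCS11 not found" case from the stack trace: no provider line such as
    //   security.provider.N=sun.security.pkcs11.SunPKCS11 /path/to/pkcs11.cfg   (assumed path)
    // is present in java.security, so KeyStore.getInstance("PKCS11") throws.
    static Provider findPkcs11KeyStoreProvider() {
        for (Provider p : Security.getProviders()) {
            if (p.getService("KeyStore", "PKCS11") != null) {
                return p;
            }
        }
        return null;
    }

    // A PKCS11 keystore has no backing file: the stream must be null and the
    // password is the token PIN. Passing a file path here (Tomcat's ~/.keystore default) is wrong.
    static KeyStore openToken(char[] pin) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS11");
        ks.load(null, pin);
        return ks;
    }

    public static void main(String[] args) throws Exception {
        Provider p = findPkcs11KeyStoreProvider();
        if (p == null) {
            System.err.println("No registered provider offers KeyStore.PKCS11; register SunPKCS11 in java.security");
            return;
        }
        System.out.println("KeyStore.PKCS11 is served by provider: " + p.getName());

        Console console = System.console();   // PIN is read interactively, never hard-coded
        if (console == null) { System.err.println("run from an interactive console"); return; }
        char[] pin = console.readPassword("Token PIN: ");
        KeyStore ks = openToken(pin);
        Arrays.fill(pin, '\0');               // scrub the PIN once the token is open

        // Entries holding a private key are the candidates for keyAlias="..." on the Connector.
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (ks.isKeyEntry(alias)) System.out.println("key entry (usable as keyAlias): " + alias);
        }
    }
}
```

If this program reports a provider and lists a key entry, the same JVM will find the token for Tomcat; if it reports no provider, fix java.security before touching server.xml.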
