Posted to users@tomcat.apache.org by "D'Alessandro, Arthur" <Ar...@cbetech.com> on 2004/03/23 23:28:38 UTC
Tomcat 5 Multiple SSL certificates (virtual hosts)
We'd like to implement a single Tomcat 5 server running multiple IP
address aliases, each with its own SSL certificate assigned. I do not
see a configuration option, other than potentially trying to utilize a
different keystore file (each with its own tomcat alias cert) for each
virtual host.
Is there an easier way, and has anyone had any success in doing so?
-Arthur
Re: Tomcat 5 Multiple SSL certificates (virtual hosts)
Posted by Peter Rossbach <pr...@objektpark.de>.
Hello Arthur,
I have successfully tested such a system with multiple IP interfaces and
different certs.
One thing that is good practice:
have a small Service for the admin web application.
The Engine name of this service is Catalina.
Here is my example configuration with one Catalina Service and two IP
Services with different certs.
<Server port="7305" shutdown="SHUTDOWN" debug="0">
  <!-- Enable JMX MBeans support -->
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
            debug="0"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
            debug="0"/>
  <!-- Global JNDI resources -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved">
    </Resource>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>
  </GlobalNamingResources>

  <!-- Admin service: plain HTTP, bound to localhost only -->
  <Service name="Catalina">
    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 7380 -->
    <Connector port="7380"
               enableLookups="false"
               acceptCount="10"
               address="localhost"/>
    <Engine name="Catalina" defaultHost="localhost" debug="0">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
      <!-- Global logger unless overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              timestamp="true"/>
      <!-- Developer Mode -->
      <Host name="localhost"
            appBase="webapps"
            unpackWARs="false"
            autoDeploy="true"
            deployXML="true"
            deployOnStartUp="true">
      </Host>
    </Engine>
  </Service>

  <!-- First secure host: both Connectors bound to the secure1 address -->
  <Service name="Secure-WebDev1">
    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 7380 -->
    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="7380"
               redirectPort="7543"
               address="secure1"/>
    <!-- SSL Connector on port 7543, using the secure1 keystore -->
    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="7543"
               acceptCount="100" scheme="https" secure="true"
               address="secure1">
      <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
               keystoreFile="conf/secure1.keystore"
               clientAuth="false"
               keystorePass="changeit"
               protocol="TLS"
               SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
    </Connector>
    <Engine name="Secure-Webdev1" defaultHost="secure1" debug="0">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
      <!-- Global logger unless overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              dir="secure1/logs"
              timestamp="true"/>
      <!-- Developer Mode -->
      <Host name="secure1"
            appBase="secure1/webapps"
            unpackWARs="false"
            autoDeploy="true"
            deployXML="true"
            deployOnStartUp="true">
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"
               debug="0"/>
        -->
      </Host>
    </Engine>
  </Service>

  <!-- Second secure host: both Connectors bound to the secure2 address -->
  <Service name="Secure-WebDev2">
    <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 7380 -->
    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="7380"
               redirectPort="7543"
               address="secure2"/>
    <!-- SSL Connector on port 7543, using the secure2 keystore -->
    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="7543"
               scheme="https" secure="true"
               address="secure2">
      <Factory className="org.apache.coyote.tomcat5.CoyoteServerSocketFactory"
               keystoreFile="conf/secure2.keystore"
               clientAuth="false"
               keystorePass="changeit2"
               protocol="TLS"
               SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation" />
    </Connector>
    <Engine name="Secure-Webdev2" defaultHost="secure2" debug="0">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             debug="0" resourceName="UserDatabase"/>
      <!-- Global logger unless overridden at lower levels -->
      <Logger className="org.apache.catalina.logger.FileLogger"
              prefix="catalina_log." suffix=".txt"
              dir="secure2/logs"
              timestamp="true"/>
      <!-- Developer Mode -->
      <Host name="secure2"
            appBase="secure2/webapps"
            unpackWARs="false"
            autoDeploy="true"
            deployXML="true"
            deployOnStartUp="true">
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn"
               debug="0"/>
        -->
      </Host>
    </Engine>
  </Service>
</Server>
I hope this helps
Peter
--
http://tomcat.objektpark.org/
Bill Barker wrote:
>IMHO, using separate keystore files is the easiest option. However, it
>should also be possible to specify which cert to use via the 'keyAlias'
>attribute on the Connector.
>
>"D'Alessandro, Arthur" <Ar...@cbetech.com> wrote in message
>news:58308322565CAC4DB0B7845FA6959E2FD9DD4D@cbebosex01.cbetech.local...
>We'd like to implement a single Tomcat 5 server running multiple IP
>address aliases, each with its own SSL certificate assigned. I do not
>see a configuration option, other than potentially trying to utilize a
>different keystore file (each with its own tomcat alias cert) for each
>virtual host.
>
>Is there an easier way, and has anyone had any success in doing so?
>
>-Arthur
---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
Re: Tomcat 5 Multiple SSL certificates (virtual hosts)
Posted by Bill Barker <wb...@wilshire.com>.
IMHO, using separate keystore files is the easiest option. However, it
should also be possible to specify which cert to use via the 'keyAlias'
attribute on the Connector.
"D'Alessandro, Arthur" <Ar...@cbetech.com> wrote in message
news:58308322565CAC4DB0B7845FA6959E2FD9DD4D@cbebosex01.cbetech.local...
We'd like to implement a single Tomcat 5 server running multiple IP
address aliases, each with its own SSL certificate assigned. I do not
see a configuration option, other than potentially trying to utilize a
different keystore file (each with its own tomcat alias cert) for each
virtual host.
Is there an easier way, and has anyone had any success in doing so?
-Arthur
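A configuration check for the layout Peter posted and the keyAlias alternative Bill mentions, written as an added example (not code from either poster or from Tomcat): it parses a server.xml and reports https Connectors that collide on the same address and port, share a keystore without a keyAlias, keep the default keystore password, or whose plain Connector redirects to the wrong port. The sample server.xml is a constructed, trimmed copy of the thread's layout; reading keyAlias from the Factory or Connector element is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not the poster's file: a trimmed copy of the layout
# in the thread (two Services, each bound to its own address and keystore).
SAMPLE = """<Server port="7305" shutdown="SHUTDOWN">
  <Service name="Secure-WebDev1">
    <Connector port="7380" redirectPort="7543" address="secure1"/>
    <Connector port="7543" scheme="https" secure="true" address="secure1">
      <Factory keystoreFile="conf/secure1.keystore" keystorePass="changeit"/>
    </Connector>
  </Service>
  <Service name="Secure-WebDev2">
    <Connector port="7380" redirectPort="7543" address="secure2"/>
    <Connector port="7543" scheme="https" secure="true" address="secure2">
      <Factory keystoreFile="conf/secure2.keystore" keystorePass="changeit2"/>
    </Connector>
  </Service>
</Server>"""


def lint(server_xml):
    """Return a list of findings for the per-address SSL layout."""
    findings = []
    bound = {}      # (address, port) -> Service that already binds it
    keystores = {}  # keystoreFile -> Service that already uses it
    for svc in ET.fromstring(server_xml).iter("Service"):
        name = svc.get("name")
        conns = svc.findall("Connector")
        plain = [c for c in conns if c.get("secure") != "true"]
        for c in (c for c in conns if c.get("secure") == "true"):
            addr, port = c.get("address"), c.get("port")
            if (addr, port) in bound:
                findings.append(f"{name}: {addr}:{port} already bound by {bound[(addr, port)]}")
            bound[(addr, port)] = name
            fac = c.find("Factory")  # Tomcat 5.0 keeps the SSL settings on Factory
            if fac is None or not fac.get("keystoreFile"):
                findings.append(f"{name}: https Connector on {addr} has no keystoreFile")
                continue
            ks = fac.get("keystoreFile")
            # keyAlias (the attribute Bill names; its placement is assumed here)
            # lets two hosts share one keystore, so only flag sharing without it.
            alias = fac.get("keyAlias") or c.get("keyAlias")
            if ks in keystores and not alias:
                findings.append(f"{name}: keystore {ks} shared with {keystores[ks]} and no keyAlias")
            keystores.setdefault(ks, name)
            if fac.get("keystorePass") == "changeit":
                findings.append(f"{name}: keystore {ks} still uses the default password")
            # The plain Connector on the same address must redirect to this https port.
            for p in plain:
                if p.get("address") == addr and p.get("redirectPort") != port:
                    findings.append(f"{name}: redirectPort {p.get('redirectPort')} does not match https port {port}")
    return findings
```

Run against the sample it reports only the default "changeit" password on the first keystore; point it at a real conf/server.xml to check a deployment before restarting Tomcat.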