# JSS Connector for Apache Tomcat

dogtagpki/tomcatjss

JSS Connector for Apache Tomcat, installed via the `tomcatjss` package, is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that uses Java Security Services (JSS), a Java interface to Network Security Services (NSS).

> **Note**
> Tomcat JSS 8.5 has been merged into JSS 5.5.

## Configuration

JSS Connector for Apache Tomcat defines a number of attributes for a `Connector`, including:

- `clientauth`: specifies whether client authentication is required on the connector (or port); it can be `true` or `false`. If `true`, client authentication is required.

- `sslOptions`: specifies a comma-delimited list of SSL options to pass into the SSL implementation. Each option takes the form `option=[true|false]`. JSS Connector for Apache Tomcat supports the options `ssl2`, `ssl3` and `tls`.

- `ssl2Ciphers`: specifies a list of SSL2 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. Prefix a cipher with `+` to denote "accept" and with `-` to denote "reject".

- `ssl3Ciphers`: specifies a list of SSL3 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. Prefix a cipher with `+` to denote "accept" and with `-` to denote "reject".

- `tlsCiphers`: specifies a list of TLS ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. Prefix a cipher with `+` to denote "accept" and with `-` to denote "reject".

- `serverCertNickFile`: a file that specifies the nickname of the server certificate. The file should contain a single line holding the nickname.

- `passwordFile`: specifies a file containing the password required to access NSS's security database. Each entry in the file must appear on its own line and has the form `token_name=password`.

- `certdbDir`: specifies the directory in which the NSS security database resides.

- `passwordClass`: specifies the class that will be used to read the password.

- `sslProtocol`: must be `SSL`.

- `sslImplementationName`: MUST be `org.apache.tomcat.util.net.jss.JSSImplementation` in order to use the plugin.

## Examples

Here is an example of a secure connector:

```xml
<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="SSL"
           scheme="https"
           secure="true"
           keyStoreType="PKCS11"
           maxHttpHeaderSize="8192"
           acceptCount="100"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="false"
           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10"
           strictCiphers="false"
           clientAuth="agent"
           clientauth="agent"
           sslOptions="ssl2=true,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki/redhat.com-foobar/alias"/>
```
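An added review check (example code written for this page, not part of tomcatjss) that parses the attribute syntax documented above, `sslOptions` as `option=[true|false]` and the cipher attributes as `+name`/`-name`, and reports what a defender would want to see before deploying a connector: a wrong `sslImplementationName`, an `sslProtocol` other than `SSL`, `ssl2`/`ssl3` enabled, and accepted suites that match a list of weak-algorithm markers (that marker list is my assumption, not the project's). The embedded connector is constructed; run over the README's own example above, the check would also report `ssl2` and `ssl3` enabled and the accepted RC4, DES and 3DES suites.

```python
import xml.etree.ElementTree as ET

JSS_IMPL = "org.apache.tomcat.util.net.jss.JSSImplementation"
WEAK_MARKERS = ("NULL", "EXPORT", "RC4", "DES", "MD5")  # assumption: markers of weak suites

def parse_options(value):
    """'ssl2=true,ssl3=false,tls=true' -> {'ssl2': True, 'ssl3': False, 'tls': True}."""
    options = {}
    for item in value.split(","):
        name, _, flag = item.strip().partition("=")
        if name:  # anything other than an explicit 'true' counts as disabled
            options[name] = flag.strip().lower() == "true"
    return options

def parse_ciphers(value):
    """'+A,-B' -> ({'A'}, {'B'}): '+' marks a suite accepted, '-' marks it rejected."""
    accepted, rejected = set(), set()
    for item in value.split(","):
        item = item.strip()
        if item.startswith("+"):
            accepted.add(item[1:])
        elif item.startswith("-"):
            rejected.add(item[1:])
    return accepted, rejected

def check_connector(connector_xml):
    """Return review findings for one <Connector> element; an empty list means clean."""
    conn = ET.fromstring(connector_xml)
    findings = []
    if conn.get("sslImplementationName") != JSS_IMPL:
        findings.append("sslImplementationName must be " + JSS_IMPL)
    if conn.get("sslProtocol") != "SSL":
        findings.append("sslProtocol must be SSL")
    options = parse_options(conn.get("sslOptions", ""))
    for legacy in ("ssl2", "ssl3"):
        if options.get(legacy):
            findings.append(legacy + " is enabled in sslOptions")
    for attr in ("ssl2Ciphers", "ssl3Ciphers", "tlsCiphers"):
        accepted, _ = parse_ciphers(conn.get(attr, ""))
        weak = sorted(c for c in accepted if any(m in c for m in WEAK_MARKERS))
        if weak:
            findings.append(attr + " accepts weak suites: " + ", ".join(weak))
    return findings

# Constructed sample (not the README's connector): SSLv3 left on and a 3DES suite accepted.
SAMPLE_CONNECTOR = (
    '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" '
    'sslImplementationName="' + JSS_IMPL + '" sslOptions="ssl2=false,ssl3=true,tls=true" '
    'tlsCiphers="+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA"/>'
)
```

Calling `check_connector(SAMPLE_CONNECTOR)` returns two findings, one for `ssl3` and one for the accepted 3DES suite; pass any `<Connector>` element from `server.xml` to review a real deployment.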
