Skip to content

JSS Connector for Apache Tomcat Issues should be reported to the JSS Connector for Apache Tomcat Pagure Issues site

License

Notifications You must be signed in to change notification settings

c-dorney/tomcatjss

 
 

Repository files navigation

JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).

JSS Connector for Apache Tomcat defines a number of attributes for a Connector
including:

clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.

sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.

ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject"

ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".

tlsCiphers: specifies a list of TLS ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".

serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.

passwordFile: specify a file in which a password that is required to access
NSS's security database. Each entry in the file needs to appear on its own
line and has the form: token_name=password

certdbDir: specify the directory the NSS security database resides in.

passwordClass: specify the class that will be used to read the password.

sslProtocol: needs to be SSL

sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin

Here is an example of a secure connector:

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="SSL"
           scheme="https"
           secure="true"
           keyStoreType="PKCS11"
           maxHttpHeaderSize="8192"
           acceptCount="100"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="false"
           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10"
           strictCiphers="false"
           clientAuth="agent"
           clientauth="agent"
           sslOptions="ssl2=true,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>

About

JSS Connector for Apache Tomcat Issues should be reported to the JSS Connector for Apache Tomcat Pagure Issues site

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • Java 75.7%
  • Shell 21.8%
  • Dockerfile 2.2%
  • Makefile 0.3%