forked from dogtagpki/tomcatjss
-
Notifications
You must be signed in to change notification settings - Fork 0
JSS Connector for Apache Tomcat Issues should be reported to the JSS Connector for Apache Tomcat Pagure Issues site
License
c-dorney/tomcatjss
Folders and files
Name | Name | Last commit message | Last commit date | |
---|---|---|---|---|
Repository files navigation
JSS Connector for Apache Tomcat, installed via the tomcatjss package, is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that uses Java Security Services (JSS), a Java interface to Network Security Services (NSS). JSS Connector for Apache Tomcat defines a number of attributes for a Connector including: clientauth: specify if client authentication is required in the connector (or port), it can be true or false. If true then client authentication is required. sslOptions: specify a comma-delimited list of ssl options to pass into the ssl implementation. Each option takes the form of: option=[true|false]. JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls. ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject" ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject". tlsCiphers: specifies a list of TLS ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject". serverCertNickFile: a file in which specify the nickname of the server certificate. The file should contain a single line that contains the nickname. passwordFile: specify a file in which a password that is required to access NSS's security database. Each entry in the file needs to appear on its own line and has the form: token_name=password certdbDir: specify the directory the NSS security database resides in. passwordClass: specify the class that will be used to read the password. sslProtocol: needs to be SSL sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation in order to use the plugin Here is an example of a secure connector: <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" keyStoreType="PKCS11" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" enableLookups="false" disableUploadTimeout="true" sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation" enableOCSP="false" ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp" ocspResponderCertNickname="ocspSigningCert cert-pki-ca" ocspCacheSize="1000" ocspMinCacheEntryDuration="60" ocspMaxCacheEntryDuration="120" ocspTimeout="10" strictCiphers="false" clientAuth="agent" clientauth="agent" sslOptions="ssl2=true,ssl3=true,tls=true" ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5" ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA" tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA" serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf" passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf" passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile" certdbDir="/var/lib/pki/redhat.com-foobar/alias" />
About
JSS Connector for Apache Tomcat Issues should be reported to the JSS Connector for Apache Tomcat Pagure Issues site
Resources
License
Stars
Watchers
Forks
Packages 0
No packages published
Languages
- Java 75.7%
- Shell 21.8%
- Dockerfile 2.2%
- Makefile 0.3%