forked from dogtagpki/tomcatjss
-
Notifications
You must be signed in to change notification settings - Fork 0
/
README
79 lines (65 loc) · 4.49 KB
/
README
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
JSS Connector for Apache Tomcat, installed via the tomcatjss package,
is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that
uses Java Security Services (JSS), a Java interface to Network Security
Services (NSS).
JSS Connector for Apache Tomcat defines a number of attributes for a Connector
including:
clientauth: specify if client authentication is required in the connector (or
port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl
implementation. Each option takes the form of: option=[true|false].
JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.
ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject"
ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".
tlsCiphers: specifies a list of TLS ciphers that JSS Connector for
Apache Tomcat should accept or reject from the client. You can use + to
denote "accept", - means "reject".
serverCertNickFile: a file in which specify the nickname of the
server certificate. The file should contain a single line that contains
the nickname.
passwordFile: specify a file in which a password that is required to access
NSS's security database. Each entry in the file needs to appear on its own
line and has the form: token_name=password
certdbDir: specify the directory the NSS security database resides in.
passwordClass: specify the class that will be used to read the password.
sslProtocol: needs to be SSL
sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation
in order to use the plugin
Here is an example of a secure connector:
<Connector port="8443"
protocol="HTTP/1.1"
SSLEnabled="true"
sslProtocol="SSL"
scheme="https"
secure="true"
keyStoreType="PKCS11"
maxHttpHeaderSize="8192"
acceptCount="100"
maxThreads="150"
minSpareThreads="25"
enableLookups="false"
disableUploadTimeout="true"
sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
enableOCSP="false"
ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
ocspCacheSize="1000"
ocspMinCacheEntryDuration="60"
ocspMaxCacheEntryDuration="120"
ocspTimeout="10"
strictCiphers="false"
clientAuth="agent"
clientauth="agent"
sslOptions="ssl2=true,ssl3=true,tls=true"
ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>