Skip to content

dogtagpki/tomcatjss

Repository files navigation

Overview

JSS Connector for Apache Tomcat, installed via the tomcatjss package, is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that uses Java Security Services (JSS), a Java interface to Network Security Services (NSS).

Note
Tomcat JSS 8.5 has been merged into JSS 5.5.

Configuration

JSS Connector for Apache Tomcat defines a number of attributes for a Connector including:

  • clientauth: specify if client authentication is required in the connector (or port), it can be true or false. If true then client authentication is required.

  • sslOptions: specify a comma-delimited list of ssl options to pass into the ssl implementation. Each option takes the form of: option=[true|false]. JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.

  • ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject"

  • ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject".

  • tlsCiphers: specifies a list of TLS ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject".

  • serverCertNickFile: a file in which specify the nickname of the server certificate. The file should contain a single line that contains the nickname.

  • passwordFile: specify a file in which a password that is required to access NSS’s security database. Each entry in the file needs to appear on its own line and has the form: token_name=password

  • certdbDir: specify the directory the NSS security database resides in.

  • passwordClass: specify the class that will be used to read the password.

  • sslProtocol: needs to be SSL

  • sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation in order to use the plugin

Examples

Here is an example of a secure connector:

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="SSL"
           scheme="https"
           secure="true"
           keyStoreType="PKCS11"
           maxHttpHeaderSize="8192"
           acceptCount="100"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="false"
           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10"
           strictCiphers="false"
           clientAuth="agent"
           clientauth="agent"
           sslOptions="ssl2=true,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>