Overview

JSS Connector for Apache Tomcat, installed via the tomcatjss package, is a Java Secure Socket Extension (JSSE) module for Apache Tomcat that uses Java Security Services (JSS), a Java interface to Network Security Services (NSS).

Note	Tomcat JSS 8.5 has been merged into JSS 5.5.

Configuration

JSS Connector for Apache Tomcat defines a number of attributes for a Connector including:

clientauth: specify if client authentication is required in the connector (or port), it can be true or false. If true then client authentication is required.
sslOptions: specify a comma-delimited list of ssl options to pass into the ssl implementation. Each option takes the form of: option=[true|false]. JSS Connector for Apache Tomcat supports the options: ssl2, ssl3, tls.
ssl2Ciphers: specify a list of SSL2 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject"
ssl3Ciphers: specifies a list of SSL3 ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject".
tlsCiphers: specifies a list of TLS ciphers that JSS Connector for Apache Tomcat should accept or reject from the client. You can use + to denote "accept", - means "reject".
serverCertNickFile: a file in which specify the nickname of the server certificate. The file should contain a single line that contains the nickname.
passwordFile: specify a file in which a password that is required to access NSS’s security database. Each entry in the file needs to appear on its own line and has the form: token_name=password
certdbDir: specify the directory the NSS security database resides in.
passwordClass: specify the class that will be used to read the password.
sslProtocol: needs to be SSL
sslImplementationName: MUST be org.apache.tomcat.util.net.jss.JSSImplementation in order to use the plugin

Examples

Here is an example of a secure connector:

<Connector port="8443"
           protocol="HTTP/1.1"
           SSLEnabled="true"
           sslProtocol="SSL"
           scheme="https"
           secure="true"
           keyStoreType="PKCS11"
           maxHttpHeaderSize="8192"
           acceptCount="100"
           maxThreads="150"
           minSpareThreads="25"
           enableLookups="false"
           disableUploadTimeout="true"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           enableOCSP="false"
           ocspResponderURL="http://pkilinux.sjc.redhat.com:9080/ca/ocsp"
           ocspResponderCertNickname="ocspSigningCert cert-pki-ca"
           ocspCacheSize="1000"
           ocspMinCacheEntryDuration="60"
           ocspMaxCacheEntryDuration="120"
           ocspTimeout="10"
           strictCiphers="false"
           clientAuth="agent"
           clientauth="agent"
           sslOptions="ssl2=true,ssl3=true,tls=true"
           ssl2Ciphers="-SSL2_RC4_128_WITH_MD5,-SSL2_RC4_128_EXPORT40_WITH_MD5,-SSL2_RC2_128_CBC_WITH_MD5,-SSL2_RC2_128_CBC_EXPORT40_WITH_MD5,-SSL2_DES_64_CBC_WITH_MD5,-SSL2_DES_192_EDE3_CBC_WITH_MD5"
           ssl3Ciphers="-SSL3_FORTEZZA_DMS_WITH_NULL_SHA,-SSL3_FORTEZZA_DMS_WITH_RC4_128_SHA,+SSL3_RSA_WITH_RC4_128_SHA,-SSL3_RSA_EXPORT_WITH_RC4_40_MD5,+SSL3_RSA_WITH_3DES_EDE_CBC_SHA,+SSL3_RSA_WITH_DES_CBC_SHA,-SSL3_RSA_EXPORT_WITH_RC2_CBC_40_MD5,-SSL3_FORTEZZA_DMS_WITH_FORTEZZA_CBC_SHA,-SSL_RSA_FIPS_WITH_DES_CBC_SHA,+SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA,-SSL3_RSA_WITH_NULL_MD5,-TLS_RSA_EXPORT1024_WITH_RC4_56_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA"
           tlsCiphers="-TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,+TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,+TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,+TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,+TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_DSS_WITH_AES_128_CBC_SHA,+TLS_DHE_DSS_WITH_AES_256_CBC_SHA,+TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_DHE_RSA_WITH_AES_128_CBC_SHA,+TLS_DHE_RSA_WITH_AES_256_CBC_SHA"
           serverCertNickFile="/var/lib/pki/redhat.com-foobar/conf/serverCertNick.conf"
           passwordFile="/var/lib/pki/redhat.com-foobar/conf/password.conf"
           passwordClass="org.apache.tomcat.util.net.jss.PlainPasswordFile"
           certdbDir="/var/lib/pki/redhat.com-foobar/alias"
/>

Name		Name	Last commit message	Last commit date
Latest commit History 336 Commits
.copr		.copr
.github/workflows		.github/workflows
.settings		.settings
core		core
docs		docs
main		main
tests/bin		tests/bin
tomcat-9.0		tomcat-9.0
.classpath		.classpath
.dockerignore		.dockerignore
.gitignore		.gitignore
.gitlab-ci.yml		.gitlab-ci.yml
.packit.yaml		.packit.yaml
.project		.project
Dockerfile		Dockerfile
LICENSE		LICENSE
README.adoc		README.adoc
build.sh		build.sh
build.xml		build.xml
pom.xml		pom.xml
revert_update_version.sh		revert_update_version.sh
sonar-project.properties		sonar-project.properties
tomcatjss.spec		tomcatjss.spec
update_version.sh		update_version.sh

License

dogtagpki/tomcatjss

Folders and files

Latest commit

History

Repository files navigation

Overview

Configuration

Examples

About

Resources

License

Stars

Watchers

Forks

Languages