## Overview

Prior to version 10.5, PKI used Tomcat JSS 7.2, which only supports the blocking I/O (BIO) connector (org.apache.coyote.http11.Http11Protocol). With the BIO connector, the SSL connector is configured as follows:

```xml
<Connector name="Secure"
    port="8443"
    protocol="org.apache.coyote.http11.Http11Protocol"
    sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
    ...
    />
```
In Tomcat 8.5 the blocking Java connector is no longer available, so PKI 10.6 now uses Tomcat JSS 7.3, which supports the non-blocking I/O (NIO) connector (org.apache.coyote.http11.Http11NioProtocol). The server.xml now looks like the following:

```xml
<Connector name="Secure"
    port="8443"
    protocol="org.dogtagpki.tomcat.Http11NioProtocol"
    ...
    keystoreType="pkcs12"
    keystoreFile="[pki_instance_configuration_path]/keystore.p12"
    keystorePassFile="[pki_instance_configuration_path]/keystore.pwd"
    keyAlias="sslserver"
    trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager"
    />
```
## Installation

### Installing Tomcat 8.5 from COPR Repository

Tomcat 8.5 can be installed directly from csutherl's COPR repository:

```
$ dnf copr enable csutherl/tomcat
$ dnf install tomcat
```
### Installing Upstream Tomcat 8.5

```
$ wget http://mirror.cogentco.com/pub/apache/tomcat/tomcat-8/v8.5.32/bin/apache-tomcat-8.5.32.tar.gz
$ tar xzvf apache-tomcat-8.5.32.tar.gz
$ mv apache-tomcat-8.5.32 /usr/share
$ cd /usr/share
$ chown -R root.tomcat apache-tomcat-8.5.32
$ chmod -R a+rx apache-tomcat-8.5.32
$ ln -s apache-tomcat-8.5.32 tomcat85
$ chown -h root.tomcat tomcat85
```
## Development

### Configuration

#### catalina.properties

The location of catalina.properties can be specified with the catalina.config system property:

```
-Dcatalina.config=/usr/share/pki/server/conf/catalina.properties
```
#### Configuring SSL with PKCS #12 Keystore

```xml
<Connector name="Secure"
    port="8443"
    protocol="org.dogtagpki.tomcat.Http11NioProtocol"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    ...>
    <SSLHostConfig
        certificateVerification="optional"
        trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
        <Certificate
            certificateKeyAlias="sslserver"
            certificateKeystoreType="pkcs12"
            certificateKeystoreFile="[pki_instance_configuration_path]/keystore.p12"
            certificateKeystorePassFile="[pki_instance_configuration_path]/keystore.pwd">
        </Certificate>
    </SSLHostConfig>
</Connector>
```
#### Configuring SSL with PKCS #11 JSS Keystore

```xml
<Connector name="Secure"
    port="8443"
    protocol="org.dogtagpki.tomcat.Http11NioProtocol"
    SSLEnabled="true"
    scheme="https"
    secure="true"
    ...>
    <SSLHostConfig
        certificateVerification="optional"
        trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
        <Certificate
            certificateKeyAlias="sslserver"
            certificateKeystoreType="pkcs11"
            certificateKeystoreProvider="Mozilla-JSS">
        </Certificate>
    </SSLHostConfig>
</Connector>
```
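A small check for the two SSL layouts above (PKCS #12 and PKCS #11), written as an added example rather than anything shipped with PKI or Tomcat JSS: it parses a server.xml, confirms the "Secure" connector uses the NIO protocol with an SSLHostConfig/Certificate pair and PKITrustManager, requires the keystore attributes that each keystore type needs, and optionally flags a keystore or password file that is group- or world-accessible. The sample XML and the /tmp/conf paths are constructed for the example.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample (not a real instance's server.xml): the PKCS #12 NIO layout from this page.
SAMPLE_SERVER_XML = """<Service name="Catalina">
  <Connector name="Secure" port="8443" SSLEnabled="true" scheme="https" secure="true"
             protocol="org.dogtagpki.tomcat.Http11NioProtocol">
    <SSLHostConfig certificateVerification="optional"
                   trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">
      <Certificate certificateKeyAlias="sslserver" certificateKeystoreType="pkcs12"
                   certificateKeystoreFile="/tmp/conf/keystore.p12"
                   certificateKeystorePassFile="/tmp/conf/keystore.pwd"/>
    </SSLHostConfig>
  </Connector>
</Service>"""

NIO_PROTOCOL = "org.dogtagpki.tomcat.Http11NioProtocol"
PKI_TRUST_MANAGER = "org.dogtagpki.tomcat.PKITrustManager"

def check_secure_connector(xml_text, check_files=False):
    """Return a list of findings; empty means the 'Secure' connector matches the NIO layout."""
    findings = []
    conn = ET.fromstring(xml_text).find(".//Connector[@name='Secure']")
    if conn is None:
        return ["no Connector named 'Secure'"]
    if conn.get("protocol") != NIO_PROTOCOL:
        findings.append("protocol %r is not the NIO connector" % conn.get("protocol"))
    host = conn.find("SSLHostConfig")
    if host is None:  # the pre-10.6 layout put keystore attributes directly on the Connector
        return findings + ["missing SSLHostConfig element (old BIO-style layout?)"]
    if host.get("trustManagerClassName") != PKI_TRUST_MANAGER:
        findings.append("trustManagerClassName is not PKITrustManager")
    cert = host.find("Certificate")
    if cert is None:
        return findings + ["missing Certificate element"]
    ks_type = cert.get("certificateKeystoreType")
    if ks_type == "pkcs12":
        for attr in ("certificateKeystoreFile", "certificateKeystorePassFile"):
            path = cert.get(attr)
            if not path:
                findings.append("pkcs12 keystore requires %s" % attr)
            elif check_files and os.path.exists(path):
                # keystore.pwd unlocks the server key: it must not be group- or world-readable
                if stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO):
                    findings.append("%s is group- or world-accessible" % path)
    elif ks_type == "pkcs11" and cert.get("certificateKeystoreProvider") != "Mozilla-JSS":
        findings.append("pkcs11 keystore requires certificateKeystoreProvider=Mozilla-JSS")
    return findings
```

Run it against a real instance with `check_secure_connector(open(path).read(), check_files=True)` to include the file permission check.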
## Migration

See Tomcat 8.5 Migration.