Tomcat 8.5

From Dogtag
Jump to: navigation, search

Overview

Prior to version 10.5, PKI uses Tomcat JSS 7.2 which only supports blocking I/O (BIO) connector (org.apache.coyote.http11.Http11Protocol). With BIO connector the SSL connector is configured as follows:

<Connector name="Secure"
           port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jss.JSSImplementation"
           ...
           />

In Tomcat 8.5 the blocking Java connector is no longer available, so PKI 10.6 is now using Tomcat JSS 7.3 which supports non-blocking I/O (NIO) connector (org.apache.coyote.http11.Http11NioProtocol). The server.xml now looks like the following.

<Connector name="Secure"
           port="8443"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           ...
           keystoreType="pkcs12"
           keystoreFile="[pki_instance_configuration_path]/keystore.p12"
           keystorePassFile="[pki_instance_configuration_path]/keystore.pwd"
           keyAlias="sslserver"
           trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager"
/>

Installation

Installing Tomcat 8.5 from COPR Repository

Tomcat 8.5 can be installed directly from csutherl's COPR repository.

$ dnf copr enable csutherl/tomcat
$ dnf install tomcat

Installing Upstream Tomcat 8.5

$ wget http://mirror.cogentco.com/pub/apache/tomcat/tomcat-8/v8.5.32/bin/apache-tomcat-8.5.32.tar.gz
$ tar xzvf apache-tomcat-8.5.32.tar.gz
$ mv apache-tomcat-8.5.32 /usr/share
$ cd /usr/share
$ chown -R root.tomcat apache-tomcat-8.5.32
$ chmod -R a+rx apache-tomcat-8.5.32
$ ln -s apache-tomcat-8.5.32 tomcat85
$ chown -h root.tomcat tomcat85

Development

See Tomcat 8.5 Development.

Configuration

catalina.properties

The location of catalina.properties can be specified with the catalina.config system properties:

-Dcatalina.config=/usr/share/pki/server/conf/catalina.properties

Configuring SSL with PKCS #12 Keystore

<Connector name="Secure"
           port="8443"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           ...>

    <SSLHostConfig
            certificateVerification="optional"
            trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">

        <Certificate
            certificateKeyAlias="sslserver"
            certificateKeystoreType="pkcs12"
            certificateKeystoreFile="[pki_instance_configuration_path]/keystore.p12"
            certificateKeystorePassFile="[pki_instance_configuration_path]/keystore.pwd">
        </Certificate>

    </SSLHostConfig>

</Connector>

Configuring SSL with PKCS #11 JSS Keystore

<Connector name="Secure"
           port="8443"
           protocol="org.dogtagpki.tomcat.Http11NioProtocol"
           SSLEnabled="true"
           scheme="https"
           secure="true"
           ...>

    <SSLHostConfig
            certificateVerification="optional"
            trustManagerClassName="org.dogtagpki.tomcat.PKITrustManager">

        <Certificate
            certificateKeyAlias="sslserver"
            certificateKeystoreType="pkcs11"
            certificateKeystoreProvider="Mozilla-JSS">
        </Certificate>

    </SSLHostConfig>

</Connector>

Migration

See Tomcat 8.5 Migration.

References