
List:       tomcat-user
Subject:    RE: ssl - JioEndpoint, JSSESocketFactory & Truststore
From:       "Michael Rooz" <michaelrooz () gmail ! com>
Date:       2008-12-31 12:43:05
Message-ID: 3df1c6c00812310443lc025773w399f06e233813d29 () mail ! gmail ! com


I need a way of refreshing the Tomcat trust store without restarting Tomcat.

I've tried another approach:

JioEndpoint initializes its ServerSocket from the JSSESocketFactory created
at startup.  From this point onwards the JSSESocketFactory (containing the
trust store) is never re-initialized.  Would it be safe to reinitialize the
JSSESocketFactory from within the JIOEndpoint Acceptor run loop?  Currently
I do this by calling the destroy() method followed by the start() method.
This seems to work, but again I'm concerned about undesirable side
effects.  I'd appreciate any comment on this.
thanks,
Mike





-----Original Message-----
From: Michael Rooz [mailto:mrooz@nextnine.com]
Sent: Tuesday, December 30, 2008 1:29 PM
To: Tomcat Users List
Subject: RE: ssl



I agree that in general this would be the preferable way of working with
the trust store; however, using self-signed certificates streamlines much
better with my application and therefore my preference at this point is
to find a proper way of refreshing the trust store in the
JSSESocketFactory.

I'm still looking for a solution to this...

Thx,
Mike



-----Original Message-----
From: Mark Thomas [mailto:markt@apache.org]
Sent: Tuesday, December 30, 2008 12:28 PM
To: Tomcat Users List
Subject: Re: ssl

Michael Rooz wrote:

> Hi Bill,
> Well - first the reason we need to update the truststore often is
> because we use self-signed certificates and therefore each client
> certificate needs to be in there.



If your processes allow, you would be better off creating your own
(self-signed) root CA, using that to sign client certs and then adding
your CA to Tomcat's trust store. That way you can add new client certs
without any changes to Tomcat.

Mark





---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org









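The root-CA arrangement Mark describes, worked through as an added example that is not part of the thread or of Tomcat itself: a private root CA is created with openssl, client certificates are issued from it, and each certificate is checked against a trust store that contains nothing but the CA certificate. It assumes `openssl` is on PATH; the subject names, file names and the `WORK` directory are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): private root CA, CA-issued client
# certs, and a trust check against a store holding only the CA certificate.
# All names and paths are constructed for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Self-contained openssl config so the demo does not depend on the system
# openssl.cnf. Only the root gets CA:TRUE; client certs are end entities.
cat > "$WORK/openssl.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Demo Private Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_client]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
EOF

# The private root CA: the single entry the Tomcat trust store will hold.
make_root_ca() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_ca \
        -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" >/dev/null 2>&1
}

# Issue a client certificate signed by the CA. $1 = client name.
# Adding a client means running this; the trust store is untouched.
issue_client_cert() {
    name="$1"
    openssl req -new -config "$WORK/openssl.cnf" -subj "/CN=$name" \
        -newkey rsa:2048 -nodes \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$name.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial -days 90 \
        -extfile "$WORK/openssl.cnf" -extensions v3_client \
        -out "$WORK/$name.crt" >/dev/null 2>&1
}

# A self-signed client certificate that the CA never issued: the kind of
# cert that would otherwise have to be imported into the trust store itself.
make_rogue_cert() {
    openssl req -x509 -config "$WORK/openssl.cnf" -extensions v3_client \
        -subj "/CN=rogue client" -newkey rsa:2048 -nodes -days 90 \
        -keyout "$WORK/rogue.key" -out "$WORK/rogue.crt" >/dev/null 2>&1
}

# Emulate the server-side trust decision: does $1 chain to the CA cert and
# nothing else? -no-CAfile/-no-CApath keep the system CA bundle out of it.
# Returns 0 when the cert is accepted, non-zero otherwise.
trusted_by_ca() {
    openssl verify -no-CAfile -no-CApath -CAfile "$WORK/ca.crt" "$1" \
        >/dev/null 2>&1
}

demo() {
    make_root_ca
    issue_client_cert alice
    issue_client_cert bob      # second client: trust store still unchanged
    make_rogue_cert
    for c in alice bob rogue; do
        if trusted_by_ca "$WORK/$c.crt"; then
            echo "$c.crt: accepted (chains to the private root CA)"
        else
            echo "$c.crt: rejected (not issued by the CA)"
        fi
    done
}

demo
```

To put the CA into a JKS trust store for Tomcat, the one-off import is `keytool -importcert -trustcacerts -alias demo-root -file ca.crt -keystore truststore.jks`, after which new clients only ever need a certificate signed by `ca.key`. The flip side is that any certificate that key signs will be accepted by the connector, so `ca.key` deserves at least the protection the Tomcat trust store itself gets, and issuing should be the only thing it is used for.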

