-
Notifications
You must be signed in to change notification settings - Fork 139
Configuring HTTPS Connector
Endi S. Dewata edited this page May 13, 2022
·
4 revisions
This page describes how to configure HTTPS connector. By default PKI server will be installed with a JSS connector.
Store the password for the PKCS #12 files into a file:
$ echo Secret.123 > /var/lib/pki/pki-tomcat/conf/keystore.pwd $ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/conf/keystore.pwd $ chmod 0660 /var/lib/pki/pki-tomcat/conf/keystore.pwd
Export the SSL server certificate with the following command:
$ pki-server cert-export \ sslserver \ --instance "pki-tomcat" \ --pkcs12-file /var/lib/pki/pki-tomcat/conf/keystore.p12 \ --pkcs12-password-file /var/lib/pki/pki-tomcat/conf/keystore.pwd \ --cert-encryption "PBE/SHA1/RC2-40" \ --key-encryption "PBE/SHA1/DES3/CBC"
Alternatively, the SSL server certificate can be exported with the following command:
$ pk12util \ -n sslserver \ -d /var/lib/pki/pki-tomcat/alias \ -k Secret.123 \ -o /var/lib/pki/pki-tomcat/conf/keystore.p12 \ -w /var/lib/pki/pki-tomcat/conf/keystore.pwd
Then configure the file permission as follows:
$ chown pkiuser.pkiuser /var/lib/pki/pki-tomcat/conf/keystore.p12 $ chmod 0660 /var/lib/pki/pki-tomcat/conf/keystore.p12
To configure JSSE connector:
$ pki-server http-connector-mod Secure \ --type JSSE \ --keystore-file /var/lib/pki/pki-tomcat/conf/keystore.p12 \ --keystore-password-file /var/lib/pki/pki-tomcat/conf/keystore.pwd ----------------- Updated connector ----------------- Connector ID: Secure Scheme: https Port: 8443 Protocol: org.dogtagpki.tomcat.Http11NioProtocol SSL Version Range Stream: tls1_0:tls1_2 SSL Version Range Datagram: tls1_1:tls1_2 SSL Range Ciphers: -TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA NSS Database Directory: /var/lib/pki/pki-tomcat/alias NSS Password Class: org.apache.tomcat.util.net.jss.PlainPasswordFile NSS Password File: /var/lib/pki/pki-tomcat/conf/password.conf Server Cert Nickname File: /var/lib/pki/pki-tomcat/conf/serverCertNick.conf Keystore File: /var/lib/pki/pki-tomcat/conf/keystore.p12 Keystore Password File: /var/lib/pki/pki-tomcat/conf/keystore.pwd
To configure JSS Connector:
$ pki-server http-connector-mod Secure --type JSS ----------------- Updated connector ----------------- Connector ID: Secure Scheme: https Port: 8443 Protocol: org.apache.coyote.http11.Http11Protocol SSL Implementation: org.apache.tomcat.util.net.jss.JSSImplementation SSL Version Range Stream: tls1_0:tls1_2 SSL Version Range Datagram: tls1_1:tls1_2 SSL Range Ciphers: -TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,-TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,-TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_DSS_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_DSS_WITH_AES_128_CBC_SHA,-TLS_DHE_DSS_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_3DES_EDE_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA,-TLS_DHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_256_CBC_SHA256,-TLS_DHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,-TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,-TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_AES_128_CBC_SHA256,-TLS_RSA_WITH_AES_256_CBC_SHA256,-TLS_RSA_WITH_AES_128_GCM_SHA256,-TLS_RSA_WITH_3DES_EDE_CBC_SHA,+TLS_RSA_WITH_AES_128_CBC_SHA,+TLS_RSA_WITH_AES_256_CBC_SHA NSS Database Directory: /var/lib/pki/pki-tomcat/alias NSS Password Class: org.apache.tomcat.util.net.jss.PlainPasswordFile NSS Password File: /var/lib/pki/pki-tomcat/conf/password.conf Server Cert Nickname File: /var/lib/pki/pki-tomcat/conf/serverCertNick.conf
Tip
|
To find a page in the Wiki, enter the keywords in search field, press Enter, then click Wikis. |