Continuing the previous post on configuring an HTTPS mutual-authentication server with Apache2, this time the same configuration is done with Tomcat 6.
In Tomcat, the Connector is configured by editing the server.xml configuration file, according to the type of connection to be used (for example HTTP, AJP13 or others). The following is the connector setting for an HTTPS connection with mutual authentication:
```xml
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" enableLookups="true"
           acceptCount="100" connectionTimeout="20000"
           useURIValidationHack="false" disableUploadTimeout="true"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="[path]/server.jks" keystorePass="keystore pass"
           truststoreFile="[path]/truststore.jks" truststorePass="truststore pass"
           clientAuth="true" sslProtocol="TLS"/>
```
For the clientAuth setting, there are three options that can be used:

- `true`: all connections through this connector require client authentication
- `want`: the web app will ask for authentication but not require it
- `false`: connections do not require client authentication UNLESS the web app specifies it is required via a security constraint with CLIENT-CERT chosen

Below is a description of the options that can be used in the SSL configuration:
| Attribute | Description |
|---|---|
| clientAuth | Set this value to true if you want Tomcat to require all SSL clients to present a client Certificate in order to use this socket. Set this value to want if you want Tomcat to request a client Certificate, but not fail if one isn't presented. For using clientAuth on a per-user or per-session basis, check out the tips in Bugzilla 34643. |
| keystoreFile | Add this attribute if the keystore file you created is not in the default place that Tomcat expects (a file named .keystore in the user home directory under which Tomcat is running). You can specify an absolute pathname, or a relative pathname that is resolved against the $CATALINA_BASE environment variable. |
| keystorePass | Add this element if you used a different keystore (and Certificate) password than the one Tomcat expects (changeit). |
| keystoreType | Add this element if using a keystore type other than JKS. |
| sslProtocol | The encryption/decryption protocol to be used on this socket. It is not recommended to change this value if you are using Sun's JVM. It is reported that IBM's 1.4.1 implementation of the TLS protocol is not compatible with some popular browsers. In this case, use the value SSL. |
| ciphers | The comma separated list of encryption ciphers that this socket is allowed to use. By default, the default ciphers for the JVM will be used. Note that this usually means that the weak export grade ciphers will be included in the list of available ciphers. The ciphers are specified using the JSSE cipher naming convention. |
| algorithm | The X509 algorithm to use. This defaults to the Sun implementation (SunX509). For IBM JVMs you should use the value IbmX509. For other vendors, consult the JVM documentation for the correct value. |
| truststoreFile | The TrustStore file to use to validate client certificates. |
| truststorePass | The password to access the TrustStore. This defaults to the value of keystorePass. |
| truststoreType | Add this element if you are using a different format for the TrustStore than you are using for the KeyStore. |
| keyAlias | Add this element if you have more than one key in the KeyStore. If the element is not present the first key read in the KeyStore will be used. |
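As an added example that is not part of the original post, here is a small Python check that reads a server.xml and reports SSL connectors whose settings fall short of the mutual-authentication configuration above: clientAuth not set to true, no truststoreFile, the default keystorePass, or no explicit ciphers list (the defaults come from the attribute table). The embedded server.xml is a constructed sample, not a real deployment.

```python
import xml.etree.ElementTree as ET

# Constructed sample server.xml (not from a real deployment): the 8443 connector
# follows the post's mutual-authentication setup, the 8444 one is weaker.
SAMPLE_SERVER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000"/>
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/opt/tomcat/conf/server.jks" keystorePass="s3cret"
               truststoreFile="/opt/tomcat/conf/truststore.jks" truststorePass="trust"
               clientAuth="true" sslProtocol="TLS"
               ciphers="TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8444" scheme="https" secure="true" SSLEnabled="true"
               keystoreFile="/opt/tomcat/conf/server.jks" keystorePass="changeit"
               clientAuth="want" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml):
    """Return one dict per SSL-enabled Connector: {"port": ..., "findings": [...]}."""
    root = ET.fromstring(server_xml)
    results = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector: not relevant to this check
        findings = []
        client_auth = conn.get("clientAuth", "false").lower()
        if client_auth != "true":
            # "want" or "false": the connector itself does not enforce a client cert
            findings.append("clientAuth=%s: client certificate not required" % client_auth)
        if "truststoreFile" not in conn.attrib:
            findings.append("no truststoreFile set for validating client certificates")
        if "keystoreFile" not in conn.attrib:
            findings.append("no keystoreFile: defaults to .keystore in the Tomcat user's home")
        if conn.get("keystorePass", "changeit") == "changeit":
            findings.append("keystorePass is the Tomcat default 'changeit'")
        if "ciphers" not in conn.attrib:
            findings.append("no ciphers list: JVM defaults apply and may include weak export ciphers")
        results.append({"port": conn.get("port"), "findings": findings})
    return results


if __name__ == "__main__":
    for entry in audit_connectors(SAMPLE_SERVER_XML):
        print("port %s: %s" % (entry["port"], entry["findings"] or "ok"))
```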
