<attributes>
<attribute name="algorithm" required="false">
- <p>The certificate encoding algorithm to be used. If not
- specified, the default value is <code>SunX509</code>.</p>
+ <p>The certificate encoding algorithm to be used. This defaults to the Sun
+ implementation (<code>SunX509</code>). For IBM JVMs you should use the
+ value <code>IbmX509</code>. For other vendors, consult the JVM
+ documentation for the correct value.</p>
</attribute>
<attribute name="clientAuth" required="false">
<p>Set to <code>true</code> if you want the SSL stack to require a
- valid certificate chain from the client before
- accepting a connection.
- Set to <code>want</code> if you
- want the SSL stack to request a client
- Certificate, but
- not fail if one isn't presented. A <code>false</code>
+ valid certificate chain from the client before accepting a connection.
+ Set to <code>want</code> if you want the SSL stack to request a client
+ Certificate, but not fail if one isn't presented. A <code>false</code>
value (which is the default) will not require a certificate chain
- unless
- the client requests a resource protected by a security
- constraint
- that uses <code>CLIENT-CERT</code> authentication. See the
+ unless the client requests a resource protected by a security
+ constraint that uses <code>CLIENT-CERT</code> authentication. See the
<a href="../ssl-howto.html">SSL HowTo</a> for an example.</p>
</attribute>
If not specified, then any available cipher may be used.</p>
</attribute>
+ <attribute name="keyAlias" required="false">
+ <p>The alias used to for the server certificate in the keystore. If not
+ specified the first key read in the keystore will be used.</p>
+ </attribute>
+
+ <attribute name="truststoreFile" required="false">
+ <p>The TrustStore file to use to validate client certificates.</p>
+ </attribute>
+
+ <attribute name="truststorePass" required="false">
+ <p>The password to access the TrustStore. This defaults to the value
+ of <code>keystorePass</code>.</p>
+ </attribute>
+
+ <attribute name="truststoreType" required="false">
+ <p>Add this element if your are using a different format for the
+ TrustStore then you are using for the KeyStore.</p>
+ </attribute>
+
</attributes>
<p>For more information, see the
via (among other things) OpenSSL and Microsoft's Key-Manager.
</p>
+<p>Each entry in a keystore is identified by an alias string. Whilst many
+keystore implmentations treat alaises in a case insensitive manner, case
+sensitive implementations are available. The <code>PKCS11</code> specification,
+for example, requires that aliases are case sensitive. To avoid issues related
+to the case sensitivity of aliaises, it is not recommended to use aliases that
+differ only in case.
+</p>
+
<p>To import an existing certificate into a JKS keystore, please read the
documentation (in your JDK documentation package) about <code>keytool</code>.
Note that openssl often adds a readable comments before the key, <code>keytool</code>does not support that, so remove the openssl comments if they exist before importing the key using <code>keytool</code>.
</tr>
<tr>
<td><code>keystoreType</code></td>
- <td>Add this element if using a PKCS12 keystore. The valid values are
- <code>JKS</code> and <code>PKCS12</code>.</td>
+ <td>Add this element if using a keystore type other than
+ <code>JKS</code>.</td>
</tr>
<tr>
<td><code>sslProtocol</code></td>
<tr>
<td><code>truststoreType</code></td>
<td>Add this element if your are using a different format for the
- TrustStore then you are using for the KeyStore. The valid values are
- <code>JKS</code> and <code>PKCS12</code>.</td>
+ TrustStore then you are using for the KeyStore.</td>
</tr>
<tr>
<td><code>keyAlias</code></td>
file</a>. <strong>REMINDER</strong> - Passwords are case sensitive!</p>
</blockquote></li>
+<li>When Tomcat starts up, I get an exception like
+ "java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
+ available certificate or key corresponds to the SSL cipher suites which are
+ enabled."
+ <blockquote>
+ <p>A likely explanation is that Tomcat cannot find the alias for the server
+ key withinthe specified keystore. Check that the correct
+ <code>keystoreFile</code> and <code>keyAlias</code> are specified in the
+ <code><Connector></code> element in the
+ <a href="#Edit the Tomcat Configuration File">Tomcat configuration file</a>.
+ <strong>REMINDER</strong> - <code>keyAlias</code> values may be case
+ sensitive!</p>
+ </blockquote></li>
+
</ul>
<p>If you are still having problems, a good source of information is the
projects / tomcat7.0 / commitdiff