diff options
| author | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:01:57 +0000 |
|---|---|---|
| committer | jdennis <jdennis@c9f7a03b-bd48-0410-a16d-cbbf54688b0b> | 2010-11-19 21:01:57 +0000 |
| commit | 7ff1a2d86491e3ae8bc653e2ab2cc261d10fda36 (patch) | |
| tree | e8e8193351dba480d76df0b6273f0158a7772da6 /pki/base/ca/shared | |
| parent | 2ab4b4058a240143e513db050bbf4170e9115ef1 (diff) | |
| download | pki-7ff1a2d86491e3ae8bc653e2ab2cc261d10fda36.tar.gz pki-7ff1a2d86491e3ae8bc653e2ab2cc261d10fda36.tar.xz pki-7ff1a2d86491e3ae8bc653e2ab2cc261d10fda36.zip | |
Undo the pre_merge_adjustment
git-svn-id: svn+ssh://svn.fedorahosted.org/svn/pki/trunk@1576 c9f7a03b-bd48-0410-a16d-cbbf54688b0b
Diffstat (limited to 'pki/base/ca/shared')
| -rw-r--r-- | pki/base/ca/shared/conf/server.xml | 33 |
1 files changed, 32 insertions, 1 deletions
diff --git a/pki/base/ca/shared/conf/server.xml b/pki/base/ca/shared/conf/server.xml index 6642a58fc..83eaf775e 100644 --- a/pki/base/ca/shared/conf/server.xml +++ b/pki/base/ca/shared/conf/server.xml @@ -92,12 +92,43 @@ Tomcat Port = [TOMCAT_SERVER_PORT] (for shutdown) <!-- Define a SSL HTTP/1.1 Connector on port 8443 --> [PKI_SECURE_PORT_SERVER_COMMENT] - <!-- DO NOT REMOVE - Begin define PKI secure port --> + <!-- DO NOT REMOVE - Begin define PKI secure port + NOTE: The OCSP settings take effect globally, so it should only be set once. + + In setup where SSL clientAuth="true", OCSP can be turned on by + setting enableOCSP to true like the following: + enableOCSP="true" + along with changes to related settings, especially: + ocspResponderURL=<see example in connector definition below> + ocspResponderCertNickname=<see example in connector definition below> + Here are the definition to all the OCSP-related settings: + enableOCSP - turns on/off the ocsp check + ocspResponderURL - sets the url where the ocsp requests are sent + ocspResponderCertNickname - sets the nickname of the cert that is + either CA's signing certificate or the OCSP server's signing + certificate. + The CA's signing certificate should already be in the db, in + case of the same security domain. + In case of an ocsp signing certificate, one must import the cert + into the subsystem's nss db and set trust. e.g.: + certutil -d . -A -n "ocspSigningCert cert-pki-ca" -t "C,," -a -i ocspCert.b64 + ocspCacheSize - sets max cache entries + ocspMinCacheEntryDuration - sets minimum seconds to next fetch attempt + ocspMaxCacheEntryDuration - sets maximum seconds to next fetch attempt + ocspTimeout -sets OCSP timeout in seconds + --> <Connector name="[PKI_SECURE_PORT_CONNECTOR_NAME]" port="[PKI_SECURE_PORT]" protocol="HTTP/1.1" SSLEnabled="true" sslProtocol="SSL" scheme="https" secure="true" maxHttpHeaderSize="8192" acceptCount="100" maxThreads="150" minSpareThreads="25" maxSpareThreads="75" enableLookups="false" connectionTimeout="20000" disableUploadTimeout="true" SSLImplementation="org.apache.tomcat.util.net.jss.JSSImplementation" + enableOCSP="false" + ocspResponderURL="http://[PKI_MACHINE_NAME]:9080/ca/ocsp" + ocspResponderCertNickname="ocspSigningCert cert-pki-ca" + ocspCacheSize="1000" + ocspMinCacheEntryDuration="60" + ocspMaxCacheEntryDuration="120" + ocspTimeout="10" clientAuth="[PKI_AGENT_CLIENTAUTH]" sslOptions="[TOMCAT_SSL_OPTIONS]" ssl2Ciphers="[TOMCAT_SSL2_CIPHERS]" |