Apache Tomcat
This document describes how to configure Apache Tomcat with Futurex HSMs and how TLS handshake offloading to the HSM works. For additional questions related to your HSM, see the relevant user guide.
From the Apache Tomcat website: “the Apache Tomcat software is an open source implementation of the Java Servlet, Java Server Pages, Java Expression Language, and Java Web Socket technologies. Apache Tomcat software powers numerous large-scale, mission-critical web applications across a diverse range of industries and organizations.”
The Futurex Java Provider (FXJCE) requires the use of the Futurex PKCS #11 (FXPKCS11) libraries. Futurex provides users with several files to set up and configure the PKCS #11 libraries. The Futurex Java Provider supports Java 7, 8, and 9.
In this scenario, the Tomcat web server certificate, which client applications require in order to connect to the web server, is created with the keytool utility that ships with Java. Using keytool, the user creates the RSA key pair and the certificate for the Tomcat server. The private key for this certificate is stored in the HSM through the Futurex Java Provider (FXJCE), which in turn uses the Futurex PKCS #11 library (FXPKCS11) to access the HSM. The connection between the PKCS #11 library and the HSM should itself be a TLS connection, so TLS/SSL certificates must be created (using OpenSSL or an external CA) for both the HSM and the server on which the PKCS #11 library runs.
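The workflow above (RSA key pair generated by keytool into the HSM-backed PKCS #11 keystore, certificate issued by an external CA, Tomcat pointed at that keystore), as an added example that is not part of this guide and not Futurex's or Tomcat's own code. It assumes the FXJCE provider is already registered in the JDK's java.security file under the provider name placed in FXJCE_PROVIDER (a placeholder here; take the real name from the Futurex guide), that keytool is on PATH, and that the HSM PIN is supplied to Tomcat through a system property named hsm.pin (an assumed name). The connector snippet uses the Tomcat 8.5+/9 SSLHostConfig attributes.

```shell
#!/bin/sh
# Added example, not Futurex's or Tomcat's code. FXJCE_PROVIDER and hsm.pin are
# assumed names; replace them with the values from the Futurex configuration.
set -eu

FXJCE_PROVIDER="${FXJCE_PROVIDER:-FXJCE_PROVIDER_NAME_PLACEHOLDER}"
KEY_ALIAS="${KEY_ALIAS:-tomcat}"

# 1. Generate the RSA key pair inside the HSM. A PKCS#11 keystore has no file,
#    hence "-keystore NONE"; the private key is created and stays on the HSM.
hsm_genkeypair() {
    keytool -genkeypair -alias "$KEY_ALIAS" -keyalg RSA -keysize 2048 \
        -sigalg SHA256withRSA -dname "$1" \
        -keystore NONE -storetype PKCS11 -providerName "$FXJCE_PROVIDER"
}

# 2. Produce a CSR for the HSM-held key so an external CA can issue the
#    server certificate (the self-signed certificate keytool made in step 1
#    is replaced in step 3).
hsm_certreq() {
    keytool -certreq -alias "$KEY_ALIAS" -file "$1" \
        -keystore NONE -storetype PKCS11 -providerName "$FXJCE_PROVIDER"
}

# 3. Import the CA-issued certificate against the same alias. keytool checks
#    that the certificate's public key matches the key pair on the HSM.
hsm_importcert() {
    keytool -importcert -alias "$KEY_ALIAS" -file "$1" -noprompt \
        -keystore NONE -storetype PKCS11 -providerName "$FXJCE_PROVIDER"
}

# 4. Verify after deployment: the alias must show up as a PrivateKeyEntry in
#    the PKCS#11 keystore, with the CA-issued certificate attached.
hsm_list() {
    keytool -list -v -alias "$KEY_ALIAS" \
        -keystore NONE -storetype PKCS11 -providerName "$FXJCE_PROVIDER"
}

# 5. Render the Tomcat connector for server.xml. certificateKeystoreFile is
#    empty because the keystore is the HSM token, not a file; the PIN comes
#    from the hsm.pin system property (assumed name) rather than being
#    hard-coded in server.xml.
render_connector() {
    cat <<EOF
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           SSLEnabled="true" maxThreads="150">
  <SSLHostConfig protocols="TLSv1.2+TLSv1.3">
    <Certificate certificateKeystoreType="PKCS11"
                 certificateKeystoreProvider="$FXJCE_PROVIDER"
                 certificateKeystoreFile=""
                 certificateKeystorePassword="\${hsm.pin}"
                 certificateKeyAlias="$KEY_ALIAS"
                 type="RSA"/>
  </SSLHostConfig>
</Connector>
EOF
}

# Usage: "./hsm-tomcat.sh run" generates the key and CSR; after the CA returns
# tomcat.crt, "./hsm-tomcat.sh import tomcat.crt" installs it, lists the entry
# and prints the connector to paste into server.xml.
case "${1:-}" in
    run)
        hsm_genkeypair "CN=tomcat.example.test, O=Example Org"
        hsm_certreq tomcat.csr
        echo "Submit tomcat.csr to the CA, then run: $0 import tomcat.crt"
        ;;
    import)
        hsm_importcert "$2"
        hsm_list
        render_connector
        ;;
esac
```

Start Tomcat with the PIN passed as a system property (for example through CATALINA_OPTS with -Dhsm.pin=...) so the PIN is never written into server.xml, and confirm with `hsm_list` that the entry type is PrivateKeyEntry: if keytool reports only a trustedCertEntry, the certificate was imported under an alias that has no HSM key behind it and the handshake will fail.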
The Guardian Series 3 introduces mission-critical viability to core cryptographic infrastructure, including:
- Centralized device management
- Elimination of points of failure
- Distribution of transaction loads
- Group-specific function blocking
- User-defined grouping systems
Please see the applicable guide for configuring HSMs with the Guardian Series 3.