Yes, most often Tomcat is chained to a webserver such as httpd, communicating via the AJP protocol. httpd is not capable of functioning as a servlet container and compiling JSPs, but Tomcat has poor performance serving static content (such as images) over HTTP. By chaining the two together, you get the best of both worlds. For development, most people don't care too much about Tomcat's static content performance so they go directly to port 8080.
For development on Fedora (if you want to test fronting Tomcat):
- install the httpd package
- install the tomcat6 package
- Edit /etc/httpd/conf.d/proxy_ajp.conf and uncomment/create an appropriate ProxyPass line
- Drop your .war into /var/lib/tomcat6/webapps/
For production on Fedora:
- install httpd and tomcat6 packages
- install mod_jk (you may need to download and compile this from the Tomcat website)
- configure mod_jk per its documentation
(YMMV on whether Fedora's upgrade cycle is too quick for a production server)
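The ProxyPass line and the mod_jk configuration the steps above refer to, written out as an added example (this is not part of the answer above or of Fedora's packaged defaults). The application name `myapp`, the worker name `ajp13` and the mod_jk file locations are assumptions; adjust them to your deployment. Both variants point at AJP on the loopback address on purpose: the AJP port carries trusted request metadata from the front end, so nothing other than httpd on the same host should be able to reach it.

```apache
# --- development: /etc/httpd/conf.d/proxy_ajp.conf (mod_proxy_ajp ships with httpd) ---
LoadModule proxy_module     modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so

# Reverse proxy only; never let httpd act as an open forward proxy.
ProxyRequests Off

# Route /myapp to the webapp deployed from /var/lib/tomcat6/webapps/myapp.war.
# Talk to Tomcat on loopback, not on a routable address.
ProxyPass        /myapp ajp://127.0.0.1:8009/myapp
ProxyPassReverse /myapp ajp://127.0.0.1:8009/myapp

# If you map "/" instead of a single application, carve the Tomcat manager
# applications out first (exclusions must precede the broader mapping):
#   ProxyPass /manager !
#   ProxyPass /host-manager !
#   ProxyPass / ajp://127.0.0.1:8009/

# --- production: /etc/httpd/conf.d/mod_jk.conf (assumed location) ---
LoadModule jk_module modules/mod_jk.so
JkWorkersFile /etc/httpd/conf/workers.properties
JkLogFile     /var/log/httpd/mod_jk.log
JkLogLevel    info
# Both lines are needed: "/myapp" alone does not match "/myapp/index.jsp".
JkMount /myapp   ajp13
JkMount /myapp/* ajp13

# --- production: /etc/httpd/conf/workers.properties (assumed location) ---
worker.list=ajp13
worker.ajp13.type=ajp13
worker.ajp13.host=127.0.0.1
worker.ajp13.port=8009
```

On the Tomcat side, make the AJP connector in /etc/tomcat6/server.xml listen on loopback only, e.g. `<Connector port="8009" protocol="AJP/1.3" address="127.0.0.1" redirectPort="8443" />`, and firewall 8009 (and 8080, once httpd is the only intended entry point) so that a client cannot bypass the front end and speak AJP or HTTP to Tomcat directly.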
I assume that you have already exported the CA certificate to a file, such as "internal-ca.pem". Also, I assume that it is Tomcat who initiates the SSL connection to the IIS server.
You must use the Java keytool to import the certificate into the Java keystore that is being used by your Tomcat engine. The keystore for CA certs is $JAVA_HOME/jre/lib/security/cacerts. So to import your new internal-ca.pem certificate into this keystore, you would use:
$JAVA_HOME/bin/keytool -importcert \
-keystore $JAVA_HOME/jre/lib/security/cacerts \
-file /path/to/internal-ca.pem \
-trustcacerts -alias internal-ca-1
The default password for the keystore is: changeit
Verify that your cert is in the keystore:
$JAVA_HOME/bin/keytool -list \
-keystore $JAVA_HOME/jre/lib/security/cacerts -v | less
Test the connection to the server:
openssl s_client -CAfile /path/to/internal-ca.pem -connect server:port
This should give you, near the end of its output:
Verify return code: 0 (ok)
If you want to test the trust from within Tomcat, you will have to write some test code to do it. Sorry, I don't know any Java. :-)
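The test code the answer above leaves out, as an added example (not written by the answerer): a small Java program that opens an HTTPS connection using the JVM's default trust store, which is exactly the trust decision Tomcat's own outbound HTTPS calls make. The class name `TrustCheck` and the URL are assumptions. Compile and run it with the same JVM that runs Tomcat (`$JAVA_HOME`), and if Tomcat's startup script passes `-Djavax.net.ssl.trustStore=...`, pass the same property here, otherwise you are testing a different keystore from the one Tomcat uses.

```java
import java.io.IOException;
import java.net.URL;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLHandshakeException;

/*
 * Added example (not from the answer above). Exercises the JVM's default trust
 * store the way Tomcat's outbound HTTPS calls would.
 *
 *   $JAVA_HOME/bin/javac TrustCheck.java
 *   $JAVA_HOME/bin/java TrustCheck https://server:port/
 *   (add -Djavax.net.ssl.trustStore=... if Tomcat is started with it)
 */
public class TrustCheck {

    /** Returns true when the TLS handshake and hostname check both succeed. */
    static boolean isTrusted(String target) {
        HttpsURLConnection conn = null;
        try {
            conn = (HttpsURLConnection) new URL(target).openConnection();
            conn.setRequestMethod("HEAD");
            conn.setConnectTimeout(5000);
            conn.setReadTimeout(5000);
            conn.connect();                       // the TLS handshake happens here
            System.out.println("HTTP " + conn.getResponseCode()
                               + " over " + conn.getCipherSuite());
            // Print the chain the server presented, so a wrong issuer is obvious.
            for (Certificate c : conn.getServerCertificates()) {
                if (c instanceof X509Certificate) {
                    X509Certificate x = (X509Certificate) c;
                    System.out.println("  subject=" + x.getSubjectX500Principal()
                                       + "  issuer=" + x.getIssuerX500Principal());
                }
            }
            return true;
        } catch (SSLHandshakeException e) {
            // Typical message when the CA is missing from cacerts:
            // "PKIX path building failed ... unable to find valid certification path"
            System.out.println("NOT TRUSTED (chain): " + e.getMessage());
            return false;
        } catch (IOException e) {
            // Includes the "HTTPS hostname wrong" case, where the chain is trusted
            // but the certificate's name does not match the host in the URL.
            System.out.println("FAILED: " + e.getMessage());
            return false;
        } finally {
            if (conn != null) {
                conn.disconnect();
            }
        }
    }

    public static void main(String[] args) {
        if (args.length != 1) {
            System.err.println("usage: java TrustCheck https://server:port/");
            System.exit(2);
        }
        System.exit(isTrusted(args[0]) ? 0 : 1);
    }
}
```

Two caveats worth knowing when the openssl s_client test passes but this program fails: HttpsURLConnection also checks that the certificate's name matches the host in the URL, which s_client does not do for you, so a name mismatch shows up only here; and the JRE-wide cacerts file is replaced when the JDK is upgraded (on Java 9 and later it lives at $JAVA_HOME/lib/security/cacerts), so either re-import the internal CA after upgrades or keep it in a separate truststore that Tomcat selects with -Djavax.net.ssl.trustStore.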
Best Answer
Check this howto: http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html