- Type: Improvement
- Status: Open
- Priority: Major
- Resolution: Unresolved
- Affects Version/s: 10.10
- Component/s: Docker Image
- Tags: (none)
According to https://medium.com/@crueda/tomcat-native-openssl-in-spring-boot-2-0-a341ad07471d, the most performant way to deploy a TLS-enabled Tomcat instance on OpenJDK 8 is to configure Tomcat Native + OpenSSL. In this configuration Tomcat keeps the JSSE-style (NIO) connector and uses the native library only for OpenSSL itself, not for the APR socket or poller implementation.
As noted in the above article, "...NGINX has its strengths and is an excellent option for services that are publicly exposed, but isn’t the best option when dealing with internal TLS termination." A use case that requires Nuxeo to terminate TLS itself is an ETL service communicating securely with a Nuxeo Importer deployment, all within a single Kubernetes cluster.
Nuxeo should include the tcnative library in the Nuxeo Docker 10.10+ image to give users the option to TLS-enable their embedded Tomcat instance via Tomcat Native + OpenSSL.
See https://github.com/docker-library/tomcat/blob/master/9.0/jdk8/openjdk/Dockerfile#L72-L97 for the recipe to include the tcnative library in a Tomcat 9 Docker image.
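For reference, the connector configuration that would use the bundled tcnative library in this "JSSE with OpenSSL" mode looks roughly like the following. This is an added illustration, not part of this issue or of the Nuxeo distribution; it assumes Tomcat 9, a tcnative library already present on the image's `java.library.path`, and PEM key/certificate files at the placeholder paths shown, which would need to be mounted into the container.

```xml
<!-- Added example (not Nuxeo's own server.xml): enable Tomcat Native for OpenSSL
     while keeping the NIO connector, i.e. no APR sockets or poller. -->
<Server port="8005" shutdown="SHUTDOWN">
  <!-- Loads libtcnative and initialises OpenSSL. SSLEngine="on" is what makes
       the OpenSSL engine available to the NIO connector below. -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

  <Service name="Catalina">
    <!-- NIO protocol (Java sockets/poller) with OpenSSL doing the TLS work.
         With tcnative loaded, Tomcat selects OpenSSLImplementation by default;
         it is named explicitly here so the intent is visible in the config. -->
    <Connector port="8443"
               protocol="org.apache.coyote.http11.Http11NioProtocol"
               sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
               SSLEnabled="true"
               maxThreads="150">
      <!-- Restrict to TLS 1.2 so the config does not depend on the OpenSSL
           version shipped in the image; add TLSv1.3 once OpenSSL >= 1.1.1 is confirmed. -->
      <SSLHostConfig protocols="TLSv1.2"
                     honorCipherOrder="true">
        <!-- Placeholder paths: mount the real key and certificate here. -->
        <Certificate certificateKeyFile="/etc/nuxeo/tls/server-key.pem"
                     certificateFile="/etc/nuxeo/tls/server-cert.pem"
                     type="RSA" />
      </SSLHostConfig>
    </Connector>

    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
```

Whether the native library was actually picked up is easy to verify: on startup `catalina.out` reports `Loaded Apache Tomcat Native library [...]` and, with `SSLEngine="on"`, the OpenSSL version it initialised; if that line is absent, Tomcat silently falls back to pure-Java JSSE, so the presence check belongs in any image validation for this change.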
- is related to: NXP-24198 Validate and provide some guidance to use APR on Tomcat (Open)