What is Tomcat and how is it used by Secure Password Administrator? (NETIQKB36877)

  • 7736877
  • 02-Feb-2007
  • 06-Oct-2011

Environment

Secure Password Administrator 1.0

Situation

What is Tomcat and how is it used by Secure Password Administrator?

Resolution

Tomcat is a servlet container used by the Secure Password Administrator (SPA) Web server to respond to JavaServer Pages (JSP) requests. Servlets are a safe, flexible, and component-specific way to extend the abilities of Web applications. Secure Password Administrator uses Tomcat to serve JSPs through a secure HTTP connection to your browser client. By using Tomcat, Secure Password Administrator allows the use of hypertext transfer protocol secure sockets (HTTPS) through Sun Java Secure Socket Extension (JSSE). The Tomcat servlet container also limits security liabilities by not allowing the execution of server-side JavaScript, JScript, or VBScript. Unlike a fully functional Web server, Tomcat provides only the service needed by Secure Password Administrator and does not unduly expose you to malicious attack.


Automatically Passing JavaServer Pages to Tomcat
Tomcat listens on a configurable port for HTTP or HTTPS requests. When a request is detected, Tomcat automatically provides the requested JSP. Secure Password Administrator uses DRA to authenticate access to account information before allowing Tomcat to provide anything other than the first page of the Secure Password Administrator Web interface. After installing Secure Password Administrator, you do not need to modify your configuration in any way.


Configuring IIS to Use Tomcat
While you do not need to configure Secure Password Administrator to use IIS, the flexibility of the product allows you to do so. If your network security policy requires you to pass all Web-based information through IIS, you can extend IIS to handle JSP calls by passing them to Tomcat. The setup program allows you to automatically configure IIS to implement JSP handling using Tomcat. For more information, see "Installing Secure Password Administrator" on page 24 in the User Guide.

To attach the Secure Password Administrator Web server to an IIS server, the setup program uses Microsoft Internet Server application programming interface (ISAPI) filters. Before connecting the Secure Password Administrator Web server to IIS, ensure you have applied all available IIS updates. You can find IIS updates on the Microsoft Web site.

Additional Information

Formerly known as NETIQKB36877