Re: SSL Certificate Beginner Question
David Wall wrote:
> ...if the user accesses your site with http://, the port 80 Connector (or 8080 if testing or using a non-standard port) has a redirectPort element that causes Tomcat to automatically issue a redirect using https://

Are you sure? I thought redirectPort was only useful for redirecting _https_ requests which were sent to the wrong port...

Paul S.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
RE: SSL Certificate Beginner Question
> From: Paul Singleton [mailto:[EMAIL PROTECTED]]
> Subject: Re: SSL Certificate Beginner Question
>
> David Wall wrote:
> > ...if the user accesses your site with http://, the port 80 Connector (or 8080 if testing or using a non-standard port) has a redirectPort element that causes Tomcat to automatically issue a redirect using https://
>
> Are you sure? I thought redirectPort was only useful for redirecting _https_ requests which were sent to the wrong port...

Don't know if he's sure or not, but he is correct. If the deployment descriptor has transport-guarantee set to CONFIDENTIAL, Tomcat automatically switches the request to https. See section 12.8 of the servlet spec.

- Chuck
Re: SSL Certificate Beginner Question
* Bill Barker wrote (30/11/05 05:42):
> Scott Purcell [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> > Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL. I probably posted a lame request. Let me try again.
> >
> > I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where tomcat is installed on Unix. But that is another OS.
> >
> > I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>
> There are two likely problems, but I don't know which one applies to you.
>
> 1) Since you are using 5.5.12, if you installed the libtcnative.dll with Tomcat, then you need to configure SSL via http://tomcat.apache.org/tomcat-5.5-doc/apr.html. In particular, you need to extract the private-key into an OpenSSL format. Alternatively, you can rename the dll for now, and work on just getting the Java Connector working.
>
> 2) You imported your cert into a different keystore file than the one that you used to generate the CSR. Import the cert into the original one and you will be fine. If you used OpenSSL to generate the CSR, then the easiest is to convert to a pkcs12 keystore as described above. Alternatively, you can try using http://www.comu.de/docs/tomcat_ssl.htm.

3) (Maybe a long shot) Windows XP firewall is blocking the port. Does netstat -ln show anything listening on port 8443? Do the tomcat logs mention port 8443?
Re: SSL Certificate Beginner Question
Did you include a security constraint element in your web.xml file? Something like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS for all of these pages of the application.</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

[EMAIL PROTECTED] wrote:
> Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL. I probably posted a lame request. Let me try again.
>
> I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where tomcat is installed on Unix. But that is another OS.
>
> I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>
> The final step is to configure your secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME represents the directory into which you installed Tomcat 5. An example Connector element for an SSL connector is included in the default server.xml file installed with Tomcat. It will look something like this:
>
>   <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>   <!--
>   <Connector port="8443"
>              minProcessors="5" maxProcessors="75"
>              enableLookups="true" disableUploadTimeout="true"
>              acceptCount="100" debug="0" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS" />
>   -->
>
> Anyway I uncommented this snippet from my Tomcat server.xml file and restarted. But I cannot hit https://localhost:8443 like the read-me states. I have checked all $TOMCAT_HOME/logs and see nothing. It just hangs when trying to call it. I can hit http://localhost and all is happy. But the certificate states it is coming from a certain URL. So I am not sure how that all works. I hope this may help someone feed me back some relevant information.
>
> Scott
>
> ----- Original Message -----
> From: Hassan Schroeder [EMAIL PROTECTED]
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Tuesday, November 29, 2005 9:37 PM
> Subject: Re: SSL Certificate Beginner Question
>
> [...]
RE: SSL Certificate Beginner Question
I did not include a security constraint. Is this needed for SSL? I spent some time looking at this element, and I was under the impression that it was for form authentication?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 30, 2005 10:16 AM
To: Tomcat Users List
Subject: Re: SSL Certificate Beginner Question

Did you include a security constraint element in your web.xml file? Something like this:

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS for all of these pages of the application.</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

[EMAIL PROTECTED] wrote:
> [...]
Re: SSL Certificate Beginner Question
Scott Purcell wrote:
> How do I configure some of my pages to use https? I do not know where to begin on this?

Begin with the Servlet Spec. -- SRV.12 (Security) would be apropos :-)

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
Re: SSL Certificate Beginner Question
Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL. I probably posted a lame request. Let me try again.

I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where tomcat is installed on Unix. But that is another OS.

I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The final step is to configure your secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME represents the directory into which you installed Tomcat 5. An example Connector element for an SSL connector is included in the default server.xml file installed with Tomcat. It will look something like this:

  <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <!--
  <Connector port="8443"
             minProcessors="5" maxProcessors="75"
             enableLookups="true" disableUploadTimeout="true"
             acceptCount="100" debug="0" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS" />
  -->

Anyway I uncommented this snippet from my Tomcat server.xml file and restarted. But I cannot hit https://localhost:8443 like the read-me states. I have checked all $TOMCAT_HOME/logs and see nothing. It just hangs when trying to call it. I can hit http://localhost and all is happy. But the certificate states it is coming from a certain URL. So I am not sure how that all works. I hope this may help someone feed me back some relevant information.

Scott

----- Original Message -----
From: Hassan Schroeder [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 9:37 PM
Subject: Re: SSL Certificate Beginner Question

Scott Purcell wrote:
> How do I configure some of my pages to use https? I do not know where to begin on this?

Begin with the Servlet Spec. -- SRV.12 (Security) would be apropos :-)

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
Re: SSL Certificate Beginner Question
> <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <!--
> <Connector port="8443"
>            minProcessors="5" maxProcessors="75"
>            enableLookups="true" disableUploadTimeout="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS" />
> -->

You probably want to add the following attributes to the Connector above:

  keystoreFile="keys/tomcatkeys"
  keystorePass="123"

Obviously, make the keystoreFile point to the name of the Java keystore that you put your certificate inside, along with the password for that keystore. I believe the base is $CATALINA_HOME if you use a relative pathname like above.

You'll also need to update your webapp's web.xml file with something like (that is, if you want Tomcat to enforce SSL on your webapp):

(after any servlet-mapping XML elements, before the session-config and/or welcome-file-list XML elements of web-app element in WEB-INF/web.xml)

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire site</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Hope that helps...

David
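Putting Chuck's redirectPort remark together with David's keystore attributes and security constraint, here is a minimal Tomcat 5.5 server.xml / web.xml pairing for the plain Java (JSSE) connector. It is an added example, not a configuration posted in this thread; the keystore path, password and /secure/* pattern are placeholders.

```xml
<!-- server.xml (Tomcat 5.5, JSSE connector, libtcnative/APR not loaded).
     The plain HTTP connector needs only redirectPort: when a request for a
     URL under a CONFIDENTIAL constraint arrives here, Tomcat answers with a
     redirect to the same path on that port over https. -->
<Connector port="8080" maxHttpHeaderSize="8192"
           enableLookups="false" acceptCount="100"
           connectionTimeout="20000" disableUploadTimeout="true"
           redirectPort="8443" />

<!-- SSL connector. A relative keystoreFile is resolved against
     $CATALINA_HOME; path and password below are placeholders. The password
     is stored in clear text, so server.xml should be readable only by the
     account Tomcat runs as. -->
<Connector port="8443" maxHttpHeaderSize="8192"
           enableLookups="false" acceptCount="100"
           disableUploadTimeout="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/tomcat.keystore"
           keystorePass="CHANGE_ME" />

<!-- WEB-INF/web.xml, after the servlet-mapping elements.
     No http-method is listed on purpose: a web-resource-collection with no
     http-method covers every method, whereas listing only GET and POST leaves
     HEAD, PUT, DELETE and the rest free to arrive over plain http. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Pages that must be served over https</web-resource-name>
    <url-pattern>/secure/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

After a restart, netstat -ln should show a listener on 8443, and a request for http://host:8080/secure/ should come back as a 302 to https://host:8443/secure/ rather than as the page itself.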
Re: SSL Certificate Beginner Question
Yes, thanks David, I did add the keystoreFile=XXX and keystorePass=xxx. But it still hangs. Since I was on Windows I used a full path to the file.

I forgot about the security constraint element. Thanks, I will give that a try and post back. Do I need the security element if I just try https://localhost:8443? Just curious. I know when I asked for the cert, Verisign asked me for my dns name, so maybe the simple localhost will not work and only the dns entry will work. ...

Thanks much for your time.
Scott

----- Original Message -----
From: David Wall [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 10:25 PM
Subject: Re: SSL Certificate Beginner Question

> <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
> <!--
> <Connector port="8443"
>            minProcessors="5" maxProcessors="75"
>            enableLookups="true" disableUploadTimeout="true"
>            acceptCount="100" debug="0" scheme="https" secure="true"
>            clientAuth="false" sslProtocol="TLS" />
> -->

You probably want to add the following attributes to the Connector above:

  keystoreFile="keys/tomcatkeys"
  keystorePass="123"

Obviously, make the keystoreFile point to the name of the Java keystore that you put your certificate inside, along with the password for that keystore. I believe the base is $CATALINA_HOME if you use a relative pathname like above.

You'll also need to update your webapp's web.xml file with something like (that is, if you want Tomcat to enforce SSL on your webapp):

(after any servlet-mapping XML elements, before the session-config and/or welcome-file-list XML elements of web-app element in WEB-INF/web.xml)

  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire site</web-resource-name>
      <url-pattern>/*</url-pattern>
      <http-method>GET</http-method>
      <http-method>POST</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

Hope that helps...

David
Re: SSL Certificate Beginner Question
Thanks for the link ... I think first I need to be able to hit the https://localhost:8443 before going any further? Once that is working ... then hopefully I can figure out how to restrict certain pages.

----- Original Message -----
From: Hassan Schroeder [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 10:43 PM
Subject: Re: SSL Certificate Beginner Question

Scott Purcell wrote:
> Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL.

OK, here's a direct link to the Servlet Spec:
http://www.jcp.org/aboutJava/communityprocess/final/jsr154/

:: which, BTW, is the first Google hit on java servlet spec :-)

> I probably posted a lame request. Let me try again.

OK.

> I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

From your first email:

> How do I configure some of my pages to use https?

:: I thought you had *already* configured your installation per that how-to, cert installed, SSL working, and you were trying to understand how to restrict some pages to SSL-only access.

Sorry for misunderstanding.

--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
Re: SSL Certificate Beginner Question
Scott Purcell [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL. I probably posted a lame request. Let me try again.
>
> I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where tomcat is installed on Unix. But that is another OS.
>
> I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

There are two likely problems, but I don't know which one applies to you.

1) Since you are using 5.5.12, if you installed the libtcnative.dll with Tomcat, then you need to configure SSL via http://tomcat.apache.org/tomcat-5.5-doc/apr.html. In particular, you need to extract the private-key into an OpenSSL format. Alternatively, you can rename the dll for now, and work on just getting the Java Connector working.

2) You imported your cert into a different keystore file than the one that you used to generate the CSR. Import the cert into the original one and you will be fine. If you used OpenSSL to generate the CSR, then the easiest is to convert to a pkcs12 keystore as described above. Alternatively, you can try using http://www.comu.de/docs/tomcat_ssl.htm.

> The final step is to configure your secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME represents the directory into which you installed Tomcat 5. An example Connector element for an SSL connector is included in the default server.xml file installed with Tomcat. It will look something like this:
>
>   <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>   <!--
>   <Connector port="8443"
>              minProcessors="5" maxProcessors="75"
>              enableLookups="true" disableUploadTimeout="true"
>              acceptCount="100" debug="0" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS" />
>   -->
>
> Anyway I uncommented this snippet from my Tomcat server.xml file and restarted. But I cannot hit https://localhost:8443 like the read-me states. I have checked all $TOMCAT_HOME/logs and see nothing. It just hangs when trying to call it. I can hit http://localhost and all is happy. But the certificate states it is coming from a certain URL. So I am not sure how that all works. I hope this may help someone feed me back some relevant information.
>
> Scott
>
> ----- Original Message -----
> From: Hassan Schroeder [EMAIL PROTECTED]
> To: Tomcat Users List users@tomcat.apache.org
> Sent: Tuesday, November 29, 2005 9:37 PM
> Subject: Re: SSL Certificate Beginner Question
>
> [...]