Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
On 09/08/17 12:24, Senthil Kumar wrote:
> Mark,
>
> Tomcat version is 8.0.39.
>
> I have to use both server certificate (.pfx) and service certificate as
> keystore. Do I need to convert PFX format certificate to JKS format? How to
> configure more than one private certificate in keystore?

The setenv.sh settings shouldn't interfere with the Tomcat connector but to be sure I suggest the following:

- comment out the setenv.sh settings
- start Tomcat
- test https on port 443 and report any errors including those in the logs

Once port 443 is working then uncomment the settings in setenv and check port 443 still works.

Mark

> Senthil
>
> On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas wrote:
>> On 08/08/17 21:03, dsenthil...@gmail.com wrote:
>>> Hello,
>>>
>>> I have configured ssl certificates for below requirements:
>>>
>>> 1. Tomcat server certificate configuration in 'server.xml' file to run
>>> tomcat server on port 443 and https
>>>
>>>     minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>>>     disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
>>>     SSLEnabled="true" clientAuth="false" sslProtocol="TLSv1.2"
>>>     ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>>>     keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>>>     keystoreType="PKCS12" />
>>>
>>> 2. Service certificate configuration in 'setenv.sh' file for the
>>> two-way ssl authentication for the connection to MQ / Soap service servers.
>>>
>>>     export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>>>     -Djavax.net.ssl.keyStorePassword=password
>>>     -Djavax.net.ssl.trustStore=clienttruststore.jks
>>>     -Djavax.net.ssl.trustStorePassword=changeit'
>>>
>>> But it looks like the service certificate configured (for the two-way
>>> ssl handshake with MQ and Soap service servers) in 'setenv.sh' file is
>>> overwriting the tomcat server ssl configuration configured in 'server.xml'
>>> and subsequently tomcat server is down for https and port 443.
>>>
>>> Can someone recommend suitable tomcat config to fix this issue. The
>>> tomcat config should support both https (port 443) and two-way ssl
>>> handshake with other servers.
>>
>> Tomcat version?

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
Mark,

Tomcat version is 8.0.39.

I have to use both server certificate (.pfx) and service certificate as keystore. Do I need to convert PFX format certificate to JKS format? How to configure more than one private certificate in keystore?

Senthil

On Wed, Aug 9, 2017 at 1:39 AM, Mark Thomas wrote:
> On 08/08/17 21:03, dsenthil...@gmail.com wrote:
>> Hello,
>>
>> I have configured ssl certificates for below requirements:
>>
>> 1. Tomcat server certificate configuration in 'server.xml' file to run
>> tomcat server on port 443 and https
>>
>>     minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>>     disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
>>     SSLEnabled="true" clientAuth="false" sslProtocol="TLSv1.2"
>>     ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>>     keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>>     keystoreType="PKCS12" />
>>
>> 2. Service certificate configuration in 'setenv.sh' file for the
>> two-way ssl authentication for the connection to MQ / Soap service servers.
>>
>>     export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>>     -Djavax.net.ssl.keyStorePassword=password
>>     -Djavax.net.ssl.trustStore=clienttruststore.jks
>>     -Djavax.net.ssl.trustStorePassword=changeit'
>>
>> But it looks like the service certificate configured (for the two-way
>> ssl handshake with MQ and Soap service servers) in 'setenv.sh' file is
>> overwriting the tomcat server ssl configuration configured in 'server.xml'
>> and subsequently tomcat server is down for https and port 443.
>>
>> Can someone recommend suitable tomcat config to fix this issue. The
>> tomcat config should support both https (port 443) and two-way ssl
>> handshake with other servers.
>
> Tomcat version?
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
Senthil,

On 8/8/17 4:03 PM, dsenthil...@gmail.com wrote:
>> Hello,
>>
>> I have configured ssl certificates for below requirements:
>>
>> 1. Tomcat server certificate configuration in 'server.xml' file
>> to run tomcat server on port 443 and https
>>
>>     minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>>     disableUploadTimeout="true" acceptCount="100" scheme="https"
>>     secure="true" SSLEnabled="true" clientAuth="false"
>>     sslProtocol="TLSv1.2" ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256"
>>     keystoreFile="Tomcat.HostName.pfx" keystorePass="password"
>>     keystoreType="PKCS12" />
>>
>> 2. Service certificate configuration in 'setenv.sh' file for the
>> two-way ssl authentication for the connection to MQ / Soap
>> service servers.
>>
>>     export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>>     -Djavax.net.ssl.keyStorePassword=password
>>     -Djavax.net.ssl.trustStore=clienttruststore.jks
>>     -Djavax.net.ssl.trustStorePassword=changeit'
>>
>> But it looks like the service certificate configured (for the
>> two-way ssl handshake with MQ and Soap service servers) in
>> 'setenv.sh' file is overwriting the tomcat server ssl
>> configuration configured in 'server.xml' and subsequently tomcat
>> server is down for https and port 443.
>>
>> Can someone recommend suitable tomcat config to fix this issue.
>> The tomcat config should support both https (port 443) and
>> two-way ssl handshake with other servers.

Regardless of the actual problem and solution, here, I would always highly recommend that you use explicit configuration for your truststore as well as your keystore. Using system properties is very heavy-handed and ends up applying the same trust store to a whole variety of components, not just the Connector.

-chris
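Chris's point is that the -Djavax.net.ssl.* properties set a JVM-wide default identity and trust store. The explicit alternative for the outbound MQ / SOAP side is to load the service certificate into its own SSLContext and hand that to each client connection, leaving the Connector's keystoreFile in server.xml untouched. The following is an added example, not code from this thread or from Tomcat; OutboundTlsContext and its methods are hypothetical names, and the file names and passwords are the ones quoted from setenv.sh above.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical helper: a dedicated SSLContext for the outbound two-way TLS
// connections. Nothing here touches the javax.net.ssl.* system properties,
// so the Tomcat Connector keeps using the keystoreFile from server.xml.
public final class OutboundTlsContext {
    private OutboundTlsContext() {}
    public static SSLContext build(String keyStorePath, char[] keyStorePass,
                                   String trustStorePath, char[] trustStorePass)
            throws Exception {
        // Client identity: the service certificate plus its private key. Java
        // reads PKCS12 (.p12/.pfx) directly, so no conversion to JKS is needed.
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(keyStorePath)) {
            keyStore.load(in, keyStorePass);
        }
        KeyManagerFactory kmf =
            KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(keyStore, keyStorePass);

        // Trust anchors for the MQ / SOAP servers only, not for the whole JVM.
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            trustStore.load(in, trustStorePass);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);

        SSLContext ctx = SSLContext.getInstance("TLSv1.2");
        ctx.init(kmf.getKeyManagers(), tmf.getTrustManagers(), null);
        return ctx;
    }
    // Apply the context to one connection. Avoid
    // HttpsURLConnection.setDefaultSSLSocketFactory, which is JVM-global in
    // the same way the system properties are.
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        return conn;
    }
}
```

Call build("ServiceCertificate.p12", "password".toCharArray(), "clienttruststore.jks", "changeit".toCharArray()) once at startup and pass the context to each outbound client; the -Djavax.net.ssl.* lines in JAVA_OPTS can then be dropped, which removes the only thing that could be competing with the Connector's own keystore.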
Re: Tomcat8 - How to configure ssl certificates for both https and two-way authentication
On 08/08/17 21:03, dsenthil...@gmail.com wrote:
>> Hello,
>>
>> I have configured ssl certificates for below requirements:
>>
>> 1. Tomcat server certificate configuration in 'server.xml' file to run
>> tomcat server on port 443 and https
>>
>>     minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
>>     disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
>>     SSLEnabled="true" clientAuth="false" sslProtocol="TLSv1.2"
>>     ciphers="TLS_RSA_WITH_AES_256_CBC_SHA256" keystoreFile="Tomcat.HostName.pfx"
>>     keystorePass="password" keystoreType="PKCS12" />
>>
>> 2. Service certificate configuration in 'setenv.sh' file for the two-way ssl
>> authentication for the connection to MQ / Soap service servers.
>>
>>     export JAVA_OPTS='-Djavax.net.ssl.keyStore=ServiceCertificate.p12
>>     -Djavax.net.ssl.keyStorePassword=password
>>     -Djavax.net.ssl.trustStore=clienttruststore.jks
>>     -Djavax.net.ssl.trustStorePassword=changeit'
>>
>> But it looks like the service certificate configured (for the two-way ssl
>> handshake with MQ and Soap service servers) in 'setenv.sh' file is
>> overwriting the tomcat server ssl configuration configured in 'server.xml'
>> and subsequently tomcat server is down for https and port 443.
>>
>> Can someone recommend suitable tomcat config to fix this issue. The tomcat
>> config should support both https (port 443) and two-way ssl handshake with
>> other servers.

Tomcat version?