Re: Can't Get SSL to Work in 8.5
On Tue, Jan 23, 2018 at 2:16 PM, Kenneth Taylor <kenneth.tay...@dataexpress.com> wrote:
> Coty,
>
> Thank you very much. That worked. The only thing is it's not redirecting to
> SSL if you hit the regular URL. Are we missing something?

Do you have a CONFIDENTIAL transport guarantee defined for the applications
that you want to redirect? The redirectPort doesn't work exactly like most
people think it does (e.g. it doesn't redirect all traffic to the port); it
redirects traffic for applications with a transport guarantee that requires
SSL. From the http configuration doc
(https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) for redirectPort:

"If this Connector is supporting non-SSL requests, and a request is received
for which a matching <security-constraint> requires SSL transport, Catalina
will automatically redirect the request to the port number specified here."

You can place a confidential transport guarantee in your application's
web.xml such as:

<transport-guarantee>CONFIDENTIAL</transport-guarantee>

I guess if you wanted to redirect EVERYTHING from 8080 to 8443 you could add
a constraint in the global web.xml:

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

but...I'm not sure if that would play nicely with everything or cause
problems :)

HTH

> <Connector
>     connectionTimeout="2"
>     port="8080"
>     protocol="HTTP/1.1"
>     redirectPort="8443"
>     scheme="http"
>     secure="false"/>
>
> <Connector
>     SSLEnabled="true"
>     maxThreads="20"
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
>     scheme="https"
>     secure="true">
>   <SSLHostConfig
>       name="_default_"
>       clientAuth="false"
>       sslProtocol="TLS"
>       protocols="TLSv1.2"
>       sessionCacheSize="5"
>       sessionTimeout="960">
>     <Certificate
>         certificateKeyAlias="dmb-kenneth"
>         certificateKeystoreFile="conf/localhost-rsa.jks"
>         certificateKeystorePassword="=NR5^vtuW_/?"
>         certificateVerification="optionalNoCA"
>         type="RSA"/>
>   </SSLHostConfig>
> </Connector>
>
> Thanks
> Ken
>
> -----Original Message-----
> From: Coty Sutherland [mailto:csuth...@apache.org]
> Sent: Monday, January 22, 2018 2:24 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Can't Get SSL to Work in 8.5
>
> On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor
> <kenneth.tay...@dataexpress.com> wrote:
>> We are trying to get SSL to work in 8.5 and have been unsuccessful. We
>> followed all the instructions in the Tomcat documentation and what help is
>> available on the net but have been unable to get TC to startup with an SSL
>> Connector configured.
>>
>> Here is our Connector configuration:
>>
>>     scheme="http" redirectPort="8443" secure="false"/>
>>
>> <Connector
>>     SSLEnabled="true"
>>     clientAuth="false"
>>     maxThreads="20"
>>     port="8443"
>>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
>>     scheme="https"
>>     secure="true"
>>     sslProtocol="TLS">
>
> Remove `clientAuth="false"` and `sslProtocol="TLS"` from the Connector
> element and place them inside the SSLHostConfig element below. These two
> attributes are now SSLHostConfig attributes (even though they are allowed in
> the Connector because tomcat translates them to a default SSLHostConfig
> object initialized with those values).
> It's also noteworthy that you're using the default values for clientAuth and
> sslProtocol, so they aren't necessary.
>
>>   <SSLHostConfig
>>       hostName="localhost"
>
> You need an SSLHostConfig that's named _default_ for this to work (which is
> the default name) so remove hostName="localhost" too and this should work :)
>
> I'm going to file a BZ and see if others are interested in catching this NPE
> and doing something more useful with it. I'm also going to file an
> enhancement to remove the requirement to have a _default_ SSLHostConfig, if
> possible.
>
>>       protocols="TLSv1.2"
>>       sessionCacheSize="15"
>>       sessionTimeout="960">
>>     <Certificate
>>         certificateKeyAlias="localhost"
>>         certificateKeystoreFile="conf/localhost-rsa.jks"
>>         certificateKeystorePassword="=NR5^vtuW_/?"
>>         certificateVerification="option
RE: Can't Get SSL to Work in 8.5
Coty,

Thank you very much. That worked. The only thing is it's not redirecting to SSL if you hit the regular URL. Are we missing something?

Thanks
Ken

-----Original Message-----
From: Coty Sutherland [mailto:csuth...@apache.org]
Sent: Monday, January 22, 2018 2:24 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Can't Get SSL to Work in 8.5

On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor <kenneth.tay...@dataexpress.com> wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful. We
> followed all the instructions in the Tomcat documentation and what help is
> available on the net but have been unable to get TC to startup with an SSL
> Connector configured.
>
> Here is our Connector configuration:
>
>     scheme="http" redirectPort="8443" secure="false"/>
>
> <Connector
>     SSLEnabled="true"
>     clientAuth="false"
>     maxThreads="20"
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
>     scheme="https"
>     secure="true"
>     sslProtocol="TLS">

Remove `clientAuth="false"` and `sslProtocol="TLS"` from the Connector element and place them inside the SSLHostConfig element below. These two attributes are now SSLHostConfig attributes (even though they are allowed in the Connector because tomcat translates them to a default SSLHostConfig object initialized with those values).
It's also noteworthy that you're using the default values for clientAuth and sslProtocol, so they aren't necessary.

>   <SSLHostConfig
>       hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work (which is the default name) so remove hostName="localhost" too and this should work :)

I'm going to file a BZ and see if others are interested in catching this NPE and doing something more useful with it. I'm also going to file an enhancement to remove the requirement to have a _default_ SSLHostConfig, if possible.

>       protocols="TLSv1.2"
>       sessionCacheSize="15"
>       sessionTimeout="960">
>     <Certificate
>         certificateKeyAlias="localhost"
>         certificateKeystoreFile="conf/localhost-rsa.jks"
>         certificateKeystorePassword="=NR5^vtuW_/?"
>         certificateVerification="optionalNoCA"
>         type="RSA"/>
>   </SSLHostConfig>
> </Connector>
>
> Here is the error we get:
>
> Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         ... 12 more
> Caused by: java.lang.IllegalArgumentException: java.lang.NullPointerException
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
>         at org.apache.coyote.http11.AbstractHttp
Re: Can't Get SSL to Work in 8.5
On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor <kenneth.tay...@dataexpress.com> wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful. We
> followed all the instructions in the Tomcat documentation and what help is
> available on the net but have been unable to get TC to startup with an SSL
> Connector configured.
>
> Here is our Connector configuration:
>
>     scheme="http" redirectPort="8443" secure="false"/>
>
> <Connector
>     SSLEnabled="true"
>     clientAuth="false"
>     maxThreads="20"
>     port="8443"
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
>     scheme="https"
>     secure="true"
>     sslProtocol="TLS">

Remove `clientAuth="false"` and `sslProtocol="TLS"` from the Connector element and place them inside the SSLHostConfig element below. These two attributes are now SSLHostConfig attributes (even though they are allowed in the Connector because tomcat translates them to a default SSLHostConfig object initialized with those values).
It's also noteworthy that you're using the default values for clientAuth and sslProtocol, so they aren't necessary.

>   <SSLHostConfig
>       hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work (which is the default name) so remove hostName="localhost" too and this should work :)

I'm going to file a BZ and see if others are interested in catching this NPE and doing something more useful with it. I'm also going to file an enhancement to remove the requirement to have a _default_ SSLHostConfig, if possible.

>       protocols="TLSv1.2"
>       sessionCacheSize="15"
>       sessionTimeout="960">
>     <Certificate
>         certificateKeyAlias="localhost"
>         certificateKeystoreFile="conf/localhost-rsa.jks"
>         certificateKeystorePassword="=NR5^vtuW_/?"
>         certificateVerification="optionalNoCA"
>         type="RSA"/>
>   </SSLHostConfig>
> </Connector>
>
> Here is the error we get:
>
> Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>         at java.lang.reflect.Method.invoke(Method.java:498)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
>         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>         ... 12 more
> Caused by: java.lang.IllegalArgumentException: java.lang.NullPointerException
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
>         at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
>         at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
>         at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
>         at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>         at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
>         ... 13 more
> Caused by: java.lang.NullPointerException
>         at java.io.FileInputStream.<init>(FileInputStream.java:130)
>         at java.io.FileInputStream.<init>(FileInputStream.java:93)
>         at java.io.FileReader.<init>(FileReader.java:58)
>         at org.apache.tomcat.util.net.jsse.PEMFile.<init>(PEMFile.java:74)
>         at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:193)
>         at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
>         ... 20 more
>
> We tried all kinds of variations of the configuration. We've run out of
> things to try.
> We are using a JKS keystore created in Java code using the Bouncy Castle API.
> The config files are all in the correct location.
> The keystore has a private key and certificate
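A static pre-restart check for the two mistakes this thread turns on, added here as an example (it is not code from the thread or from Tomcat): it flags SSL connectors that still carry clientAuth/sslProtocol on the Connector or have no _default_ SSLHostConfig, and lists which url-patterns actually carry a CONFIDENTIAL transport guarantee, which is what decides whether redirectPort ever fires. The sample server.xml and web.xml are constructed and the keystore password is a placeholder; element and attribute names are Tomcat's own as used in the thread.

```python
import xml.etree.ElementTree as ET
# Constructed server.xml fragment modelled on the thread's config (password replaced
# by a placeholder); it is not the poster's actual file.
SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" secure="false"/>
  <Connector SSLEnabled="true" port="8443" clientAuth="false" sslProtocol="TLS"
             protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https">
    <SSLHostConfig hostName="localhost" protocols="TLSv1.2">
      <Certificate certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA"
                   certificateKeystorePassword="KEYSTORE_PASSWORD_PLACEHOLDER"/>
    </SSLHostConfig></Connector>
</Service></Server>"""
# Constructed web.xml: a constraint with no <transport-guarantee>, so the 8080
# connector's redirectPort never fires for it.
WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"><security-constraint>
  <web-resource-collection><web-resource-name>Everything</web-resource-name>
    <url-pattern>/*</url-pattern></web-resource-collection>
</security-constraint></web-app>"""
# Still accepted on <Connector> in 8.5, but really SSLHostConfig attributes.
LEGACY_SSL_ATTRS = ("clientAuth", "sslProtocol")

def _local(tag):  # strip a namespace prefix such as {http://...}url-pattern
    return tag.rsplit("}", 1)[-1]

def lint_server_xml(xml_text):
    """Flag the two SSLHostConfig mistakes from the thread on every SSL connector."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        for attr in LEGACY_SSL_ATTRS:
            if attr in conn.attrib:
                findings.append(f"connector {port}: move {attr} into <SSLHostConfig>")
        # hostName defaults to _default_ when the attribute is left out
        names = [h.get("hostName", "_default_") for h in conn.findall("SSLHostConfig")]
        if "_default_" not in names:
            findings.append(f"connector {port}: no _default_ SSLHostConfig, found {names}")
    return findings

def confidential_patterns(xml_text):
    """Return the url-patterns that a CONFIDENTIAL transport guarantee covers."""
    patterns = []
    for sc in ET.fromstring(xml_text).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        guarantees = [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "transport-guarantee"]
        if "CONFIDENTIAL" in guarantees:
            patterns += [(e.text or "").strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
    return patterns
```

An empty result from confidential_patterns on a deployment means no request to the 8080 connector will ever be redirected, whatever redirectPort says.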