subject:"RE\: Can't Get SSL to Work in 8.5"

Re: Can't Get SSL to Work in 8.5

2018-01-23 Thread Coty Sutherland

On Tue, Jan 23, 2018 at 2:16 PM, Kenneth Taylor
<kenneth.tay...@dataexpress.com> wrote:
> Coty,
>
> Thank you very much. That worked.  The only thing is its not redirecting to 
> SSL if you hit the regular URL.  Are we missing something?

Do you have a CONFIDENTIAL transport guarantee defined for the
applications that you want to redirect? The redirectPort doesn't work
exactly like most people think it does (e.g. it doesn't redirect all
traffic to the port), it redirects traffic for applications with a
transport guarantee that requires SSL. From the http configuration doc
(https://tomcat.apache.org/tomcat-8.5-doc/config/http.html) for
redirectPort: "If this Connector is supporting non-SSL requests, and a
request is received for which a matching 
requires SSL transport, Catalina will automatically redirect the
request to the port number specified here."

You can place a confidential transport guarantee in your application's
web.xml such as:


  
CONFIDENTIAL
  


I guess if you wanted to redirect EVERYTHING from 8080 to 8443 you
could add a constraint in the global web.xml:


  
Everything
/*
  
  
CONFIDENTIAL
  


but...I'm not sure if that would play nicely with everything or cause
problems :)

HTH

>  connectionTimeout="2"
> port="8080"
> protocol="HTTP/1.1"
> redirectPort="8443"
> scheme="http"
> secure="false"/>
>
>  SSLEnabled="true"
> maxThreads="20"
> port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
> scheme="https"
> secure="true">
>  name="_default_"
> clientAuth="false"
> sslProtocol="TLS"
> protocols="TLSv1.2"
> sessionCacheSize="5"
> sessionTimeout="960">
>  certificateKeyAlias="dmb-kenneth"
> certificateKeystoreFile="conf/localhost-rsa.jks"
> certificateKeystorePassword="=NR5^vtuW_/?"
> certificateVerification="optionalNoCA"
> type="RSA"/>
> 
> 
>
> Thanks
> Ken
>
> -Original Message-
> From: Coty Sutherland [mailto:csuth...@apache.org]
> Sent: Monday, January 22, 2018 2:24 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: Can't Get SSL to Work in 8.5
>
> On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor 
> <kenneth.tay...@dataexpress.com> wrote:
>> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We 
>> followed all the instructions in the Tomcat documentation and what help is 
>> available on the net but have been unable to get TC to startup with an SSL 
>> Connector configured.
>>
>> Here is our Connector configuration:
>>
>> > scheme="http" redirectPort="8443" secure="false"/>
>>
>> > SSLEnabled="true"
>> clientAuth="false"
>> maxThreads="20"
>> port="8443"
>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
>> scheme="https"
>> secure="true"
>> sslProtocol="TLS">
>
> Remove  `clientAuth="false"` and `sslProtocol="TLS"` from the Connector 
> element and place them inside the SSLHostConfig element below. These two 
> attributes are now SSLHostConfig attributes (even though they are allowed in 
> the Connector because tomcat translates them to a default SSLHostConfig 
> object initialized with those values).
> It's also noteworthy that you're using the default values for clientAuth and 
> sslProtocol, so they aren't necessary.
>
>> > hostName="localhost"
>
> You need an SSLHostConfig that's named _default_ for this to work (which is 
> the default name) so remove hostName="localhost" too and this should work :)
>
> I'm going to file a BZ and see if others are interested in catching this NPE 
> and doing something more useful with it. I'm also going to file an 
> enhancement to remove the requirement to have a _default_ SSLHostConfig, if 
> possible.
>
>> protocols="TLSv1.2"
>> sessionCacheSize="15"
>> sessionTimeout="960">
>>  >  certificateKeyAlias="localhost"
>>  certificateKeystoreFile="conf/localhost-rsa.jks"
>>  certificateKeystorePassword="=NR5^vtuW_/?"
>>  certificateVerification="option

RE: Can't Get SSL to Work in 8.5

2018-01-23 Thread Kenneth Taylor

Coty,

Thank you very much. That worked.  The only thing is its not redirecting to SSL 
if you hit the regular URL.  Are we missing something?









Thanks
Ken

-Original Message-
From: Coty Sutherland [mailto:csuth...@apache.org]
Sent: Monday, January 22, 2018 2:24 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Can't Get SSL to Work in 8.5

On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor 
<kenneth.tay...@dataexpress.com> wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We 
> followed all the instructions in the Tomcat documentation and what help is 
> available on the net but have been unable to get TC to startup with an SSL 
> Connector configured.
>
> Here is our Connector configuration:
>
>  scheme="http" redirectPort="8443" secure="false"/>
>
>  SSLEnabled="true"
> clientAuth="false"
> maxThreads="20"
> port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
> scheme="https"
> secure="true"
> sslProtocol="TLS">

Remove  `clientAuth="false"` and `sslProtocol="TLS"` from the Connector element 
and place them inside the SSLHostConfig element below. These two attributes are 
now SSLHostConfig attributes (even though they are allowed in the Connector 
because tomcat translates them to a default SSLHostConfig object initialized 
with those values).
It's also noteworthy that you're using the default values for clientAuth and 
sslProtocol, so they aren't necessary.

>  hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work (which is the 
default name) so remove hostName="localhost" too and this should work :)

I'm going to file a BZ and see if others are interested in catching this NPE 
and doing something more useful with it. I'm also going to file an enhancement 
to remove the requirement to have a _default_ SSLHostConfig, if possible.

> protocols="TLSv1.2"
> sessionCacheSize="15"
> sessionTimeout="960">
>certificateKeyAlias="localhost"
>  certificateKeystoreFile="conf/localhost-rsa.jks"
>  certificateKeystorePassword="=NR5^vtuW_/?"
>  certificateVerification="optionalNoCA"
>  type="RSA"/>
> 
> 
>
> Here is the error we get:
>
> Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService
> initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]] at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> at
> org.apache.catalina.core.StandardService.initInternal(StandardService.
> java:549) at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.ja
> va:875) at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.j
> ava:62) at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccess
> orImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler
> initialization failed at
> org.apache.catalina.connector.Connector.initInternal(Connector.java:99
> 9) at
> org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> ... 12 more
> Caused by: java.lang.IllegalArgumentException:
> java.lang.NullPointerException at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(Abstr
> actJsseEndpoint.java:114) at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(Abstract
> JsseEndpoint.java:85) at
> org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
> at
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java
> :970) at
> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpo
> int.java:244) at
> org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
> at
> org.apache.coyote.http11.AbstractHttp

Re: Can't Get SSL to Work in 8.5

2018-01-22 Thread Coty Sutherland

On Mon, Jan 22, 2018 at 2:23 PM, Kenneth Taylor
 wrote:
> We are trying to get SSL to work in 8.5 and have been unsuccessful.  We 
> followed all the instructions in the Tomcat documentation and what help is 
> available on the net but have been unable to get TC to startup with an SSL 
> Connector configured.
>
> Here is our Connector configuration:
>
>  scheme="http" redirectPort="8443" secure="false"/>
>
>  SSLEnabled="true"
> clientAuth="false"
> maxThreads="20"
> port="8443"
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> sslImplementation="org.apache.tomcat.util.net.jsse.JSSEImplemntation"
> scheme="https"
> secure="true"
> sslProtocol="TLS">

Remove  `clientAuth="false"` and `sslProtocol="TLS"` from the
Connector element and place them inside the SSLHostConfig element
below. These two attributes are now SSLHostConfig attributes (even
though they are allowed in the Connector because tomcat translates
them to a default SSLHostConfig object initialized with those values).
It's also noteworthy that you're using the default values for
clientAuth and sslProtocol, so they aren't necessary.

>  hostName="localhost"

You need an SSLHostConfig that's named _default_ for this to work
(which is the default name) so remove hostName="localhost" too and
this should work :)

I'm going to file a BZ and see if others are interested in catching
this NPE and doing something more useful with it. I'm also going to
file an enhancement to remove the requirement to have a _default_
SSLHostConfig, if possible.

> protocols="TLSv1.2"
> sessionCacheSize="15"
> sessionTimeout="960">
>certificateKeyAlias="localhost"
>  certificateKeystoreFile="conf/localhost-rsa.jks"
>  certificateKeystorePassword="=NR5^vtuW_/?"
>  certificateVerification="optionalNoCA"
>  type="RSA"/>
> 
> 
>
> Here is the error we get:
>
> Jan 19, 2018 2:24:07 PM org.apache.catalina.core.StandardService initInternal
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component 
> [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:875)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:607)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:630)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at 
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at 
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler 
> initialization failed
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:999)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> ... 12 more
> Caused by: java.lang.IllegalArgumentException: java.lang.NullPointerException
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:114)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:85)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:225)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:970)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.init(AbstractJsseEndpoint.java:244)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:613)
> at 
> org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:997)
> ... 13 more
> Caused by: java.lang.NullPointerException
> at java.io.FileInputStream.(FileInputStream.java:130)
> at java.io.FileInputStream.(FileInputStream.java:93)
> at java.io.FileReader.(FileReader.java:58)
> at org.apache.tomcat.util.net.jsse.PEMFile.(PEMFile.java:74)
> at org.apache.tomcat.util.net.jsse.JSSEUtil.getKeyManagers(JSSEUtil.java:193)
> at 
> org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:112)
> ... 20 more
>
> We tried all kinds of variations of the configuration. We've run out of 
> things to try.
> We are using a JKS keystore created in Java code using the Bouncy Castle API. 
>  The config files are all in the correct location.
> The keystore has a private key and certificate

Re: Can't Get SSL to Work in 8.5

RE: Can't Get SSL to Work in 8.5

Re: Can't Get SSL to Work in 8.5

3 matches

Site Navigation

Mail list logo

Footer information