Re: SSL certificate makes site dont work
Carles,

On 9/22/20 08:57, Carles Franquesa wrote:
> Trying to install an SSL certificate on 8.5.57.
>
> Once created the cert files, and with a jks available, and set in a
> connector into server.xml file, cannot connect to the page.
>
> The connector's code is
>
> '''
> protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150"
> SSLEnabled="true"
> scheme="https"
> secure="true"
> clientAuth="false"
> sslProtocol="TLS"
> keystoreFile="/opt/tomcat/certificat/app.aprenonline.eu.jks"
> keystoreType="JKS" keystorePass="***"/>
> '''
>
> When trying to connect from the browser, the status bar says "trying to
> make a secure connection..." but it hangs at this point.

What URL is showing in the browser?

Are there any errors or warnings during startup in the log files?

-chris

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: SSL Certificate Renewal
Nitin,

On 6/18/19 13:50, Nitin Kadam wrote:
> Hello,
>
> I want to renew current SSL certificate So I am confused. Do I need
> to recreate keystore and csr for new certificate.
>
> If I have to create new keystore, how I can create same on existing
> running setup.

You do not need to create a new key, but it would be a good idea to create a new one, just in case your old key has been compromised. It's really not that complicated to create a new key.

Keep your old keystore with no changes. Create a new keystore with a new key and new certificate. Get the cert signed by a CA and import the signed cert back into your keystore, along with any of the CA's intermediate certificates that may be necessary.

This process has been documented many, many times on the web.

-chris

> On Thu, Jun 13, 2019, 12:11 PM Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> wrote:
>> Nitin,
>>
>> On 13.6.2019. 07.37, Nitin Kadam wrote:
>>> I have apache tomcat server running with publicly signed SSL
>>> certificate configured in server.xml, the same certificate is
>>> expiring in next week, I need steps to renew the same.
>>> *Server OS: Windows 2012 R2* *Apache Tomcat/8.5.38*
>>>
>>> 1. How to generate new CSR with new key alias
>>> 2. How to import the new cert & intermediate certificate chain in .jks format
>>> 3. what about keystore & current key alias
>>>
>>> kindly guide me, as I will be performing same first time.
>>
>> You can find instructions here:
>>
>> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>>
>> Regards,
>> Ognjen
Re: SSL Certificate Renewal
Hello,

I want to renew current SSL certificate So I am confused. Do I need to recreate keystore and csr for new certificate.

If I have to create new keystore, how I can create same on existing running setup.

On Thu, Jun 13, 2019, 12:11 PM Ognjen Blagojevic <ognjen.d.blagoje...@gmail.com> wrote:
> Nitin,
>
> On 13.6.2019. 07.37, Nitin Kadam wrote:
> > I have apache tomcat server running with publicly signed SSL certificate
> > configured in server.xml, the same certificate is expiring in next week, I
> > need steps to renew the same.
> > *Server OS: Windows 2012 R2*
> > *Apache Tomcat/8.5.38*
> >
> > 1. How to generate new CSR with new key alias
> > 2. How to import the new cert & intermediate certificate chain in .jks format
> > 3. what about keystore & current key alias
> >
> > kindly guide me, as I will be performing same first time.
>
> You can find instructions here:
>
> http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority
>
> Regards,
> Ognjen
Re: SSL Certificate Renewal
Nitin,

On 13.6.2019. 07.37, Nitin Kadam wrote:
> I have apache tomcat server running with publicly signed SSL certificate configured in server.xml, the same certificate is expiring in next week, I need steps to renew the same.
> *Server OS: Windows 2012 R2*
> *Apache Tomcat/8.5.38*
>
> 1. How to generate new CSR with new key alias
> 2. How to import the new cert & intermediate certificate chain in .jks format
> 3. what about keystore & current key alias
>
> kindly guide me, as I will be performing same first time.

You can find the instructions here:

http://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Installing_a_Certificate_from_a_Certificate_Authority

Regards,
Ognjen
Re: SSL certificate error in Tomcat 9
On 12/06/2019 15:45, Support wrote:
> Hi Sir,
> I am using tomcat 9 for my application.
>
> I got an error with the .keystore file for SSL certificate
>
> this is my code, is this still valid in tomcat 9?
>
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> keystoreFile="/home/myapp/.keystore" keystorePass="Password"
> sslEnabledProtocols="TLSv1.2"
> />

No. Your protocol value is not valid. The BIO connector has been removed. You probably want NIO.

See:
http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#Common_Attributes

Search for protocol.

Mark

> Logs:
>
> 12-Jun-2019 14:19:03.973 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxThreads' to '150' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLEnabled' to 'true' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'false' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslProtocol' to 'TLS' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystoreFile' to '/home/myPP/.keystore' did not find a matching property.
> 12-Jun-2019 14:19:03.973 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystorePass' to 'PASSWORD' did not find a matching property.
> 12-Jun-2019 14:19:03.974 WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'sslEnabledProtocols' to 'TLSv1.2' did not find a matching property.
>
> Regards,
> Sandeep Raghav
>
> Customer Support Engineer
> supp...@xcaptor.com
> Captivate. Engage.
Re: SSL Certificate Help
On 07/11/12 21:13, Alissa Schneider wrote:
> Hi - I'm a novice Tomcat user. I've only used the tool to support BusinessObjects. I recently was asked to set up SSL for the first time. Initially I created my own self-signed certificate and was able to get everything working fine, although I would get the 'certificate warning' error message when going to https://localhost:8443, but this was expected. Then my IT admin gave me a CA-signed certificate to use instead so we wouldn't get that warning.
>
> The problem I am having is that Tomcat still seems to be reading my old self-signed certificate instead of being pointed to the CA-signed certificate.
>
> Here are my environment specifics:
> * Windows 2008 R2 64-bit
> * Tomcat 6.0.24
> * IE 8
>
> Here are the steps I have taken thus far:
> * I deleted my original keystore that held my self-signed certificate.
> * I deleted the self-signed certificate.
> * I recreated the keystore.

Which will have generated a NEW public/private key pair.

> * I imported the CA-signed certificate.

But when did you generate the certificate request for this certificate? Does it contain the SAME public key as in your new keystore?

> * I have an index.txt file that I deleted all the contents from so it is empty.
> * The server.xml file reflects the current keystore/pw information and the SSL lines have been uncommented.
>
> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.
>
> I appreciate any help!
Re: SSL Certificate Help
Alissa,

On 7.11.2012 22:13, Alissa Schneider wrote:
> Here are the steps I have taken thus far:
> * I deleted my original keystore that held my self-signed certificate.
> * I deleted the self-signed certificate.
> * I recreated the keystore.
> * I imported the CA-signed certificate.
> * I have an index.txt file that I deleted all the contents from so it is empty.
> * The server.xml file reflects the current keystore/pw information and the SSL lines have been uncommented.
>
> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Are you sure that the warning is the same? Perhaps the first warning was about the certificate not being signed by a CA, and the second warning is about something else?

Every (CA-signed or self-signed) certificate is issued for a specific hostname. If the certificate hostname does not match the hostname from the browser URL, the browser will issue a warning. Maybe that is the case here.

If your CA-signed certificate is bound to a hostname other than localhost and you access your Tomcat server using the browser URL https://localhost:8443, then the browser will issue a warning. I believe not a single CA would sign a certificate for the loopback interface hostname localhost, only for an FQDN like server.example.com. Therefore, you should access your server using the FQDN which your certificate is issued for.

-Ognjen
Re: SSL Certificate Help
Brian,

On 11/8/12 4:39 AM, Brian Burch wrote:
> On 07/11/12 21:13, Alissa Schneider wrote:
>> * I recreated the keystore.
>
> Which will have generated a NEW public/private key pair.

+1

>> * I imported the CA-signed certificate.
>
> But when did you generate the certificate request for this certificate? Does it contain the SAME public key as in your new keystore?

Probably not.

My guess is that the keystore in question isn't the one being used by Tomcat.

Alissa: please post your Connector configuration plus the path of the keystore file you have been re-working.

-chris
Re: SSL Certificate Help
Alissa Schneider wrote:
> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Did you restart Tomcat?

-- JHHL
RE: SSL Certificate Help
Yes, I have...many, many times. But good question!

-----Original Message-----
From: James Lampert [mailto:jam...@touchtonecorp.com]
Sent: Wednesday, November 07, 2012 3:28 PM
To: Tomcat Users List
Subject: Re: SSL Certificate Help

Alissa Schneider wrote:
> Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.

Did you restart Tomcat?

-- JHHL
Re: SSL Certificate Help
On Thu, Nov 8, 2012 at 8:32 AM, Alissa Schneider <aschnei...@sensecorp.com> wrote:
> Yes, I have...many, many times. But good question!
>
> -----Original Message-----
> From: James Lampert [mailto:jam...@touchtonecorp.com]
> Sent: Wednesday, November 07, 2012 3:28 PM
> To: Tomcat Users List
> Subject: Re: SSL Certificate Help
>
> Alissa Schneider wrote:
> > Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.
>
> Did you restart Tomcat?
>
> -- JHHL

Sounds like your browser is still caching your old one. If Firefox then go to Tools -> Options -> Advanced -> View Certificates button and delete the certificate(s) for the localhost.
RE: SSL Certificate Help
I'm using IE 8. I went into Tools > Options > Content and there is a Certificates section. I clicked on Certificates and in the Trusted Root Certification Authorities tab, I saw my deleted certificate. So, I went ahead and clicked 'Remove' and 'Close'. Then on the Content tab again, I clicked 'Clear SSL state'. I then restarted Tomcat. When I navigated to http://localhost:8443, I again receive the Certificate Error warning and when I click 'View Certificate', my deleted certificate is still being used. Where is it coming from?!

I've also looked at the certificates in the Microsoft Management Console (MMC) and have added the snap-in for all certificates (My user account, Service account, Computer account). In none of the directories do I see my deleted certificate.

I appreciate any ideas anyone has - thank you!

-----Original Message-----
From: Igor Cicimov [mailto:icici...@gmail.com]
Sent: Wednesday, November 07, 2012 4:37 PM
To: Tomcat Users List
Subject: Re: SSL Certificate Help

Sounds like your browser is still caching your old one. If Firefox then go to Tools -> Options -> Advanced -> View Certificates button and delete the certificate(s) for the localhost.

On Thu, Nov 8, 2012 at 8:32 AM, Alissa Schneider <aschnei...@sensecorp.com> wrote:
> Yes, I have...many, many times. But good question!
>
> -----Original Message-----
> From: James Lampert [mailto:jam...@touchtonecorp.com]
> Sent: Wednesday, November 07, 2012 3:28 PM
> To: Tomcat Users List
> Subject: Re: SSL Certificate Help
>
> Alissa Schneider wrote:
> > Still, when I visit https://localhost:8443, the browser throws a certificate warning. When I click on the certificate warning and view certificate, it displays information on my self-signed certificate (that I've deleted). I think if I could figure out how to make Tomcat point to the CA certificate instead of the old one, this would work for me. However, I'm not sure how to clear the Tomcat cache so to speak.
>
> Did you restart Tomcat?
>
> -- JHHL
Re: SSL Certificate Update Not Reflected on the Website
On 9 Jan 2012, at 10:20, Conway Liu <c...@xtra.co.nz> wrote:
> Hi,
>
> We used to use Thawte for our SSL certificate. Today I installed a new SSL certificate issued by VeriSign and there were no errors. The primary and secondary intermediate CAs both imported into the keystore file properly, and then the SSL issued by VeriSign imported as well. I updated the server.xml to indicate the new keystore file with the keystore password. Started Tomcat, checked the log files and there were no errors. But when I browse to the website, it is still saying the SSL has expired and it's showing the one issued by Thawte.
>
> I tried to put an incorrect keystore password in server.xml and Tomcat did generate errors in the log file, which means Tomcat is looking at the correct keystore file. We have also tried to reboot the server in case the old SSL was cached somewhere but that didn't help.
>
> Does anyone have any suggestion where might be wrong?

Which browser are you using? Some cache certs and don't reflect the change immediately.

Have you tried with a command line tool?

p

> Thank you very much
>
> Conway
RE: SSL Certificate Update Not Reflected on the Website
Hi Pid,

I tried different browsers, and tried different computers. What command line tool are you talking about?

Thanks
Conway

-----Original Message-----
From: Pid * [mailto:p...@pidster.com]
Sent: Monday, 9 January 2012 11:37 p.m.
To: Tomcat Users List
Subject: Re: SSL Certificate Update Not Reflected on the Website

On 9 Jan 2012, at 10:20, Conway Liu <c...@xtra.co.nz> wrote:
> Hi,
>
> We used to use Thawte for our SSL certificate. Today I installed a new SSL certificate issued by VeriSign and there were no errors. The primary and secondary intermediate CAs both imported into the keystore file properly, and then the SSL issued by VeriSign imported as well. I updated the server.xml to indicate the new keystore file with the keystore password. Started Tomcat, checked the log files and there were no errors. But when I browse to the website, it is still saying the SSL has expired and it's showing the one issued by Thawte.
>
> I tried to put an incorrect keystore password in server.xml and Tomcat did generate errors in the log file, which means Tomcat is looking at the correct keystore file. We have also tried to reboot the server in case the old SSL was cached somewhere but that didn't help.
>
> Does anyone have any suggestion where might be wrong?

Which browser are you using? Some cache certs and don't reflect the change immediately.

Have you tried with a command line tool?

p

> Thank you very much
>
> Conway
Re: SSL Certificate Update Not Reflected on the Website
Conway,

On 9.1.2012 11:19, Conway Liu wrote:
> Does anyone have any suggestion where might be wrong?

Do you have anything between your browser and Tomcat? Apache HTTPd, perhaps, or some kind of load balancer with SSL termination?

-Ognjen
Re: SSL Certificate Update Not Reflected on the Website
On 09/01/2012 10:44, Conway Liu wrote:
> Hi Pid,
>
> I tried different browsers, and tried different computers. What command line tool are you talking about?

Something like: curl or openssl

p

> Thanks
> Conway
>
> -----Original Message-----
> From: Pid * [mailto:p...@pidster.com]
> Sent: Monday, 9 January 2012 11:37 p.m.
> To: Tomcat Users List
> Subject: Re: SSL Certificate Update Not Reflected on the Website
>
> On 9 Jan 2012, at 10:20, Conway Liu <c...@xtra.co.nz> wrote:
> > Hi,
> >
> > We used to use Thawte for our SSL certificate. Today I installed a new SSL certificate issued by VeriSign and there were no errors. The primary and secondary intermediate CAs both imported into the keystore file properly, and then the SSL issued by VeriSign imported as well. I updated the server.xml to indicate the new keystore file with the keystore password. Started Tomcat, checked the log files and there were no errors. But when I browse to the website, it is still saying the SSL has expired and it's showing the one issued by Thawte.
> >
> > I tried to put an incorrect keystore password in server.xml and Tomcat did generate errors in the log file, which means Tomcat is looking at the correct keystore file. We have also tried to reboot the server in case the old SSL was cached somewhere but that didn't help.
> >
> > Does anyone have any suggestion where might be wrong?
>
> Which browser are you using? Some cache certs and don't reflect the change immediately.
>
> Have you tried with a command line tool?
>
> p
>
> > Thank you very much
> >
> > Conway

--
[key:62590808]
RE: SSL Certificate Update Not Reflected on the Website
Thanks Pid.

The problem was actually that the network admin had to also update the proxy server. If only he responded quicker to my emails and calls...

Regards
Conway

-----Original Message-----
From: Pid [mailto:p...@pidster.com]
Sent: Tuesday, 10 January 2012 8:36 a.m.
To: Tomcat Users List
Subject: Re: SSL Certificate Update Not Reflected on the Website

On 09/01/2012 10:44, Conway Liu wrote:
> Hi Pid,
>
> I tried different browsers, and tried different computers. What command line tool are you talking about?

Something like: curl or openssl

p

> Thanks
> Conway
>
> -----Original Message-----
> From: Pid * [mailto:p...@pidster.com]
> Sent: Monday, 9 January 2012 11:37 p.m.
> To: Tomcat Users List
> Subject: Re: SSL Certificate Update Not Reflected on the Website
>
> On 9 Jan 2012, at 10:20, Conway Liu <c...@xtra.co.nz> wrote:
> > Hi,
> >
> > We used to use Thawte for our SSL certificate. Today I installed a new SSL certificate issued by VeriSign and there were no errors. The primary and secondary intermediate CAs both imported into the keystore file properly, and then the SSL issued by VeriSign imported as well. I updated the server.xml to indicate the new keystore file with the keystore password. Started Tomcat, checked the log files and there were no errors. But when I browse to the website, it is still saying the SSL has expired and it's showing the one issued by Thawte.
> >
> > I tried to put an incorrect keystore password in server.xml and Tomcat did generate errors in the log file, which means Tomcat is looking at the correct keystore file. We have also tried to reboot the server in case the old SSL was cached somewhere but that didn't help.
> >
> > Does anyone have any suggestion where might be wrong?
>
> Which browser are you using? Some cache certs and don't reflect the change immediately.
>
> Have you tried with a command line tool?
>
> p
>
> > Thank you very much
> >
> > Conway

--
[key:62590808]
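Both this thread and the "SSL Certificate Help" thread above end at the same question: is the certificate on the wire the one in the keystore, or is something in front of Tomcat (a browser cache, a proxy, a load balancer terminating TLS) still serving the old one? Pid's suggestion of a command-line check with curl or openssl can be scripted so that it is repeatable. The following is an added example, my own code rather than anything from either thread or from Tomcat: it connects to a host with SNI, fingerprints the leaf certificate the server actually sends in the form `keytool -list -v` prints, and compares that with the expected fingerprint. The host name, port and the sample PEM block are constructed for illustration; the sample is the base64 of three bytes, not a real certificate.

```python
"""Is the certificate on the wire the one in the keystore?

Added example (not from the mailing-list threads, not part of Tomcat).
Compares the SHA-256 fingerprint of the leaf certificate a TLS endpoint
serves with the fingerprint `keytool -list -v -keystore app.jks` prints
for the key entry, or with a PEM exported via `keytool -exportcert -rfc`.
"""
import base64
import hashlib
import re
import socket
import ssl
import sys

_CERT_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

# Constructed stand-in for a PEM file: the body is base64 of the bytes b"abc",
# not a real certificate.  Fingerprinting only needs the raw DER bytes.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    match = _CERT_BLOCK.search(pem)
    if match is None:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(match.group(1).split()))


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated upper-case SHA-256 fingerprint, the form keytool prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def same_certificate(fp_a: str, fp_b: str) -> bool:
    """Compare fingerprints regardless of case or separators; keytool and
    openssl print them differently."""
    def norm(s: str) -> str:
        return re.sub(r"[^0-9A-F]", "", s.upper())
    return norm(fp_a) == norm(fp_b)


def file_fingerprint(path: str) -> str:
    """Fingerprint a PEM file, e.g. the output of
    keytool -exportcert -rfc -alias tomcat -keystore app.jks -file tomcat.pem"""
    with open(path, encoding="ascii") as fh:
        return sha256_fingerprint(pem_to_der(fh.read()))


def served_fingerprint(host: str, port: int = 8443, timeout: float = 5.0) -> str:
    """Fetch the leaf certificate the endpoint serves for this SNI name and
    fingerprint it.  Verification is switched off on purpose: the question is
    what is served, not whether it is trusted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return sha256_fingerprint(der)


if __name__ == "__main__":
    # usage: python check_cert.py HOST PORT EXPECTED_FINGERPRINT
    host, port, expected = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    served = served_fingerprint(host, port)
    print("served  :", served)
    print("expected:", expected)
    if same_certificate(served, expected):
        print("OK: the endpoint serves the certificate from your keystore")
    else:
        print("MISMATCH: something else (old keystore, proxy, load balancer, "
              "another virtual host) is answering on this port")
```

Run it twice: once from the Tomcat machine against the connector port directly, once from outside against the public name. If the direct check matches and the public one does not, the thing holding the old certificate is whatever sits in front, which is exactly what Conway found with the proxy. If neither matches, check `keytool -list -v` for the alias: a CA-signed certificate imported under an alias that does not already hold the key pair lands as a trustedCertEntry instead of replacing the certificate on the PrivateKeyEntry, and the connector keeps serving the old self-signed one.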
RE: SSL Certificate formats, requirements for import into existing keystore
Thanks, Felix. Yesterday after the holiday weekend we downloaded the certificates (which were pfx) and I used openssl to convert them and keytool to import them. All seems to work ok now.

-----Original Message-----
From: Felix Schumacher [mailto:felix.schumac...@internetallee.de]
Sent: Thursday, July 07, 2011 1:46 AM
To: Tomcat Users List; users@tomcat.apache.org
Subject: Re: SSL Certificate formats, requirements for import into existing keystore

Peterson, Tommy <tommy.peter...@xpandcorp.com> schrieb:
> I have a keystore for an application that runs on Tomcat. People here introduced a load balancer (LB) into the mix for this same application and therefore I have to use keytool to import the LB's certificate into the existing keystore. However, the key and the cert are in one file. According to the docs this is not an issue (you can even concatenate them the docs say). So I just ran the keytool command and I continually get an error message:
>
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> The IT support folks said that this is the cert that was given to them by the hosting company and that it can be installed successfully on Apache. There is some junk (bag attributes) in the file that I don't understand. I am used to just seeing
>
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
>
> Any suggestions? Thanks.
>
> _
> This message contains Devin Group confidential information and is intended only for the individual named. If you are not the named addressee you should not disseminate, distribute or copy this e-mail. Please notify the sender immediately by e-mail if you have received this e-mail in error and delete this e-mail from your system. E-mail transmissions cannot be guaranteed secure, error-free and information could be intercepted, corrupted, lost, destroyed, arrive late, incomplete, or contain viruses. The sender therefore does not accept liability for errors or omissions in the contents of this message which may arise as result of transmission. If verification is required please request hard-copy version.

Hi Tommy,

Your file could be a pkcs12 file. Have you tried to use keytool -importkeystore ...? Keytool -help should give you the needed parameters. You need a recent java6 version for this to work.

Regards
Felix
Re: SSL Certificate formats, requirements for import into existing keystore
> There is some junk (bag attributes) in the file that I don't understand. I am used to just seeing
>
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----

As far as I know, keytool can only import certificates in PKCS8 format. The junk you mentioned may indicate the key is in SSLeay format. You can use OpenSSL to convert from one format to another.

That said, I'm not aware of _any_ method to import a keypair into a keystore using keytool; the private key is inaccessible (with respect to import and export) by design. You should probably determine whether you actually need the private key before proceeding. Sounds like you're doing SSL offloading, but that shouldn't necessarily require using the same keypair on both the LB and endpoint.

M
Re: SSL Certificate formats, requirements for import into existing keystore
Hi Marvin,

Marvin Addison <marvin.addi...@gmail.com> schrieb:
>> There is some junk (bag attributes) in the file that I don't understand. I am used to just seeing
>>
>> -----BEGIN CERTIFICATE-----
>> -----END CERTIFICATE-----
>> -----BEGIN RSA PRIVATE KEY-----
>> -----END RSA PRIVATE KEY-----
>
> As far as I know, keytool can only import certificates in PKCS8 format. The junk you mentioned may indicate the key is in SSLeay format. You can use OpenSSL to convert from one format to another.
>
> That said, I'm not aware of _any_ method to import a keypair into a keystore using keytool; the private key is inaccessible (with respect to import and export) by design.

I think that restriction is gone. At least my sun jdk 6u12 keytool can import complete pkcs12 files into my Java keystores without a problem. Export works, too. And u12 is really old now.

Regards
Felix

> You should probably determine whether you actually need the private key before proceeding. Sounds like you're doing SSL offloading, but that shouldn't necessarily require using the same keypair on both the LB and endpoint.
>
> M
Re: SSL Certificate formats, requirements for import into existing keystore
Peterson, Tommy <tommy.peter...@xpandcorp.com> schrieb:
> I have a keystore for an application that runs on Tomcat. People here introduced a load balancer (LB) into the mix for this same application and therefore I have to use keytool to import the LB's certificate into the existing keystore. However, the key and the cert are in one file. According to the docs this is not an issue (you can even concatenate them the docs say). So I just ran the keytool command and I continually get an error message:
>
> keytool error: java.lang.Exception: Input not an X.509 certificate
>
> The IT support folks said that this is the cert that was given to them by the hosting company and that it can be installed successfully on Apache. There is some junk (bag attributes) in the file that I don't understand. I am used to just seeing
>
> -----BEGIN CERTIFICATE-----
> -----END CERTIFICATE-----
> -----BEGIN RSA PRIVATE KEY-----
> -----END RSA PRIVATE KEY-----
>
> Any suggestions? Thanks.

Hi Tommy,

Your file could be a pkcs12 file. Have you tried to use keytool -importkeystore ...? Keytool -help should give you the needed parameters. You need a recent java6 version for this to work.

Regards
Felix
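Tommy's error, "Input not an X.509 certificate", is keytool -importcert reporting that what it read was not a certificate: the hosting company's file was a PKCS#12 bundle (or the PEM that `openssl pkcs12` prints from one, complete with "Bag Attributes" lines and a private key block), and Felix's `keytool -importkeystore -srcstoretype PKCS12` is the command that takes such a bundle. The following added example is my own code, not from the thread and not part of Tomcat or keytool; it sniffs a file the way I would before choosing a keytool command. Both sample inputs are constructed and contain no real key material, and the DER branch is a heuristic on the outer ASN.1 header only: a PKCS#12 PFX opens with INTEGER version 3, an X.509 certificate with the tbsCertificate SEQUENCE, and PKCS#8 or RSAPrivateKey with INTEGER version 0.

```python
"""What did the hosting company actually send?  Classify a file before
choosing a keytool command.

Added example, not from the mailing-list thread and not part of Tomcat or
keytool.  Sample inputs are constructed and contain no real key material.
"""
import re
from dataclasses import dataclass, field
from typing import List

_PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----.*?-----END \1-----", re.S)


@dataclass
class Finding:
    container: str                # PEM, PKCS12, DER certificate, DER private key, unknown
    blocks: List[str] = field(default_factory=list)  # PEM labels, in file order
    bag_attributes: bool = False  # the text `openssl pkcs12` prints around blocks
    advice: str = ""              # which keytool/openssl step applies


def _der_content_offset(buf: bytes) -> int:
    """Offset of the first inner element of a DER SEQUENCE (skip tag + length)."""
    length = buf[1]
    return 2 if length < 0x80 else 2 + (length & 0x7F)


def _sniff_der(buf: bytes) -> Finding:
    """Heuristic on the first inner element of the outer SEQUENCE."""
    i = _der_content_offset(buf)
    head = buf[i:i + 3]
    if head == b"\x02\x01\x03":          # PFX ::= SEQUENCE { version INTEGER(3), ... }
        return Finding("PKCS12", advice=(
            "keytool -importkeystore -srcstoretype PKCS12 -srckeystore FILE "
            "-destkeystore tomcat.jks (brings key and chain in as one entry)"))
    if head[:1] == b"\x30":              # Certificate ::= SEQUENCE { tbsCertificate SEQUENCE ... }
        return Finding("DER certificate", advice=(
            "keytool -importcert -alias ALIAS -file FILE -keystore tomcat.jks"))
    if head == b"\x02\x01\x00":          # PrivateKeyInfo / RSAPrivateKey start with version 0
        return Finding("DER private key", advice=(
            "a bare key is not importable; build a PKCS#12 first with "
            "openssl pkcs12 -export -inkey KEY -in CERT -certfile CHAIN"))
    return Finding("unknown", advice="DER, but not a shape keytool accepts")


def classify(data: bytes) -> Finding:
    if len(data) >= 2 and data[:1] == b"\x30":
        return _sniff_der(data)
    text = data.decode("ascii", errors="replace")
    labels = [m.group(1) for m in _PEM_BLOCK.finditer(text)]
    if not labels:
        return Finding("unknown", advice="neither PEM nor DER; check the file")
    found = Finding("PEM", labels, bag_attributes="Bag Attributes" in text)
    if any("PRIVATE KEY" in label for label in labels):
        found.advice = ("PEM with a private key: keytool -importcert reports 'Input "
                        "not an X.509 certificate' on this. Bundle it with "
                        "openssl pkcs12 -export -inkey FILE -in FILE, then "
                        "keytool -importkeystore -srcstoretype PKCS12")
    else:
        found.advice = ("certificates only: keytool -importcert -trustcacerts "
                        "-alias ALIAS -file FILE, CA chain first, then the leaf "
                        "under the key entry's alias")
    return found


# Constructed sample 1: what `openssl pkcs12 -in bundle.pfx -nodes` prints.
SAMPLE_OPENSSL_PEM = b"""Bag Attributes
    localKeyID: 01 02 03 04
subject=/CN=lb.example.test
issuer=/CN=Example Issuing CA
-----BEGIN CERTIFICATE-----
bm90IGEgcmVhbCBjZXJ0aWZpY2F0ZQ==
-----END CERTIFICATE-----
Bag Attributes
    localKeyID: 01 02 03 04
Key Attributes: <No Attributes>
-----BEGIN RSA PRIVATE KEY-----
bm90IGEgcmVhbCBrZXk=
-----END RSA PRIVATE KEY-----
"""

# Constructed sample 2: the opening bytes of a PKCS#12 file
# (SEQUENCE, 2-byte length, INTEGER version 3, then the authSafe SEQUENCE).
SAMPLE_PFX_HEAD = b"\x30\x82\x10\x00\x02\x01\x03\x30\x82\x0f\xf0"

if __name__ == "__main__":
    for name, blob in (("openssl output", SAMPLE_OPENSSL_PEM), ("pfx", SAMPLE_PFX_HEAD)):
        f = classify(blob)
        print(f"{name}: {f.container} {f.blocks} bag_attributes={f.bag_attributes}")
        print("  ->", f.advice)
```

The practical point for the thread: the "Bag Attributes" junk is harmless, it is only openssl's annotation of what it unpacked, but the RSA PRIVATE KEY block next to the certificate is why -importcert refuses the file, and the same key can only reach a JKS by going through -importkeystore.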
Re: SSL Certificate : Unable to configure Tomcat server.xml
> (a) Exists in certificate store 'cacerts' (bad idea btw).

Yes it does exist. But, I took your advice, and created a separate
keystore. Then imported the certificate there.

> (b) Exists with the exact label 'tomcat'

Yes, it does.

From what I have seen so far, the problem does not lie with the SSL
certificate itself. It's with the Tomcat configuration (and that damn
server.xml file).

Richard da Silva

--- On Mon, 10/25/10, Brett Delle Grazie brett.dellegra...@intact-is.com wrote:

> From: Brett Delle Grazie brett.dellegra...@intact-is.com
> Subject: Re: SSL Certificate : Unable to configure Tomcat server.xml
> To: Richard da Silva roman_s...@yahoo.com
> Cc: users@tomcat.apache.org
> Date: Monday, October 25, 2010, 12:33 PM
>
> Hi,
>
> I haven't read the rest of the thread (forgive me for that) so please
> ignore if I'm repeating someone else's advice.
>
> Can you manually confirm (via command line tool 'keytool') that the
> certificate:
> (a) Exists in certificate store 'cacerts' (bad idea btw).
> (b) Exists with the exact label 'tomcat' (might be case sensitive - I
>     don't know).
> (c) Verify your private key is in 'cacerts' (really bad idea btw) - what
>     happens when you upgrade Java? Do yourself a favour and use a
>     separate keystore for private key + certificate.
>
> One other minor detail - I think I remember reading something about only
> using '/' form of slash in Tomcat configs regardless of OS. But can't
> remember where it was (somewhere in Tomcat docs I think).
>
> Regards,
> Brett
RE: SSL Certificate : Unable to configure Tomcat server.xml
Here are my notes on importing a SSL certificate in case that is the
problem. I had a lot of issues and errors when I first tried. (These were
compiled from suggestions on this list.)

Importing SSL certificates

  Root                      AddTrustExternalCARoot.crt
  Intermediate CA           UTNAddTrustServerCA.crt
  Intermediate CA           PositiveSSLCA.crt
  domain/site certificate   yourdomainname.crt

Location of keystore:
  cp .keystore /usr/share/tomcat5/.keystore
Notes: default keystore is .keystore in the CWD

1. Delete default tomcat cert
   keytool -delete -alias tomcat -keystore /path/to/keystore

2. Generate new key
   keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore /path/to/keystore
   Enter keystore password: (default is changeit)
   What is your first and last name? [Unknown]: xx
   What is the name of your organizational unit? [Unknown]: xx
   What is the name of your organization? [Unknown]: xx
   What is the name of your City or Locality? [Unknown]: xx
   What is the name of your State or Province? [Unknown]: xx
   What is the two-letter country code for this unit? [Unknown]: xx
   Is CN=yourserver.com, OU=xx, O=xx, L=xx, ST=xx, C=xx correct? [no]: y
   Enter key password for tomcat (RETURN if same as keystore password):

3. Create CSR
   keytool -certreq -keyalg RSA -alias tomcat -file ssl.csr -keystore /path/to/keystore
   Use this CSR to order the SSL certificate.

4. Import the certificate back into the keystore
   keytool -import -alias tomcat -trustcacerts -file ssl.crt -keystore /path/to/keystore

-----Original Message-----
From: Richard da Silva [mailto:roman_s...@yahoo.com]
Sent: Tuesday, 26 October 2010 5:25 PM
To: brett.dellegra...@intact-is.com
Cc: users@tomcat.apache.org
Subject: Re: SSL Certificate : Unable to configure Tomcat server.xml

> > (a) Exists in certificate store 'cacerts' (bad idea btw).
>
> Yes it does exist. But, I took your advice, and created a separate
> keystore. Then imported the certificate there.
>
> > (b) Exists with the exact label 'tomcat'
>
> Yes, it does.
>
> From what I have seen so far, the problem does not lie with the SSL
> certificate itself. It's with the Tomcat configuration (and that damn
> server.xml file).
>
> Richard da Silva
Re: SSL Certificate : Unable to configure Tomcat server.xml
On Tuesday 26 October 2010 08:24:53 Richard da Silva wrote:
> > (a) Exists in certificate store 'cacerts' (bad idea btw).
>
> Yes it does exist. But, I took your advice, and created a separate
> keystore. Then imported the certificate there.

Did you create a new private key and request a new certificate? You need
*both* private key and certificate in one keystore entry. (AFAIK keytool
can not import and export private keys, so you can't easily get the
existing private key out of cacerts and into the new keystore.)

If you did, show your matching tomcat configuration (full server.xml with
comments stripped) AND unmodified log lines that show the error.

Rainer
RE: SSL Certificate : Unable to configure Tomcat server.xml
Hi Richard,

In your Server_modified.xml up the top you've got AprListener configured
with SSLEngine=on. This means Tomcat expects the APR type of SSL
configuration on a Connector. (See the Tomcat SSL HOWTO for details:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html)

In short - your config is using the wrong SSL type. Either:

(a) Change the connector to use the SSL under APR type; you'll need to
    convert your key, certificate and CA certificates (including
    intermediate ones) to the OpenSSL PEM type.
(b) Or turn off the AprListener's SSLEngine option (simpler).

The APR solution is supposed to be faster since it uses the native SSL
libraries compiled specifically for your system.

Best Regards,
Brett

From: Richard da Silva [mailto:roman_s...@yahoo.com]
Sent: 26 October 2010 09:09
To: Tomcat Users List; Brett Delle Grazie
Cc: darryl.le...@unsw.edu.au
Subject: SSL Certificate : Unable to configure Tomcat server.xml

> Thanks for your response, Darryl
>
> But, the certificate is not the problem. The Tomcat Configuration is the
> issue (server.xml)
>
> Richard da Silva
Re: SSL Certificate : Unable to configure Tomcat server.xml
On 10/26/2010 04:08 AM, Richard da Silva wrote:
> Thanks for your response, Darryl
>
> But, the certificate is not the problem. The Tomcat Configuration is the
> issue (server.xml)
>
> Richard da Silva

Richard,

Are you sure that the certificate isn't also the problem? As Brett has
previously mentioned, the APR is enabled

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

thus you need OpenSSL/mod_ssl style syntax and not the standard JSSE way
of defining a keystore:

  SSLCertificateFile="/usr/local/ssl/server.crt"
  SSLCertificateKeyFile="/usr/local/ssl/server.pem"
  SSLCertificateChainFile="/usr/local/ssl/chain.pem"

Your best bet at this time is to create a key and CSR with OpenSSL.

  openssl req -nodes -newkey rsa:2048 -keyout myserver.key -out server.csr \
    -subj "/C=US/ST=NY/L=NY/O=MyCompany Ltd./OU=IT/CN=mysubdomain.mydomain.com"

Then, send it to your CA to re-key the certificate. After all of that,
modify the SSL connector as per the docs for the APR
[ http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html ] (as per Brett
too).

In your original server.xml file, I do not see an SSL definition, yet the
SSL Engine is on. Are you sure this server is enabled with SSL in the
original configuration?

--Sal
RE: SSL Certificate : Unable to configure Tomcat server.xml
Dear Sal and Brett,

thank you for pointing this out to me. I changed the definition of the
SSLEngine to off. But, still, the error persists.

I am unable to copy the error messages, and paste them here, because, as
I mentioned in my earlier post, there is NO error message. Whenever I try
to start Tomcat, I get this weird scene: lines of text flashing past the
screen at lightning speed! Then my computer hangs, and I have to reboot
it.

As I also mentioned in my first posting, I have performed this entire
procedure before: created a keystore, imported the certificate into the
keystore, and modified the server.xml file. And everything worked
smoothly. Back then, I was using Tomcat 6.0.18. Which is the same version
I am using now.

Basically, I have done everything exactly the same way. So, I do not
understand where this problem is coming from. And, to make matters worse,
there is no error message to tell me what I am doing wrong.

Richard da Silva

--- On Tue, 10/26/10, Brett Delle Grazie brett.dellegra...@intact-is.com wrote:

> From: Brett Delle Grazie brett.dellegra...@intact-is.com
> Subject: RE: SSL Certificate : Unable to configure Tomcat server.xml
> To: Richard da Silva roman_s...@yahoo.com, Tomcat Users List users@tomcat.apache.org
> Cc: darryl.le...@unsw.edu.au
> Date: Tuesday, October 26, 2010, 1:04 PM
>
> Hi Richard,
>
> In your Server_modified.xml up the top you've got AprListener configured
> with SSLEngine=on. This means Tomcat expects the APR type of SSL
> configuration on a Connector. (See the Tomcat SSL HOWTO for details:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html)
>
> In short - your config is using the wrong SSL type. Either:
>
> (a) Change the connector to use the SSL under APR type; you'll need to
>     convert your key, certificate and CA certificates (including
>     intermediate ones) to the OpenSSL PEM type.
> (b) Or turn off the AprListener's SSLEngine option (simpler).
>
> The APR solution is supposed to be faster since it uses the native SSL
> libraries compiled specifically for your system.
>
> Best Regards,
> Brett
RE: SSL Certificate : Unable to configure Tomcat server.xml
Hi Richard,

Comments below,

Regards,
Brett

From: Richard da Silva [mailto:roman_s...@yahoo.com]
Sent: 26 October 2010 13:30
To: Tomcat Users List; Brett Delle Grazie; crypto@gmail.com
Cc: darryl.le...@unsw.edu.au
Subject: RE: SSL Certificate : Unable to configure Tomcat server.xml

> Dear Sal and Brett,
>
> thank you for pointing this out to me. I changed the definition of the
> SSLEngine to off.

Just to confirm you changed from:

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

to:

  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

> But, still, the error persists.
>
> I am unable to copy the error messages, and paste them here, because, as
> I mentioned in my earlier post, there is NO error message. Whenever I try
> to start Tomcat, I get this weird scene: lines of text flashing past the
> screen at lightning speed! Then my computer hangs, and I have to reboot
> it.
>
> As I also mentioned in my first posting, I have performed this entire
> procedure before: created a keystore, imported the certificate into the
> keystore, and modified the server.xml file. And everything worked
> smoothly. Back then, I was using Tomcat 6.0.18. Which is the same version
> I am using now.

Any reason you can't use 6.0.29 (current)?

> Basically, I have done everything exactly the same way. So, I do not
> understand where this problem is coming from.

As explained, I haven't read your previous posts. What OS and JVM are you
using?

> And, to make matters worse, there is no error message to tell me what I
> am doing wrong.

The error messages, if present, should be in the log files.

I think you need to start from scratch. Can you retry with just the
default tomcat applications, i.e. manager, docs and samples (i.e. not your
application) in the webapp directory? Then you can try reconfiguring for
SSL, and test with the 'docs' example application. This way you know you
have a working Tomcat installation that won't be doing anything 'funny'.

Use '/' for your paths as explained previously.

Tomcat should start in roughly ~20 seconds depending upon the speed of
your system. Check the logs for error messages and then look at
installing your application. This way we know Tomcat is working before
trying your application.

> Richard da Silva
Re: SSL Certificate : Unable to configure Tomcat server.xml
Hi,

I haven't read the rest of the thread (forgive me for that) so please
ignore if I'm repeating someone else's advice.

Can you manually confirm (via command line tool 'keytool') that the
certificate:
(a) Exists in certificate store 'cacerts' (bad idea btw).
(b) Exists with the exact label 'tomcat' (might be case sensitive - I
    don't know).
(c) Verify your private key is in 'cacerts' (really bad idea btw) - what
    happens when you upgrade Java? Do yourself a favour and use a separate
    keystore for private key + certificate.

One other minor detail - I think I remember reading something about only
using '/' form of slash in Tomcat configs regardless of OS. But can't
remember where it was (somewhere in Tomcat docs I think).

Regards,
Brett

On Sun, 2010-10-24 at 23:47 -0700, Richard da Silva wrote:
> Hi guys, thanks for your responses.
>
> Nothing seems to work so far. As requested, I am sending the full
> outlines of my Server.xml file. The first file is the original Server.xml
> (I saved a copy of it, naturally). The second file --- server.xml_modified
> is the file which I modified, and the one I am now trying to use in
> Tomcat.
>
> Any helpful tips would be greatly appreciated. Thanks.
>
> Richard da Silva
Re: SSL Certificate : Unable to configure Tomcat server.xml
On 22 Oct 2010, at 13:54, Richard da Silva roman_s...@yahoo.com wrote:
> Hi all,
>
> I've been fighting with a very silly problem all day. I have an instance
> of Sun Identity Manager (IDM) running on a Tomcat server. To be able to
> use some of its Resources features, we have had to create and install SSL
> Certificates.
>
> Using some of the online documentation on the installation of SSL
> Certificates, I was able to successfully copy the Certificate to the
> keystore. (I did not create a new keystore. Instead, I used the default
> keystore which comes with the JAVA kit: cacerts.) Everything seemed to
> work fine, and I got the confirmation message saying: Certificate
> installed in keystore
>
> The final stage involves configuring the Tomcat server.xml file, to be
> able to allow SSL connection, and also to pinpoint the location of the
> Keystore. First, I commented out the Connector Port 8080 details. And
> then, I modified the Connector port 8443 as follows:
>
>   <Connector port="8443" maxHttpHeaderSize="8192"
>              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>              enableLookups="false" disableUploadTimeout="true"
>              acceptCount="100" scheme="https" secure="true"
>              SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
>              keyAlias="tomcat"
>              keystoreFile="C:\Program Files\Java\jdk1.6.0_21\jre\lib\security\cacerts"
>              keypass="my_password"/>

You need to specify that it's an HTTP connector, rather than say an AJP
connector. Check your configuration against the docs.

p

> And, this is where my problems began. For some reason, I cannot get this
> to work.
>
> At first, I was using Tomcat version 6.0.21. I began to get several
> errors in my Tomcat window:
> (a) only one usage allowed for each of the following: port / protocol /
>     maxThreads, etc, etc
> (b) System parameter maxThreads no match found for parameter; System
>     parameter scheme no match found for parameter; System parameter
>     clientAuth no match found for parameter; etc, etc
>
> I began to wonder if, maybe, there was something wrong with the Tomcat
> version (6.0.21). Last year, I had successfully performed a similar
> procedure (installed Certificate, modified Tomcat server.xml file, etc).
> But, that version I used was: 6.0.18. So, I decided to try it. I
> downloaded an older version of Tomcat (6.0.18), and repeated the process
> all over again. This time, there were none of the above-mentioned errors.
> But, I got another error: Alias tomcat not found. So, I removed that line
> - keyAlias="tomcat" - and re-started the server.
>
> This time, something else happened: when I start-up the server, the
> Tomcat window goes haywire. I see phrases and lines of data (output)
> flashing on the screen at the speed of light. And, then, my computer
> hangs. I have to re-boot it, to get it working again.
>
> I'm at a total loss. I have racked my brain for any and all possible
> causes. At first, I thought that, maybe, I ought to have created a whole
> NEW keystore (as it mentions in the online manual). But, since I was able
> to successfully import my certificate into the default cacerts, I figured
> that was not the reason. And, besides, there is obviously something wrong
> with the newer version of Tomcat, because the older version (which I am
> now using), did not give me those earlier errors.
>
> But, I still do not know what I am doing wrong. Any help will be greatly
> appreciated. Thanks.
>
> Richard da Silva
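Pulling together Brett's point about AprLifecycleListener with SSLEngine="on", Sal's APR-style SSLCertificate* attributes, Pid's advice to state the HTTP connector, and the list's advice about cacerts and '/' paths, here is an added example (my own code, not Tomcat's and not from anyone in the thread): a Python linter for the SSL-related parts of a Tomcat 6 server.xml. Both sample configurations are constructed, the first modelled on Richard's connector.

```python
"""Lint the SSL-related parts of a Tomcat 6 server.xml for the mismatches
discussed in this thread.  Added example, not Tomcat's code; both sample
configurations below are constructed."""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
# Attributes that only mean something to the JSSE (keystore) SSL implementation ...
JSSE_ATTRS = ("keystoreFile", "keystorePass", "keystoreType", "keyAlias")
# ... and those that only mean something to the APR/OpenSSL implementation.
APR_ATTRS = ("SSLCertificateFile", "SSLCertificateKeyFile", "SSLCertificateChainFile")


def apr_ssl_engine_on(root) -> bool:
    """True when an AprLifecycleListener with SSLEngine="on" is configured."""
    return any(l.get("className") == APR_LISTENER and l.get("SSLEngine", "").lower() == "on"
               for l in root.iter("Listener"))


def lint_server_xml(xml_text: str) -> list:
    """Return one finding per problem found in the SSLEnabled connectors."""
    root = ET.fromstring(xml_text)
    apr_on = apr_ssl_engine_on(root)
    findings = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        port = c.get("port", "?")
        proto = c.get("protocol")
        jsse = any(a in c.attrib for a in JSSE_ATTRS)
        apr = any(a in c.attrib for a in APR_ATTRS)
        if proto is None:
            findings.append(f"port {port}: no protocol attribute (defaults to HTTP/1.1); "
                            'write protocol="HTTP/1.1" so it is unmistakably an HTTP connector')
        elif proto.startswith("AJP"):
            findings.append(f"port {port}: SSLEnabled on an AJP connector; the AJP connector "
                            "does not terminate TLS, the front-end web server does")
        if apr_on and jsse and not apr:
            findings.append(f'port {port}: AprLifecycleListener has SSLEngine="on" but this '
                            "connector is configured JSSE-style (keystoreFile...); either set "
                            'SSLEngine="off" or switch to SSLCertificateFile/'
                            "SSLCertificateKeyFile/SSLCertificateChainFile PEM files")
        if not apr_on and apr and not jsse:
            findings.append(f"port {port}: APR-style SSLCertificate* attributes but the APR SSL "
                            "engine is not on; JSSE will not use them")
        keystore = c.get("keystoreFile", "")
        if "\\" in keystore:
            findings.append(f"port {port}: keystoreFile uses backslashes; use '/' in Tomcat "
                            "configs regardless of OS")
        if keystore.replace("\\", "/").endswith("/security/cacerts"):
            findings.append(f"port {port}: keystoreFile is the JRE trust store cacerts; keep "
                            "the private key in its own keystore, cacerts is replaced on "
                            "every JRE upgrade")
    return findings


# Constructed: Richard's connector plus the APR listener Brett spotted,
# trimmed to what the linter looks at.  The password is a placeholder.
RICHARD_STYLE = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" maxThreads="150" scheme="https" secure="true"
               SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
               keyAlias="tomcat"
               keystoreFile="C:\Program Files\Java\jdk1.6.0_21\jre\lib\security\cacerts"
               keystorePass="PLACEHOLDER" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
  </Service>
</Server>
"""

# Constructed: the same server with the SSL engine off, an explicit HTTP
# connector, and a dedicated keystore under conf/ referenced with '/'.
FIXED = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" maxThreads="150" scheme="https"
               secure="true" SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
               keyAlias="tomcat" keystoreFile="conf/tomcat.jks" keystorePass="PLACEHOLDER" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for name, cfg in (("richard", RICHARD_STYLE), ("fixed", FIXED)):
        print(name, lint_server_xml(cfg) or ["no findings"])
```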
Re: SSL Certificate : Unable to configure Tomcat server.xml
> You need to specify that it's an HTTP connector, rather than say an AJP connector. Check your configuration against the docs.

Sorry, I don't understand what you said. Specify this where, exactly? And, which docs should I check? I've been over everything, and have found nothing remotely addressing my problem.

Richard da Silva

--- On Fri, 10/22/10, Pid * <p...@pidster.com> wrote:

> From: Pid * <p...@pidster.com>
> Subject: Re: SSL Certificate : Unable to configure Tomcat server.xml
> To: Tomcat Users List <users@tomcat.apache.org>
> Date: Friday, October 22, 2010, 4:04 PM
>
> On 22 Oct 2010, at 13:54, Richard da Silva <roman_s...@yahoo.com> wrote:
>
>> [...]
>
> You need to specify that it's an HTTP connector, rather than say an AJP connector. Check your configuration against the docs.
>
> p
>
>> And, this is where my problems began. For some reason, I cannot get this to work.
>> [...]
Re: SSL Certificate : Unable to configure Tomcat server.xml
On 22/10/2010 14:04, Pid * wrote:
> On 22 Oct 2010, at 13:54, Richard da Silva <roman_s...@yahoo.com> wrote:
>
>> [...]
>
> You need to specify that it's an HTTP connector, rather than say an AJP connector. Check your configuration against the docs.

Actually, I'm talking total nonsense.

Can you please remove the comments from server.xml and paste it, inline, into here?

The docs are here: http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

p

> p
>
>> And, this is where my problems began. For some reason, I cannot get this to work.
>> [...]
Re: SSL Certificate : Unable to configure Tomcat server.xml
I use this in my configuration and it works; I think you are missing the protocol and scheme attributes.

Ciao,
Stefano.

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/tomcat/conf/.keystore"
               keypass="tomcat" />

On Fri, 22/10/2010 at 07.45 -0700, Richard da Silva wrote:
>> You need to specify that it's an HTTP connector, rather than say an AJP connector. Check your configuration against the docs.
>
> Sorry, I don't understand what you said. Specify this where, exactly? And, which docs should I check? I've been over everything, and have found nothing remotely addressing my problem.
>
> Richard da Silva
>
> --- On Fri, 10/22/10, Pid * <p...@pidster.com> wrote:
>
>> From: Pid * <p...@pidster.com>
>> Subject: Re: SSL Certificate : Unable to configure Tomcat server.xml
>> To: Tomcat Users List <users@tomcat.apache.org>
>> Date: Friday, October 22, 2010, 4:04 PM
>>
>> On 22 Oct 2010, at 13:54, Richard da Silva <roman_s...@yahoo.com> wrote:
>>
>>> [...]
RE: SSL Certificate : Unable to configure Tomcat server.xml
> From: Stefano Suzzi [mailto:s.su...@protesa.it]
> Subject: Re: SSL Certificate : Unable to configure Tomcat server.xml
>
> I think you are missing the protocol and scheme attributes.

The OP clearly had the scheme specified, and the protocol defaults to HTTP/1.1. Start again.

 - Chuck
Re: SSL Certificate : Unable to configure Tomcat server.xml
On 22/10/2010 19:02, Caldarale, Charles R wrote:
>> From: Stefano Suzzi [mailto:s.su...@protesa.it]
>> Subject: Re: SSL Certificate : Unable to configure Tomcat server.xml
>>
>> I think you are missing the protocol and scheme attributes.
>
> The OP clearly had the scheme specified, and the protocol defaults to HTTP/1.1. Start again.

Yep. I corrected when I followed up; I wasn't reading it right on my phone.

Need to see the whole of the OP's server.xml, I think.

p

> - Chuck
Re: ssl certificate
Thank you. I look forward to having a tomcat restart command. The stop and restart is considered downtime and requires documentation. I'm hoping it will come in a future release.

Mark Thomas [EMAIL PROTECTED] 8/14/2008 11:17 AM
> Alonzo Wilson wrote:
>> Please explain. How does adding a new connector restart tomcat and activate the new ssl cert?
>
> It doesn't. In 4.1.30 you can use the admin app to add a connector and start it. In 6.0.16 the admin app doesn't exist so JMX is your only option, but this could be tricky, so restarting Tomcat will be a lot simpler.
>
> Mark
>
>> Mark Thomas [EMAIL PROTECTED] 8/12/2008 5:05 PM
>>> Alonzo Wilson wrote:
>>>> 4.1.30 and 6.0.16
>>>
>>> 4.1.30 you should be able to use the admin app to add a new connector. With 6.0.16 you might be able to use JMX. Restarting Tomcat will be far easier.
>>>
>>> Mark
Re: ssl certificate
Alonzo Wilson wrote:
> Thank you. I look forward to having a tomcat restart command. The stop and restart is considered downtime and requires documentation. I'm hoping it will come in a future release.

Sorry, that is very unlikely to ever happen. You can restart a context without dropping connections but you can't restart the server that way. If you need that level of availability, look into a simple httpd Tomcat cluster.

Mark

> Mark Thomas [EMAIL PROTECTED] 8/14/2008 11:17 AM
>> Alonzo Wilson wrote:
>>> Please explain. How does adding a new connector restart tomcat and activate the new ssl cert?
>>
>> It doesn't. In 4.1.30 you can use the admin app to add a connector and start it. In 6.0.16 the admin app doesn't exist so JMX is your only option, but this could be tricky, so restarting Tomcat will be a lot simpler.
>>
>> Mark
>>
>>> Mark Thomas [EMAIL PROTECTED] 8/12/2008 5:05 PM
>>>> Alonzo Wilson wrote:
>>>>> 4.1.30 and 6.0.16
>>>>
>>>> 4.1.30 you should be able to use the admin app to add a new connector. With 6.0.16 you might be able to use JMX. Restarting Tomcat will be far easier.
>>>>
>>>> Mark
Re: ssl certificate
Please explain. How does adding a new connector restart tomcat and activate the new ssl cert?

Mark Thomas [EMAIL PROTECTED] 8/12/2008 5:05 PM
> Alonzo Wilson wrote:
>> 4.1.30 and 6.0.16
>
> 4.1.30 you should be able to use the admin app to add a new connector. With 6.0.16 you might be able to use JMX. Restarting Tomcat will be far easier.
>
> Mark
Re: ssl certificate
Alonzo Wilson wrote:
> Please explain. How does adding a new connector restart tomcat and activate the new ssl cert?

It doesn't. In 4.1.30 you can use the admin app to add a connector and start it. In 6.0.16 the admin app doesn't exist so JMX is your only option, but this could be tricky, so restarting Tomcat will be a lot simpler.

Mark

> Mark Thomas [EMAIL PROTECTED] 8/12/2008 5:05 PM
>> Alonzo Wilson wrote:
>>> 4.1.30 and 6.0.16
>>
>> 4.1.30 you should be able to use the admin app to add a new connector. With 6.0.16 you might be able to use JMX. Restarting Tomcat will be far easier.
>>
>> Mark
Re: ssl certificate
Alonzo Wilson wrote:
> After importing the signed certificate using
>
>     keytool -import -alias tomcat1 -trustcacerts -file tsat.cer -keystore .keystore
>
> is there a way to make the new certificate active besides stopping and starting tomcat?

Tomcat version?

Mark
Re: ssl certificate
4.1.30 and 6.0.16

Mark Thomas [EMAIL PROTECTED] 8/12/2008 3:02 PM
> Alonzo Wilson wrote:
>> After importing the signed certificate using
>>
>>     keytool -import -alias tomcat1 -trustcacerts -file tsat.cer -keystore .keystore
>>
>> is there a way to make the new certificate active besides stopping and starting tomcat?
>
> Tomcat version?
>
> Mark
Re: ssl certificate
Alonzo Wilson wrote:
> 4.1.30 and 6.0.16

4.1.30 you should be able to use the admin app to add a new connector. With 6.0.16 you might be able to use JMX. Restarting Tomcat will be far easier.

Mark
RE: SSL certificate
keyAlias ?

-----Original Message-----
From: Reis, Tom [mailto:[EMAIL PROTECTED]]
Sent: Friday, 30 March 2007 19:01
To: users@tomcat.apache.org
Subject: SSL certificate

> If you have multiple signed certificates (Verisign) in your keystore how does Tomcat know which one to use?
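Both the 2010 thread above (a connector pointed at cacerts with keyAlias="tomcat", then "Alias tomcat not found") and the keyAlias question just above come down to what the JKS file actually contains: keyAlias names one entry, and that entry has to hold a private key, whereas a trust store such as cacerts holds only trusted certificates. The following is an added example, not code from the list or from Tomcat: a minimal Python reader for the JKS v2 format that lists each entry with its type, verifies the store's integrity digest, and then checks a keyAlias against the result. The sample stores, their aliases and the key and certificate bytes are constructed placeholders, and the function names are this example's own.

```python
"""List the entries in a JKS keystore and check a Tomcat keyAlias against them.

Added example, not code from the thread: a minimal reader for the JKS v2 format
(what keytool and the JDK's cacerts use) plus a builder that makes constructed
sample stores so the script runs offline. Key and certificate bytes below are
placeholders, not real DER.
"""
import hashlib
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
PRIVATE_KEY_TAG = 1    # shown by keytool -list as PrivateKeyEntry
TRUSTED_CERT_TAG = 2   # shown by keytool -list as trustedCertEntry
INTEGRITY_SALT = b"Mighty Aphrodite"  # fixed string JavaKeyStore mixes into its digest


def _utf(s: str) -> bytes:
    """Java writeUTF: 2-byte big-endian length prefix, then UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _read_utf(data: bytes, pos: int):
    (n,) = struct.unpack_from(">H", data, pos)
    return data[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n


def _integrity_digest(body: bytes, password: str) -> bytes:
    """SHA-1 over (password as UTF-16BE || salt || keystore body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(INTEGRITY_SALT)
    h.update(body)
    return h.digest()


def build_jks(entries, password: str) -> bytes:
    """Serialise constructed entries into JKS v2 bytes (used only to make samples)."""
    out = struct.pack(">IIi", JKS_MAGIC, JKS_VERSION, len(entries))
    for e in entries:
        if e["kind"] == "key":
            out += struct.pack(">i", PRIVATE_KEY_TAG) + _utf(e["alias"]) + struct.pack(">q", 0)
            out += struct.pack(">i", len(e["key"])) + e["key"]  # encrypted PKCS#8 blob
            out += struct.pack(">i", len(e["certs"]))            # certificate chain length
            for c in e["certs"]:
                out += _utf("X.509") + struct.pack(">i", len(c)) + c
        else:
            out += struct.pack(">i", TRUSTED_CERT_TAG) + _utf(e["alias"]) + struct.pack(">q", 0)
            out += _utf("X.509") + struct.pack(">i", len(e["certs"][0])) + e["certs"][0]
    return out + _integrity_digest(out, password)


def list_jks_entries(data: bytes, password=None):
    """Return [(alias, entry_type, chain_length)]; with a password, verify the digest first."""
    magic, version, count = struct.unpack_from(">IIi", data, 0)
    if magic != JKS_MAGIC or version != JKS_VERSION:
        raise ValueError("not a JKS v2 keystore")
    if password is not None and _integrity_digest(data[:-20], password) != data[-20:]:
        raise ValueError("keystore integrity check failed: wrong password or tampered file")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">i", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                  # creation timestamp (ms), not needed here
        if tag == PRIVATE_KEY_TAG:
            (klen,) = struct.unpack_from(">i", data, pos)
            pos += 4 + klen                       # skip the encrypted private key
            (ncerts,) = struct.unpack_from(">i", data, pos)
            pos += 4
            for _ in range(ncerts):
                _, pos = _read_utf(data, pos)     # certificate type string
                (clen,) = struct.unpack_from(">i", data, pos)
                pos += 4 + clen
            entries.append((alias, "PrivateKeyEntry", ncerts))
        elif tag == TRUSTED_CERT_TAG:
            _, pos = _read_utf(data, pos)
            (clen,) = struct.unpack_from(">i", data, pos)
            pos += 4 + clen
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise ValueError(f"unknown JKS entry tag {tag}")
    return entries


def check_key_alias(entries, key_alias: str) -> str:
    """Say what a connector configured with keyAlias=key_alias would find in the store."""
    kinds = {alias: kind for alias, kind, _ in entries}
    if key_alias not in kinds:
        return f"alias '{key_alias}' not found"
    if kinds[key_alias] != "PrivateKeyEntry":
        return f"alias '{key_alias}' is a {kinds[key_alias]}, not a private key"
    return "ok"


# Constructed samples: a cacerts-style store holding only trusted certificates
# (no private key under any alias) versus a server keystore whose 'tomcat'
# alias holds a private key and a two-certificate chain.
DUMMY_CERT = b"\x30\x03\x02\x01\x01"  # placeholder bytes, not a real certificate
DUMMY_KEY = b"\x30\x00"               # placeholder bytes, not a real key
CACERTS_LIKE = build_jks(
    [{"alias": "sampleca", "kind": "cert", "certs": [DUMMY_CERT]},
     {"alias": "devsite", "kind": "cert", "certs": [DUMMY_CERT]}], "changeit")
SERVER_STORE = build_jks(
    [{"alias": "tomcat", "kind": "key", "key": DUMMY_KEY,
      "certs": [DUMMY_CERT, DUMMY_CERT]}], "my_password")
```

Run against a real file with `list_jks_entries(open(path, "rb").read(), password)`; a store where the configured alias is missing or is a trustedCertEntry cannot serve TLS no matter how the connector is written.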
Re: SSL Certificate
I am not sure of this. But I believe you can install your self-signed certificate on your browser; that way it will trust it next time.

--Luis R.

On 1/11/07, Jim Reynolds [EMAIL PROTECTED] wrote:
> I have configured SSL a while back and created a temporary certificate following the documentation that is under SSL. Not a major problem, but while developing with this, every time I click on a page using Mozilla, I get a popup stating the following:
>
> Unable to verify the identity of devsite as a trusted site.
>
> I would assume this is because I created it, and that it is not a verisign or certified certificate. This is a pain because while doing QA, etc. I am constantly getting this error.
>
> Is there a way to create a certificate that would work in this instance that possibly I could certify, and just use for development QA?
>
> Thanks,
Re: SSL Certificate Beginner Question
David Wall wrote:
> ...if the user accesses your site with http://, the port 80 Connector (or 8080 if testing or using a non-standard port) has a redirectPort element that causes Tomcat to automatically issue a redirect using https://

Are you sure? I thought redirectPort was only useful for redirecting _https_ requests which were sent to the wrong port...

Paul S.
RE: SSL Certificate Beginner Question
> From: Paul Singleton [mailto:[EMAIL PROTECTED]]
> Subject: Re: SSL Certificate Beginner Question
>
> David Wall wrote:
>> ...if the user accesses your site with http://, the port 80 Connector (or 8080 if testing or using a non-standard port) has a redirectPort element that causes Tomcat to automatically issue a redirect using https://
>
> Are you sure? I thought redirectPort was only useful for redirecting _https_ requests which were sent to the wrong port...

Don't know if he's sure or not, but he is correct. If the deployment descriptor has transport-guarantee set to CONFIDENTIAL, Tomcat automatically switches the request to https. See section 12.8 of the servlet spec.

 - Chuck
Re: SSL Certificate Beginner Question
* Bill Barker wrote (30/11/05 05:42):
> "Scott Purcell" [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL.
>>
>> I probably posted a lame request. Let me try again.
>>
>> I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where tomcat is installed on Unix. But that is another OS.
>>
>> I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>
> There are two likely problems, but I don't know which one applies to you.
>
> 1) Since you are using 5.5.12, if you installed the libtcnative.dll with Tomcat, then you need to configure SSL via http://tomcat.apache.org/tomcat-5.5-doc/apr.html. In particular, you need to extract the private-key into an OpenSSL format. Alternatively, you can rename the dll for now, and work on just getting the Java Connector working.
>
> 2) You imported your cert into a different keystore file than the one that you used to generate the CSR. Import the cert into the original one and you will be fine. If you used OpenSSL to generate the CSR, then the easiest is to convert to a pkcs12 keystore as described above. Alternatively, you can try using http://www.comu.de/docs/tomcat_ssl.htm.

3) (Maybe a long shot) Windows XP firewall is blocking the port. Does netstat -ln show anything listening on port 8443? Do the tomcat logs mention port 8443?
Re: SSL Certificate Beginner Question
Did you include a security-constraint element in your web.xml file? Something like this:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>HTTPS for all of these pages of the application.</web-resource-name>
        <url-pattern>/secure/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

[EMAIL PROTECTED] wrote:
> Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL.
>
> I probably posted a lame request. Let me try again.
>
> [...]
>
> Anyway I uncommented this snippet from my Tomcat server.xml file and restarted. But I cannot hit https://localhost:8443 like the read-me states. I have checked all $TOMCAT_HOME/logs and see nothing. It just hangs when trying to call it. I can hit http://localhost and all is happy. But the certificate states it is coming from a certain URL. So I am not sure how that all works.
>
> I hope this may help someone feed me back some relevant information.
>
> Scott
>
> ----- Original Message -----
> From: "Hassan Schroeder" [EMAIL PROTECTED]
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Tuesday, November 29, 2005 9:37 PM
> Subject: Re: SSL Certificate Beginner Question
>
>> Scott Purcell wrote:
>>> How do I configure some of my pages to use https? I do not know where to begin on this?
>>
>> Begin with the Servlet Spec. -- SRV.12 (Security) would be apropos :-)
>>
>> HTH!
>> --
>> Hassan Schroeder - [EMAIL PROTECTED]
>> Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
>>
>> dream. code.
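The redirectPort question in this thread (Paul's doubt, Chuck's answer citing transport-guarantee CONFIDENTIAL and servlet spec 12.8) and the security-constraint posted just above are two halves of one mechanism: the constraint marks which URL patterns need a secure transport, and the plain connector's redirectPort says where to send a request that arrives without one. The following is an added model of that decision, not code from the thread or from Tomcat; its web.xml and connector settings are constructed, it goes one step past the post by also covering an extension pattern, and its url-pattern matcher follows the servlet spec's exact, path-prefix, extension and default forms.

```python
"""Model Tomcat's CONFIDENTIAL transport-guarantee redirect (added example).

Not code from the thread or from Tomcat: it parses a constructed web.xml,
matches a context-relative request path against servlet url-patterns, and
reports whether a request on the plain connector is served or redirected to
the port named by that connector's redirectPort (servlet spec 12.8).
"""
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the security-constraint from the
# thread, plus an extension pattern to show the second matching form.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>HTTPS for all of these pages of the application.</web-resource-name>
      <url-pattern>/secure/*</url-pattern>
      <url-pattern>*.do</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed connector settings: only the attributes this decision depends on.
PLAIN_CONNECTOR = {"port": 8080, "secure": False, "redirectPort": 8443}
SSL_CONNECTOR = {"port": 8443, "secure": True, "redirectPort": 8443}


def confidential_patterns(web_xml: str):
    """Collect url-patterns whose constraint demands CONFIDENTIAL or INTEGRAL transport."""
    root = ET.fromstring(web_xml)
    patterns = []
    for sc in root.findall("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "NONE").strip()
        if guarantee in ("CONFIDENTIAL", "INTEGRAL"):
            patterns += [p.text.strip() for p in sc.findall("web-resource-collection/url-pattern")]
    return patterns


def url_pattern_matches(pattern: str, path: str) -> bool:
    """Servlet url-pattern semantics: exact, path-prefix (/x/*), extension (*.ext), default (/)."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    return path == pattern


def route_request(web_xml: str, connector: dict, host: str, path: str, query: str = ""):
    """Return ("serve", None) or ("redirect", url) for a request that arrived on connector."""
    if connector["secure"]:
        return ("serve", None)  # already on the SSL connector, nothing to redirect
    if any(url_pattern_matches(p, path) for p in confidential_patterns(web_xml)):
        port = connector["redirectPort"]
        authority = host if port == 443 else f"{host}:{port}"  # 443 is implicit in https URLs
        target = f"https://{authority}{path}" + (f"?{query}" if query else "")
        return ("redirect", target)
    return ("serve", None)
```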
RE: SSL Certificate Beginner Question
I did not include a security constraint. Is this needed for SSL? I spent some time looking at this element, and I was under the impression that it was for form authentication?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, November 30, 2005 10:16 AM
To: Tomcat Users List
Subject: Re: SSL Certificate Beginner Question

> Did you include a security-constraint element in your web.xml file? Something like this:
>
>     <security-constraint>
>       <web-resource-collection>
>         <web-resource-name>HTTPS for all of these pages of the application.</web-resource-name>
>         <url-pattern>/secure/*</url-pattern>
>       </web-resource-collection>
>       <user-data-constraint>
>         <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>       </user-data-constraint>
>     </security-constraint>
>
> [EMAIL PROTECTED] wrote:
>> [...]
Re: SSL Certificate Beginner Question
Scott Purcell wrote:
> How do I configure some of my pages to use https? I do not know where to begin on this?

Begin with the Servlet Spec. -- SRV.12 (Security) would be apropos :-)

HTH!
--
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com

dream. code.
Re: SSL Certificate Beginner Question
Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL. I probably posted a lame request. Let me try again.

I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where Tomcat is installed on Unix. But that is another OS.

I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

The final step is to configure your secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME represents the directory into which you installed Tomcat 5. An example Connector element for an SSL connector is included in the default server.xml file installed with Tomcat. It will look something like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->

Anyway I uncommented this snippet from my Tomcat server.xml file and restarted. But I cannot hit https://localhost:8443 like the read-me states. I have checked all $TOMCAT_HOME/logs and see nothing. It just hangs when trying to call it. I can hit http://localhost and all is happy. But the certificate states it is coming from a certain URL. So I am not sure how that all works. I hope this may help someone feed me back some relevant information.

Scott

----- Original Message -----
From: Hassan Schroeder [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 9:37 PM
Subject: Re: SSL Certificate Beginner Question

Scott Purcell wrote:

How do I configure some of my pages to use https? I do not know where to begin on this?

Begin with the Servlet Spec. -- SRV.12 (Security) would be apropos :-)

HTH!
-- 
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
Re: SSL Certificate Beginner Question
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->

You probably want to add the following attributes to the Connector above:

keystoreFile="keys/tomcatkeys" keystorePass="123"

Obviously, make the keystoreFile point to the name of the Java keystore that you put your certificate inside, along with the password for that keystore. I believe the base is $CATALINA_HOME if you use a relative pathname like above.

You'll also need to update your webapp's web.xml file with something like (that is, if you want Tomcat to enforce SSL on your webapp):

(after any servlet-mapping XML elements, before the session-config and/or welcome-file-list XML elements of web-app element in WEB-INF/web.xml)

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Hope that helps...

David
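An added note on the web.xml fragment in David's reply (this is an editor's example, not David's text and not taken from the Tomcat documentation). The Servlet specification scopes a security-constraint to the listed methods whenever any http-method elements are present, so the fragment above forces TLS only for GET and POST; a HEAD, PUT, DELETE or OPTIONS request for the same URLs is still served over plain HTTP. Leaving the method list out makes the constraint cover every method:

```xml
<!-- Added example: force HTTPS for every URL and every HTTP method.
     Goes after the servlet-mapping elements in WEB-INF/web.xml. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
    <!-- No http-method elements here on purpose: with none listed,
         the constraint applies to all methods, not just GET and POST. -->
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

When a plain-HTTP request hits a URL covered by a CONFIDENTIAL constraint, Tomcat answers with a redirect to the port named in the non-SSL Connector's redirectPort attribute, so that attribute on the port 8080 connector has to point at the SSL connector's port (8443 in the stock server.xml) or the redirect goes nowhere.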
Re: SSL Certificate Beginner Question
Yes, thanks David, I did add the keystoreFile=XXX and keystorePass=xxx. But it still hangs. Since I was on Windows I used a full path to the file.

I forgot about the security constraint element. Thanks, I will give that a try and post back.

Do I need the security element if I just try https://localhost:8443? Just curious. I know when I asked for the cert, Verisign asked me for my DNS name, so maybe the simple localhost will not work and only the DNS entry will work. ...

Thanks much for your time.
Scott

----- Original Message -----
From: David Wall [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 10:25 PM
Subject: Re: SSL Certificate Beginner Question

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->

You probably want to add the following attributes to the Connector above:

keystoreFile="keys/tomcatkeys" keystorePass="123"

Obviously, make the keystoreFile point to the name of the Java keystore that you put your certificate inside, along with the password for that keystore. I believe the base is $CATALINA_HOME if you use a relative pathname like above.

You'll also need to update your webapp's web.xml file with something like (that is, if you want Tomcat to enforce SSL on your webapp):

(after any servlet-mapping XML elements, before the session-config and/or welcome-file-list XML elements of web-app element in WEB-INF/web.xml)

<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire site</web-resource-name>
    <url-pattern>/*</url-pattern>
    <http-method>GET</http-method>
    <http-method>POST</http-method>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

Hope that helps...

David
Re: SSL Certificate Beginner Question
Thanks for the link ... I think first I need to be able to hit the https://localhost:8443 before going any further? Once that is working ... then hopefully I can figure out how to restrict certain pages.

----- Original Message -----
From: Hassan Schroeder [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 10:43 PM
Subject: Re: SSL Certificate Beginner Question

Scott Purcell wrote:

Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL.

OK, here's a direct link to the Servlet Spec: http://www.jcp.org/aboutJava/communityprocess/final/jsr154/

:: which, BTW, is the first Google hit on "java servlet spec" :-)

I probably posted a lame request. Let me try again.

OK.

I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

From your first email:

How do I configure some of my pages to use https?

:: I thought you had *already* configured your installation per that how-to, cert installed, SSL working, and you were trying to understand how to restrict some pages to SSL-only access. Sorry for misunderstanding.

-- 
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
Re: SSL Certificate Beginner Question
Scott Purcell [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]

Real helpful ... I searched on SRV.12 and it brought up a bunch of links that have nothing to do with Tomcat config of SSL. I probably posted a lame request. Let me try again.

I have purchased a certificate via Verisign, and I have installed the certificate into a keystore. I am running Windows XP and Tomcat 5.5.12. I put the keystore and Cert.cer in the Tomcat/bin directory for organization. I read that the default is usually in the home directory where Tomcat is installed on Unix. But that is another OS.

I followed the docs here under Tomcat 5 SSL and ran across this: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

There are two likely problems, but I don't know which one applies to you.

1) Since you are using 5.5.12, if you installed the libtcnative.dll with Tomcat, then you need to configure SSL via http://tomcat.apache.org/tomcat-5.5-doc/apr.html. In particular, you need to extract the private key into an OpenSSL format. Alternatively, you can rename the dll for now, and work on just getting the Java Connector working.

2) You imported your cert into a different keystore file than the one that you used to generate the CSR. Import the cert into the original one and you will be fine. If you used OpenSSL to generate the CSR, then the easiest is to convert to a pkcs12 keystore as described above. Alternatively, you can try using http://www.comu.de/docs/tomcat_ssl.htm.

The final step is to configure your secure socket in the $CATALINA_HOME/conf/server.xml file, where $CATALINA_HOME represents the directory into which you installed Tomcat 5. An example Connector element for an SSL connector is included in the default server.xml file installed with Tomcat. It will look something like this:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<!--
<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"/>
-->

Anyway I uncommented this snippet from my Tomcat server.xml file and restarted. But I cannot hit https://localhost:8443 like the read-me states. I have checked all $TOMCAT_HOME/logs and see nothing. It just hangs when trying to call it. I can hit http://localhost and all is happy. But the certificate states it is coming from a certain URL. So I am not sure how that all works. I hope this may help someone feed me back some relevant information.

Scott

----- Original Message -----
From: Hassan Schroeder [EMAIL PROTECTED]
To: Tomcat Users List users@tomcat.apache.org
Sent: Tuesday, November 29, 2005 9:37 PM
Subject: Re: SSL Certificate Beginner Question

Scott Purcell wrote:

How do I configure some of my pages to use https? I do not know where to begin on this?

Begin with the Servlet Spec. -- SRV.12 (Security) would be apropos :-)

HTH!
-- 
Hassan Schroeder - [EMAIL PROTECTED]
Webtuitive Design === (+1) 408-938-0567 === http://webtuitive.com
dream. code.
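Two things in this thread can be checked from the client side without reading any Tomcat logs: Scott's symptom (the browser "just hangs" rather than failing), which the last reply traces to either the native APR connector or a certificate imported into the wrong keystore, and his question whether https://localhost:8443 can work at all when Verisign issued the certificate for a DNS name. The script below is an editor's added example, not code from the thread or from Tomcat; it uses only the Python standard library. The hosts, ports and hostnames in it are placeholders, and the "silent listener" is a constructed stand-in for a port that accepts TCP but never answers a TLS ClientHello, which is what a hanging browser is seeing. A certificate whose names do not include the URL's host produces a browser warning, not a hang, so the two symptoms are separable.

```python
"""Client-side probe for a Tomcat HTTPS connector.

Added example (not from the mailing-list thread or from Tomcat).
Standard library only; hosts, ports and hostnames are placeholders.
"""
import socket
import ssl
import threading


def classify_error(exc):
    """Turn the exception from a failed TLS connect into a one-word diagnosis."""
    if isinstance(exc, socket.timeout):
        # TCP connected but nothing answered the ClientHello: the classic "hang".
        return "timeout"
    if isinstance(exc, ConnectionRefusedError):
        # Nothing listening: the connector never started (look at the startup log).
        return "refused"
    if isinstance(exc, ssl.SSLCertVerificationError):
        msg = str(exc).lower()
        if "hostname mismatch" in msg or "doesn't match" in msg:
            return "hostname_mismatch"   # cert is fine, the URL host is not one of its names
        return "untrusted"               # chain does not reach a trusted CA (intermediates?)
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError)):
        return "closed"                  # peer dropped the connection mid-handshake
    if isinstance(exc, ssl.SSLError):
        return "not_tls"                 # peer answered, but not with TLS
    return "other"


def probe(host, port, server_hostname, timeout=3.0, cafile=None):
    """Open a TLS connection and report either the peer certificate or why it failed."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_hostname) as tls:
                return {"status": "ok", "protocol": tls.version(),
                        "cert": tls.getpeercert()}
    except Exception as exc:  # every failure is classified, none is re-raised
        return {"status": classify_error(exc), "detail": str(exc)}


def dns_names(cert):
    """DNS names a certificate (in getpeercert() dict form) vouches for."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:  # legacy fallback: commonName only when there is no SAN extension
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return names


def hostname_matches(hostname, cert):
    """Would a browser accept this certificate for the host in the URL?"""
    host = hostname.lower().rstrip(".")
    for name in dns_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            # A wildcard covers exactly one label: *.example.com matches
            # www.example.com but neither example.com nor a.b.example.com.
            if host.endswith(name[1:]) and host.count(".") == name.count("."):
                return True
        elif name == host:
            return True
    return False


def start_silent_listener(hold_seconds=30):
    """Constructed stand-in for a port that accepts TCP but never speaks TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)                       # swallow the ClientHello ...
        threading.Event().wait(hold_seconds)  # ... and never reply
        conn.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def unused_port():
    """Pick a local port with nothing listening on it (constructed helper)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    silent = start_silent_listener()
    print("silent port  :", probe("127.0.0.1", silent, "www.example.com", timeout=1.0)["status"])
    print("closed port  :", probe("127.0.0.1", unused_port(), "www.example.com")["status"])
    # Constructed certificate issued to www.example.com, as getpeercert() would render it.
    cert = {"subject": ((("commonName", "www.example.com"),),),
            "subjectAltName": (("DNS", "www.example.com"),)}
    print("localhost ok?:", hostname_matches("localhost", cert))
```

Run it against the real server with probe("localhost", 8443, "www.example.com") substituting the name the certificate was issued for: "timeout" is the hang from the thread and means the port is open but no TLS handshake is happening; "refused" means the connector did not start; "hostname_mismatch" means the handshake works and only the URL's host is wrong, which is what https://localhost:8443 will produce for a certificate issued to a DNS name.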