Pid <p...@pidster.com> wrote on 01/06/2012 04:30:30 AM:
> From: Pid <p...@pidster.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Date: 01/06/2012 04:31 AM
> Subject: Re: SSL Configuration Errors
>
> > <Connector port="18080" protocol="HTTP/1.1"
> > connectionTimeout="20000"
> > redirectPort="8443" />
> >
> > <Connector
> Are you actually using Client auth?
This Tomcat environment was setup long before I worked here, so I am just
upgrading from an older version to 7.0.23 and trying to not use a self
signed certificate.
> > clientAuth="true" port="8443" minSpareThreads="5"
maxSpareThreads="75"
> > enableLookups="true" disableUploadTimeout="true"
> > acceptCount="100" maxThreads="200"
> > scheme="https" secure="true" SSLEnabled="true"
> > keystoreFile="F:\Serena\Dimensions 2009 R2\Common Tools\Tomcat
> > 7.0\conf\wcmdev-ssl.jks"
> > keystoreType="JKS" keystorePass="******"
> keystoreType has the default, you can remove it.
> I don't like the look of those paths, this is neater:
> keystoreFile="${catalina.base}\conf\wcmdev-ssl.jks"
>
> > truststoreFile="F:\Serena\Dimensions 2009 R2\Common Tools\Tomcat
> > 7.0\conf\wcmdev-ssl.jks"
> truststoreType has the default, you can remove it.
> > truststoreType="JKS" truststorePass="******"
> > SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
> > sslProtocol="TLS" />
> sslProtocol is also the default, you can remove it.
Removed.
>
> > <Connector port="8409" protocol="AJP/1.3" redirectPort="8443" />
> Are you actually using the AJP connector?
Removed.
> Can you remove all of the client auth config and just configure the
> keystore alone, first to try to get the SSL working?
Removed.
> Did you follow the steps here?
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
Yes.
I can get the sample-ssl.jks to work with the below connector port
information. But when I edit the connector ports to add the new
"wcmdev-ssl.jks" and imported
Certificate(s) I received from the CSR I get the error,
"java.io.IOException: Alias name tomcat does not identify a key entry"
Weird because it is an alias. Is it looking for tomcat as the actual entry
name or alias?
It seems like it is not reading the keystore properly. Should I just
create a new CSR from the sample-ssl.jks keystore?
Here is the connector info for the sample-ssl.jks that works.
<Service name="Catalina">
<Connector port="18080" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443"/>
<Connector port="8443" SSLEnabled="true" scheme="https"
secure="true"
maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" strategy="ms"
keystoreFile="conf/sample-ssl.jks" keystorePass="***"
keyAlias="tomcat"
truststoreFile="conf/sample-ssl.jks" truststorePass="***"/>
<Connector port="8543" SSLEnabled="true" scheme="https"
secure="true"
maxHttpHeaderSize="8192" maxThreads="150"
minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" strategy="ms"
keystoreFile="conf/sample-ssl.jks" keystorePass="***"
keyAlias="tomcat"
truststoreFile="conf/sample-ssl.jks"
truststorePass="***"/>
******************************************************************************
This email and any files transmitted with it are intended solely for
the use of the individual or agency to whom they are addressed.
If you have received this email in error please notify the Navy
Exchange Service Command e-mail administrator. This footnote
also confirms that this email message has been scanned for the
presence of computer viruses.
Thank You!
******************************************************************************
