Pid <p...@pidster.com> wrote on 01/06/2012 04:30:30 AM:

> From: Pid <p...@pidster.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Date: 01/06/2012 04:31 AM
> Subject: Re: SSL Configuration Errors
>
> > <Connector port="18080" protocol="HTTP/1.1"
> >            connectionTimeout="20000"
> >            redirectPort="8443" />
> >
> > <Connector
>
> Are you actually using Client auth?

This Tomcat environment was set up long before I worked here, so I am just upgrading from an older version to 7.0.23 and trying to not use a self-signed certificate.

> > clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
> > enableLookups="true" disableUploadTimeout="true"
> > acceptCount="100" maxThreads="200"
> > scheme="https" secure="true" SSLEnabled="true"
> > keystoreFile="F:\Serena\Dimensions 2009 R2\Common Tools\Tomcat
> > 7.0\conf\wcmdev-ssl.jks"
> > keystoreType="JKS" keystorePass="******"
>
> keystoreType has the default, you can remove it.
>
> I don't like the look of those paths, this is neater:
>
> keystoreFile="${catalina.base}\conf\wcmdev-ssl.jks"
>
> > truststoreFile="F:\Serena\Dimensions 2009 R2\Common Tools\Tomcat
> > 7.0\conf\wcmdev-ssl.jks"
>
> truststoreType has the default, you can remove it.
>
> > truststoreType="JKS" truststorePass="******"
> > SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
> > sslProtocol="TLS" />
>
> sslProtocol is also the default, you can remove it.

Removed.

> > <Connector port="8409" protocol="AJP/1.3" redirectPort="8443" />
>
> Are you actually using the AJP connector?

Removed.

> Can you remove all of the client auth config and just configure the
> keystore alone, first to try to get the SSL working?

Removed.

> Did you follow the steps here?
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Yes. I can get the sample-ssl.jks to work with the below connector port information. But when I edit the connector ports to add the new "wcmdev-ssl.jks" and imported Certificate(s) I received from the CSR, I get the error:

    java.io.IOException: Alias name tomcat does not identify a key entry

Weird, because it is an alias. Is it looking for tomcat as the actual entry name or alias? It seems like it is not reading the keystore properly.
Should I just create a new CSR from the sample-ssl.jks keystore? Here is the connector info for the sample-ssl.jks that works.

    <Service name="Catalina">

      <Connector port="18080" protocol="HTTP/1.1"
                 connectionTimeout="20000"
                 redirectPort="8443"/>

      <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
                 maxHttpHeaderSize="8192" maxThreads="150"
                 minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" strategy="ms"
                 keystoreFile="conf/sample-ssl.jks" keystorePass="***"
                 keyAlias="tomcat"
                 truststoreFile="conf/sample-ssl.jks" truststorePass="***"/>

      <Connector port="8543" SSLEnabled="true" scheme="https" secure="true"
                 maxHttpHeaderSize="8192" maxThreads="150"
                 minSpareThreads="25" maxSpareThreads="75"
                 enableLookups="false" disableUploadTimeout="true"
                 acceptCount="100" strategy="ms"
                 keystoreFile="conf/sample-ssl.jks" keystorePass="***"
                 keyAlias="tomcat"
                 truststoreFile="conf/sample-ssl.jks" truststorePass="***"/>
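Tomcat raises "Alias name tomcat does not identify a key entry" when the alias named by keyAlias exists in the keystore but is a trusted-certificate entry rather than a private-key entry, which is what happens when a CA-signed certificate is imported under its own alias instead of into the entry that holds the private key the CSR came from. The following is an added example, not code from this thread or from Tomcat: a small reader of the JKS on-disk format that lists each alias with its entry type and checks a keyAlias the way Tomcat does; the function names and the in-memory sample keystore it builds are constructed for illustration.

```python
import struct

JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2  # keytool: PrivateKeyEntry / trustedCertEntry

def _field(buf, pos, fmt):
    """Read a length-prefixed field: ">H" prefix for writeUTF strings, ">I" for blobs."""
    (n,) = struct.unpack_from(fmt, buf, pos)
    pos += struct.calcsize(fmt)
    return buf[pos:pos + n], pos + n

def list_entries(jks):
    """Map alias -> (entry type, certs in chain) for the bytes of a JKS file.
    The trailing keyed SHA-1 digest is not checked; this inspects entry types only."""
    magic, version, count = struct.unpack_from(">III", jks, 0)
    if magic != JKS_MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", jks, pos)
        alias, pos = _field(jks, pos + 4, ">H")
        pos += 8  # creation time (ms since epoch), irrelevant here
        if tag == PRIVATE_KEY_TAG:
            _, pos = _field(jks, pos, ">I")  # password-encrypted PKCS#8 key
            chain_len, pos = struct.unpack_from(">I", jks, pos)[0], pos + 4
            for _ in range(chain_len):
                _, pos = _field(jks, pos, ">H")  # cert type, e.g. "X.509"
                _, pos = _field(jks, pos, ">I")  # DER-encoded certificate
            entries[alias.decode()] = ("PrivateKeyEntry", chain_len)
        elif tag == TRUSTED_CERT_TAG:
            _, pos = _field(jks, pos, ">H")
            _, pos = _field(jks, pos, ">I")
            entries[alias.decode()] = ("trustedCertEntry", 1)
        else:
            raise ValueError("unknown JKS entry tag %d" % tag)
    return entries

def key_alias_ok(jks, key_alias):
    """True only if keyAlias names a private-key entry, which Tomcat requires."""
    return list_entries(jks).get(key_alias, ("", 0))[0] == "PrivateKeyEntry"

def build_sample(entries):
    """Constructed test keystore: fake key/cert bytes and a zeroed placeholder digest."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag in entries:
        out += struct.pack(">IH", tag, len(alias)) + alias.encode() + b"\0" * 8
        if tag == PRIVATE_KEY_TAG:  # key blob, then a one-certificate chain
            out += struct.pack(">I", 4) + b"KEY!" + struct.pack(">I", 1)
        out += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", 3) + b"DER"
    return out + b"\0" * 20
```

On a real file, `list_entries(open("wcmdev-ssl.jks", "rb").read())` shows the same entry types as `keytool -list -keystore wcmdev-ssl.jks`; a keyAlias that comes back as trustedCertEntry is the cause of the IOException above, and the signed certificate then needs to be imported into the alias that holds the private key.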