A day later, I have SSL working on both mid-tier 7.1 patch 2 on tomcat 5.5.26
and kinetic web on tomcat 5.5.20, and mid-tier 7.1 patch 1 on tomcat 5.5.17.
Here are some recipes for success if you have a certificate for IIS on your
Windows web server. I detest funky command line syntax games, but this is one
of those times when there are simply no other tools... it's like I'm back in
1981 running CP/M 3.0 again. Enjoy ;)
----------------------------------------------
Preparing a certificate obtained for IIS for use with Tomcat on same server
============================================================
Tomcat 5.5.17 (install by mid-tier 7.x) or 5.5.20 (install by RKM 7.x or
Kinetic web)
============================================================
Step 1: Export Certificate from Microsoft IIS 6.0 as a .pfx file
Add the Certificate Snap-in
1. On the computer containing the certificate you want, select Start > Run, and
then type mmc to open the Microsoft Management Console.
2. On the Console menu, click Add/Remove Snap-in
3. Click Add button. This will open the Add Standalone Snap-in box.
4. Select Certificates from the list and then click Add.
5. Select Computer account and click Next.
6. Select Local computer and click Finish.
7. Click Close on the Add Standalone Snap-in box.
8. Click OK on the Add/Remove Snap-in box.
Export the certificate from IIS 6
1. Under the Tree tab in the Microsoft Management Console expand Certificates.
2. Select the Personal folder and then the certificate you want to export.
3. On the Action menu select All Tasks > Export
4. Click Next.
5. Select Yes, export the private key and click Next.
6. Select Personal Information Exchange - PKCS #12 (.PFX) and then click Next.
7. Enter the password you used when you created the certificate (or a new one
if there was none) and click Next. This will create a .pfx file.
8. In these examples the file created was "certfile.pfx" with a password of
"password".
Step 2: Point Tomcat 5.5.17 or 5.5.20 to the new Cert
1. Open C:\Program Files (x86)\Kinetic Apps\apache-tomcat-5.5.20\conf\server.xml in a text or XML editor
2. Uncomment the SSL Connector if not already done.
3. Add the following attributes:
keystoreFile="c:\PATH TO CERT.pfx"
keystorePass="password"
keystoreType="PKCS12"
<!-- JSSE connector reading the exported .pfx directly; the port attribute is the
     port to use in the https:// test URL, and keystorePass is the .pfx export password -->
<Connector port="9443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="C:\certfile.pfx"
keystorePass="password"
keystoreType="PKCS12"
/>
Restart Tomcat. Point browser to https://localhost:8443. If it doesn't load,
look in the log files to identify the problem.
The browser _should_ give a certificate error when it loads, since the
certificate is only valid for the webserver name, not localhost.
Test again with the URL https://webserverFQDN:8443 where webserverFQDN is the
server name that was submitted to the certificate authority.
============================================================
Tomcat 5.5.26 with APR (Apache Portable Runtime) enabled
============================================================
Step 1: Same as above.
Step 1a: Install OpenSSL (Win32 OpenSSL v0.9.8g) from
http://www.slproweb.com/products/Win32OpenSSL.html
Step 2: Convert .pfx file to two .pem files
1. Copy the .pfx file to a working directory under OpenSSL - C:\OpenSSL\working
in this example.
2. In a command window, run the following commands.
C:\OpenSSL\working>c:\openssl\bin\openssl pkcs12 -in certfile.pfx -nocerts -out certkey.pem
Enter Import Password: password
MAC verified OK
Enter PEM pass phrase: password
Verifying - Enter PEM pass phrase: password
C:\OpenSSL\working>c:\openssl\bin\openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out certcert.pem
Enter Import Password: password
MAC verified OK
Step 3: Point Tomcat 5.5.26 to the new Cert
1. Open C:\Program Files (x86)\Apache Software Foundation\Tomcat 5.5\conf\server.xml in a text or XML editor
2. Uncomment the SSL Connector if not already done.
3. Add the following attributes:
SSLEngine="on"
SSLCertificateFile="c:\PATH TO CERT.pem"
SSLCertificateKeyFile="c:\PATH TO KEY.pem"
SSLPassword="password"
<!-- APR/OpenSSL connector reading the two .pem files produced in Step 2;
     SSLPassword is the PEM pass phrase given when certkey.pem was written -->
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEngine="on"
SSLCertificateFile="C:\OpenSSL\working\certcert.pem"
SSLCertificateKeyFile="C:\OpenSSL\working\certkey.pem"
SSLPassword="password"
/>
Restart Tomcat. Point browser to https://localhost:8443. If it doesn't load,
look in the log files to identify the problem.
The browser _should_ give a certificate error when it loads, since the
certificate is only valid for the webserver name, not localhost.
Test again with the URL https://webserverFQDN:8443 where webserverFQDN is the
server name that was submitted to the certificate authority.
----------------------------------------------
With credit to kb articles at GeoTrust web site, one of which I posted last
night. Some of their information was obtained from the following link:
http://www.endofnow.com/2005/07/12/ssl-for-iis-and-tomcat-using-one-certificate/
Christopher Strauss, Ph.D.
Call Tracking Administration Manager
University of North Texas Computing & IT Center
http://itsm.unt.edu/
> -----Original Message-----
> From: Action Request System discussion list(ARSList)
> [mailto:[EMAIL PROTECTED] On Behalf Of William H. Will Du Chene
> Sent: Tuesday, March 04, 2008 9:12 PM
> To: [email protected]
> Subject: Re: Implementing SSL on Tomcat on Windows servers
>
> Did it work, Chris? The curiosity is killin' me... I'm still
> loitering around the cubicle...
_______________________________________________________________________________
UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
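The PFX-to-PEM split from Step 2 of the APR recipe, with the checks a practitioner would run before pointing Tomcat at the files, as an added example that is not part of the original post or of any vendor documentation. It assumes an openssl binary on the PATH (the post used Win32 OpenSSL 0.9.8g; the command syntax is the same on current releases), builds a throwaway self-signed certificate as a stand-in for the file exported from the IIS snap-in, and uses an assumed server name webserver.example.edu. The -passin/-passout options replace the interactive prompts shown in the post, and the key/cert match, hostname and expiry checks catch the usual reasons the connector fails to start or the browser complains.

```shell
#!/bin/sh
# Added example, not from the original post: reproduce the .pfx -> .pem split and
# verify the result before it goes into server.xml. Requires openssl on PATH.
set -eu

WORK="${WORK:-$(mktemp -d)}"                 # working directory (post used C:\OpenSSL\working)
PFX_PASS="${PFX_PASS:-password}"             # .pfx export password (post: "password")
PEM_PASS="${PEM_PASS:-password}"             # PEM pass phrase = Tomcat SSLPassword
FQDN="${FQDN:-webserver.example.edu}"        # assumed server name submitted to the CA

# make_test_pfx: construct a self-signed cert + key and bundle them as a .pfx,
# standing in for the file exported from the IIS certificate MMC snap-in.
make_test_pfx() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$FQDN" \
        -keyout "$WORK/orig.key" -out "$WORK/orig.crt" >/dev/null 2>&1
    openssl pkcs12 -export -in "$WORK/orig.crt" -inkey "$WORK/orig.key" \
        -name "$FQDN" -out "$WORK/certfile.pfx" -passout "pass:$PFX_PASS"
}

# split_pfx: the post's two openssl pkcs12 commands, made non-interactive.
split_pfx() {
    # private key only, re-encrypted under the PEM pass phrase Tomcat will be given
    openssl pkcs12 -in "$WORK/certfile.pfx" -nocerts -out "$WORK/certkey.pem" \
        -passin "pass:$PFX_PASS" -passout "pass:$PEM_PASS"
    # leaf (client) certificate only, no key
    openssl pkcs12 -in "$WORK/certfile.pfx" -clcerts -nokeys -out "$WORK/certcert.pem" \
        -passin "pass:$PFX_PASS"
}

# key_matches_cert: the public key derived from certkey.pem must equal the one
# inside certcert.pem; a mismatch is the classic "connector will not start" cause.
key_matches_cert() {
    k=$(openssl pkey -in "$WORK/certkey.pem" -passin "pass:$PEM_PASS" -pubout -outform DER | openssl sha256)
    c=$(openssl x509 -in "$WORK/certcert.pem" -pubkey -noout | openssl pkey -pubin -outform DER | openssl sha256)
    [ "$k" = "$c" ]
}

# cert_names_host: does the certificate carry this name (subject CN or SAN)?
# This is the offline form of the post's "browser should complain for localhost".
cert_names_host() {
    openssl x509 -in "$WORK/certcert.pem" -noout -text | grep -qF "$1"
}

# cert_not_expired: fail if the certificate expires within the next 24 hours.
cert_not_expired() {
    openssl x509 -in "$WORK/certcert.pem" -noout -checkend 86400 >/dev/null
}

# run_all: build, split and verify; returns 0 only when every check passes.
run_all() {
    make_test_pfx
    split_pfx
    key_matches_cert   || { echo "key/cert mismatch"; return 1; }
    cert_names_host "$FQDN" || { echo "cert does not name $FQDN"; return 1; }
    cert_not_expired   || { echo "cert expired or about to expire"; return 1; }
    echo "OK: SSLCertificateFile=$WORK/certcert.pem SSLCertificateKeyFile=$WORK/certkey.pem"
}

# usage: sh this_script.sh run
case "${1:-}" in run) run_all ;; esac
```

Whichever connector is used, the pass phrase ends up in server.xml in clear text, so restrict the file's ACL to the account Tomcat runs as, and treat certkey.pem and the .pfx the same way: either one is the server's private key.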