Cool

On Thu, Mar 6, 2008 at 6:43 AM, strauss <[EMAIL PROTECTED]> wrote:
> A day later, I have SSL working on both mid-tier 7.1 patch 2 on tomcat
> 5.5.26 and kinetic web on tomcat 5.5.20, and mid-tier 7.1 patch 1 on
> tomcat 5.5.17. Here are some recipes for success if you have a
> certificate for IIS on your Windows web server. I detest funky command line
> syntax games, but this is one of those times when there are simply no other
> tools... it's like I'm back in 1981 running CP/M 3.0 again. Enjoy ;)
>
> ----------------------------------------------
> Preparing a certificate obtained for IIS for use with Tomcat on same
> server
>
> ============================================================
> Tomcat 5.5.17 (install by mid-tier 7.x) or 5.5.20 (install by RKM 7.x or
> Kinetic web)
> ============================================================
>
> Step 1: Export Certificate from Microsoft IIS 6.0 as a .pfx file
>
> Add the Certificate Snap-in
>
> 1. On the computer containing the certificate you want, select Start >
>    Run, and then type mmc to open the Microsoft Management Console.
> 2. On the Console menu, click Add/Remove Snap-in.
> 3. Click the Add button. This will open the Add Standalone Snap-in box.
> 4. Select Certificates from the list and then click Add.
> 5. Select Computer account and click Next.
> 6. Select Local computer and click Finished.
> 7. Click Close on the Add Standalone Snap-in box.
> 8. Click OK on the Add/Remove Snap-in box.
>
> Export the certificate from IIS 6
>
> 1. Under the Tree tab in the Microsoft Management Console expand
>    Certificates.
> 2. Select the Personal folder and then the certificate you want to export.
> 3. On the Action menu select All Tasks > Export.
> 4. Click Next.
> 5. Select Yes, export the private key and click Next.
> 6. Select Personal Information Exchange - PKCS #12 (.PFX) and then click
>    Next.
> 7. Enter the password you used when you created the certificate (or a new
>    one if there was none) and click Next. This will create a .pfx file.
> 8. In these examples the file created was "certfile.pfx" with a password
>    of "password."
>
>
> Step 2: Point Tomcat 5.5.17 or 5.5.20 to the new Cert
>
> 1. Open C:\Program Files (x86)\Kinetic Apps\apache-tomcat-5.5.20\conf\server.xml
>    in a text or XML editor.
> 2. Uncomment the SSL Connector if not already done.
> 3. Add the following attributes:
>
>    keystoreFile="c:\PATH TO CERT.pfx"
>    keystorePass="password"
>    keystoreType="PKCS12"
>
> <Connector port="9443" maxHttpHeaderSize="8192"
>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     clientAuth="false" sslProtocol="TLS"
>     keystoreFile="C:\certfile.pfx"
>     keystorePass="password"
>     keystoreType="PKCS12"
> />
>
> Restart Tomcat. Point browser to https://localhost:8443. If it doesn't
> load, look in the log files to identify the problem.
> The browser _should_ give a certificate error when it loads since the
> certificate is only valid for the webserver name, not localhost;
> test again with the URL https://webserverFQDN:8443 where webserverFQDN is
> the server name that was submitted to the certificate authority.
>
> ============================================================
> Tomcat 5.5.26 with APR (Apache Portable Runtime) enabled
> ============================================================
>
> Step 1: Same as above.
>
> Step 1a: Install OpenSSL (Win32 OpenSSL v0.9.8g) from
> http://www.slproweb.com/products/Win32OpenSSL.html
>
> Step 2: Convert .pfx file to two .pem files
>
> 1. Copy the .pfx file to a working directory under OpenSSL -
>    C:\OpenSSL\working in this example.
> 2. In a command window, run the following commands.
>
> C:\OpenSSL\working>c:\openssl\bin\openssl pkcs12 -in certfile.pfx -nocerts -out certkey.pem
> Enter Import Password: password
> MAC verified OK
> Enter PEM pass phrase: password
> Verifying - Enter PEM pass phrase:
>
> C:\OpenSSL\working>c:\openssl\bin\openssl pkcs12 -in certfile.pfx -clcerts -nokeys -out certcert.pem
> Enter Import Password:
> MAC verified OK
>
>
> Step 3: Point Tomcat 5.5.26 to the new Cert
>
> 1. Open C:\Program Files (x86)\Apache Software Foundation\Tomcat 5.5\conf\server.xml
>    in a text or XML editor.
> 2. Uncomment the SSL Connector if not already done.
> 3. Add the following attributes:
>
>    SSLEngine="on"
>    SSLCertificateFile="c:\PATH TO CERT.pem"
>    SSLCertificateKeyFile="c:\PATH TO KEY.pem"
>    SSLPassword="password"
>
> <Connector port="8443" maxHttpHeaderSize="8192"
>     maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>     enableLookups="false" disableUploadTimeout="true"
>     acceptCount="100" scheme="https" secure="true"
>     SSLEngine="on"
>     SSLCertificateFile="C:\OpenSSL\working\certcert.pem"
>     SSLCertificateKeyFile="C:\OpenSSL\working\certkey.pem"
>     SSLPassword="password"
> />
>
> Restart Tomcat. Point browser to https://localhost:8443. If it doesn't
> load, look in the log files to identify the problem.
> The browser _should_ give a certificate error when it loads since the
> certificate is only valid for the webserver name, not localhost;
> test again with the URL https://webserverFQDN:8443 where webserverFQDN is
> the server name that was submitted to the certificate authority.
> ----------------------------------------------
>
> With credit to kb articles at GeoTrust web site, one of which I posted
> last night. Some of their information was obtained from the following link:
> http://www.endofnow.com/2005/07/12/ssl-for-iis-and-tomcat-using-one-certificate/
>
> Christopher Strauss, Ph.D.
> Call Tracking Administration Manager
> University of North Texas Computing & IT Center
> http://itsm.unt.edu/
>
> > -----Original Message-----
> > From: Action Request System discussion list(ARSList)
> > [mailto:[EMAIL PROTECTED] On Behalf Of William H. Will Du Chene
> > Sent: Tuesday, March 04, 2008 9:12 PM
> > To: [email protected]
> > Subject: Re: Implementing SSL on Tomcat on Windows servers
> >
> > Did it work, Chris? The curiosity is killin' me... I'm still
> > loitering around the cubicle...
>
> _______________________________________________________________________________
> UNSUBSCRIBE or access ARSlist Archives at www.arslist.org
> Platinum Sponsor: www.rmsportal.com ARSlist: "Where the Answers Are"
> _______________________________________________________________________________
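A small checker for the two connector recipes in the quoted message, added here as an example (it is not code from the thread or from Tomcat): it parses a `<Connector>` element, flags the mistake the first recipe guards against (a `.pfx` keystore without `keystoreType="PKCS12"`, since Tomcat's JSSE connector assumes JKS by default), checks the APR recipe has both PEM files, and shows why the browser complains for `localhost` but not for the FQDN. The connector snippets and the hostname `webserver.example.com` are constructed sample values.

```python
"""Sanity checks for Tomcat 5.5 SSL connector configs (added example)."""
import xml.etree.ElementTree as ET

# Constructed samples. The JSSE one deliberately omits keystoreType so the
# checker has something to flag; the APR one mirrors the thread's recipe.
JSSE_CONNECTOR = """<Connector port="8443" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:\\certfile.pfx" keystorePass="password" />"""

APR_CONNECTOR = """<Connector port="8443" scheme="https" secure="true"
    SSLEngine="on" SSLCertificateFile="C:\\OpenSSL\\working\\certcert.pem"
    SSLCertificateKeyFile="C:\\OpenSSL\\working\\certkey.pem"
    SSLPassword="password" />"""


def check_connector(xml_text):
    """Return a list of problems found in a single <Connector> element."""
    attrs = ET.fromstring(xml_text).attrib
    problems = []
    if attrs.get("scheme") != "https" or attrs.get("secure") != "true":
        problems.append('scheme="https" and secure="true" are required')
    if attrs.get("SSLEngine") == "on":            # APR (OpenSSL) connector
        for key in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if key not in attrs:
                problems.append(f"APR connector is missing {key}")
    elif "keystoreFile" in attrs:                 # JSSE connector
        store = attrs["keystoreFile"].lower()
        # A .pfx export from IIS is PKCS#12; Tomcat assumes JKS unless told.
        if store.endswith((".pfx", ".p12")) and attrs.get("keystoreType") != "PKCS12":
            problems.append('.pfx keystore needs keystoreType="PKCS12"')
    else:
        problems.append("no keystore or certificate/key files configured")
    return problems


def hostname_matches(cert_names, host):
    """True if host matches a CN/SAN entry (one-label wildcard supported).

    A cert issued for the server FQDN fails for https://localhost:8443 and
    passes for https://webserverFQDN:8443, as the thread describes.
    """
    host = host.lower()
    for name in (n.lower() for n in cert_names):
        if name == host:
            return True
        if (name.startswith("*.") and host.endswith(name[1:])
                and host.count(".") == name.count(".")):
            return True
    return False


if __name__ == "__main__":
    for label, xml in (("JSSE", JSSE_CONNECTOR), ("APR", APR_CONNECTOR)):
        print(label, check_connector(xml) or "OK")
    print(hostname_matches(["webserver.example.com"], "localhost"))
```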

