Gianluca,
This site [1] has useful `keytool` examples. You should be able to view the
contents of your keystore with something like:
$ keytool -list -v -keystore /path/to/your/keystore.jks
There are some useful troubleshooting tips on SO [2].
To configure Tomcat to use the keystore, you need to set up a connector like
the following in $CATALINA_HOME/conf/server.xml:
<Connector
    protocol="org.apache.coyote.http11.Http11Protocol"
    SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
    port="443"
    scheme="https"
    secure="true"
    clientAuth="false"
    SSLEnabled="true"
    emptySessionPath="true"
    sslProtocol="TLS"
    keystoreFile="/path/to/your/keystore.jks"
    keystorePass="YourKeystorePassword"
    truststoreFile="/path/to/your/keystore.jks"
    truststorePass="YourKeystorePassword"
    truststoreAlgorithm="DelegateToApplication"
/>
The exact parameters may vary a bit depending on your version of Tomcat or
other preferences you may have.
[1] https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
[2] http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store
Thanks,
Carl
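An added, end-to-end script for the procedure discussed in this thread (it is not from the thread, nor CAS or Tomcat code; the CA name, host name, passphrases and directory are constructed). It scripts the openssl notes quoted below, adds a subjectAltName because browsers match the host name against the SAN rather than only the CN, checks with `openssl verify` that the CA really signed the server certificate, and then performs step 5: `keytool` imports certificates but not bare PEM private keys, so the key and certificate are first bundled into PKCS#12 with openssl and moved into the JKS with `keytool -importkeystore`; the CA certificate is added as a trusted entry so the one file can serve as both keystoreFile and truststoreFile, as in the connector above. It assumes `openssl` and `keytool` are on PATH.

```shell
#!/bin/sh
# Added example (not from the thread): CA -> server key -> CSR -> signed cert
# -> Java keystore, scripted end to end. Assumes openssl and keytool on PATH.
# CA_PASS, STORE_PASS, the CA name and the host name are all constructed.
set -eu

CA_PASS="${CA_PASS:-ca-passphrase-change-me}"    # protects rootCA.key (constructed)
STORE_PASS="${STORE_PASS:-changeit-storepass}"   # JKS/PKCS12 password (constructed)

# Step 1: encrypted CA key (as in the notes) and a self-signed CA certificate.
make_ca() {
  dir="$1"
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$dir/rootCA.key" 2048 2>/dev/null
  openssl req -x509 -new -key "$dir/rootCA.key" -passin "pass:$CA_PASS" \
    -days 1024 -subj "/CN=Example Dev CA" -out "$dir/rootCA.pem" 2>/dev/null
}

# Steps 2-4: server key, CSR, and a CA-signed certificate. The SAN extension
# is added because browsers validate the host name against the SAN.
make_server_cert() {
  dir="$1"; host="$2"
  openssl genrsa -out "$dir/$host.key" 2048 2>/dev/null
  openssl req -new -key "$dir/$host.key" -subj "/CN=$host" -out "$dir/$host.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s\n' "$host" > "$dir/$host.ext"
  openssl x509 -req -in "$dir/$host.csr" -CA "$dir/rootCA.pem" -CAkey "$dir/rootCA.key" \
    -passin "pass:$CA_PASS" -CAcreateserial -extfile "$dir/$host.ext" \
    -days 500 -out "$dir/$host.crt" 2>/dev/null
}

# Check the chain before touching Tomcat: exit status 0 means the CA signed it.
verify_chain() {
  openssl verify -CAfile "$1/rootCA.pem" "$1/$2.crt" >/dev/null 2>&1
}

# Step 5: keytool cannot read a bare PEM private key, so bundle key + cert
# into PKCS#12 first and import that into the JKS. The CA cert is then added
# as a trusted entry so the same file can act as the truststore too.
build_keystore() {
  dir="$1"; host="$2"
  openssl pkcs12 -export -in "$dir/$host.crt" -inkey "$dir/$host.key" \
    -certfile "$dir/rootCA.pem" -name "$host" \
    -passout "pass:$STORE_PASS" -out "$dir/$host.p12"
  keytool -importkeystore -noprompt \
    -srckeystore "$dir/$host.p12" -srcstoretype PKCS12 -srcstorepass "$STORE_PASS" \
    -destkeystore "$dir/keystore.jks" -deststoretype JKS -deststorepass "$STORE_PASS" >/dev/null 2>&1
  keytool -importcert -noprompt -alias devca -file "$dir/rootCA.pem" \
    -keystore "$dir/keystore.jks" -storepass "$STORE_PASS" >/dev/null 2>&1
}

# Prints the aliases in the store, one per line, sorted: expect the host
# (a PrivateKeyEntry) and "devca" (a trustedCertEntry).
list_aliases() {
  keytool -list -keystore "$1/keystore.jks" -storepass "$STORE_PASS" 2>/dev/null \
    | awk -F, '/Entry/ {print $1}' | sort
}

# Stand-alone run: `sh thisfile.sh run` builds everything in a scratch directory.
if [ "${1:-}" = "run" ]; then
  work="$(mktemp -d)"
  make_ca "$work"
  make_server_cert "$work" cas.example.test
  verify_chain "$work" cas.example.test && echo "chain OK: $work"
  build_keystore "$work" cas.example.test
  list_aliases "$work"
fi
```

After a run, `keytool -list -v -keystore keystore.jks` should show a PrivateKeyEntry for the host whose chain ends in the CA, plus a trustedCertEntry for the CA. The same rootCA.pem imported into the client JVM's cacerts (step 9 in the list quoted below) is what lets the CAS client's back-channel HTTPS call validate the server certificate.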
----- Original Message -----
From: "Gianluca Diodato" <[email protected]>
To: [email protected]
Cc: [email protected], [email protected],
[email protected], [email protected]
Sent: Wednesday, March 25, 2015 10:21:05 AM
Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote
machine , Java Cas Client other machine
Carl,
thank you very much for detailed answer.
I'm done up to step 4)... I have created these files:
- casserver.crt
- casserver.key
- casserver.csr
- rootCA.pem
- rootCA.key
- rootCA.srl
In 5) I have to install the private key and public certificate in my CAS
server using java `keytool` (I don't know how...) and configure Tomcat
to use the keystore I created (I'm in!!).
Is this the instruction?
$ keytool -import -trustcacerts -alias mydomain -file mydomain.crt -keystore keystore.jks
Thanks
Gianluca
On Wednesday, March 25, 2015 at 14:21:07 UTC+1, Waldbieser, Carl
wrote:
>
> Gianluca,
>
> For development, I like to use the openssl tools to create my own CA and
> use it to sign my own certificates rather than using a self-signed
> certificate.
> Here are the notes I use. Lines starting with ($) are the actual commands
> I enter into the terminal.
>
> ================
> Create My Own CA
> ================
>
> # Create CA key
> $ openssl genrsa -des3 -out rootCA.key 2048
> # Create and self-sign CA cert.
> $ openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
>
> ------------
> Create a Key
> ------------
> $ openssl genrsa -out example.key 2048
>
> ------------------------------------
> Create a Certificate Signing Request
> ------------------------------------
> $ openssl req -new -key example.key -out example.csr
>
> ----------
> Sign a CSR
> ----------
> $ openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key \
>     -CAcreateserial -out example.crt -days 500
>
>
> So first, I generate a CA key and cert (first 2 commands). This is
> something you only need to do once, but you have to keep the key somewhere
> you can find it, and you need to remember the password you choose for it as
> you will use this key to sign your certs.
>
> Next, whenever you set up a development *server*, you create a private key
> for the server (command under "Create a Key" section) and a certificate
> signing request (section "Create a Certificate Signing Request").
>
> Finally, you use the CA you generated to sign the CSR and generate a
> public certificate for the server (section "Sign a CSR"). These steps are
> basically what real CAs do, but they need to be a lot more careful with
> their keys and their CA public certs are typically already included in your
> browser.
>
> It is worth noting that the OpenSSL tool commands above generate keys and
> certs in PEM format, which is a text format you can view in an editor. The
> CAS server runs as a Java servlet, so it uses a Java keystore format (a
> file that sometimes has a .jks extension). You need to use the Java
> `keytool` command to import certificates and private keys into the Java
> keystore.
>
> Browsers will typically accept certificates in a variety of formats.
>
> So for your CAS setup, I would:
>
> 1) Generate a CA key and certificate.
> 2) Generate a private key for my CAS server.
> 3) Generate a CSR for the CAS server private key.
> 4) Use my CA key to sign the CAS server CSR and create a public
> certificate.
> 5) Install the private key and public certificate in my CAS server using
> java `keytool` and configuring Tomcat to use the keystore I created.
> Alternatively, if I have Apache in front of Tomcat and am using
> something like mod_ajp, I can just use the PEM files in my Apache config
> and not worry about SSL in Tomcat.
> 6) Import my CA public cert into my browser.
> 7) Test that the CAS server cert is accepted by my browser (hit the
> /logout URL and verify the cert gives me the "green lock" icon).
> 8) Repeat steps 2-5 for my server with the CAS client app.
> 9) Since the CAS client app is actually going to make an HTTPS request
> to CAS using a back-channel, you have to make sure that the
> HTTPS Java client it uses trusts your CA. I am not sure how to
> configure this *specifically* for only that client, but I believe
> you can import your CA into the system-wide Java CA-certs keystore.
> Its name is typically "cacerts", but the location on your
> system may vary.
>
> Thanks,
> Carl
>
> ----- Original Message -----
> From: "Gianluca Diodato" <[email protected]>
> To: [email protected]
> Cc: [email protected], [email protected],
> [email protected]
> Sent: Wednesday, March 25, 2015 6:24:44 AM
> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on
> remote machine , Java Cas Client other machine
>
> Hi Carl,
> thanks for your answer.
> First of all, yes it is a development environment.
> I created my own CA on the server machine (CAS Server) with this tutorial
> (http://tekyhost.com/ubuntu-12-04-and-tomcat-7-ssl-implementation/) and
> everything works fine (https://localhost:8443/cas/login and, on another
> machine, https://my_ip_server:8443/cas/login). I followed this
> tutorial http://jasig.github.io/cas/4.0.x/index.html and for the
> authentication I created a db (mySQL) with a table users (2 columns: email,
> password(MD5)). On the other machine I'm developing a web application (J2EE
> in Eclipse) and I'm trying to connect the login page to the CAS login page
> via web.xml, adding filters (https://cuit.columbia.edu/cas-ify-java-application)
> via SSL.
> For my client machine, do I have to create another CA of my own, or do I have
> to import the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)??
> Sorry but all this is new for me!!
>
> Thanks
> Gianluca
>
> On Tuesday, March 24, 2015 at 16:29:55 UTC+1, Waldbieser, Carl
> wrote:
> >
> >
> > Gianluca,
> >
> > Is this a development environment or is it a production environment
> > where users' web browsers need to trust the certificate? In the latter
> > case, you will need to generate a private key, make a certificate request,
> > and get the certificate signed by a Certificate Authority (CA).
> >
> > In a development environment, it is possible to be your own CA. You
> > would basically do the same things as in production, but you would need
> > to add the local CA certificates to the browsers you will be testing. If
> > you use proxy CAS, your CAS server will also need to trust your private CA.
> >
> > Thanks,
> > Carl Waldbieser
> > ITS System Programmer
> > Lafayette College
> >
> > ----- Original Message -----
> > From: "Gianluca Diodato" <[email protected]>
> > To: [email protected]
> > Sent: Tuesday, March 24, 2015 11:10:29 AM
> > Subject: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote
> > machine , Java Cas Client other machine
> >
> > Hi All,
> > can anyone help me with my configuration problem, as in the subject??
> > I need to configure my environment for SSL like this:
> >
> > Machine 1: CAS SERVER -- Ubuntu 12.04 - Tomcat 7 - JDK 1.6 -- SSL
> > certificate generate with openssl + apr and added to Tomcat + Users into
> > MysqlDB (WORKS)
> > Machine 2: Cas Client java 3.3.3 (jar) imported into my webapp with only
> > welcome page at moment -- Eclipse Luna + Tomcat 7 + JDK 1.6
> >
> > On machine 2, how do I generate a trusted certificate in order to connect my
> > client to the CAS Server to log in my users?
> > Does anyone know if a step-by-step tutorial or guide exists, even a basic one?
> >
> > Please, help me
> >
> > Gianluca
> >
> > --
> > You are currently subscribed to [email protected] <javascript:>
> as:
> > [email protected] <javascript:>
> > To unsubscribe, change settings or access archives, see
> > http://www.ja-sig.org/wiki/display/JSG/cas-user
> >
>
--
You are currently subscribed to [email protected] as:
[email protected]
To unsubscribe, change settings or access archives, see
http://www.ja-sig.org/wiki/display/JSG/cas-user