Yes. Sent from my iPhone
> On Mar 26, 2015, at 12:53, Gianluca Diodato <gianluca.diod...@gmail.com> wrote:
>
> Hi Dmitriy,
> I have created my certificate with the xca GUI and exported it into a .crt file in PEM format.
> And now? Do I have to import this file into my keystore to change Tomcat?
>
> Best
> Gianluca
>
> On Wednesday, March 25, 2015 15:51:35 UTC+1, Dmitriy Kopylenko wrote:
>>
>> I just want to add that there is an excellent GUI program for managing all
>> of this stuff (built on OpenSSL), namely xca:
>> http://sourceforge.net/projects/xca/
>>
>> Best,
>> D.
>>
>>> On Mar 25, 2015, at 10:42 AM, Waldbieser, Carl <wald...@lafayette.edu> wrote:
>>>
>>> Gianluca,
>>>
>>> This site [1] has useful `keytool` examples. You should be able to view
>>> the contents of your keystore with something like:
>>>
>>> $ keytool -list -v -keystore /path/to/your/keystore.jks
>>>
>>> There are some useful troubleshooting tips on SO [2].
>>>
>>> To configure Tomcat to use the keystore, you need to set up a connector
>>> like the following in $CATALINA_HOME/conf/server.xml:
>>>
>>> <Connector
>>>     protocol="org.apache.coyote.http11.Http11Protocol"
>>>     SSLImplementation="edu.internet2.middleware.security.tomcat6.DelegateToApplicationJSSEImplementation"
>>>     port="443"
>>>     scheme="https"
>>>     secure="true"
>>>     clientAuth="false"
>>>     SSLEnabled="true"
>>>     emptySessionPath="true"
>>>     sslProtocol="TLS"
>>>     keystoreFile="/path/to/your/keystore.jks"
>>>     keystorePass="YourKeystorePassword"
>>>     truststoreFile="/path/to/your/keystore.jks"
>>>     truststorePass="YourKeystorePassword"
>>>     truststoreAlgorithm="DelegateToApplication"
>>> />
>>>
>>> The exact parameters may vary a bit depending on your version of Tomcat or
>>> other preferences you may have.
>>>
>>> [1] https://www.sslshopper.com/article-most-common-java-keytool-keystore-commands.html
>>> [2] http://stackoverflow.com/questions/2138940/import-pem-into-java-key-store
>>>
>>> Thanks,
>>> Carl
>>>
>>> ----- Original Message -----
>>> From: "Gianluca Diodato" <gianluca...@gmail.com>
>>> To: jasig-c...@googlegroups.com
>>> Cc: cas-...@lists.jasig.org, cas-...@lists.jasig.org, cas-...@lists.jasig.org, wald...@lafayette.edu
>>> Sent: Wednesday, March 25, 2015 10:21:05 AM
>>> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine, Java Cas Client other machine
>>>
>>> Carl,
>>> thank you very much for the detailed answer.
>>> I'm in until 4)... I have created these files:
>>> - casserver.crt
>>> - casserver.key
>>> - casserver.csr
>>> - rootCA.pem
>>> - rootCA.key
>>> - rootCA.srl
>>>
>>> In 5) I have to install the private key and public certificate in my CAS
>>> server using java `keytool` (I don't know how...) and configure Tomcat
>>> to use the keystore I created (I'm in!!).
>>> Is this the instruction?
>>> keytool -import -trustcacerts -alias *mydomain* -file *mydomain.crt* -keystore *keystore.jks*
>>>
>>> Thanks
>>> Gianluca
>>>
>>> On Wednesday, March 25, 2015 14:21:07 UTC+1, Waldbieser, Carl wrote:
>>>>
>>>> Gianluca,
>>>>
>>>> For development, I like to use the openssl tools to create my own CA and
>>>> use it to sign my own certificates rather than using a self-signed
>>>> certificate.
>>>> Here are the notes I use. Lines starting with ($) are the actual commands
>>>> I enter into the terminal.
>>>>
>>>> ================
>>>> Create My Own CA
>>>> ================
>>>>
>>>> # Create CA key
>>>> $ openssl genrsa -des3 -out rootCA.key 2048
>>>> # Create and self-sign CA cert.
>>>> $ openssl req -x509 -new -nodes -key rootCA.key -days 1024 -out rootCA.pem
>>>>
>>>> ------------
>>>> Create a Key
>>>> ------------
>>>> $ openssl genrsa -out example.key 2048
>>>>
>>>> ------------------------------------
>>>> Create a Certificate Signing Request
>>>> ------------------------------------
>>>> $ openssl req -new -key example.key -out example.csr
>>>>
>>>> ----------
>>>> Sign a CSR
>>>> ----------
>>>> $ openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key -CAcreateserial -out example.crt -days 500
>>>>
>>>>
>>>> So first, I generate a CA key and cert (first 2 commands). This is
>>>> something you only need to do once, but you have to keep the key somewhere
>>>> you can find it, and you need to remember the password you choose for it as
>>>> you will use this key to sign your certs.
>>>>
>>>> Next, whenever you set up a development *server*, you create a private key
>>>> for the server (command under the "Create a Key" section) and a certificate
>>>> signing request (section "Create a Certificate Signing Request").
>>>>
>>>> Finally, you use the CA you generated to sign the CSR and generate a
>>>> public certificate for the server (section "Sign a CSR"). These steps are
>>>> basically what real CAs do, but they need to be a lot more careful with
>>>> their keys, and their CA public certs are typically already included in your
>>>> browser.
>>>>
>>>> It is worth noting that the OpenSSL tool commands above generate keys and
>>>> certs in PEM format, which is a text format you can view in an editor. The
>>>> CAS server runs as a Java servlet, so it uses a Java keystore format (a
>>>> file that sometimes has a .jks extension). You need to use the Java
>>>> `keytool` command to import certificates and private keys into the Java
>>>> keystore.
>>>>
>>>> Browsers will typically accept certificates in a variety of formats.
>>>>
>>>> So for your CAS setup, I would:
>>>>
>>>> 1) Generate a CA key and certificate.
>>>> 2) Generate a private key for my CAS server.
>>>> 3) Generate a CSR for the CAS server private key.
>>>> 4) Use my CA key to sign the CAS server CSR and create a public certificate.
>>>> 5) Install the private key and public certificate in my CAS server using
>>>>    java `keytool` and configure Tomcat to use the keystore I created.
>>>>    Alternatively, if I have Apache in front of Tomcat and am using
>>>>    something like mod_ajp, I can just use the PEM files in my Apache config
>>>>    and not worry about SSL in Tomcat.
>>>> 6) Import my CA public cert into my browser.
>>>> 7) Test that the CAS server cert is accepted by my browser (hit the
>>>>    /logout URL and verify the cert gives me the "green lock" icon).
>>>> 8) Repeat steps 2-5 for my server with the CAS client app.
>>>> 9) Since the CAS client app is actually going to make an HTTPS request
>>>>    to CAS using a back-channel, you have to make sure that the
>>>>    HTTPS Java client it uses trusts your CA. I am not sure how to
>>>>    configure this *specifically* for only that client, but I believe
>>>>    you can import your CA into the system-wide Java CA-certs keystore.
>>>>    Its name is typically "cacerts", but the location on your
>>>>    system may vary.
>>>>
>>>> Thanks,
>>>> Carl
>>>>
>>>> ----- Original Message -----
>>>> From: "Gianluca Diodato" <gianluca...@gmail.com>
>>>> To: jasig-c...@googlegroups.com
>>>> Cc: cas-...@lists.jasig.org, cas-...@lists.jasig.org, wald...@lafayette.edu
>>>> Sent: Wednesday, March 25, 2015 6:24:44 AM
>>>> Subject: Re: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine, Java Cas Client other machine
>>>>
>>>> Hi Carl,
>>>> thanks for your answer.
>>>> First of all, yes, it is a development environment.
>>>> I created my own CA on the server machine (CAS Server) with this tutorial
>>>> (http://tekyhost.com/ubuntu-12-04-and-tomcat-7-ssl-implementation/) and
>>>> everything works fine (https://localhost:8443/cas/login and, on another
>>>> machine, https://my_ip_server:8443/cas/login). I followed this
>>>> tutorial http://jasig.github.io/cas/4.0.x/index.html and for
>>>> authentication I created a DB (MySQL) with a users table (2 columns: email,
>>>> password (MD5)). On the other machine I'm developing a web application (J2EE
>>>> in Eclipse) and I'm trying to connect its login page to the CAS login page
>>>> via SSL by adding filters to web.xml
>>>> (https://cuit.columbia.edu/cas-ify-java-application).
>>>>
>>>> For my client machine, do I have to create another CA of my own, or do I have
>>>> to import the server CA into $JAVA_HOME/jre/lib/security/cacerts (client)??
>>>> Sorry, but all this is new for me!!
>>>>
>>>> Thanks
>>>> Gianluca
>>>>
>>>> On Tuesday, March 24, 2015 16:29:55 UTC+1, Waldbieser, Carl wrote:
>>>>>
>>>>>
>>>>> Gianluca,
>>>>>
>>>>> Is this a development environment or is it a production environment where
>>>>> users' web browsers need to trust the certificate? In the latter case, you
>>>>> will need to generate a private key, make a certificate request, and get the
>>>>> certificate signed by a Certificate Authority (CA).
>>>>>
>>>>> In a development environment, it is possible to be your own CA. You would
>>>>> basically do the same things as in production, but you would need to add
>>>>> the local CA certificates to the browsers you will be testing with. If you use
>>>>> proxy CAS, your CAS server will also need to trust your private CA.
>>>>>
>>>>> Thanks,
>>>>> Carl Waldbieser
>>>>> ITS System Programmer
>>>>> Lafayette College
>>>>>
>>>>> ----- Original Message -----
>>>>> From: "Gianluca Diodato" <gianluca...@gmail.com>
>>>>> To: cas-...@lists.jasig.org
>>>>> Sent: Tuesday, March 24, 2015 11:10:29 AM
>>>>> Subject: [cas-user] SSL problem (I need tutorial!!) Cas Server on remote machine, Java Cas Client other machine
>>>>>
>>>>> Hi All,
>>>>> can anyone help me with my configuration problem, as in the subject??
>>>>> I need to configure my environment for SSL like this:
>>>>>
>>>>> Machine 1: CAS SERVER -- Ubuntu 12.04 - Tomcat 7 - JDK 1.6 -- SSL
>>>>> certificate generated with openssl + apr and added to Tomcat + Users in
>>>>> MySQL DB (WORKS)
>>>>> Machine 2: CAS Client Java 3.3.3 (jar) imported into my webapp with only a
>>>>> welcome page at the moment -- Eclipse Luna + Tomcat 7 + JDK 1.6
>>>>>
>>>>> On machine 2, how do I generate a trusted certificate in order to connect my
>>>>> client to the CAS Server to log in my users?
>>>>> Does anyone know if a tutorial or step-by-step guide exists, even a basic one?
>>>>>
>>>>> Please, help me
>>>>>
>>>>> Gianluca
>>>>>
>>>>> --
>>>>> You are currently subscribed to cas-...@lists.jasig.org as: wald...@lafayette.edu
>>>>> To unsubscribe, change settings or access archives, see
>>>>> http://www.ja-sig.org/wiki/display/JSG/cas-user
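The thread stops short of the step Gianluca keeps asking about: getting the PEM key and certificate from Carl's openssl notes into a Java keystore Tomcat can read. The script below is an added example, not code from the thread or from CAS; it runs Carl's steps 1-5 and 9 non-interactively (`-subj` instead of prompts), then bundles key and cert as PKCS12 because `keytool` cannot import a bare PEM private key. The hostname, passwords and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): private CA -> server key/CSR -> signed
# cert -> PKCS12 -> JKS keystore + truststore for Tomcat and the CAS client.
# Hostname, passwords and paths below are constructed for the demo.
set -e

WORK="${WORK:-$(mktemp -d)}"
CA_PASS="demo-ca-pass"      # constructed; keep the real CA key and password offline
KS_PASS="demo-ks-pass"      # constructed; becomes keystorePass/truststorePass
HOST="cas.example.test"     # constructed CAS server hostname

make_ca_and_server_cert() {
    cd "$WORK"
    # 1) encrypted CA key and self-signed CA cert (Carl's first two commands)
    openssl genrsa -des3 -passout "pass:$CA_PASS" -out rootCA.key 2048 2>/dev/null
    openssl req -x509 -new -key rootCA.key -passin "pass:$CA_PASS" -days 1024 \
        -subj "/CN=Demo Dev Root CA" -out rootCA.pem
    # 2) server private key  3) CSR for it
    openssl genrsa -out example.key 2048 2>/dev/null
    openssl req -new -key example.key -subj "/CN=$HOST" -out example.csr
    # 4) sign with the CA; a SAN is added because browsers match it, not the CN
    printf 'subjectAltName=DNS:%s\n' "$HOST" > san.ext
    openssl x509 -req -in example.csr -CA rootCA.pem -CAkey rootCA.key \
        -passin "pass:$CA_PASS" -CAcreateserial -extfile san.ext \
        -days 500 -out example.crt 2>/dev/null
    # key + cert + CA chain as PKCS12; the alias names the key entry for Tomcat
    openssl pkcs12 -export -inkey example.key -in example.crt -certfile rootCA.pem \
        -name tomcat -passout "pass:$KS_PASS" -out example.p12
}

import_into_java_keystore() {
    cd "$WORK"
    # 5) move the PKCS12 key entry into the JKS keystore the connector points at
    keytool -importkeystore -noprompt -srckeystore example.p12 -srcstoretype PKCS12 \
        -srcstorepass "$KS_PASS" -srcalias tomcat -destkeystore keystore.jks \
        -deststoretype JKS -deststorepass "$KS_PASS" -destalias tomcat
    # 9) trust the CA cert (not the server cert) for the client's back-channel calls
    keytool -import -noprompt -trustcacerts -alias devrootca -file rootCA.pem \
        -keystore truststore.jks -storepass "$KS_PASS"
}

# Check the chain independently of Java; prints "example.crt: OK" on success
verify_chain() { (cd "$WORK" && openssl verify -CAfile rootCA.pem example.crt); }

if command -v openssl >/dev/null 2>&1; then
    make_ca_and_server_cert
    verify_chain
    if command -v keytool >/dev/null 2>&1; then import_into_java_keystore; fi
fi
```

With `keystore.jks` and `truststore.jks` in place, the connector from Carl's message only needs `keystoreFile`, `keystorePass`, `truststoreFile` and `truststorePass` pointed at them.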