Hello,
I did this:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA
%JAVA_HOME%\bin\keytool -export -alias tomcat -keypass changeit -file server.crt
%JAVA_HOME%\bin\keytool -import -file server.crt -alias tomcat -keypass changeit -keystore %JAVA_HOME%/jre/lib/security/cacerts
with Tomcat configuration like this:
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="%JAVA_HOME%/jre/lib/security/cacerts"
           keystorePass="changeit"/>
but when I start Tomcat it always goes into a loop with this error:
..........................................
SSLException: No available certificate or key corresponds to the
SSL cipher suites which are enabled.
...........................................
I looked for a solution but always ended up with the same error.
SOLUTION:
I did this:
%JAVA_HOME%\bin\keytool -genkey -alias tomcat -keypass changeit -keyalg RSA -keystore %JAVA_HOME%/jre/lib/security/cacerts
that is, I created the certificate directly in the JVM keystore, and Tomcat
starts without problems now.
Does anybody know about this issue?
Thanks in advance
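The following script is an added example and not code from this thread. It reproduces the two situations the post above describes with scratch keystores and makes the difference visible with `keytool -list`: exporting a certificate and importing it into another store produces a trustedCertEntry (public key only), which is what a *client* JVM needs to trust the CAS server (the point made in Andrew Petro's quoted reply below) but which Tomcat cannot serve TLS from; generating the key pair directly in the store that `keystoreFile` points at produces a PrivateKeyEntry, which is what the connector requires. It assumes a JDK `keytool` on PATH; the alias "tomcat", the password "changeit", the hostname cas.example.org and the scratch file names are placeholders that stand in for the JVM's cacerts.

```shell
#!/bin/sh
# Added example (not from the original thread): show why a trustedCertEntry
# alone gives "No available certificate or key corresponds to the SSL cipher
# suites which are enabled", while a PrivateKeyEntry lets Tomcat serve TLS.
# Assumes a JDK keytool on PATH. Alias, password, hostname and file names are
# placeholders; scratch PKCS12 files stand in for the JVM's cacerts.
set -eu

if ! command -v keytool >/dev/null 2>&1; then
    echo "keytool not found; install a JDK to run this example" >&2
    exit 0
fi

WORK="${WORK:-$(mktemp -d)}"
PASS=changeit
TYPE=PKCS12

# Report what kind of entry keystore $1 holds under alias $2:
# "PrivateKeyEntry" (key + cert), "trustedCertEntry" (cert only) or "missing".
# Older JDKs print "keyEntry" instead of "PrivateKeyEntry"; both are handled.
entry_type() {
    _out=$(keytool -list -storetype "$TYPE" -keystore "$1" -storepass "$PASS" \
                   -alias "$2" 2>/dev/null) || { echo missing; return 0; }
    case "$_out" in
        *PrivateKeyEntry*|*keyEntry*) echo PrivateKeyEntry ;;
        *trustedCertEntry*)           echo trustedCertEntry ;;
        *)                            echo unknown ;;
    esac
}

# Could Tomcat terminate TLS from keystore $1 / alias $2? Exit 0 = yes.
can_serve_tls() {
    [ "$(entry_type "$1" "$2")" = PrivateKeyEntry ]
}

# Working path (the post's SOLUTION): generate the key pair directly in the
# store that Tomcat's keystoreFile will point at.
keytool -genkeypair -storetype "$TYPE" -alias tomcat -keyalg RSA -keysize 2048 \
    -validity 365 -dname "CN=cas.example.org, OU=CAS, O=Example" \
    -keystore "$WORK/server.p12" -storepass "$PASS" -keypass "$PASS"

# Failing path (the post's first attempt): only the certificate leaves the
# key pair's store and is imported into a different one. That second store is
# still the right thing to hand a client JVM, e.g.
#   -Djavax.net.ssl.trustStore=$WORK/truststore.p12
keytool -exportcert -storetype "$TYPE" -alias tomcat -keystore "$WORK/server.p12" \
    -storepass "$PASS" -file "$WORK/server.crt"
keytool -importcert -storetype "$TYPE" -noprompt -alias tomcat \
    -file "$WORK/server.crt" -keystore "$WORK/truststore.p12" -storepass "$PASS"

for store in server.p12 truststore.p12; do
    printf '%-15s tomcat -> %s\n' "$store" "$(entry_type "$WORK/$store" tomcat)"
done
# server.p12      tomcat -> PrivateKeyEntry   (usable as Tomcat keystoreFile)
# truststore.p12  tomcat -> trustedCertEntry  (usable as a client truststore only)
```

Run `entry_type` against the keystore named in your connector's `keystoreFile` with the alias the connector uses ("tomcat" by default): anything other than PrivateKeyEntry is the condition behind the SSLException in the post.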
>From: "kike velez" <[EMAIL PROTECTED]>
>Reply-To: Yale CAS mailing list <[email protected]>
>To: [email protected]
>Subject: RE: SSL :Certificates to JVM keystore?
>Date: Sun, 24 Sep 2006 20:26:46 +0200
>
>Thank you Petro for your reply and for clarifying my doubts.
>
>And yes. I think this information must be on the page
>http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
>
>Thanks again
>
>
> >From: "Andrew Petro" <[EMAIL PROTECTED]>
> >Reply-To: Yale CAS mailing list <[email protected]>
> >To: "'Yale CAS mailing list'" <[email protected]>
> >Subject: RE: SSL :Certificates to JVM keystore?
> >Date: Sat, 23 Sep 2006 19:39:24 -0700
> >
> >Hello,
> >
> >CAS is an authentication mechanism wherein the Central Authentication
> >Service server serves as the "trusted intermediary" brokering authentication
> >between participants. Participants need not trust one another so long as
> >they all trust the CAS server.
> >
> >End users and their web browsers must trust the CAS server (otherwise the
> >user shouldn't feel comfortable typing in her password!) They must also
> >trust the channel of communication between one another. The standard way
> >for securing the channel between browser and website is SSL. So it is
> >obligatory that your CAS server be accessed by the end user over SSL.
> >
> >The "client application", the non-CAS web application that the user's
> >really trying to authenticate to, must also trust the CAS server (otherwise
> >it shouldn't care who the CAS server says the user is). And it must trust
> >the channel whereby it communicates with the CAS server. The standard way
> >for securing the channel over which web requests are fulfilled (and CAS
> >services are really lightweight XML over HTTP "web services") is SSL. So it
> >is obligatory that your CAS server offer the ticket validation services over
> >SSL.
> >
> >SSL is a public key encryption technology. If you pay a good chunk of money
> >for a "real" commercial SSL certificate, then it will be signed by a
> >certifying authority that "everyone" trusts implicitly and it just works.
> >For your real production CAS server it makes a lot of sense to throw money
> >at this problem and buy such an SSL certificate, with the resulting improved
> >user factors both for end users and applications using CAS.
> >
> >For smaller CAS deployments and certainly in development it makes a lot of
> >sense to use a "self-signed" certificate. Since self-signed SSL
> >certificates are essentially just made up on the fly, it is necessary to
> >distribute the corresponding public key. Your self-signed SSL cert is only
> >meaningful to me inasmuch as I have by a secure mechanism already received
> >the corresponding public key.
> >
> >For Java web applications, installing that public key into the JVM keystore
> >of the client application will result in the Java CAS client in the client
> >application being able to verify the security of the channel (SSL) between
> >it and the CAS server and so it will be able to validate service tickets.
> >
> >That was a long way of saying "Yes, it is necessary to import the public
> >key portion of the SSL certificate into the JVM keystore of any client Java
> >web applications using your CAS server, unless your SSL certificate is
> >implicitly trusted by virtue of its being expensive."
> >
> >And of course, whether you have a self-signed certificate or a commercial
> >certificate, you will need to install it into your Tomcat keystore for your
> >CAS server so that it can offer the CAS web application over SSL, if Tomcat
> >is going to be your SSL endpoint. (Apache, or some expensive hardware box
> >in front of your CAS server, might instead be your SSL endpoint for your
> >CAS server.)
> >
> >Does this help any?
> >
> >Would it help if something very much like the above were pasted atop the
> >CAS documentation page on SSL considerations?
> >
> >http://www.ja-sig.org/wiki/display/CAS/Solving+SSL+issues
> >
> >Andrew
> >
> > > -----Original Message-----
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of kike velez
> > > Sent: Saturday, September 23, 2006 3:50 PM
> > > To: [email protected]
> > > Subject: SSL :Certificates to JVM keystore?
> > >
> > > Hello
> > >
> > > I looked for this question in the archive but I don't have this issue
> > > clear.
> > >
> > > Is it obligatory to import the SSL certificates into the JVM keystore?
> > > If the answer is yes, why?
> > >
> > > I looked in the Tomcat documentation and I don't see anything about it.
> > >
> > > Thanks in advance
> >
> >
> >_______________________________________________
> >Yale CAS mailing list
> >[email protected]
> >http://tp.its.yale.edu/mailman/listinfo/cas