[dspace-tech] Re: Tomcat Cert Process for Dspace

2017-10-06 Thread Mark H. Wood
Oh, drat, I forgot that the InCommon certificate wasn't in the OS' cert. 
bundle and I had to go get it from InCommon.  The email which told you 
where to download your certificate should also tell you where to get theirs.

-- 
You received this message because you are subscribed to the Google Groups 
"DSpace Technical Support" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to dspace-tech+unsubscr...@googlegroups.com.
To post to this group, send email to dspace-tech@googlegroups.com.
Visit this group at https://groups.google.com/group/dspace-tech.
For more options, visit https://groups.google.com/d/optout.


[dspace-tech] Re: Tomcat Cert Process for Dspace

2017-10-06 Thread Mark H. Wood
On Friday, October 6, 2017 at 2:39:34 AM UTC-4, Dayne Ellanna wrote:
>
> I am having the worst time getting tomcat to do https for dspace.  I 
> followed the instructions on the dspace site but cannot make heads or tails 
> of the instructions as I am definitely not a certificate expert.  The 
> instructions use generic names and don't explain where root CAs come from 
> or generating certificate requests and from what do I generate these.  Can 
> someone give me very specific instructions about how to set up the https on 
> tomcat to run dspace.  So far I have gotten dspace to run successfully as 
> http://myserver.domain:8080/xmlui.  As per instructions on the dspace 
> site I have tried to create the RSA key, and we use InCommon for our certs 
> which I can obtain, but have not been able to figure out the beginning to 
> end process for this.  I tried using curl to test but no success.  I really 
> need a succinct explanation of all the pieces, where to get them or how to 
> generate them in order to run the ssl.  HELP!
>


We also proxy through Apache HTTPD, via AJP, in part because setting up 
certificates for Tomcat is such a pain.

We are also an InCommon member so I can speak to that.  You'll need the 
"InCommon RSA Server CA" intermediate certificate.  On this Gentoo Linux 
system it's in '/etc/ssl/certs/InCommon-RSA-Server-CA.pem' and should be 
similarly named on yours.  It is signed by "USERTrust RSA Certification 
Authority", in USERTrust_RSA_Certification_Authority.crt or something 
similar, which is the root certificate.  You can see the gory details of 
certificates, including the CN (e.g. "InCommon RSA Server CA") with 
'openssl x509 -noout -text -in /path/to/some/certificate.pem'.  (Sorry, I 
only use 'keytool' when I can't avoid it, and don't know by heart the 
options for this operation.)

It's impossible to write specific letter-for-letter instructions for this 
topic that cover all supported platforms, because they disagree as to where 
things like CATALINA_BASE and JAVA_HOME are.  If you'd tell us what OS, 
distribution and version you're using, that would help.  If you did *not* 
use your OS' package manager to install Tomcat, or Java, then it would help 
to tell us where you installed them.  In the meantime, you probably can 
forget about '$JAVA_HOME/bin' and assume that 'keytool' is available just 
like any other command.  If you search your system for 'server.xml' that 
should help you locate '$CATALINA_BASE/conf'.

I recommend inventing some keystore password other than "changeit", because 
everybody knows that's the default password and thus it is no security at 
all.

Whenever you have a question about Tomcat, it would be helpful to state the 
specific version that you are using.  When you have a question about DSpace 
(or its documentation), it would be helpful to state the specific version 
that you are using.

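Added example, not from the thread or from DSpace: a shell script that builds a throw-away root / intermediate / server chain with openssl and then runs the two checks the posts above hinge on, reading each certificate's subject and issuer, and verifying the server certificate both without and with the intermediate (the missing-intermediate case is exactly the mistake described in the first message). All names (Example Root CA, Example Server CA, server.example.test) are constructed; it assumes openssl is on PATH and works in a temp directory.

```shell
#!/bin/sh
# Constructed demo chain: root -> intermediate -> server (not real InCommon certs).
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that mark the intermediate as a CA; verify rejects non-CA issuers.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=keyCertSign,cRLSign\n' > ca.ext

# 1. Self-signed root (stands in for "USERTrust RSA Certification Authority").
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj '/CN=Example Root CA' \
  -keyout root.key -out root.pem 2>/dev/null
# 2. Intermediate signed by the root (stands in for "InCommon RSA Server CA").
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Server CA' \
  -keyout inter.key -out inter.csr 2>/dev/null
openssl x509 -req -days 2 -in inter.csr -CA root.pem -CAkey root.key \
  -CAcreateserial -extfile ca.ext -out inter.pem 2>/dev/null
# 3. Server certificate signed by the intermediate.
openssl req -new -newkey rsa:2048 -nodes -subj '/CN=server.example.test' \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -days 2 -in server.csr -CA inter.pem -CAkey inter.key \
  -CAcreateserial -out server.pem 2>/dev/null

# Who signed what: each cert's issuer must equal the subject of the next one up.
show_chain() {
  for f in server.pem inter.pem root.pem; do
    openssl x509 -noout -subject -issuer -in "$f"
  done
}

# Exit 0 when server.pem chains to root.pem; $1 is "" or the intermediate file.
verify_server() {
  if [ -n "$1" ]; then
    openssl verify -CAfile root.pem -untrusted "$1" server.pem >/dev/null 2>&1
  else
    openssl verify -CAfile root.pem server.pem >/dev/null 2>&1
  fi
}

show_chain
if verify_server ""; then
  echo "unexpected: verified without the intermediate"
else
  echo "fails without the intermediate (expected: the chain is incomplete)"
fi
if verify_server inter.pem; then
  echo "server.pem: OK with the intermediate supplied"
fi
```

Run the same `openssl verify` against your real server certificate with the InCommon intermediate as `-untrusted` before importing anything into the Tomcat keystore; if it only passes with the intermediate supplied, the intermediate must go into the keystore too.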