AW: Tomcat and openSSL

2004-07-20 Thread Nagel, Andre
I'm currently working on the same thing (Solaris: Apache, SSL, Tomcat, mod_jk...),
and while reading BUILDING I found this part on the configure options for mod_jk:

--enable-EAPI
  This parameter is needed when using Apache-1.3 and mod_ssl, otherwise you
  will get the error message: this module might crash under EAPI! when
  loading libjk.so in httpd.

Don't know if a similar flag is needed on W2K.

Good Luck

-Original Message-
From: Daniel J. Obregon [mailto:[EMAIL PROTECTED]
Sent: Tuesday, 20 July 2004 14:50
To: Tomcat Users List
Subject: Re: Tomcat and openSSL

I would recommend using Apache to handle the ssl connections for you. 
I've been using apache as the ssl connection point in our production
environment and using mod_jk to send things on to tomcat.

I had tried using the ssl connector bundled with tomcat, but after a while,
it just seemed to reach a point where it no longer served up web pages. 
Perhaps it was just a config thing...  At any rate, if you've already got
apache ssl working correctly, you just have to add a line to your conf
file:

Before:
<Files ~ "\.(cgi|shtml|phtml?)$">
    SSLOptions +StdEnvVars
</Files>

After:
<Files ~ "\.(cgi|shtml|jsp|phtml|php3?)$">
    SSLOptions +StdEnvVars
</Files>

Good Luck!

- Dan -


 Hi all,

 I'm new to this list and although I read the instructions on how to use
 the list, I'd like to apologize in advance if I ever misuse the list!

  -
 |Question|
  -
 I'm currently working on security with Apache Tomcat and openssl under
 Windows 2000. I'd like to set up Tomcat to be able to use it with SSL. I
 installed openssl on Windows and I'm now trying to create a CA and
 certificates.

 How am I exactly supposed to configure Tomcat and how does it relate to
 openssl? Did I even need to download openssl in the first place?
 Instructions on the web are unclear and several relate to older versions
 of Tomcat. (I'm running Tomcat 5.0.25).

 Thanks to all,
 David.

 -
 To unsubscribe, e-mail: [EMAIL PROTECTED]
 For additional commands, e-mail: [EMAIL PROTECTED]







AW: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-01 Thread Power-Netz (Schwarz)


This is the answer:

http://www.comu.de/docs/tomcat_ssl.htm


and it's really easy.


 -Original Message-
 From: Henrik Schultz [mailto:[EMAIL PROTECTED]]
 Sent: Monday, 1 July 2002 16:43
 To: tomcat-user
 Subject: Tomcat 4 - OpenSSL - IE client certificate works partially



 Greetings all...

 For those not interested in client certificates at the deep technical
 level, this is probably not your favorite cup of tea. Otherwise read on.

 Enabling SSL in Tomcat is really no sweat using your own home-made
 certificates, thanks to the excellent  HOW-TO. Once you get your root CA
 certificate installed in the right places, and a suitable certificate
 installed in Tomcat, everything works just fine.

 However, creating client certificates that work with IE has (at least for
 me) shown to be a real pain. I've experimented for months, and tried
 numerous postings on this list, but no one seemed to know the finer details.
 It was only recently I had a breakthrough, in that a trial certificate from
 Verisign allowed me to compare that and a home-made one, and find the bits
 that make the difference, that is, what it takes for it to be shown on the
 selection list in IE when the server asks for a client certificate.
 Last night I succeeded. The right combination of keytool and openssl
 maneuvers to set up a private CA finally generated a certificate that
 installed without a hitch in IE, and came up when I subsequently connected
 to my SSL enabled Tomcat. So far so good.

 However there is still one major obstacle ... the server aborts the
 connection right away :-

 IE tells me:

 The page cannot be displayed
 The page you are looking for is currently unavailable.
 The Web site might be experiencing technical difficulties,
 or you may need to adjust your browser settings.

 In other words, the usual message that indicates that the server screwed
 up, and closed the connection.

 Interestingly enough the Verisign certificate works just fine. So there is
 apparently still a difference to Tomcat.
 Have tried to connect using openssl s_client - works A-OK, also with my
 home-made certificate.
 Have looked in the tomcat logs to no avail. There is no trace anywhere why
 the connection breaks.

 So the question to the list is: how would I go about diagnosing this? I
 believe that the problem must be related to the SSL container (?) that
 responds to the traffic on port 443, and does all the SSL handshaking,
 because my application never sees anything.
 Just like in Apache there's an error log for all the pages that fail -
 isn't there such a log in Tomcat?

 Thanks for any input or advice you might have!

 PS. If anyone is interested in a writeup or HOW-TO of making client
 certificates for Tomcat, let me know. This is certainly tricky stuff!

 Henrik Schultz
 Senior Systems Architect
 Consultant to Maersk Data AS
 Tel.: +45 39 10 21 13
 Mobile: +45 22 12 24 29
 E-mail: [EMAIL PROTECTED]






Re: AW: Tomcat 4 - OpenSSL - IE client certificate works partially

2002-07-01 Thread Peter Werno

Hello,

this pretty much sounds like the same problem I was experiencing and 
posted earlier today. Sadly, your link below only gives hints on how 
to install a SERVER certificate, but not on how to configure everything 
to ask for a CLIENT cert. I have exactly the same problem where the 
initial handshake with the exchange of the SERVER cert is just fine, 
but then the connection breaks leaving you with absolutely NO 
LOG-entry as to why it broke 

So far, I was only able to get an error-message out of Netscape (6.x) 
saying unknown SSL Error -12227

Would it make sense to post this on the tomcat-development-list?

Regards,
Peter Werno


On Mon, 1 Jul 2002 16:50:21 +0200
  Power-Netz (Schwarz) [EMAIL PROTECTED] wrote:
 
 This is the answer:
 
 http://www.comu.de/docs/tomcat_ssl.htm
 
 
 and it's really easy.
 
 


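Added example, not part of any post in this thread: a POSIX shell sketch of the private-CA workflow discussed above, with a check that a certificate chains to the CA and is marked for TLS client authentication, two conditions a server can enforce when it asks for a client certificate. All file names, subjects and section names are constructed, and the thread does not say which certificate field caused the failure it describes.

```shell
#!/bin/sh
# Lab-only sketch: every file name, subject and section name here is constructed.
# Usage: d=$(mktemp -d); make_ca "$d"; issue_cert "$d" alice client; usable_as_client "$d" alice
# write_conf DIR: one OpenSSL config with the CA and leaf extension sections.
write_conf() {
    cat > "$1/lab.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[client]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
[server]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
extendedKeyUsage = serverAuth
EOF
}

# make_ca DIR: self-signed private CA (ca.key, ca.crt) in DIR.
make_ca() {
    write_conf "$1" &&
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 30 -config "$1/lab.cnf" \
        -extensions v3_ca -subj "/CN=Example Lab CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# issue_cert DIR NAME PROFILE: new key and CSR, then a certificate signed by the
# lab CA using the extension section PROFILE (client or server) from lab.cnf.
issue_cert() {
    openssl req -new -newkey rsa:2048 -nodes -config "$1/lab.cnf" -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 30 -extfile "$1/lab.cnf" -extensions "$3" \
        -out "$1/$2.crt" 2>/dev/null
}

# usable_as_client DIR NAME: succeeds only if NAME.crt chains to the lab CA and
# its extensions permit TLS client authentication.
usable_as_client() {
    openssl verify -CAfile "$1/ca.crt" -purpose sslclient "$1/$2.crt" >/dev/null 2>&1
}
```

On the Tomcat side, starting the JVM with -Djavax.net.debug=ssl,handshake prints the JSSE handshake trace to standard output, which is where a rejected client certificate becomes visible when the application logs stay empty.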