Re: Configuring server.xml for SSL breaks Tomcat

2003-09-26 Thread Christopher Williams
Matt,

2 suggestions:
1. Upgrade your JDK to 1.4.x.  JSSE is now integrated with the Java Runtime
and, you never know, this step alone might fix your problem.
2. Create and configure the SSL connector using the Admin tool instead of
manually editing server.xml.



-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Configuring server.xml for SSL breaks Tomcat

2003-09-26 Thread Matt Morgan
Thanks. I tried both suggestions exhaustively but didn't have any better
success.

I have apache running SSL on this same server. Should I be working on the
jk2 connector instead, to use Apache's SSL? That looked more complicated
at first.

Thanks,
Matt




Configuring server.xml for SSL breaks Tomcat

2003-09-25 Thread Matt Morgan
I'm using 4.1.27 on debian 3.0 with the JDK 1.3 from Blackdown, and the 
last independent JSSE from Sun, the one intended for jdk1.3. Tomcat runs 
as user tomcat4, whose home dir is /usr/share/tomcat4 and whose login 
shell is /bin/false.

Tomcat runs fine when I don't try to get SSL working. Annoyingly enough, 
it ran for a minute with SSL working, but that was with the default 
password on the keystore which I thought was a bad idea, long-term. So I 
created a new key, put it in the same place (with the same name), and 
restarted tomcat. Only Tomcat wouldn't start at all, not even the 
non-SSL connector.

So, I tried to go back to the old key. No good; same problem. Finally I 
went back to a /conf/server.xml file with the SSL connector commented 
out, and I could get Tomcat to restart (non-SSL only). I've tried about 
ten times to recreate the key with the default password and every time I 
reconfigure server.xml to start an SSL connector, Tomcat won't start.

I am creating the key as root, since I can't login as tomcat4; I use

/usr/lib/j2se/1.3/bin/keytool -genkey -alias tomcat -keyalg RSA

and then I copy the key to /usr/share/tomcat4 and chown it to tomcat4. 
This is what worked the one time. I have also tried using -keystore 
/usr/share/tomcat4/.keystore, which hasn't helped. I've deleted all the 
old .keystores from the system, so I know it's not trying to open an old 
one.

Basically, all I'm doing to server.xml is removing the comments around 
the pre-configured SSL connector. So it looks like this:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false" protocol="TLS"/>
</Connector>
I know certificates can be touchy, but I'm at a loss to understand why 
this worked once, and is failing to work now. And why would it prevent 
Tomcat from working in non-SSL?

Thanks,
Matt Morgan
Manager of Information Systems
Brooklyn Museum of Art
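An added example, not code from the thread: the keystore step from the post above, scripted so it runs non-interactively, together with the connector entry that tells Tomcat where the keystore is and what its password is. The Tomcat 4.1 SSL HOWTO documents that the JSSE socket factory defaults to the file .keystore in the home directory of the user running Tomcat and to the password "changeit" unless keystoreFile and keystorePass are set on the Factory element, and that Tomcat 4 requires the key password to equal the keystore password. A keystore created with a different password therefore needs a matching keystorePass. The hostname myorg.org, the organisation "my org", the keytool on PATH and the password supplied by the caller are assumptions of this example.

```sh
#!/bin/sh
# Added example, not from the thread: create the Tomcat 4.1 keystore with a
# password of your own and print the matching server.xml connector, so the
# file, its password and the configuration cannot drift apart.
# Assumed (not in the original post): keytool on PATH, placeholder hostname
# myorg.org, organisation "my org", and a password passed in by the caller.

# Tomcat 4 opens the key with the keystore password, so -keypass must equal
# -storepass. -storetype JKS matters on newer JDKs, whose default is PKCS12,
# which the 4.1 connector does not read.
make_tomcat_keystore() {
  ks=$1; pass=$2; host=$3
  keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
    -storetype JKS -keystore "$ks" -storepass "$pass" -keypass "$pass" \
    -dname "CN=$host, O=my org" >/dev/null 2>&1 \
  && chmod 600 "$ks"
}

# Open the keystore the way the connector will; a wrong password exits nonzero.
verify_keystore() {
  keytool -list -storetype JKS -keystore "$1" -storepass "$2" \
    -alias tomcat >/dev/null 2>&1
}

# The connector from the post plus keystoreFile/keystorePass. Without them
# Tomcat looks for ~/.keystore of the user it runs as and tries "changeit".
ssl_connector_xml() {
  ks=$1; pass=$2
  printf '<Connector className="org.apache.catalina.connector.http.HttpConnector"\n'
  printf '           port="8443" minProcessors="5" maxProcessors="75"\n'
  printf '           enableLookups="true"\n'
  printf '           acceptCount="10" debug="0" scheme="https" secure="true">\n'
  printf '  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"\n'
  printf '           keystoreFile="%s" keystorePass="%s"\n' "$ks" "$pass"
  printf '           clientAuth="false" protocol="TLS"/>\n'
  printf '</Connector>\n'
}

# Run as root, as in the post; the keystore ends up owned by tomcat4.
# Usage: TOMCAT_KEYSTORE_PASS='...' sh tomcat-keystore.sh demo
if [ "${1:-}" = "demo" ]; then
  KS=/usr/share/tomcat4/.keystore
  PASS=${TOMCAT_KEYSTORE_PASS:?set TOMCAT_KEYSTORE_PASS in the environment}
  make_tomcat_keystore "$KS" "$PASS" myorg.org
  chown tomcat4:tomcat4 "$KS"
  verify_keystore "$KS" "$PASS" && ssl_connector_xml "$KS" "$PASS"
fi
```

Because Tomcat 4 reads the keystore password from server.xml, the file then holds a secret: keep it owned by tomcat4 with mode 600, and never leave the default "changeit" in a keystore that is reachable from the file system.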


RE: Configuring server.xml for SSL breaks Tomcat

2003-09-25 Thread King,Daniel
I don't know what your time span has been for working with this, but I ran into a 
problem using WebLogic where my key had expired.  My self-signed certificate had not 
expired, but the key had.  I used the OpenSSL software.  When I recreated the key with 
arguments to make it expire in a year, instead of the default of 30 days, I did not 
have the problem again.
 


Re: Configuring server.xml for SSL breaks Tomcat

2003-09-25 Thread Matt Morgan
Thanks. Well, the Tomcat docs don't say anything about what the default 
expiry is for keys self-generated with keytool, but this is work that I 
did all today, and in general I was trying to use the keys within 
seconds of creating them.

Any other thoughts? Are these keys I'm creating persistent in some 
way--cached somewhere, or anything like that? It doesn't seem like it.



RE: Configuring server.xml for SSL breaks Tomcat

2003-09-25 Thread King,Daniel
You are just talking about the key, but what is actually needed to use SSL (if Tomcat 
is like WebLogic) is a self-signed certificate, and there are several steps that you 
have to go through to create that correctly, even before the challenge of configuring 
Tomcat to use it.
 
The example below uses OpenSSL, which comes standard with most flavors of Linux.
 
Assume directory /usr/local/temp where you are going to create your certificate.
1. Go to /usr/local/temp, and create directory cert,
2. Go to directory cert.  This will be referred to in the SSL section as the SSL 
working directory.  From the SSL working directory, create directory demoCA,
3. Go to directory demoCA, and create two directories:
  A. newcerts
  B. private
4. In directory demoCA, create 2 text files:
  A. serial (no extension), and insert the value 01 and a return,
  B. index.txt which should be left empty.
 
5. Return to directory cert, and from a command shell issue the  following command, to 
create a Certificate Authority (CA for short):
 
 openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out 
 ./demoCA/cacert.pem -days 1095
 
Command Summary for readability:
openssl req -x509
-newkey rsa:512 
-keyout ./demoCA/private/cakey.pem 
-out ./demoCA/cacert.pem 
-days 1095
 
openssl will ask you numerous questions:
 
   Pass Phrase  = **
   Country (2 chars)= US
   State (spell out)= Idaho
   Locality (City)  = Boise
   Organization = my org
   Org. Unit   = my division
   Common Name  = myorg.org
   emailAddress = [EMAIL PROTECTED]
 
openssl uses the configuration file mentioned above for default values.  If everything 
works, it will create the CA key, called cakey.pem, at:
 
./demoCA/private/cakey.pem
 
and will create the CA, called cacert.pem, at:
 
./demoCA/cacert.pem
 
Store the pass phrase that you enter in a secure place.  You will need it in step 8 
ahead.
 
6. Next you need to create a key for a certificate request.  From the SSL working 
directory, issue the command:
 
 openssl genrsa -out ./key.pem 512
 
which will create the key file called key.pem in the working directory.
 
7. Next you need to create the certificate request.  From the SSL working directory, 
issue the command:
 
 openssl req -new -key ./key.pem -out ./req.pem -days 1095
 
You will once again be asked all the questions listed above.  Additionally, you will 
be asked to choose a Challenge Password.  Enter a Challenge Password; do not confuse 
this with the Pass Phrase in step 5.   Hit return for the prompt An optional 
company name[].
 
8. Next you will use the CA to create and sign cert.pem, an actual certificate.  The 
CA will use ./cert/req.pem (the Certificate request)  as the raw material from which 
to create the actual certificate.  The CA and its key (the one in the subdirectory 
called private, not the one in the working directory) are used to sign the request.  
From the SSL working directory issue the command:
 
 openssl ca -in ./req.pem -out ./cert.pem -days 1095
 
At that point you must enter the PEM pass phrase that you used to create the CA (see 
step 5 above).  It must be exactly the same as before.  Then you will have a signed 
certificate at:
 
/usr/local/temp/cert/cert.pem
 
Now make sure to change owner and permissions so that the server will be able to use 
all this stuff.  From the SSL working directory, issue the commands:
 cd ..
 chown -R youruser:youruser ./cert
 chmod -R 700 ./cert
 
9. Next you must open cert.pem with a text editor, and remove all of the stuff above 
the line:
 
-----BEGIN CERTIFICATE-----
 
I don't know why openssl puts that stuff in there, but WebLogic will not work with it 
there.  If you do not remove it, you will get an exception:
 
java.security.KeyManagementException: ASN.1: Unxpected ASN.1 tag

(that is Sun's misspelling of Unexpected, not mine).
 
 
Configure Tomcat to use the certificate at this point, along with moving the certificate 
from /usr/local/temp to the location where Tomcat expects it to be.  This is stuff I 
do not know the details about yet.
 
 
Then if you did everything correctly, you can restart the server, and it will use your new 
Certificate.  How will you know?  When you connect to the server, you will be prompted 
with two dialog boxes (from Internet Explorer).  The second one will say "Security 
Alert".  Select the button labeled "View Certificate", and you will see:
 
Issued to:  myorg.org
Issued by:   myorg.org
 
Instead of the default values used by Tomcat when it is using its demonstration 
certificates.
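The procedure in steps 1 to 9 above, as an added example that is not from the thread: one shell function that runs it unattended with openssl. It departs from the post in ways that are this example's choices, not the author's: 2048-bit RSA keys instead of 512 (512-bit RSA has been publicly factored, and OpenSSL's default security level rejects RSA keys shorter than 1024 bits); a private openssl.cnf written by the script instead of relying on the system file's demoCA defaults; -batch, -subj and -passout/-passin in place of the interactive prompts; -days with its leading dash; genrsa without -days, which it does not take; and -notext on openssl ca, which is what leaves out the human-readable dump above -----BEGIN CERTIFICATE----- that step 9 deletes by hand. The hostname myorg.org and the organisation "my org" come from the post; the working directory, the CA subject and the default pass phrase are placeholders.

```sh
#!/bin/sh
# Added example, not from the thread: the OpenSSL CA procedure from the post,
# scripted and corrected so it runs unattended.
# Assumptions of this example (not in the original): 2048-bit keys, a minimal
# openssl.cnf written inline, -notext so cert.pem starts at the PEM header,
# placeholder CA subject and pass phrase.

# Usage: make_ca_and_server_cert <workdir> <hostname> [<ca-passphrase>]
make_ca_and_server_cert() {
  workdir=$1; host=$2; capass=${3:-replace-this-ca-passphrase}
  (
    set -e
    # Steps 1-4: working directory, demoCA, newcerts, private, serial, index.txt
    mkdir -p "$workdir/demoCA/newcerts" "$workdir/demoCA/private"
    cd "$workdir"
    echo 01 > demoCA/serial
    : > demoCA/index.txt
    # Config standing in for the system openssl.cnf; $host becomes the SAN.
    cat > openssl.cnf <<EOF
[ req ]
distinguished_name = req_dn
default_md         = sha256
x509_extensions    = v3_ca

[ req_dn ]
commonName = Common Name (hostname)

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign

[ ca ]
default_ca = local_ca

[ local_ca ]
new_certs_dir   = ./demoCA/newcerts
database        = ./demoCA/index.txt
serial          = ./demoCA/serial
certificate     = ./demoCA/cacert.pem
private_key     = ./demoCA/private/cakey.pem
default_md      = sha256
default_days    = 1095
policy          = policy_any
x509_extensions = server_cert

[ policy_any ]
countryName            = optional
stateOrProvinceName    = optional
localityName           = optional
organizationName       = optional
organizationalUnitName = optional
commonName             = supplied
emailAddress           = optional

[ server_cert ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName   = DNS:$host
EOF
    # Step 5: self-signed CA; its key is protected by the pass phrase.
    openssl req -x509 -config openssl.cnf -newkey rsa:2048 -days 1095 \
      -keyout demoCA/private/cakey.pem -out demoCA/cacert.pem \
      -passout "pass:$capass" -subj "/O=my org/CN=my org CA"
    # Step 6: server key. genrsa has no -days; that belongs to req and ca.
    openssl genrsa -out key.pem 2048
    # Step 7: certificate request for the server.
    openssl req -new -config openssl.cnf -key key.pem -out req.pem \
      -subj "/O=my org/CN=$host"
    # Step 8: sign with the CA. -notext omits the text dump step 9 removes.
    openssl ca -batch -notext -config openssl.cnf -days 1095 \
      -passin "pass:$capass" -in req.pem -out cert.pem
    # Private keys readable by their owner only.
    chmod 600 key.pem demoCA/private/cakey.pem
  )
}
```

For Tomcat's JSSE connector the server key would not come from openssl genrsa at all: keytool -genkey creates it inside the JKS keystore, keytool -certreq writes the req.pem that step 8 signs, and the resulting cert.pem is imported back with keytool -import under the same alias after cacert.pem has been imported as a trusted certificate, because the keytool of that era cannot import a PEM private key.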

 
