Tomcat SSL question (Emergency)
Hi,

I am currently implementing a Verisign Server Certificate (128 bit) on Tomcat 4.0.3 on the Windows 2000 Server platform with JDK 1.4.0 and do the following steps:

1. Create a local Certificate Signing Request (CSR)
2. Submit the CSR to Verisign and receive the certificate back
3. Import the Verisign Chain Certificate into your keystore
4. Import the new Certificate into the keystore

   Note: I am creating different passwords for the keystore and the tomcat user, other than the default one called changeit (i.e. keystore password: secret1, key password for tomcat: secret2).

5. Stop tomcat
6. Modify the settings in the server.xml file:

       <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
       <Connector className="org.apache.catalina.connector.http.HttpConnector"
                  port="443" minProcessors="5" maxProcessors="75"
                  enableLookups="true" acceptCount="10" debug="0"
                  scheme="https" secure="true">
         <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
                  keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
                  keystorePass="secret1"
                  clientAuth="false" protocol="TLS"/>
       </Connector>

7. Start tomcat

When I point to the secure website, I receive the following errors:

    Create Catalina server
    initProxy: java.security.UnrecoverableKeyException: Cannot recover key
    java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
        at java.security.KeyStore.getKey(KeyStore.java:289)
        at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init(DashoA6275)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA6275)
        at javax.net.ssl.KeyManagerFactory.init(DashoA6275)
        at com.sun.net.ssl.KeyManagerFactorySpiWrapper.engineInit(DashoA6275)
        at com.sun.net.ssl.KeyManagerFactory.init(DashoA6275)
        at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:403)
        at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
        at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
        at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:428)
    Catalina.start: LifecycleException: null.open: java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
    LifecycleException: null.open: java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1130)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
        at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:428)
    ----- Root Cause -----
    java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
        at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:422)
        at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
        at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
        at
RE: Tomcat SSL question (Emergency)
Kevin,

You might like to help Tomcat out by telling it the password. Try modifying the factory bit in server.xml to add the path to the keystore, and the password, something like this:

    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="true" protocol="TLS"
             keystoreFile="C:/Documents and Settings/Administrator/.keystore"
             keypass="secret" />

Dave

-----Original Message-----
From: Kevin Hu [mailto:[EMAIL PROTECTED]]
Sent: 11 March 2003 08:13
To: [EMAIL PROTECTED]
Subject: Tomcat SSL question (Emergency)

[quoted original message snipped; it is the first message of this thread]
RE: Tomcat SSL question (Emergency)
Dave,

Thank you for the quick response. I already put the keystorePass attribute in the Factory node (shown below). Should I add the keypass attribute in the node as well? The Tomcat version that I am currently running is 4.0.3, and the Factory (server.xml) node as explained in the SSL Configuration HOW-TO (http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html) on the Apache website does not have a keypass attribute on it?

    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
             keystorePass="secret1"
             clientAuth="false" protocol="TLS"/>

I am a bit confused: I applied for and received the server certificate from Verisign (i.e. verisign.cer), and it should be the public key, and the .keystore file (i.e. .keystore) that we generated using keytool will be the private key. Should I put the public key in keystoreFile or the private key? Also, when you are using keytool to generate the .keystore file, you will be asked to provide the keystore password and the tomcat password. Which password should I use for the keystorePass attribute?

Thank you,
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 11, 2003 2:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Tomcat SSL question (Emergency)

[quoted reply and original message snipped; both appear in full above]
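The thread does not spell out which of the two passwords the Tomcat 4.0 Factory uses, but the stack trace does: KeyManagerFactory.init ends in KeyStore.getKey, and that is where a key entry whose password differs from the one supplied raises UnrecoverableKeyException ("Cannot recover key"). The following diagnostic is an added example, not code from the thread or from Tomcat; it makes the same KeyStore.getKey(alias, keystorePass) call outside the container, reports which password actually unlocks the key, and answers the public/private key question from the last message by reporting each entry's type. The class name KeystoreKeyCheck, the file name test.keystore, the alias tomcat and the passwords secret1/secret2 are constructed sample values, chosen to mirror the thread.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added diagnostic (not from the thread, not Tomcat code). It reproduces the
 * call seen in the stack trace, KeyStore.getKey(alias, keystorePass), against a
 * JKS keystore so "Cannot recover key" can be debugged outside the container.
 *
 * Constructed test keystore with mismatched passwords, as in the thread
 * (file name, alias and passwords are sample values):
 *   keytool -genkey -alias tomcat -keyalg RSA -keystore test.keystore
 *           -storepass secret1 -keypass secret2 -dname "CN=localhost"
 * Run:   java KeystoreKeyCheck test.keystore secret1 secret2
 * Align: keytool -keypasswd -alias tomcat -keystore test.keystore
 *           -storepass secret1 -keypass secret2 -new secret1
 */
public class KeystoreKeyCheck {

    /** Outcome of opening a key entry with one candidate password. */
    enum Result { RECOVERED, WRONG_KEY_PASSWORD, NOT_A_KEY_ENTRY }

    /** A wrong keystore password fails here (integrity check), not in getKey. */
    static KeyStore loadJks(String path, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Same call the SSL factory makes; the exception is the one in the trace. */
    static Result tryRecover(KeyStore ks, String alias, char[] candidate) throws Exception {
        if (!ks.isKeyEntry(alias)) return Result.NOT_A_KEY_ENTRY;
        try {
            Key key = ks.getKey(alias, candidate);
            return key == null ? Result.WRONG_KEY_PASSWORD : Result.RECOVERED;
        } catch (UnrecoverableKeyException e) {
            return Result.WRONG_KEY_PASSWORD;
        }
    }

    /** Key entry = private key plus its certificate chain; otherwise a trusted cert only. */
    static String describe(KeyStore ks, String alias) throws Exception {
        if (ks.isKeyEntry(alias)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            if (chain == null || chain.length == 0) return "key entry without a certificate chain";
            String subject = ((X509Certificate) chain[0]).getSubjectX500Principal().getName();
            return "private key + certificate chain of length " + chain.length
                    + " (subject " + subject + ")";
        }
        X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
        return "trusted certificate only, no private key (subject "
                + cert.getSubjectX500Principal().getName() + ")";
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreKeyCheck <keystoreFile> <keystorePass> [keyPass]");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        char[] keyPass = args.length > 2 ? args[2].toCharArray() : null;
        KeyStore ks = loadJks(args[0], storePass);

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            System.out.println(alias + ": " + describe(ks, alias));
            Result withStorePass = tryRecover(ks, alias, storePass);
            if (withStorePass == Result.NOT_A_KEY_ENTRY) continue;
            System.out.println("  getKey with keystorePass: " + withStorePass);
            if (withStorePass == Result.WRONG_KEY_PASSWORD && keyPass != null
                    && tryRecover(ks, alias, keyPass) == Result.RECOVERED) {
                System.out.println("  key password differs from keystore password;"
                        + " align them with: keytool -keypasswd -alias " + alias
                        + " -keystore " + args[0]);
            }
        }
    }
}
```

On the keystore from the thread (store password secret1, key password secret2) the tomcat entry reports WRONG_KEY_PASSWORD for the keystore password and RECOVERED for the key password, which is the mismatch behind the trace; the imported Verisign chain certificate shows up as a trusted certificate entry with no private key. keystoreFile therefore points at the keystore that holds the private key entry: the CA-issued certificate is imported into that same entry (same alias), not kept as a separate "public key" file, and the key entry's password has to match the one the Factory is given.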