Importing Verisign, Thawte, or any certificate into Tomcat Standalone SSL
Hi,

I have a very similar problem to that posed by Mark Liu in earlier messages. Self-generating a certificate with keytool:

    keytool -genkey -alias tomcat -keyalg RSA

works fine. However, importing a Verisign, or even an openssl, certificate causes problems. The importing part is OK. However, then I cannot connect to https://localhost. It looks like the handshake fails when I start the Tomcat web server. I put the certificate in p7b (PKCS7) format but I cannot import it then.

Are there any other ideas anyone can suggest? I urgently need a fix to this problem.

My environment is Windows XP with Tomcat 4.1.18.

Thanks
RE: Importing Verisign, Thawte, or any certificate into Tomcat Standalone SSL
It's not often that one finds a solution to his own problem. Here it is though:

Go to this website: http://www.comu.de/docs/tomcat_ssl.htm

Follow the instructions EXACTLY. The step regarding the java comu.ImportKey may not work; in that case go to http://www.ks.uiuc.edu/Research/biocore/localServer/install/installCert.shtml and download ImportKey.jar. To execute the importkey program, type in:

    java -cp ImportKey.jar comu.ImportKey ...

There will be some German output at the end. A file called keystore.tomcat will be generated. Make sure server.xml points to this file.

Enjoy!!

-----Original Message-----
From: Shivaji, Shivkumar
Sent: Wednesday, March 19, 2003 4:16 PM
To: [EMAIL PROTECTED]
Subject: Importing Verisign, Thawte, or any certificate into Tomcat Standalone SSL
Tomcat Standalone SSL and client certificates?
Oh, I got a good one here, all. In tomcat-docs/ssl-howto.html under the section "Introduction to SSL", I quote:

> In certain cases, the server may also request a Certificate from your web browser, asking for proof that you are who you claim to be. This is known as Client Authentication, although in practice this is used more for business-to-business (B2B) transactions than with individual users. Most SSL-enabled web servers do not request Client Authentication.

Can Tomcat do Client Authentication? If so, how, as I need to do it?

-Jason Pyeron
Jason Pyeron, Owner/Lead, Pyerotechnics Development, Inc. - http://www.pyerotechnics.com
Tomcat standalone + SSL.
Hello there...

I have asked this question before but maybe with the wrong subject, so here I try again.

I have a web app that needs to use SSL at one point, but not from the beginning. Now I understand that once I start using SSL I need to stay in that mode, and that is fine. My problem is that when I'm in https mode, I need to get from the session some objects that were put there when the app was using http mode. I assume this is because Tomcat is creating a new session and encrypting its id when https is used. But how can I have access to those objects?

Has anyone experienced this situation? How did you fix it?

Thanks in advance.
Re: Tomcat standalone + SSL.
I think I've been schooled in this already, so please disregard this unless you still want to comment on it...

Thanks again and sorry for this post, but it was made one minute before I was kindly informed by Milt Epstein that there is no way of doing what I ask here...

On Fri, 2002-12-06 at 16:48, Alexander Wallace wrote:
Re: nutty steps for setting up tomcat standalone ssl
Thank you very much, but I have some problems following your steps. Could you explain it for me again? My error message is shown below. Sorry for bothering you again.

Best Regards,
Kevin

----- Original Message -----
From: Tim O'Neil [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, May 15, 2001 8:25 PM
Subject: nutty steps for setting up tomcat standalone ssl

> 1) Delete your old keyring (/root/.keystore) file completely unless you can't for whatever reason. Now build a new keyring file;
>
> 2) keytool -genkey -alias tomcat -keyalg RSA
>    Note your keyring password, you'll need it later. This step seems important for reasons I outline later.
>
> 3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem

Before 3, I think there is one step, according to the user-guide:

    openssl req -new -out REQ.pem -keyout KEY.pem

I added it here.

> 4) openssl -import -v -trustcacerts -alias tomcat -file CERT.pem

I'm confused here. My openssl (0.9.5a) on RH7 doesn't understand -import or import. Is it because of the version? Or should openssl be keytool here? If so, the above procedure is the same as the user-guide, and I get the unmatched public key error message here.

> 5) keytool -delete -alias tomcat
>    This leaves you with an empty, but valid keyring
>
> 6) Now do a keytool -genkey -alias tomcat -keyalg RSA
>    Use the keyring password you used in step 2
>
> 7) Add the key to your keyring: keytool -import -v -trustcacerts -alias tomcat -file CERT.pem
>
> I still need to do some testing, but I've found that Tomcat only seems to work if you have one key on your ring. I hope I'm wrong. But if I am wrong, why is there no alias field in the info for the ssl connector group in server.xml?
>
> Also- The deal seems to be, regardless of what the guide says, Tomcat must use RSA algo keys. OR I myself have only gotten RSA keys to work, whichever. This leaves you with a self-signed server of course. The next fun project for me is to get it to use a Thawte cert, hopefully the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow this to happen.
nutty steps for setting up tomcat standalone ssl
1) Delete your old keyring (/root/.keystore) file completely unless you can't for whatever reason. Now build a new keyring file;

2) keytool -genkey -alias tomcat -keyalg RSA
   Note your keyring password, you'll need it later. This step seems important for reasons I outline later.

3) openssl req -x509 -in REQ.pem -key KEY.pem -out CERT.pem

4) openssl -import -v -trustcacerts -alias tomcat -file CERT.pem

5) keytool -delete -alias tomcat
   This leaves you with an empty, but valid keyring

6) Now do a keytool -genkey -alias tomcat -keyalg RSA
   Use the keyring password you used in step 2

7) Add the key to your keyring: keytool -import -v -trustcacerts -alias tomcat -file CERT.pem

I still need to do some testing, but I've found that Tomcat only seems to work if you have one key on your ring. I hope I'm wrong. But if I am wrong, why is there no alias field in the info for the ssl connector group in server.xml?

Also- The deal seems to be, regardless of what the guide says, Tomcat must use RSA algo keys. OR I myself have only gotten RSA keys to work, whichever. This leaves you with a self-signed server of course. The next fun project for me is to get it to use a Thawte cert, hopefully the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow this to happen.
RE: nutty steps for setting up tomcat standalone ssl
Hi,

Just a comment on your last remark:

-----Original Message-----
---cut away
> Also- The deal seems to be, regardless of what the guide says, Tomcat must use RSA algo keys. OR I myself have only gotten RSA keys to work, whichever. This leaves you with a self-signed server of course. The next fun project for me is to get it to use a Thawte cert, hopefully the tool on http://www.comu.de/docs/tomcat_ssl.htm will allow this to happen.
-----Original Message-----

I tried to get Tomcat to work with a certificate in PKCS format... (unfortunately at work I could not continue and at home I have no such certificate...) and found that in one source file the keystore type is set to JKS, which is the default. In the java.security file it should be possible to specify another default keystore type. Now the PKCS certificates represent a complete keystore by themselves... and guess what: Java supports a keystore type of PKCS.

The file is org.apache.tomcat.net.SSLSocketFactory.java

Hope this helps,
Alexander Jesse
RE: Tomcat standalone SSL, import of certificate
-----Original Message-----
From: Drasko Kokic [mailto:[EMAIL PROTECTED]]
Date: Monday 12 February 2001 15:43
To: [EMAIL PROTECTED]
Subject: Tomcat standalone SSL, import of certificate

> Hello,
>
> I have installed SSL support for Tomcat 3.2.1 on a Windows NT machine, and it works nicely for a dummy certificate generated (according to the Tomcat SSL instructions) with keytool. Now I want to import an openssl-generated certificate (from Thawte) which we use already for SSL support of the Apache Web Server. But the keytool -import command (again from the instructions) gives me
>
>     keytool error: java.lang.Exception: Input not an X509 certificate
>
> What could be the reason for this, since Apache-SSL uses the X509 format?

I had a similar problem but now it works...

One problem is the type of encoding used (DER or PEM)... I don't remember exactly, but I think the openssl default is an ASCII format (PEM?) and the keytool default is a binary format (DER?).

Another problem was that my self-certified certs were not "trusted"...
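An added example, not from the thread: a small Python check for what a certificate file actually contains before it is handed to keytool. It tells a PEM block apart from bare DER (the encoding question raised above), lists every PEM block so a private key or a PKCS7 bundle pasted into the same file as the certificate is noticed, and pulls out just the X.509 certificate as DER. The sample inputs are constructed: a 5-byte DER SEQUENCE stands in for a real certificate body.

```python
import base64
import re

# Constructed samples (not from the thread). A real X.509 certificate is
# also a DER SEQUENCE, so it starts with the same 0x30 tag byte.
SAMPLE_DER = bytes.fromhex("3003020101")
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\r\n"
              + base64.b64encode(SAMPLE_DER).decode()
              + "\r\n-----END CERTIFICATE-----\r\n").encode()
SAMPLE_P7B = SAMPLE_PEM.replace(b"CERTIFICATE", b"PKCS7")
# Apache-style file with the private key pasted above the certificate.
SAMPLE_KEY_AND_CERT = (b"-----BEGIN RSA PRIVATE KEY-----\r\nAAAA\r\n"
                       b"-----END RSA PRIVATE KEY-----\r\n" + SAMPLE_PEM)

PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_labels(data: bytes) -> list:
    """Labels of every PEM block in the file, in order (e.g. a key before the cert)."""
    return [m.group(1).decode() for m in PEM_BLOCK.finditer(data)]


def classify(data: bytes) -> str:
    """'PEM:<label>' for the first PEM block, 'DER' for a bare ASN.1 SEQUENCE,
    otherwise 'UNKNOWN' (neither encoding keytool understands)."""
    labels = pem_labels(data)
    if labels:
        return "PEM:" + labels[0]
    if data[:1] == b"\x30":  # DER tag for SEQUENCE; every X.509 cert starts with it
        return "DER"
    return "UNKNOWN"


def extract_certificate_der(data: bytes) -> bytes:
    """Return the first CERTIFICATE block as DER bytes, dropping keys and other blocks.
    Raises ValueError when there is no CERTIFICATE block (e.g. only a PKCS7 bundle);
    such a file needs converting with openssl before keytool -import will take it."""
    if classify(data) == "DER":
        return data
    for m in PEM_BLOCK.finditer(data):
        if m.group(1) == b"CERTIFICATE":
            return base64.b64decode(b"".join(m.group(2).split()))
    raise ValueError("no X.509 CERTIFICATE block found; labels: %s" % pem_labels(data))
```

Writing the returned bytes to a file gives a single DER certificate for keytool; the same result can be had with `openssl x509 -in cert.pem -inform PEM -outform DER -out cert.der` once the file is known to hold a CERTIFICATE block.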
RE: Tomcat standalone SSL, import of certificate
Do you know how to get them "trusted", for free please? I don't want (and am not going to) pay $ to Verisign or other co.'s.

----- Original Message -----
On 2/13/01, 7:22:47 AM, "Coetmeur, Alain" [EMAIL PROTECTED] wrote regarding RE: Tomcat standalone SSL, import of certificate:
Tomcat standalone SSL, import of certificate
Hello,

I have installed SSL support for Tomcat 3.2.1 on a Windows NT machine, and it works nicely for a dummy certificate generated (according to the Tomcat SSL instructions) with keytool. Now I want to import an openssl-generated certificate (from Thawte) which we use already for SSL support of the Apache Web Server. But the keytool -import command (again from the instructions) gives me

    keytool error: java.lang.Exception: Input not an X509 certificate

What could be the reason for this, since Apache-SSL uses the X509 format?

Thanks,
Karin
Tomcat alias in tomcat standalone SSL
I'm trying to integrate Tomcat 3.2.1 with my application, and have modified the implementation of SSLSocketFactory to use my keystore and trust manager. I have a certificate in my keystore, but it has a different alias (not tomcat) and I cannot change the alias.

Where in the Tomcat source code does it specify that it will use the 'tomcat' alias for its SSL certificate? Can I change it? (I am assuming that it uses the alias tomcat because the instructions for generating the certificate for Tomcat specify that you should give it the alias tomcat.)

Many thanks,
Barbara Nelson.
Re: Tomcat alias in tomcat standalone SSL
Have you at least tried to use your certificate? If yes, what errors are you getting? It's easy to generate your own .keystore file using JSSE if your cert will not work.

-- Pete --

----- Original Message -----
From: "Barbara Nelson" [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Wednesday, February 07, 2001 5:36 PM
Subject: Tomcat alias in tomcat standalone SSL