Re: Trying to understand How Tomcat uses Keystore for SSL

2017-11-26 Thread Don Flinn
IT WORKS

My next question is whether the Tomcat team would want this Java program
that does the heavy lifting for letsencrypt, which I would be happy to
clean up and make available as open source.  The guts of the program come
from http://acme4j.shredzone.org, which is under the Apache license.

I've made a number of enhancements, e.g. a GUI front end; the ability to do
the letsencrypt authorization without any user intervention; the ability to
sit on an admin node, retrieve, and install the retrieved letsencrypt SSL
certificates on a remote tomcat node.

If the answer is yes, let me know the procedure to make it available as
open source.

Don

On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn  wrote:

> Didn't read closely enough.  The protocol that I used is no longer
> applicable for Tomcat 9.
>
> Don
>
> On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn  wrote:
>
>> Chris
>>
>> Thank you for your excellent reply and references.
>>
>> I've been doing a lot of reading on SSL, certificates, keys, algorithms,
>> etc. Woo!  However I still don't have it correct.
>>
>> I've retrieved certificates from letsencrypt and, following your
>> suggestions, did the following.
>>
>> Created a pkcs12 store using the following command line:
>> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
>>
>> where the domain-chain.crt contains two certificates and ICDTrustRoot
>> contains one, as shown below:
>> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
>> -in domaincert1.crt   (the first cert in domain-chain.crt)
>> subject= /CN=info.finwoks.com
>> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
>> -in domaincert2.crt (the second cert in domain-chain.crt)
>> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>>
>> PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer
>> -in ICDTrustRoot.crt
>> subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
>> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>> So I have the three certificates and the private key, called domain.key,
>> which is shared with letsencrypt.
>> My server.xml contains:
>> <Connector
>>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>>     port="8443"  maxThreads="200"
>>     scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
>>     keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
>>     clientAuth="false" sslProtocol="TLS"
>> />
>>
>> However, when I restart Tomcat I get the following error in the Tomcat
>> error log, and of course it fails in the handshake with the browser:
>>
>> org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
>> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>> at java.lang.reflect.Method.invoke(Unknown Source)
>> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>> Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
>> at org.apache.tomcat.jni.Pool.create(Native Method)
>> at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:75)
>> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
>> at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:46)
>> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
>> at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
>> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:82)
>> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261)
>> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:798)
>> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547)
>> at 

Re: Trying to understand How Tomcat uses Keystore for SSL

2017-11-26 Thread Don Flinn
Didn't read closely enough.  The protocol that I used is no longer
applicable for Tomcat 9.

Don

On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn  wrote:

> Chris
>
> Thank you for your excellent reply and references.
>
> I've been doing a lot of reading on SSL, certificates, keys, algorithms,
> etc. Woo!  However I still don't have it correct.
>
> I've retrieved certificates from letsencrypt and, following your
> suggestions, did the following.
>
> Created a pkcs12 store using the following command line:
> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
>
> where the domain-chain.crt contains two certificates and ICDTrustRoot
> contains one, as shown below:
> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
> -in domaincert1.crt   (the first cert in domain-chain.crt)
> subject= /CN=info.finwoks.com
> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
> -in domaincert2.crt (the second cert in domain-chain.crt)
> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>
> PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer
> -in ICDTrustRoot.crt
> subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> So I have the three certificates and the private key, called domain.key,
> which is shared with letsencrypt.
> My server.xml contains:
> <Connector
>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>     port="8443"  maxThreads="200"
>     scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
>     keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
>     clientAuth="false" sslProtocol="TLS"
> />
>
> However, when I restart Tomcat I get the following error in the Tomcat
> error log, and of course it fails in the handshake with the browser:
>
> org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> at java.lang.reflect.Method.invoke(Unknown Source)
> at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
> at org.apache.tomcat.jni.Pool.create(Native Method)
> at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:75)
> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
> at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:46)
> at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
> at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:82)
> at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261)
> at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:798)
> at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547)
> at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
> at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> ... 12 more
>
> I'm running Tomcat 9 in Amazon Web Services using Windows Server.  I don't
> know what I'm doing wrong.  Further help will be appreciated. It appears I
> have the pkcs12 wrong.
>
> Don
>
> On Tue, Nov 14, 2017 at 4:33 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -BEGIN PGP SIGNED MESSAGE-
>> Hash: SHA256
>>
>> Don,
>>
>> On 11/14/17 1:57 AM, Don Flinn wrote:
>> > I've done some reading on SSL and understand the protocol is as
>> > follows; Client/Browser sends ClientHello and server Tomcat replies
>> > with ServerHello.  This 

Re: Trying to understand How Tomcat uses Keystore for SSL

2017-11-26 Thread Don Flinn
Chris

Thank you for your excellent reply and references.

I've been doing a lot of reading on SSL, certificates, keys, algorithms,
etc. Woo!  However I still don't have it correct.

I've retrieved certificates from letsencrypt and, following your suggestions,
did the following.

Created a pkcs12 store using the following command line:
openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"

where the domain-chain.crt contains two certificates and ICDTrustRoot
contains one, as shown below:
PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer -in
domaincert1.crt   (the first cert in domain-chain.crt)
subject= /CN=info.finwoks.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer -in
domaincert2.crt (the second cert in domain-chain.crt)
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer -in
ICDTrustRoot.crt
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
So I have the three certificates and the private key, called domain.key,
which is shared with letsencrypt.
My server.xml contains:
<Connector
    sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
    port="8443"  maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
    keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
    clientAuth="false" sslProtocol="TLS"
/>

However, when I restart Tomcat I get the following error in the Tomcat
error log, and of course it fails in the handshake with the browser:

org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
at java.lang.reflect.Method.invoke(Unknown Source)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
at org.apache.tomcat.jni.Pool.create(Native Method)
at org.apache.tomcat.util.net.openssl.OpenSSLEngine.<clinit>(OpenSSLEngine.java:75)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
at org.apache.tomcat.util.net.SSLUtilBase.<init>(SSLUtilBase.java:46)
at org.apache.tomcat.util.net.openssl.OpenSSLUtil.<init>(OpenSSLUtil.java:41)
at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:82)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261)
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:798)
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547)
at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
... 12 more

I'm running Tomcat 9 in Amazon Web Services using Windows Server.  I don't
know what I'm doing wrong.  Further help will be appreciated. It appears I
have the pkcs12 wrong.

Don

On Tue, Nov 14, 2017 at 4:33 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Don,
>
> On 11/14/17 1:57 AM, Don Flinn wrote:
> > I've done some reading on SSL and understand the protocol is as
> > follows: Client/Browser sends ClientHello and server Tomcat replies
> > with ServerHello.  This establishes the protocol they will use. The
> > server then sends the certificate and the public key, in the
> > clear. The browser encrypts a message containing the server's domain,
> > all encrypted with the server's public key, to the CA which the
> > browser trusts.  The public key is in the certificate. The CA
> > decrypts the message with the server's private key.  So the
> > server's name/domain must not be encrypted. If the server can
> > decrypt the message it knows the server and it then sends an ack
> > message back to the browser encrypted with the client's private
> > key.
>
> Most of that is correct (enough) except for the last part: the server
> never has the client's private key. The 
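
The UnsatisfiedLinkError at org.apache.tomcat.jni.Pool.create in the trace above is the JVM failing to load the Tomcat Native library that OpenSSLImplementation depends on, which is a separate question from whether MM.p12 is built correctly; the program below, an added example that is neither Don's nor the Tomcat project's code, checks only the keystore side (private key paired with the server certificate, chain linkage and signatures, validity dates, and a dNSName for the host) so the two causes can be told apart. It assumes the file, alias, password and hostname from the message above as defaults, checks RSA key pairing by modulus and other key types by algorithm name only, and the class name is my own.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;
import java.util.List;

public class CheckTomcatKeystore {
    public static void main(String[] args) throws Exception {
        // Defaults are the values from the message above; each can be overridden on the command line.
        String file  = args.length > 0 ? args[0] : "MM.p12";
        String alias = args.length > 1 ? args[1] : "tomcat";           // the -name given to openssl pkcs12
        char[] pass  = (args.length > 2 ? args[2] : "changeit").toCharArray();
        String host  = args.length > 3 ? args[3] : "info.finwoks.com";  // name browsers will connect to
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) {
            ks.load(in, pass);                          // a wrong password or a corrupt file fails here
        }
        // Tomcat needs a private-key entry; a store that holds only certificates cannot serve TLS.
        if (!ks.isKeyEntry(alias))
            fail("no private-key entry under alias '" + alias + "'; aliases present: " + Collections.list(ks.aliases()));
        PrivateKey priv = (PrivateKey) ks.getKey(alias, pass);
        Certificate[] chain = ks.getCertificateChain(alias);
        X509Certificate leaf = (X509Certificate) chain[0];
        // 1. The private key must belong to the first (server) certificate, not to a CA certificate
        //    (RSA is compared by modulus; other key types only by algorithm name).
        if (priv instanceof RSAPrivateKey && leaf.getPublicKey() instanceof RSAPublicKey) {
            if (!((RSAPrivateKey) priv).getModulus().equals(((RSAPublicKey) leaf.getPublicKey()).getModulus()))
                fail("private key does not match the server certificate");
        } else if (!priv.getAlgorithm().equals(leaf.getPublicKey().getAlgorithm())) {
            fail("key algorithm " + priv.getAlgorithm() + " differs from the certificate's");
        }
        // 2. Each certificate must be issued by, and verifiably signed by, the next one in the chain.
        for (int i = 0; i < chain.length; i++) {
            X509Certificate c = (X509Certificate) chain[i];
            System.out.println("[" + i + "] subject=" + c.getSubjectX500Principal() + " issuer=" + c.getIssuerX500Principal());
            c.checkValidity();                          // throws if expired or not yet valid
            if (i + 1 < chain.length) {
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                if (!c.getIssuerX500Principal().equals(issuer.getSubjectX500Principal()))
                    fail("chain broken at [" + i + "]: issuer name does not match the next subject");
                c.verify(issuer.getPublicKey());        // throws if the signature does not check out
            }
        }
        // 3. The server certificate must name the host; browsers match on the dNSName SAN (type 2).
        boolean named = false;
        if (leaf.getSubjectAlternativeNames() != null)
            for (List<?> san : leaf.getSubjectAlternativeNames())
                if (Integer.valueOf(2).equals(san.get(0)) && host.equalsIgnoreCase(String.valueOf(san.get(1))))
                    named = true;
        if (!named) fail("server certificate carries no dNSName SAN for " + host);
        System.out.println("OK: " + chain.length + "-certificate chain under keyAlias \"" + alias + "\" is usable by Tomcat");
    }

    private static void fail(String msg) { System.err.println("FAIL: " + msg); System.exit(1); }
}
```

Run it as `java CheckTomcatKeystore MM.p12 tomcat changeit info.finwoks.com`; if it prints OK and Tomcat still dies with the UnsatisfiedLinkError, the keystore is not the problem and the native library is.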

Re: where to put jars used by several apps

2017-11-26 Thread Nasry Al-Haddad
One issue you might face in this configuration is if you have multiple versions 
of the same library existing on the same path, let's say com.example v1.0 and 
v2.0, and each is a dependency for one or more webapps. If a webapp depending 
on 2.0 requires class com.example.X which is available in both versions, and if 
the class loader looks in v1.0 jar file first, then you might see some CNF 
exceptions and such.

To work around this, ensure both statements below are true:
1. The class loader searches in WEB-INF jar files before common.loader (I think 
it should be the case)

2. Update your build process to include in WEB-INF only jar files that have an 
older version in common.loader path (just to not break any webapp especially 
the one being installed).

If you end up updating all webapps to use the latest version of the library 
com.example, you'll end up with all webapps having the latest version in 
WEB-INF and the unused older version in common.loader path. Then update the 
common.loader path by removing the old version and adding the new one, and 
remove it from WEB-INF directories.

This might incur more work on managing the webapps. But if you could have an 
automated build process that decides where to put dependency jar files and have 
it as a step for all webapps builds, then it could be a time/space saver later.

Regards,
Nasry Al-Haddad

Sent from BlueMail

On Nov 25, 2017, 16:35, at 16:35, rich...@xentu.com wrote:
>I've written a few jersey webapps, and each has about 20 jar files
>included as Maven dependencies.
>
>The inclusion of those jars increases the size of the resulting wars by
>
>a factor of over 100. Uploading a war via 'Tomcat Web Application
>Manager' takes several minutes, presumably due in part to the war size.
>
>Given that these webapps require the same set of jars in their
>WEB-INF/lib/, I thought I could place them in say
>
>C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jersey
>
>where all webapps could find them.
>
>In catalina.properties, I appended this new directory to the
>common.loader list of paths:
>
>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/lib/jersey/*.jar
>
>Then, in each jersey webapp, I'd modify pom.xml to exclude those files
>from the war.
>
><plugin>
>   <artifactId>maven-war-plugin</artifactId>
>   <version>3.2.0</version>
>   <configuration>
>     <packagingExcludes>WEB-INF/lib/*.jar</packagingExcludes>
>   </configuration>
></plugin>
>
>This approach seems to work.
>
>So, the question I'm seeking advice on is this:
>
>If I have a collection of jars that I want to keep on Tomcat, for some
>but not all webapps, and those jars are not to be included in the wars,
>
>is this an acceptable technique? Or is it going to land me in trouble?
>Does the order of locations in common.loader matter?
>
>
>Thanks for any advice
>Richard
>
>-
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
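
As an added example (not code from any poster on this thread), a small Java tool that indexes the jars on the common.loader directories and in each webapp's WEB-INF/lib and reports the two situations discussed above: the same artifact present in two versions on the shared path, and an artifact present both in WEB-INF/lib and on the shared path, where Tomcat's webapp class loader is non-delegating by default and so serves the WEB-INF copy first, while `<Loader delegate="true"/>` in the context reverses that order. It assumes Maven-style `artifact-version.jar` file names; the class name is my own.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Stream;

public class JarConflictReport {
    // Assumes Maven-style names: jersey-server-2.26.jar -> artifact "jersey-server", version "2.26".
    private static final Pattern JAR = Pattern.compile("^(.*?)-(\\d[\\w.]*)\\.jar$");

    /** artifact -> version -> jar files, over every jar directly inside the given directories. */
    static Map<String, Map<String, List<Path>>> index(List<Path> dirs) throws IOException {
        Map<String, Map<String, List<Path>>> idx = new TreeMap<>();
        for (Path dir : dirs) {
            if (!Files.isDirectory(dir)) continue;          // e.g. a lib/jersey that was never created
            try (Stream<Path> files = Files.list(dir)) {
                for (Path jar : (Iterable<Path>) files::iterator) {
                    Matcher m = JAR.matcher(jar.getFileName().toString());
                    if (m.matches())
                        idx.computeIfAbsent(m.group(1), k -> new TreeMap<>())
                           .computeIfAbsent(m.group(2), k -> new ArrayList<>()).add(jar);
                }
            }
        }
        return idx;
    }

    public static void main(String[] args) throws IOException {
        // Usage: java JarConflictReport <common.loader dir>... -- <WEB-INF/lib dir>...
        List<Path> shared = new ArrayList<>(), webapp = new ArrayList<>();
        boolean afterSeparator = false;
        for (String a : args) {
            if (a.equals("--")) { afterSeparator = true; continue; }
            (afterSeparator ? webapp : shared).add(Paths.get(a));
        }
        Map<String, Map<String, List<Path>>> sharedIdx = index(shared);
        Map<String, Map<String, List<Path>>> webappIdx = index(webapp);

        // Case 1: two versions of one artifact on common.loader. Both are visible to the
        // common class loader, so which copy of a class wins depends only on load order.
        sharedIdx.forEach((artifact, versions) -> {
            if (versions.size() > 1)
                System.out.println("AMBIGUOUS on common.loader: " + artifact + " " + versions.keySet());
        });
        // Case 2: the artifact is in WEB-INF/lib and on common.loader. Tomcat's webapp loader
        // is non-delegating by default, so the WEB-INF copy wins; <Loader delegate="true"/>
        // in the context reverses that and the shared copy wins.
        webappIdx.forEach((artifact, versions) -> {
            Map<String, List<Path>> sharedVersions = sharedIdx.get(artifact);
            if (sharedVersions != null)
                System.out.println("SHADOWED: " + artifact + " WEB-INF " + versions.keySet()
                        + " vs common.loader " + sharedVersions.keySet() + " " + versions.values());
        });
    }
}
```

Pass the directories that common.loader expands to (here lib and lib/jersey under catalina.base) before `--` and each deployed webapp's WEB-INF/lib after it; an empty report means the shared-jar layout is unambiguous.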


Re: where to put jars used by several apps

2017-11-26 Thread Ray Holme
I see by your paths that you are an MS person. Your solution is clever but has
the distribution problem that a war file may not be enough.
For Unix based folks (MAC, Linux), there is a much easier solution. Put your
common jars in some directory that you like (for me /opt/web_jars/acquired).
Then HARD link the jars to where you want them, e.g.
ln /opt/web_jars/acquired/commons-logging-1.2.jar /opt/apache/webapps/application/WEB-INF/lib
This does not solve the problem for a target machine running multiple
applications, but it sure does solve the problem for a development machine
with multiple applications and target machines running any one of them. War
files work fine.
Your solution does have one major advantage - war files are smaller. But if you
change any of those jars, you need to distribute those changes and the war file
does NOT do it!
 

On Saturday, November 25, 2017 9:35 AM, "rich...@xentu.com" 
 wrote:
 

I've written a few jersey webapps, and each has about 20 jar files
included as Maven dependencies.

The inclusion of those jars increases the size of the resulting wars by 
a factor of over 100. Uploading a war via 'Tomcat Web Application 
Manager' takes several minutes, presumably due in part to the war size.

Given that these webapps require the same set of jars in their 
WEB-INF/lib/, I thought I could place them in say

C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jersey

where all webapps could find them.

In catalina.properties, I appended this new directory to the 
common.loader list of paths:

common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/lib/jersey/*.jar

Then, in each jersey webapp, I'd modify pom.xml to exclude those files 
from the war.


<plugin>
  <artifactId>maven-war-plugin</artifactId>
  <version>3.2.0</version>
  <configuration>
    <packagingExcludes>WEB-INF/lib/*.jar</packagingExcludes>
  </configuration>
</plugin>

This approach seems to work.

So, the question I'm seeking advice on is this:

If I have a collection of jars that I want to keep on Tomcat, for some 
but not all webapps, and those jars are not to be included in the wars, 
is this an acceptable technique? Or is it going to land me in trouble? 
Does the order of locations in common.loader matter?


Thanks for any advice
Richard
