Re: Trying to understand How Tomcat uses Keystore for SSL
Perfect. Thank you for the clarification. I was having a problem putting it all together. I got it now.

-Joleen

On Mon, Nov 27, 2017 at 10:47 AM, Don Flinn wrote:
> Hi Joleen,
>
> My previous mail was cryptic. Below is a fuller explanation of what I did to get things running.
>
> First, I'm using Tomcat 9 and the protocol for the Tomcat 8.5 and up has been expanded. Chris suggested that I use PKCS12 rather than JDK keystore, which I have done. I'm also using the APR configuration. So the redirected connector that I'm using looks like:
>
>     protocol="org.apache.coyote.http11.Http11NioProtocol"
>     port="8443" maxThreads="150" SSLEnabled="true">
>
>     keystoreType="PKCS12"
>     certificateFile="C:/users/don/Security/domain-chain.crt"
>     certificateChainFile="C:/users/don/Security/ICDTrustRoot.crt"
>     type="RSA" />
>
> The domain key is the private key I used when getting the certificates from letsencrypt. The certificate I got from letsencrypt I called domain-chain.crt. Lastly I downloaded the ICDTrustRoot.crt from letsencrypt at https://letsencrypt.org/certificates. You will notice that I'm using Windows syntax, which is just for the pathname where the certificates live. You would use a Linux path syntax if you are running Linux. You need three certificates for letsencrypt; a cert for your domain, one for the intermediate and finally the root certificate.
>
> What I call domain-chain.crt holds two certificates; my domain certificate and the intermediate. In order to see what these were I separated them in a text editor and called them domaincert1.crt and the second domaincert2.crt. Then I used openssl to see what was in them. For example:
>
>     openssl x509 -noout -subject -issuer -in domaincert1.crt
>
> this printed out
>
>     subject= /CN=info.finwoks.com
>     issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> So that one was my domain cert issued by the letsencrypt intermediate.
>
> The second certificate gave
>
>     subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>     issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>
> which is the intermediate.
>
> I downloaded the certificates using the java program mentioned in my previous e-mail. Depending on your particular setup, you can get the four items using different methods. I would suggest that you check what the various certificates contain by using the ssl commands. I've also read that the order of the certificates should be
>
>     Your domain
>     Intermediate
>     Known Root
>
> So that's the order I used. A caution, in my reading I have found some directions not to be accurate.
>
> If what I have written is not clear, please let me know and I'll try to clear it up.
>
> Don
>
> On Mon, Nov 27, 2017 at 5:52 AM, Joleen Barker wrote:
> > Hello Don,
> >
> > I'm trying to understand these as well. I had a question regarding the data and commands you used to display the certificate information. You wrote that you used the following command to create a pkcs12 store:
> >
> >     openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
> >
> > To display the 2 certs you show one example command to see the first one as:
> >
> >     openssl x509 -noout -subject -issuer -in domaincert1.crt
> >     subject= /CN=info.finwoks.com
> >     issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> >
> > Where did the "domaincert1.crt" come from? I did not see anything in the first command reference this and I was not sure how someone would know this name and the second one called domaincert2.crt.
> >
> > Thank you,
> >
> > Joleen
> >
> > On Sun, Nov 26, 2017 at 10:35 PM, Don Flinn wrote:
> > > IT WORKS
> > >
> > > My next question is whether the Tomcat team would want this Java program that does the heavy lifting for letsencrypt, which I would be happy to clean up and make available as open source. The guts of the program come from http://acme4j.shredzone.org, which is under the Apache license.
> > >
> > > I've made a number of enhancements, e.g. a GUI front end; the ability to do the letsencrypt authorization without any user intervention; the ability to sit on an admin node, retrieve and install the retrieved letsencrypt SSL certificates on a remote tomcat node.
> > >
> > > If the answer is yes, let me know the procedure to make it available as open source.
> > >
> > > Don
> > >
> > > On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn wrote:
> > > > Didn't read closely enough. The protocol that I used is no longer applicable for Tomcat 9.
> > > >
> > > > Don
> > > >
> > > > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn wrote:
> > > > > Chris
> > > > >
> > > > > Thank you for your
Re: Trying to understand How Tomcat uses Keystore for SSL
Hi Joleen,

My previous mail was cryptic. Below is a fuller explanation of what I did to get things running.

First, I'm using Tomcat 9 and the protocol for the Tomcat 8.5 and up has been expanded. Chris suggested that I use PKCS12 rather than JDK keystore, which I have done. I'm also using the APR configuration. So the redirected connector that I'm using looks like:

    keystoreType="PKCS12"

The domain key is the private key I used when getting the certificates from letsencrypt. The certificate I got from letsencrypt I called domain-chain.crt. Lastly I downloaded the ICDTrustRoot.crt from letsencrypt at https://letsencrypt.org/certificates. You will notice that I'm using Windows syntax, which is just for the pathname where the certificates live. You would use a Linux path syntax if you are running Linux. You need three certificates for letsencrypt; a cert for your domain, one for the intermediate and finally the root certificate.

What I call domain-chain.crt holds two certificates; my domain certificate and the intermediate. In order to see what these were I separated them in a text editor and called them domaincert1.crt and the second domaincert2.crt. Then I used openssl to see what was in them. For example:

    openssl x509 -noout -subject -issuer -in domaincert1.crt

this printed out

    subject= /CN=info.finwoks.com
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

So that one was my domain cert issued by the letsencrypt intermediate.

The second certificate gave

    subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
    issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

which is the intermediate.

I downloaded the certificates using the java program mentioned in my previous e-mail. Depending on your particular setup, you can get the four items using different methods. I would suggest that you check what the various certificates contain by using the ssl commands. I've also read that the order of the certificates should be

    Your domain
    Intermediate
    Known Root

So that's the order I used. A caution, in my reading I have found some directions not to be accurate.

If what I have written is not clear, please let me know and I'll try to clear it up.

Don

On Mon, Nov 27, 2017 at 5:52 AM, Joleen Barker wrote:
> Hello Don,
>
> I'm trying to understand these as well. I had a question regarding the data and commands you used to display the certificate information. You wrote that you used the following command to create a pkcs12 store:
>
>     openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
>
> To display the 2 certs you show one example command to see the first one as:
>
>     openssl x509 -noout -subject -issuer -in domaincert1.crt
>     subject= /CN=info.finwoks.com
>     issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> Where did the "domaincert1.crt" come from? I did not see anything in the first command reference this and I was not sure how someone would know this name and the second one called domaincert2.crt.
>
> Thank you,
>
> Joleen
>
> On Sun, Nov 26, 2017 at 10:35 PM, Don Flinn wrote:
> > IT WORKS
> >
> > My next question is whether the Tomcat team would want this Java program that does the heavy lifting for letsencrypt, which I would be happy to clean up and make available as open source. The guts of the program come from http://acme4j.shredzone.org, which is under the Apache license.
> >
> > I've made a number of enhancements, e.g. a GUI front end; the ability to do the letsencrypt authorization without any user intervention; the ability to sit on an admin node, retrieve and install the retrieved letsencrypt SSL certificates on a remote tomcat node.
> >
> > If the answer is yes, let me know the procedure to make it available as open source.
> >
> > Don
> >
> > On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn wrote:
> > > Didn't read closely enough. The protocol that I used is no longer applicable for Tomcat 9.
> > >
> > > Don
> > >
> > > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn wrote:
> > > > Chris
> > > >
> > > > Thank you for your excellent reply and references.
> > > >
> > > > I've been doing a lot of reading on SSL, certificates, keys, algorithms, etc. Woo! However I still don't have it correct.
> > > >
> > > > I've retrieved certificates from letsencrypt and following your suggestions did the following.
> > > >
> > > > Created a pkcs12 store using the following command line.
> > > >
> > > >     openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
> > > >
> > > > where the domain-chain.crt contains two certificates and ICDTrustRoot contains one as shown below -
> > > >
> > > >     PS
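The thread explains the split by hand (domain-chain.crt pulled apart in a text editor into domaincert1.crt and domaincert2.crt) and then the subject/issuer read-out. The script below is an added example, not code from the thread or from Tomcat: it builds a throwaway root, intermediate and domain certificate with openssl, assembles domain-chain.crt in the order Don describes (domain first, intermediate second), splits the bundle mechanically, compares each certificate's issuer with the next certificate's subject, and finally runs `openssl verify` with only the root trusted. Every name in it (Demo Root CA, Demo Intermediate CA, info.example.test) is constructed, and it assumes `openssl` is on the PATH.

```shell
#!/bin/sh
# Added example (not from the thread): build a root -> intermediate -> leaf chain,
# assemble domain-chain.crt as "domain, then intermediate", split it into
# domaincert1.crt / domaincert2.crt, and check subject/issuer plus chain validity.
# All names below are constructed for the demonstration.
set -eu

# Split a PEM bundle into one file per certificate, in bundle order.
# $1 = bundle file, $2 = output prefix -> <prefix>1.crt, <prefix>2.crt, ...
# Prints the number of certificates found.
split_pem_bundle() {
    awk -v prefix="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = prefix n ".crt" }
        n > 0                         { print > out }
        /-----END CERTIFICATE-----/   { close(out) }
        END                           { print n + 0 }
    ' "$1"
}

# Return 0 when certificate $1 names certificate $2 as its issuer, i.e. the issuer DN
# of $1 equals the subject DN of $2. This is the comparison Don made by eye on the
# subject=/issuer= lines; RFC2253 formatting makes the two strings directly comparable.
issued_by() {
    iss=$(openssl x509 -noout -issuer  -nameopt RFC2253 -in "$1" | sed 's/^issuer=//')
    sub=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$2" | sed 's/^subject=//')
    [ "$iss" = "$sub" ]
}

# Verify the domain cert the way a TLS client does: only the root is trusted and the
# intermediate is offered as an untrusted helper. Status is openssl verify's status.
verify_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/domaincert2.crt" \
        "$1/domaincert1.crt" >/dev/null
}

# Create root, intermediate and domain certificates in $1 and write domain-chain.crt.
make_demo_chain() {
    dir=$1
    cat > "$dir/demo.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_leaf]
basicConstraints = CA:FALSE
subjectAltName = DNS:info.example.test
EOF
    for n in root int domain; do
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$n.key" 2>/dev/null
    done
    # Root: self-signed CA.
    openssl req -x509 -new -key "$dir/root.key" -config "$dir/demo.cnf" -extensions v3_ca \
        -subj "/O=Demo Trust Co./CN=Demo Root CA" -days 30 -out "$dir/root.crt"
    # Intermediate: CSR signed by the root, marked CA:TRUE so it may issue the leaf.
    openssl req -new -key "$dir/int.key" -config "$dir/demo.cnf" \
        -subj "/O=Demo/CN=Demo Intermediate CA" -out "$dir/int.csr"
    openssl x509 -req -in "$dir/int.csr" -CA "$dir/root.crt" -CAkey "$dir/root.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions v3_ca -days 30 \
        -out "$dir/int.crt" 2>/dev/null
    # Domain certificate: signed by the intermediate, not by the root.
    openssl req -new -key "$dir/domain.key" -config "$dir/demo.cnf" \
        -subj "/CN=info.example.test" -out "$dir/domain.csr"
    openssl x509 -req -in "$dir/domain.csr" -CA "$dir/int.crt" -CAkey "$dir/int.key" \
        -CAcreateserial -extfile "$dir/demo.cnf" -extensions v3_leaf -days 30 \
        -out "$dir/domain.crt" 2>/dev/null
    # The bundle in the order the thread describes: domain first, intermediate second.
    cat "$dir/domain.crt" "$dir/int.crt" > "$dir/domain-chain.crt"
}

# Whole walk-through in a temporary directory; returns 0 only if every check passes.
demo() {
    dir=$(mktemp -d)
    make_demo_chain "$dir"
    count=$(split_pem_bundle "$dir/domain-chain.crt" "$dir/domaincert")
    [ "$count" = 2 ] || { echo "expected 2 certificates in bundle, found $count" >&2; return 1; }
    for f in domaincert1 domaincert2 root; do
        echo "== $f.crt"; openssl x509 -noout -subject -issuer -in "$dir/$f.crt"
    done
    issued_by "$dir/domaincert1.crt" "$dir/domaincert2.crt"   # domain issued by intermediate
    issued_by "$dir/domaincert2.crt" "$dir/root.crt"          # intermediate issued by root
    verify_chain "$dir"
    rm -rf "$dir"
}

demo
```

The `issued_by` links are the "domain, intermediate, known root" order from the thread made checkable: a bundle whose second certificate is not the issuer of the first fails the first check, and `verify_chain` fails when the intermediate is left out, which is what a browser sees when only the domain certificate is served.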
Re: Trying to understand How Tomcat uses Keystore for SSL
Hello Don,

I'm trying to understand these as well. I had a question regarding the data and commands you used to display the certificate information. You wrote that you used the following command to create a pkcs12 store:

    openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"

To display the 2 certs you show one example command to see the first one as:

    openssl x509 -noout -subject -issuer -in domaincert1.crt
    subject= /CN=info.finwoks.com
    issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Where did the "domaincert1.crt" come from? I did not see anything in the first command reference this and I was not sure how someone would know this name and the second one called domaincert2.crt.

Thank you,

Joleen

On Sun, Nov 26, 2017 at 10:35 PM, Don Flinn wrote:
> IT WORKS
>
> My next question is whether the Tomcat team would want this Java program that does the heavy lifting for letsencrypt, which I would be happy to clean up and make available as open source. The guts of the program come from http://acme4j.shredzone.org, which is under the Apache license.
>
> I've made a number of enhancements, e.g. a GUI front end; the ability to do the letsencrypt authorization without any user intervention; the ability to sit on an admin node, retrieve and install the retrieved letsencrypt SSL certificates on a remote tomcat node.
>
> If the answer is yes, let me know the procedure to make it available as open source.
>
> Don
>
> On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn wrote:
> > Didn't read closely enough. The protocol that I used is no longer applicable for Tomcat 9.
> >
> > Don
> >
> > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn wrote:
> > > Chris
> > >
> > > Thank you for your excellent reply and references.
> > >
> > > I've been doing a lot of reading on SSL, certificates, keys, algorithms, etc. Woo! However I still don't have it correct.
> > >
> > > I've retrieved certificates from letsencrypt and following your suggestions did the following.
> > >
> > > Created a pkcs12 store using the following command line.
> > >
> > >     openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
> > >
> > > where the domain-chain.crt contains two certificates and ICDTrustRoot contains one as shown below -
> > >
> > >     PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer -in domaincert1.crt   (the first cert in domain-chain.crt)
> > >     subject= /CN=info.finwoks.com
> > >     issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > >
> > >     PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer -in domaincert2.crt   (the second cert in domain-chain.crt)
> > >     subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> > >     issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> > >
> > >     PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer -in ICDTrustRoot.crt
> > >     subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
> > >     issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> > >
> > > so I have the three certificates and the private key which is shared with letsencrypt called domain.key
> > >
> > > My server.xml contains:
> > >
> > >     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> > >     port="8443" maxThreads="200"
> > >     scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
> > >     keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
> > >     clientAuth="false" sslProtocol="TLS"
> > >     />
> > >
> > > However when I restart Tomcat I get the following error in the Tomcat error log and of course it fails in the handshake with the browser
> > >
> > >     org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
> > >     org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> > >         at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > >         at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> > >         at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> > >         at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> > >         at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> > >         at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> > >         at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> > >         at java.lang.reflect.Method.invoke(Unknown Source)
Re: where to put jars used by several apps
On 2017-11-25 14:35, rich...@xentu.com wrote:
> I've written a few jersey webapps, and each has about 20 jar files included as Maven dependencies. The inclusion of those jars increases the size of the resulting wars by a factor of over 100. Uploading a war via 'Tomcat Web Application Manager' takes several minutes, presumably due in part to the war size.
>
> Given that these webapps require the same set of jars in their WEB-INF/lib/, I thought I could place them in say C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jersey where all webapps could find them.
>
> In catalina.properties, I appended this new directory to the common.loader list of paths:
>
>     common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/lib/jersey/*.jar
>
> Then, in each jersey webapp, I'd modify pom.xml to exclude those files from the war:
>
>     maven-war-plugin 3.2.0 WEB-INF/lib/*.jar
>
> This approach seems to work. So, the question I'm seeking advice on is this: If I have a collection of jars that I want to keep on Tomcat, for some but not all webapps, and those jars are not to be included in the wars, is this an acceptable technique? Or is it going to land me in trouble? Does the order of locations in common.loader matter?
>
> Thanks for any advice
>
> Richard

Ray & Nasry, thanks for your observations. Seems like my approach, in my situation at least, isn't going to cause me problems, so that's good. I'm only deploying to one server & the only apps on it are ones I've written, so I can take care of the versions of the jars involved.

Regards

Richard
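Richard's closing remark, that he can "take care of the versions of the jars involved", is the part of this setup that needs an actual check: once a jar lives in a directory on common.loader, any webapp that still ships its own copy under WEB-INF/lib loads that class twice through two class loaders (Tomcat's webapp loader is child-first for application classes, so the WEB-INF/lib copy wins inside that webapp while every other webapp gets the shared one). The script below is an added example, not code from the thread or from Tomcat: it walks a CATALINA_BASE layout, strips version suffixes from jar names, and reports every artifact present both in lib/jersey (the shared directory from the thread) and in some webapp's WEB-INF/lib. The directory tree it builds is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): report jars that exist both in the shared
# lib/jersey directory (on common.loader) and in a webapp's own WEB-INF/lib.
# The demo layout built by make_demo_layout is constructed, not a real Tomcat tree.
set -eu

# Strip the version so jersey-server-2.26.jar and jersey-server-2.25.jar compare as the
# same artifact: drop ".jar" and the first "-<digit>..." suffix.
artifact_name() {
    basename "$1" .jar | sed 's/-[0-9][-0-9A-Za-z.]*$//'
}

# For every artifact found under $1/lib/jersey that also appears under
# $1/webapps/*/WEB-INF/lib, print "artifact shared=<jar> webapp=<app>/<jar>".
find_shadowed_jars() {
    base=$1
    for shared in "$base"/lib/jersey/*.jar; do
        [ -e "$shared" ] || continue
        name=$(artifact_name "$shared")
        for app_jar in "$base"/webapps/*/WEB-INF/lib/*.jar; do
            [ -e "$app_jar" ] || continue
            if [ "$(artifact_name "$app_jar")" = "$name" ]; then
                # .../webapps/<app>/WEB-INF/lib/x.jar -> <app>
                app=$(basename "$(dirname "$(dirname "$(dirname "$app_jar")")")")
                echo "$name shared=$(basename "$shared") webapp=$app/$(basename "$app_jar")"
            fi
        done
    done
}

# Constructed layout: shared jersey jars plus two webapps, one of which still carries a
# stale private jersey-server that the war exclusion in pom.xml did not catch.
make_demo_layout() {
    base=$1
    mkdir -p "$base/lib/jersey" "$base/webapps/app1/WEB-INF/lib" "$base/webapps/app2/WEB-INF/lib"
    for j in jersey-server-2.26 jersey-common-2.26 hk2-api-2.5.0-b42; do
        : > "$base/lib/jersey/$j.jar"
    done
    : > "$base/webapps/app1/WEB-INF/lib/jersey-server-2.25.jar"
    : > "$base/webapps/app1/WEB-INF/lib/app1-only-1.0.jar"
    : > "$base/webapps/app2/WEB-INF/lib/app2-only-1.0.jar"
}

# Print the shadowed-jar report for a fresh demo layout and return its line count.
demo() {
    base=$(mktemp -d)
    make_demo_layout "$base"
    report=$(find_shadowed_jars "$base")
    rm -rf "$base"
    printf '%s\n' "$report"
    printf '%s\n' "$report" | grep -c . || true
}

demo
```

Run it against a real CATALINA_BASE with `find_shadowed_jars /path/to/tomcat` after sourcing the file; an empty report means every webapp really is relying on the shared copy, which is the condition under which Richard's approach behaves the way he expects.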
Re: Need Important Help in Context path
I just rename the file to MyTest.war

On Mon, Nov 27, 2017 at 7:05 PM, Vivek Patil wrote:
> Hello All,
>
> I am using Maven to build our application. So the war name will be MyTest-1.00-SNAPSHOT1.0. If I deploy the same in Tomcat I have to use the URL as //localhost:8080/MyTest-1.00-SNAPSHOT1.0
>
> but I need to set the context path MyTest even though the deployed WAR name is MyTest-1.00-SNAPSHOT1.0. I need the URL to be //localhost:8080/MyTest
>
> This link should always stay the same if I change the war name from MyTest-1.00-SNAPSHOT1.0 to MyTest-2.00-SNAPSHOT1.0.
>
> --
> Thanks & Regards
> Vivek Patil
> Sr IT Engineer.
> Spring Computing Technologies Pvt. Ltd.
> Contact- +91-95792 16049.
Re: Need Important Help in Context path
just create MyTest.xml with contents like below, and drop it under TomcatHome/conf/Catalina/localhost

--

--

hope it can help u

2017-11-27 17:05 GMT+09:00 Vivek Patil:
> Hello All,
>
> I am using Maven to build our application. So the war name will be MyTest-1.00-SNAPSHOT1.0. If I deploy the same in Tomcat I have to use the URL as //localhost:8080/MyTest-1.00-SNAPSHOT1.0
>
> but I need to set the context path MyTest even though the deployed WAR name is MyTest-1.00-SNAPSHOT1.0. I need the URL to be //localhost:8080/MyTest
>
> This link should always stay the same if I change the war name from MyTest-1.00-SNAPSHOT1.0 to MyTest-2.00-SNAPSHOT1.0.
>
> --
> Thanks & Regards
> Vivek Patil
> Sr IT Engineer.
> Spring Computing Technologies Pvt. Ltd.
> Contact- +91-95792 16049.
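The descriptor the reply refers to did not survive extraction, so the following is an added example written here, not the poster's file: a per-context descriptor whose base name fixes the context path (MyTest.xml serves /MyTest) and whose docBase names the versioned WAR, so a new build only changes docBase and never the URL. The one caveat a deploy script should enforce is that the WAR must live outside the Host's appBase (webapps): a WAR that sits in appBase and is also named by a descriptor is deployed a second time under its own name. The CATALINA_BASE and deploy directory below are constructed; `write_context_descriptor` and `descriptor_docbase` are this example's own helpers.

```shell
#!/bin/sh
# Added example (not the poster's file): write conf/Catalina/localhost/<ctx>.xml so a
# versioned WAR is served under the fixed path /<ctx>, refusing WARs inside appBase.
# All paths are constructed for the demonstration.
set -eu

# $1 = CATALINA_BASE, $2 = context name, $3 = absolute path to the WAR.
# Writes $1/conf/Catalina/localhost/$2.xml and prints its path.
# Returns 1 without writing when the WAR is under $1/webapps (appBase), because Tomcat
# would then deploy it twice: once via this descriptor and once under its own name.
write_context_descriptor() {
    base=$1; ctx=$2; war=$3
    case $war in
        "$base"/webapps/*)
            echo "refusing: $war is inside appBase; keep it outside $base/webapps" >&2
            return 1 ;;
    esac
    [ -f "$war" ] || { echo "refusing: $war does not exist" >&2; return 1; }
    mkdir -p "$base/conf/Catalina/localhost"
    # No path attribute: in a per-context file the path comes from the file name.
    cat > "$base/conf/Catalina/localhost/$ctx.xml" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!-- Context path is taken from this file's name: /$ctx -->
<Context docBase="$war" />
EOF
    echo "$base/conf/Catalina/localhost/$ctx.xml"
}

# Read the docBase back out of a descriptor, so a deploy script can confirm which WAR
# version is currently behind the fixed path.
descriptor_docbase() {
    sed -n 's/.*docBase="\([^"]*\)".*/\1/p' "$1"
}

# Walk-through: first release behind /MyTest, then point the same path at the next build.
demo() {
    base=$(mktemp -d)
    mkdir -p "$base/deploy" "$base/webapps"
    : > "$base/deploy/MyTest-1.00-SNAPSHOT1.0.war"   # constructed stand-in for the real WAR
    : > "$base/deploy/MyTest-2.00-SNAPSHOT1.0.war"
    f=$(write_context_descriptor "$base" MyTest "$base/deploy/MyTest-1.00-SNAPSHOT1.0.war")
    echo "/MyTest -> $(descriptor_docbase "$f")"
    f=$(write_context_descriptor "$base" MyTest "$base/deploy/MyTest-2.00-SNAPSHOT1.0.war")
    echo "/MyTest -> $(descriptor_docbase "$f")"
    rm -rf "$base"
}

demo
```

Rewriting the descriptor is what triggers the redeploy of the new WAR version while the URL stays //localhost:8080/MyTest; the renaming answer earlier in the thread achieves the same URL by changing the WAR name instead.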
Need Important Help in Context path
Hello All,

I am using Maven to build our application. So the war name will be MyTest-1.00-SNAPSHOT1.0. If I deploy the same in Tomcat I have to use the URL as //localhost:8080/MyTest-1.00-SNAPSHOT1.0

but I need to set the context path MyTest even though the deployed WAR name is MyTest-1.00-SNAPSHOT1.0. I need the URL to be //localhost:8080/MyTest

This link should always stay the same if I change the war name from MyTest-1.00-SNAPSHOT1.0 to MyTest-2.00-SNAPSHOT1.0.

--
Thanks & Regards
Vivek Patil
Sr IT Engineer.
Spring Computing Technologies Pvt. Ltd.
Contact- +91-95792 16049.