Re: Trying to understand How Tomcat uses Keystore for SSL

2017-11-27 Thread Joleen Barker
Perfect. Thank you for the clarification; I was having a problem putting it
all together. I got it now.

-Joleen

On Mon, Nov 27, 2017 at 10:47 AM, Don Flinn  wrote:

> Hi Joleen,
>
> My previous mail was cryptic.  Below is a fuller explanation of what I did
> to get things running.
>
> First, I'm using Tomcat 9, and the protocol for Tomcat 8.5 and up has
> been expanded.  Chris suggested that I use PKCS12 rather than a JDK keystore,
> which I have done. I'm also using the APR configuration.  So the redirected
> connector that I'm using looks like:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
> port="8443" maxThreads="150" SSLEnabled="true">
>
> 
>  keystoreType="PKCS12"
>  certificateFile="C:/users/don/Security/domain-chain.crt"
> certificateChainFile="C:/users/don/Security/ICDTrustRoot.crt"
> type="RSA" />
> 
>
> 
>
> The domain key is the private key I used when getting the certificates from
> letsencrypt.  The certificate I got from letsencrypt I called
> domain-chain.crt. Lastly I downloaded the ICDTrustRoot.crt from
> letsencrypt at https://letsencrypt.org/certificates.  You will notice that
> I'm using Windows syntax, which is just for the pathname where the
> certificates live.  You would use a Linux path syntax if you are running
> Linux.  You need three certificates for letsencrypt: a cert for your
> domain, one for the intermediate and finally the root certificate.
>
> What I call domain-chain.crt holds two certificates: my domain certificate
> and the intermediate.  In order to see what these were I separated them in
> a text editor and called the first domaincert1.crt and the second
> domaincert2.crt.
> Then I used openssl to see what was in them.  For example:
>
> openssl x509 -noout -subject -issuer -in domaincert1.crt
> this printed out
> subject= /CN=info.finwoks.com
> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> So that one was my domain cert issued by the letsencrypt intermediate
>
> The second certificate gave
> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>
> which is the intermediate.
>
> I downloaded the certificates using the java program mentioned in my
> previous e-mail. Depending on your particular setup, you can get the four
> items using different methods.  I would suggest that you check what the
> various certificates contain by using the ssl commands. I've also read that
> the order of the certificates should be
>
> Your domain
> Intermediate
> Known Root
>
> So that's the order I used.  A caution: in my reading I have found some
> directions not to be accurate.
>
> If what I have written is not clear, please let me know and I'll try to
> clear it up.
>
> Don
>
>
>
>
> On Mon, Nov 27, 2017 at 5:52 AM, Joleen Barker 
> wrote:
>
> > Hello Don,
> >
> > I'm trying to understand these as well. I had a question regarding the data
> > and commands you used to display the certificate information. You wrote
> > that you used the following command to create a pkcs12 store:
> >
> > openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key"
> -certfile
> > "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
> >
> > To display the 2 certs you show one example command to see the first one
> > as:
> >
> > openssl x509 -noout -subject -issuer -in domaincert1.crt
> > subject= /CN=info.finwoks.com
> > issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> >
> > Where did the "domaincert1.crt" come from? I did not see anything in the
> > first command reference this and I was not sure how someone would know this
> > name and the second one called domaincert2.crt.
> >
> > Thank you,
> >
> > Joleen
> >
> > On Sun, Nov 26, 2017 at 10:35 PM, Don Flinn  wrote:
> >
> > > IT WORKS
> > >
> > > My next question is whether the Tomcat team would want this Java program
> > > that does the heavy lifting for letsencrypt, which I would be happy to
> > > clean up and make available as open source.  The guts of the program come
> > > from -  http://acme4j.shredzone.org, which is under the Apache license.
> > >
> > > I've made a number of enhancements, e.g. a GUI front end; the ability to do
> > > the letsencrypt authorization without any user intervention; the ability to
> > > sit on an admin node, retrieve and install the retrieved letsencrypt SSL
> > > certificates on a remote tomcat node.
> > >
> > > If the answer is yes, let me know the procedure to make it available as
> > > open source.
> > >
> > > Don
> > >
> > > On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn  wrote:
> > >
> > > > Didn't read closely enough.  The protocol that I used is no longer
> > > > applicable for Tomcat 9.
> > > >
> > > > Don
> > > >
> > > > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn  wrote:
> > > >
> > > >> Chris
> > > >>
> > > >> Thank you for your 

Re: Trying to understand How Tomcat uses Keystore for SSL

2017-11-27 Thread Don Flinn
Hi Joleen,

My previous mail was cryptic.  Below is a fuller explanation of what I did
to get things running.

First, I'm using Tomcat 9, and the protocol for Tomcat 8.5 and up has
been expanded.  Chris suggested that I use PKCS12 rather than a JDK keystore,
which I have done. I'm also using the APR configuration.  So the redirected
connector that I'm using looks like:




 keystoreType="PKCS12"





The domain key is the private key I used when getting the certificates from
letsencrypt.  The certificate I got from letsencrypt I called
domain-chain.crt. Lastly I downloaded the ICDTrustRoot.crt from
letsencrypt at https://letsencrypt.org/certificates.  You will notice that
I'm using Windows syntax, which is just for the pathname where the
certificates live.  You would use a Linux path syntax if you are running
Linux.  You need three certificates for letsencrypt: a cert for your
domain, one for the intermediate and finally the root certificate.

What I call domain-chain.crt holds two certificates: my domain certificate
and the intermediate.  In order to see what these were I separated them in
a text editor and called the first domaincert1.crt and the second domaincert2.crt.
Then I used openssl to see what was in them.  For example:

openssl x509 -noout -subject -issuer -in domaincert1.crt
this printed out
subject= /CN=info.finwoks.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

So that one was my domain cert issued by the letsencrypt intermediate

The second certificate gave
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

which is the intermediate.

I downloaded the certificates using the java program mentioned in my
previous e-mail. Depending on your particular setup, you can get the four
items using different methods.  I would suggest that you check what the
various certificates contain by using the ssl commands. I've also read that
the order of the certificates should be

Your domain
Intermediate
Known Root

So that's the order I used.  A caution: in my reading I have found some
directions not to be accurate.

If what I have written is not clear, please let me know and I'll try to
clear it up.

Don




On Mon, Nov 27, 2017 at 5:52 AM, Joleen Barker 
wrote:

> Hello Don,
>
> I'm trying to understand these as well. I had a question regarding the data
> and commands you used to display the certificate information. You wrote
> that you used the following command to create a pkcs12 store:
>
> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile
> "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"
>
> To display the 2 certs you show one example command to see the first one
> as:
>
> openssl x509 -noout -subject -issuer -in domaincert1.crt
> subject= /CN=info.finwoks.com
> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> Where did the "domaincert1.crt" come from? I did not see anything in the
> first command reference this and I was not sure how someone would know this
> name and the second one called domaincert2.crt.
>
> Thank you,
>
> Joleen
>
> On Sun, Nov 26, 2017 at 10:35 PM, Don Flinn  wrote:
>
> > IT WORKS
> >
> > My next question is whether the Tomcat team would want this Java program
> > that does the heavy lifting for letsencrypt, which I would be happy to
> > clean up and make available as open source.  The guts of the program come
> > from -  http://acme4j.shredzone.org, which is under the Apache license.
> >
> > I've made a number of enhancements, e.g. a GUI front end; the ability to do
> > the letsencrypt authorization without any user intervention; the ability to
> > sit on an admin node, retrieve and install the retrieved letsencrypt SSL
> > certificates on a remote tomcat node.
> >
> > If the answer is yes, let me know the procedure to make it available as
> > open source.
> >
> > Don
> >
> > On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn  wrote:
> >
> > > Didn't read closely enough.  The protocol that I used is no longer
> > > applicable for Tomcat 9.
> > >
> > > Don
> > >
> > > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn  wrote:
> > >
> > >> Chris
> > >>
> > >> Thank you for your excellent reply and references.
> > >>
> > >> I've been doing a lot of reading on SSL, certificates, keys, algorithms,
> > >> etc. Woo!  However I still don't have it correct.
> > >>
> > >> I've retrieved certificates from letsencrypt and following your
> > >> suggestions did the following.
> > >>
> > >> Created a pkcs12 store using the following command line.
> > >> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key"
> > >> -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout
> > >> "pass:changeit"
> > >>
> > >> where the domain-chain.crt contains two certificates  and ICDTrustRoot
> > >> contains one as shown below -
> > >> PS 
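The checks Don describes above (split domain-chain.crt into its two certificates, read the subject and issuer of each piece, make sure the order is domain, intermediate, root, then build the PKCS12 store with `openssl pkcs12 -export`), together with the answer to Joleen's question of where domaincert1.crt and domaincert2.crt come from, as an added example that is not code from the thread or from Don's program. It generates its own throwaway chain with openssl so that it runs offline; the names `Demo Root`, `Demo Intermediate` and `demo.example` and the temporary work directory are assumptions of the demo, not Don's real files.

```shell
#!/bin/sh
# Added example, not code from the thread. It builds a throwaway
# root -> intermediate -> leaf chain so everything runs offline, then does
# what Don did by hand: splits the leaf+intermediate bundle into
# domaincert1.crt / domaincert2.crt, reads subject and issuer of each,
# checks the order leaf, intermediate, root, verifies the chain, and packs
# key + chain into MM.p12 with the exact options from the thread.
# "demo.example", "Demo Root", "Demo Intermediate" and $WORK are assumptions.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_chain HOST: writes domain.key, domain-chain.crt (leaf + intermediate)
# and root.crt into $WORK, the same three inputs Don had.
make_chain() {
    d="$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' > "$d/ca.ext"
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" > "$d/leaf.ext"
    # self-signed root
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=Demo Root" \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    # intermediate CA, signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Demo/CN=Demo Intermediate" \
        -keyout "$d/int.key" -out "$d/int.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/int.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/int.crt" 2>/dev/null
    # leaf for HOST, signed by the intermediate; its private key is "domain.key"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
        -keyout "$d/domain.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 30 -in "$d/leaf.csr" -CA "$d/int.crt" -CAkey "$d/int.key" \
        -CAcreateserial -extfile "$d/leaf.ext" -out "$d/leaf.crt" 2>/dev/null
    cat "$d/leaf.crt" "$d/int.crt" > "$d/domain-chain.crt"
}

# split_bundle FILE PREFIX: one PEM certificate per file ($WORK/PREFIX1.crt,
# $WORK/PREFIX2.crt, ...), the text-editor step automated; prints the count.
split_bundle() {
    awk -v p="$WORK/$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = p n ".crt" }
        f                             { print > f }
        END                           { print n + 0 }' "$1"
}

# cert_field subject|issuer FILE: the DN in RFC 2253 form, so the issuer of
# one certificate and the subject of the next compare byte for byte.
cert_field() {
    openssl x509 -noout "-$1" -nameopt RFC2253 -in "$2" | sed 's/^[a-z]*= *//'
}

# check_order FILE...: succeeds only if each certificate was issued by the
# next one in the list, i.e. the list really is leaf, intermediate, root.
check_order() {
    prev=""
    for f in "$@"; do
        if [ -n "$prev" ] && [ "$(cert_field issuer "$prev")" != "$(cert_field subject "$f")" ]; then
            echo "out of order: $(basename "$prev") was not issued by $(basename "$f")" >&2
            return 1
        fi
        prev="$f"
    done
    echo "order ok ($# certificates)"
}

# build_p12: Don's openssl pkcs12 line, unchanged apart from the paths.
build_p12() {
    openssl pkcs12 -export -in "$WORK/domain-chain.crt" -inkey "$WORK/domain.key" \
        -certfile "$WORK/root.crt" -out "$WORK/MM.p12" -name tomcat -passout "pass:changeit"
}

# p12_cert_count: how many certificates the store actually holds (expect 3).
p12_cert_count() {
    openssl pkcs12 -in "$WORK/MM.p12" -passin pass:changeit -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE'
}

main() {
    make_chain demo.example
    n=$(split_bundle "$WORK/domain-chain.crt" domaincert)
    echo "domain-chain.crt holds $n certificates"
    i=1
    while [ "$i" -le "$n" ]; do
        echo "domaincert$i.crt  subject: $(cert_field subject "$WORK/domaincert$i.crt")"
        echo "                  issuer:  $(cert_field issuer "$WORK/domaincert$i.crt")"
        i=$((i + 1))
    done
    check_order "$WORK/domaincert1.crt" "$WORK/domaincert2.crt" "$WORK/root.crt"
    # the check that matters: does the leaf chain to the root via the intermediate?
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/domaincert2.crt" "$WORK/domaincert1.crt"
    build_p12
    echo "MM.p12 holds $(p12_cert_count) certificates"
}
main
```

`openssl verify -CAfile root -untrusted intermediate leaf` is the check worth trusting: it performs the same chain building a client does and fails on a bundle that merely looks right (wrong order, missing intermediate, an intermediate without CA:TRUE), which the subject/issuer comparison alone does not catch. Two caveats for the PKCS12 step: with OpenSSL 3 the default export encrypts the store with algorithms that older JDKs cannot open, so if Tomcat reports that it cannot read MM.p12 the export can be re-run with `-legacy`; and on Tomcat 8.5 and later the store is optional, since the `Certificate` element can point at the PEM key, certificate and chain files directly, which is what Don's final Tomcat 9 connector does.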

Re: Trying to understand How Tomcat uses Keystore for SSL

2017-11-27 Thread Joleen Barker
Hello Don,

I'm trying to understand these as well. I had a question regarding the data
and commands you used to display the certificate information. You wrote
that you used the following command to create a pkcs12 store:

openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile
"ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"

To display the 2 certs you show one example command to see the first one as:

openssl x509 -noout -subject -issuer -in domaincert1.crt
subject= /CN=info.finwoks.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

Where did the "domaincert1.crt" come from? I did not see anything in the
first command reference this and I was not sure how someone would know this
name and the second one called domaincert2.crt.

Thank you,

Joleen

On Sun, Nov 26, 2017 at 10:35 PM, Don Flinn  wrote:

> IT WORKS
>
> My next question is whether the Tomcat team would want this Java program
> that does the heavy lifting for letsencrypt, which I would be happy to
> clean up and make available as open source.  The guts of the program come
> from -  http://acme4j.shredzone.org, which is under the Apache license.
>
> I've made a number of enhancements, e.g. a GUI front end; the ability to do
> the letsencrypt authorization without any user intervention; the ability to
> sit on an admin node, retrieve and install the retrieved letsencrypt SSL
> certificates on a remote tomcat node.
>
> If the answer is yes, let me know the procedure to make it available as
> open source.
>
> Don
>
> On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn  wrote:
>
> > Didn't read closely enough.  The protocol that I used is no longer
> > applicable for Tomcat 9.
> >
> > Don
> >
> > On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn  wrote:
> >
> >> Chris
> >>
> >> Thank you for your excellent reply and references.
> >>
> >> I've been doing a lot of reading on SSL, certificates, keys, algorithms,
> >> etc. Woo!  However I still don't have it correct.
> >>
> >> I've retrieved certificates from letsencrypt and following your
> >> suggestions did the following.
> >>
> >> Created a pkcs12 store using the following command line.
> >> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key"
> >> -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout
> >> "pass:changeit"
> >>
> >> where the domain-chain.crt contains two certificates  and ICDTrustRoot
> >> contains one as shown below -
> >> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
> >> -in domaincert1.crt   (the first cert in domain-chain.crt)
> >> subject= /CN=info.finwoks.com
> >> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> >>
> >> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
> >> -in domaincert2.crt (the second cert in domain-chain.crt)
> >> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> >> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> >>
> >> PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer
> >> -in ICDTrustRoot.crt
> >> subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
> >> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> >> so I have the three certificates and the private key, which is shared with
> >> letsencrypt, called domain.key.
> >> My server.xml contains:
> >> <Connector sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
> >>    port="8443" maxThreads="200"
> >>    scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
> >>    keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
> >>    clientAuth="false" sslProtocol="TLS"
> >> />
> >>
> >> However when I restart Tomcat I get the following error in the Tomcat
> >> error log and of course it fails in the handshake with the browser
> >>
> >> org.apache.catalina.core.StandardService.initInternal Failed to
> >> initialize connector [Connector[HTTP/1.1-8443]]
> >>  org.apache.catalina.LifecycleException: Failed to initialize component
> >> [Connector[HTTP/1.1-8443]]
> >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
> >> at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
> >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >> at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
> >> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
> >> at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
> >> at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >> at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
> >> at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
> >> at java.lang.reflect.Method.invoke(Unknown Source)
> >> 

Re: where to put jars used by several apps

2017-11-27 Thread richard

On 2017-11-25 14:35, rich...@xentu.com wrote:

I've written a few jersey webapps, and each has about 20 jar files
included as Maven dependencies.

The inclusion of those jars increases the size of the resulting wars
by a factor of over 100. Uploading a war via 'Tomcat Web Application
Manager' takes several minutes, presumably due in part to the war
size.

Given that these webapps require the same set of jars in their
WEB-INF/lib/, I thought I could place them in say

C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jersey

where all webapps could find them.

In catalina.properties, I appended this new directory to the
common.loader list of paths:

common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/lib/jersey/*.jar

Then, in each jersey webapp, I'd modify pom.xml to exclude those files
from the war.


  maven-war-plugin
  3.2.0
  
WEB-INF/lib/*.jar
  


This approach seems to work.

So, the question I'm seeking advice on is this:

If I have a collection of jars that I want to keep on Tomcat, for some
but not all webapps, and those jars are not to be included in the
wars, is this an acceptable technique? Or is it going to land me in
trouble? Does the order of locations in common.loader matter?


Thanks for any advice
Richard




Ray & Nasry, thanks for your observations.

Seems like my approach, in my situation at least, isn't going to cause 
me problems, so that's good.


I'm only deploying to one server & the only apps on it are ones I've 
written, so I can take care of the versions of the jars involved.


Regards
Richard
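The version hygiene Richard says he will take care of by hand, as an added example that is not Richard's code or configuration. Everything on common.loader is loaded once by the common class loader and is visible to Tomcat's own classes and to every webapp, so a jar moved into lib/jersey is effectively pinned for all of them; a webapp that still ships a different version in WEB-INF/lib gets its own copy (the webapp loader searches WEB-INF/lib before the common loader) while every other app gets the shared one, and one vulnerable shared jar is exposed through every app at once. The script compares the shared directory with each exploded webapp's WEB-INF/lib and flags same-artifact, different-version pairs. The directory layout and jar names are constructed for the demo, and the jar files are empty because only their names are inspected.

```shell
#!/bin/sh
# Added example, not Richard's code. Finds artifacts that exist both in the
# shared common.loader directory and in a webapp's WEB-INF/lib with a
# different version. Layout, jar names and $WORK are constructed for the demo.
set -eu
WORK="${WORK:-$(mktemp -d)}"

# make_demo: a shared lib/jersey directory and two exploded webapps; the jar
# files are empty because only their names matter for this check.
make_demo() {
    mkdir -p "$WORK/lib/jersey" "$WORK/webapps/app1/WEB-INF/lib" "$WORK/webapps/app2/WEB-INF/lib"
    for j in jersey-server-2.26 jersey-common-2.26 jackson-core-2.9.0 javax.ws.rs-api-2.1; do
        : > "$WORK/lib/jersey/$j.jar"
    done
    : > "$WORK/webapps/app1/WEB-INF/lib/jackson-core-2.8.11.jar"   # older than the shared copy
    : > "$WORK/webapps/app1/WEB-INF/lib/app1-utils-1.0.jar"
    : > "$WORK/webapps/app2/WEB-INF/lib/jersey-server-2.26.jar"     # same as the shared copy
    : > "$WORK/webapps/app2/WEB-INF/lib/guava-23.0.jar"
}

# artifact_version FILE: prints "artifact version" from a Maven-style jar name
# (jersey-server-2.26.jar -> "jersey-server 2.26"); version "-" if unversioned.
artifact_version() {
    name=$(basename "$1" .jar)
    case "$name" in
        *-[0-9]*) art=${name%-[0-9]*}; echo "$art ${name#"$art"-}" ;;
        *)        echo "$name -" ;;
    esac
}

# report_conflicts SHARED_DIR WEBAPP_DIR: one line per artifact present in both
# places, tagged SAME or DIFFERENT. DIFFERENT means this app runs its own copy
# (WEB-INF/lib wins inside the app) while every other app runs the shared one.
report_conflicts() {
    for s in "$1"/*.jar; do
        [ -e "$s" ] || continue
        sav=$(artifact_version "$s"); sa=${sav% *}; sv=${sav#* }
        for w in "$2"/WEB-INF/lib/*.jar; do
            [ -e "$w" ] || continue
            wav=$(artifact_version "$w"); wa=${wav% *}; wv=${wav#* }
            [ "$sa" = "$wa" ] || continue
            if [ "$sv" = "$wv" ]; then tag=SAME; else tag=DIFFERENT; fi
            echo "$sa shared=$sv webapp=$wv $tag"
        done
    done
}

# count_conflicts SHARED_DIR WEBAPP_DIR: number of DIFFERENT lines (0 = safe to share).
count_conflicts() {
    report_conflicts "$1" "$2" | grep -c DIFFERENT || true
}

main() {
    make_demo
    for app in "$WORK"/webapps/*; do
        echo "== $(basename "$app")"
        report_conflicts "$WORK/lib/jersey" "$app"
        echo "   conflicts: $(count_conflicts "$WORK/lib/jersey" "$app")"
    done
}
main
```

Run it against the real `$CATALINA_BASE/lib/jersey` and `$CATALINA_BASE/webapps/<app>` after each deployment; a non-zero conflict count means the app was built against a different version than the one every other app will load.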








Re: Need Important Help in Context path

2017-11-27 Thread Sascha Monteiro
I just rename the file to MyTest.war

On Mon, Nov 27, 2017 at 7:05 PM, Vivek Patil 
wrote:

> Hello All,
>
> I am using Maven to build our application.
> So the war name will be MyTest-1.00-SNAPSHOT1.0. If I deploy the same in
> Tomcat I have to use the URL
> //localhost:8080/MyTest-1.00-SNAPSHOT1.0
>
> but I need to set the context path to MyTest even though the deployed WAR name is
> MyTest-1.00-SNAPSHOT1.0. I need the URL to be
> //localhost:8080/MyTest
>
> This link should always be the same if I change the war name from
> MyTest-1.00-SNAPSHOT1.0 to MyTest-2.00-SNAPSHOT1.0.
>
> --
> Thanks & Regards
> Vivek Patil
> Sr IT Engineer.
> Spring Computing Technologies Pvt. Ltd.
> Contact- +91-95792 16049.
>
>


Re: Need Important Help in Context path

2017-11-27 Thread cyron
just create MyTest.xml with contents like below, and drop it under
TomcatHome/conf/Catalina/localhost

--

--

hope it can help you


2017-11-27 17:05 GMT+09:00 Vivek Patil :

> Hello All,
>
> I am using Maven to build our application.
> So the war name will be MyTest-1.00-SNAPSHOT1.0. If I deploy the same in
> Tomcat I have to use the URL
> //localhost:8080/MyTest-1.00-SNAPSHOT1.0
>
> but I need to set the context path to MyTest even though the deployed WAR name is
> MyTest-1.00-SNAPSHOT1.0. I need the URL to be
> //localhost:8080/MyTest
>
> This link should always be the same if I change the war name from
> MyTest-1.00-SNAPSHOT1.0 to MyTest-2.00-SNAPSHOT1.0.
>
> --
> Thanks & Regards
> Vivek Patil
> Sr IT Engineer.
> Spring Computing Technologies Pvt. Ltd.
> Contact- +91-95792 16049.
>
>


Need Important Help in Context path

2017-11-27 Thread Vivek Patil

Hello All,

I am using Maven to build our application.
So the war name will be MyTest-1.00-SNAPSHOT1.0. If I deploy the same in
Tomcat I have to use the URL

//localhost:8080/MyTest-1.00-SNAPSHOT1.0

but I need to set the context path to MyTest even though the deployed WAR name
is MyTest-1.00-SNAPSHOT1.0. I need the URL to be

//localhost:8080/MyTest

This link should always be the same if I change the war name from
MyTest-1.00-SNAPSHOT1.0 to MyTest-2.00-SNAPSHOT1.0.

--
Thanks & Regards
Vivek Patil
Sr IT Engineer.
Spring Computing Technologies Pvt. Ltd.
Contact- +91-95792 16049.