Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

2020-07-12 Thread Michael Osipov

On 2020-07-11 at 23:52, Valentin wrote:

Hello,

I try to configure my tomcat 9.0.37 installed on a windows server 2016 to
use a certificate located in *cert:LocalMachine\My*

I mention that I am an administrator of this machine.
This certificate is also used by IIS.

What I did was to configure my server.xml file like this:



The error I got in tomcat logs was that the keyAlias doesn't exist but I
used the CN mentioned in the description of my certificate.

Is it possible for tomcat to use the windows certificate store?
The only link I found about this was:
https://bz.apache.org/bugzilla/show_bug.cgi?id=56021


I have used Windows-MY several times now with HttpClient, curl and 
OpenSSL. The native Crypto API of the Windows Cert Store provides 
several name formats for the key alias.

First of all, set CAPI_TRACE env var to see more output.
Native does this: 
https://github.com/AdoptOpenJDK/openjdk-jdk8u/blob/master/jdk/src/windows/native/sun/security/mscapi/security.cpp#L561-L563
CERT_NAME_FRIENDLY_DISPLAY_TYPE (fallback CERT_NAME_SIMPLE_DISPLAY_TYPE) 
from 
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-certgetnamestringa


My recommendation is to write the simplest code: open Windows-MY, iterate 
over all keys, print the keys, and then you will know what these display 
names are. The DNS name you use is obviously not the right one, since it 
would have to be CERT_NAME_DNS_TYPE.


Good luck,

Michael
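The enumeration Michael describes, as an added example (not code from the thread or from Tomcat): it opens the store through the SunMSCAPI provider with the same keystore type Tomcat uses and prints each alias exactly as Tomcat's keyAlias would have to match it, alongside the subject, issuer and DNS SANs so the alias can be tied back to the certificate. Assumptions: it is run under the same Windows account as the Tomcat service, since Windows-MY on Java 8 is the per-user personal store, and the store type can be overridden with the first argument (e.g. Windows-ROOT).

```java
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Enumeration;
import java.util.List;

/**
 * Lists every alias the SunMSCAPI provider exposes for a Windows
 * certificate store. Added example: the alias string printed here is
 * what Tomcat's keyAlias attribute must match for keystoreType="Windows-MY".
 */
public class ListWindowsStore {

    // GeneralName tag for dNSName in SubjectAlternativeName (RFC 5280)
    private static final int DNS_NAME = 2;

    public static void main(String[] args) throws Exception {
        // Assumption: store type given as first argument, default Windows-MY
        String type = args.length > 0 ? args[0] : "Windows-MY";
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, null); // MSCAPI stores take no file and no password

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            // Only entries with a private key are usable as a TLS server cert
            boolean hasKey = ks.isKeyEntry(alias);
            System.out.printf("alias=\"%s\" private-key=%s%n", alias, hasKey);

            Certificate c = ks.getCertificate(alias);
            if (!(c instanceof X509Certificate)) {
                continue;
            }
            X509Certificate x = (X509Certificate) c;
            System.out.println("  subject : " + x.getSubjectX500Principal());
            System.out.println("  issuer  : " + x.getIssuerX500Principal());
            System.out.println("  expires : " + x.getNotAfter());

            // SANs are what browsers match the host name against, not the alias
            Collection<List<?>> sans = x.getSubjectAlternativeNames();
            if (sans != null) {
                for (List<?> san : sans) {
                    if (Integer.valueOf(DNS_NAME).equals(san.get(0))) {
                        System.out.println("  dNSName : " + san.get(1));
                    }
                }
            }
        }
    }
}
```

Entries that show private-key=false are certificate-only and cannot serve a Connector even if the alias matches.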

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: [Tomcat 9.0.37] Https / SSL on Windows server 2016 with windows certificate store

2020-07-12 Thread Daniel Savard
On Sat., 11 Jul. 2020 at 17:52, Valentin wrote:

> Hello,
>
> I try to configure my tomcat 9.0.37 installed on a windows server 2016 to
> use a certificate located in *cert:LocalMachine\My*
>
> I mention that I am an administrator of this machine.
> This certificate is also used by IIS.
>
> What I did was to configure my server.xml file like this:
>
>  protocol="org.apache.coyote.http11.Http11NioProtocol"
>SSLEnabled="true"
>maxThreads="150" scheme="https" secure="true"
>keyAlias="myserver.domain.com"
>keystoreFile=""
>keystorePass=""
>keystoreType="Windows-My"
>clientAuth="false" sslProtocol="TLS" />
>
> The error I got in tomcat logs was that the keyAlias doesn't exist but I
> used the CN mentioned in the description of my certificate.
>
> Is it possible for tomcat to use the windows certificate store?
> The only link I found about this was:
> https://bz.apache.org/bugzilla/show_bug.cgi?id=56021
>
> Thanks for your help
>
> Valentin.M
>

In documentation:
http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

"Tomcat currently operates only on JKS, PKCS11 or PKCS12 format keystores."

Windows local certificates are stored in the Windows registry.
https://docs.microsoft.com/en-us/windows-hardware/drivers/install/local-machine-and-current-user-certificate-stores

Since IIS is a Windows-only product, this is the simple thing for them to
do. Tomcat runs on various platforms and should support open and neutral
keystore formats instead.

-
Daniel Savard


Re: Tomcat 9.0.12 shows in browser but tomcat8 installed

2020-07-12 Thread Felix Schumacher


On 12.07.20 at 10:14, Christoph Kukulies wrote:
> Strange. I’m running an apache2 and a tomcat8 (AFAIK) on my server.
>
>
> When I open a browser on my server remotely and enter http://localhost:8080/
> I'm getting the tomcat congratulations page saying:
>
> Apache Tomcat/9.0.12
>
> How can I determine which tomcat I’m running? Could it be that I once had 
> installed Tomcat 9 and it is still installed as a service?
> System is Ubuntu 18.04.4.

I would first have a look at which process is running on port 8080 and
which processes are likely to be tomcats:

$ ss -pln | grep 8080
tcp    LISTEN  0   100   *:8080   *:*  users:(("java",pid=460709,fd=40))

and

$ ps aux | grep catalina
felix 460709  3.1  0.8 8353292 137908 pts/0  Sl   11:13   0:05
/usr/lib/jvm/jdk-14.0.1+7/bin/java
-Djava.util.logging.config.file=/home/felix/Developer/tomcat/output/build/conf/logging.properties
-Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager
-Djdk.tls.ephemeralDHKeySize=2048
-Djava.protocol.handler.pkgs=org.apache.catalina.webresources
-Dorg.apache.catalina.security.SecurityListener.UMASK=0027
-Dignore.endorsed.dirs= -classpath
/home/felix/Developer/tomcat/output/build/bin/bootstrap.jar:/home/felix/Developer/tomcat/output/build/bin/tomcat-juli.jar
-Dcatalina.base=/home/felix/Developer/tomcat/output/build
-Dcatalina.home=/home/felix/Developer/tomcat/output/build
-Djava.io.tmpdir=/home/felix/Developer/tomcat/output/build/temp
org.apache.catalina.startup.Bootstrap start

On my machine, there is one process listening on port 8080 (pid=460709)
and one process that is likely a tomcat (which surprisingly has the same pid :) )

After that, I would have a look into the directories listed as
catalina.base and catalina.home (which in this example are identical)
and try to decide whether they were part of a system package
installation or a manual installation.

If I still don't know what to do next, I would come back to the mailing
list with the information I found out by this. Maybe enhanced with the
output of (dpkg -l | grep -i tomcat)

Felix





Tomcat 9.0.12 shows in browser but tomcat8 installed

2020-07-12 Thread Christoph Kukulies
Strange. I’m running an apache2 and a tomcat8 (AFAIK) on my server.


When I open a browser on my server remotely and enter http://localhost:8080/
I'm getting the tomcat congratulations page saying:

Apache Tomcat/9.0.12

How can I determine which tomcat I’m running? Could it be that I once had 
installed Tomcat 9 and it is still installed as a service?
System is Ubuntu 18.04.4.


Christoph