Re: PKCS#8 encryption algorithm unrecognized

2024-03-31 Thread Mark Thomas

On 25/03/2024 16:56, Timothy Resh wrote:

Sorry for the delay.  Our certificate creation process was automated
several years ago and I had to go through the code to figure out the
commands being used for the certificates

First, we use the createcert.exe from the Sybase 17 installation to


I don't have access to that application so I am unable to follow the 
provided instructions.


Given you do have access to the application, it will likely be simpler 
if you provide a test key and certificate that don't work that we can 
use for investigation.


If you want to provide those offline, feel free to email the pem files 
to me directly.


Mark



generate a DB cert for ODBC connectivity.  Please see the following link
for more information.
https://infocenter.sybase.com/help/index.jsp?topic=/com.sybase.help.sqlanywhere.12.0.1/dbadmin/gencert-ml-ref1.html
-t encryption type
-b length
-ca "1"  Create Certificate Authority
-u 3,4,5,6

- 3. Key Encipherment
- 4. Data Encipherment
- 5. Key Agreement
- 6. Certificate Signing

-v 6 years
-co Public Certificate
-x Generates a self-signed certificate

C:\tmp12>ECHO. | "C:\Program Files\SQL Anywhere 17\Bin64\createcert.exe"
-t "rsa" -b "2048" -ca "1" -io "C:\tmp12\DB\Application Certificate
Files\Private Keys\ASA12 SAMM Vessel.pem" -ko "C:\tmp12\DB\Application
Certificate Files\Private Keys\ASA12 SAMM Vessel.key" -kp "changeit" -x -co
"C:\tmp12\DB\Application Certificate Files\Public Keys\ASA12 SAMM
Vessel.pub" -sc "US" -scn "WSD-2DNX4M3.mydomain.com" -sl "Norfolk"
-so "Vessel Ships" -sou "Engineering" -sst "VA" -u 3,4,5,6 -v "6"
SQL Anywhere X.509 Certificate Generator Version 17.0.10.6160
Warning: The certificate will not be compatible with older versions of the
software including version 12.0.1 prior to build 3994 and version 16.0 prior
to build 1691. Use the -3des switch if you require compatibility.
Generating key pair...
Certificate will be a self-signed root
Serial number [generate GUID]:
Generated serial number: 42455c10a27d441db3e3d09f39f35452


This creates an "ASA12 SAMM Vessel.pub" file that is then copied to the Tomcat
Application Server as "Client Configuration.pem".

Our next commands are all openssl or keytool:

openssl.exe genrsa -aes256 -passout pass:"changeit" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" 2048
1>nul 2>&1
openssl.exe req -new -key "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -subj
"/CN=WSD-2DNX4M3.mydomain.com/OU=USN/OU=PKI/OU=DoD/O=U.S.Government/C=US" -out
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -passin
pass:"changeit" 1>nul 2>&1

echo basicConstraints = CA:FALSE  1>"C:\tmp12\openssl\v3.ext"
echo keyUsage = digitalSignature, keyEncipherment  1>>"C:\tmp12\openssl\v3.ext"
ECHO [SAN]   1>>"C:\tmp12\openssl\v3.ext"
ECHO subjectAltName=DNS:WSD-2DNX4M3.mydomain.com  1>>"C:\tmp12\openssl\v3.ext"

openssl.exe x509 -req -extfile "C:\tmp12\openssl\v3.ext" -signkey
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -in
"C:\tmp12\Certificate\Keystore\WSD-2DNX4M3.mydomain.com.csr" -out
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -passin
pass:"changeit" -days "2190" -extensions SAN
Certificate request self-signature ok
subject=CN = WSD-2DNX4M3.mydomain.com, OU = USN, OU = PKI, OU = DoD, O =
U.S.Government, C = US

COPY "C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer"
"C:\tmp12\Certificates\CA\"   1>nul 2>&1

openssl.exe pkcs12 -export -in "C:\tmp12\Certificate\Public
Key\WSD-2DNX4M3.mydomain.com.cer" -inkey "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -name WSD-2DNX4M3.mydomain.com -CAfile
"C:\tmp12\Certificate\Public Key\WSD-2DNX4M3.mydomain.com.cer" -caname
WSD-2DNX4M3.mydomain.com -passin pass:"changeit" -passout pass:"changeit"

keytool.exe -importkeystore -deststorepass "changeit" -destkeypass
"changeit" -destkeystore "C:\tmp12\Certificate\Keystore\Vessel.jks"
-srckeystore "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12" -srcstoretype PKCS12 -srcstorepass
"changeit" -alias WSD-2DNX4M3.mydomain.com
Importing keystore C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.p12 to
C:\tmp12\Certificate\Keystore\Vessel.jks...
DEL /Q "C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.p12"

openssl.exe rsa -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -passin pass:"changeit"
openssl.exe rsa -aes256 -in "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.2" -out "C:\tmp12\Certificate\Private
Key\WSD-2DNX4M3.mydomain.com.key.3" -passin pass:"changeit" -passout
pass:"changeit"
openssl.exe pkcs8 -topk8 -v1 PBE-SHA1-3DES -in
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key.3" -out
"C:\tmp12\Certificate\Private Key\WSD-2DNX4M3.mydomain.com.key" -passin
pass:"changeit"
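Added check (editor's example, not code from the thread, from Tomcat or from SQL Anywhere): when a consumer reports that it does not recognize the PKCS#8 encryption algorithm, the first thing to establish is which password-based encryption scheme OID the "ENCRYPTED PRIVATE KEY" file actually carries. The script below decodes the EncryptedPrivateKeyInfo header of a PEM file and names the scheme; for PBES2 keys it also reports the KDF, PRF, iteration count and cipher. The two sample keys it builds are constructed in the script with placeholder ciphertext so it runs offline; their headers have the shape that `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` (the PKCS#12 PBE scheme used in the last command above) and `-v2 aes-256-cbc -v2prf hmacWithSHA256` (PBES2 with PBKDF2) produce. The OID table lists standard OIDs; the function and sample names are this example's own.

```python
"""Report the password-based encryption scheme of a PKCS#8 "ENCRYPTED PRIVATE KEY" PEM by
decoding its EncryptedPrivateKeyInfo header (no openssl needed):
  EncryptedPrivateKeyInfo ::= SEQUENCE { encryptionAlgorithm AlgorithmIdentifier, encryptedData OCTET STRING }
"""
import base64
import re

OID_NAMES = {  # dotted OID -> name, for the schemes `openssl pkcs8 -topk8 -v1/-v2` can emit (standard OIDs)
    "1.2.840.113549.1.12.1.3": "PBE-SHA1-3DES (PKCS#12 pbeWithSHAAnd3-KeyTripleDES-CBC)",
    "1.2.840.113549.1.5.3": "PBE-MD5-DES (PKCS#5 v1.5)",
    "1.2.840.113549.1.5.13": "PBES2 (PKCS#5 v2)",
    "1.2.840.113549.1.5.12": "PBKDF2",
    "1.2.840.113549.3.7": "des-ede3-cbc",
    "2.16.840.1.101.3.4.1.42": "aes-256-cbc",
    "1.2.840.113549.2.9": "hmacWithSHA256",
}
PBES2, PBKDF2 = "1.2.840.113549.1.5.13", "1.2.840.113549.1.5.12"

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(raw):
    """DER OID contents -> dotted string (first byte packs the first two arcs)."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, value = arcs + [value], 0
    return ".".join(map(str, arcs))

def _algorithm_identifier(seq_body):
    """Contents of an AlgorithmIdentifier SEQUENCE -> (dotted OID, raw parameters DER)."""
    tag, oid_raw, pos = _read_tlv(seq_body, 0)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OBJECT IDENTIFIER")
    return _decode_oid(oid_raw), seq_body[pos:]

def describe_pkcs8_encryption(pem_text):
    """Return a dict naming the PBE scheme and, for PBES2, the KDF, PRF, iterations and cipher."""
    m = re.search(r"-----BEGIN ENCRYPTED PRIVATE KEY-----(.*?)-----END ENCRYPTED PRIVATE KEY-----", pem_text, re.S)
    if not m:   # 'BEGIN RSA PRIVATE KEY' + 'Proc-Type: 4,ENCRYPTED' is the legacy format, not PKCS#8
        raise ValueError("no ENCRYPTED PRIVATE KEY block found")
    der = base64.b64decode("".join(m.group(1).split()))
    tag, epki, _ = _read_tlv(der, 0)
    alg_tag, alg_body, _ = _read_tlv(epki, 0)
    if tag != 0x30 or alg_tag != 0x30:
        raise ValueError("not an EncryptedPrivateKeyInfo SEQUENCE")
    oid, params = _algorithm_identifier(alg_body)
    info = {"scheme_oid": oid, "scheme": OID_NAMES.get(oid, "unknown")}
    if oid == PBES2:   # PBES2-params ::= SEQUENCE { keyDerivationFunc, encryptionScheme }
        _, pbes2, _ = _read_tlv(params, 0)
        _, kdf_body, pos = _read_tlv(pbes2, 0)
        _, enc_body, _ = _read_tlv(pbes2, pos)
        kdf_oid, kdf_params = _algorithm_identifier(kdf_body)
        enc_oid, _ = _algorithm_identifier(enc_body)
        info["kdf"], info["cipher"] = OID_NAMES.get(kdf_oid, kdf_oid), OID_NAMES.get(enc_oid, enc_oid)
        if kdf_oid == PBKDF2:   # PBKDF2-params ::= SEQUENCE { salt, iterationCount, keyLength OPT, prf DEFAULT hmacWithSHA1 }
            _, kdf_p, _ = _read_tlv(kdf_params, 0)
            _, _salt, pos = _read_tlv(kdf_p, 0)
            _, iters, pos = _read_tlv(kdf_p, pos)
            info["iterations"], info["prf"] = int.from_bytes(iters, "big"), "hmacWithSHA1 (default)"
            while pos < len(kdf_p):
                t, body, pos = _read_tlv(kdf_p, pos)
                if t == 0x30:              # an explicit prf AlgorithmIdentifier overrides the default
                    info["prf"] = OID_NAMES.get(_algorithm_identifier(body)[0], "unknown prf")
    return info

# --- Constructed sample keys: real DER headers around 16 placeholder ciphertext bytes (not usable keys) ---
def _tlv(tag, body):
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _oid(dotted):
    a = [int(x) for x in dotted.split(".")]
    body = bytearray([a[0] * 40 + a[1]])
    for v in a[2:]:                        # base-128, high bit set on all but the last byte
        chunk, v = [v & 0x7F], v >> 7
        while v:
            chunk, v = [0x80 | (v & 0x7F)] + chunk, v >> 7
        body += bytes(chunk)
    return _tlv(0x06, bytes(body))

def _pem(alg_identifier):
    """Wrap an AlgorithmIdentifier TLV in EncryptedPrivateKeyInfo and PEM-armor it."""
    b64 = base64.b64encode(_tlv(0x30, alg_identifier + _tlv(0x04, b"\x00" * 16))).decode()
    return "-----BEGIN ENCRYPTED PRIVATE KEY-----\n%s\n-----END ENCRYPTED PRIVATE KEY-----\n" % "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))

def sample_pbe_sha1_3des_pem():
    """Header shape of `openssl pkcs8 -topk8 -v1 PBE-SHA1-3DES` (PKCS#12 PBE, 2048 iterations)."""
    params = _tlv(0x30, _tlv(0x04, b"\x01" * 8) + _tlv(0x02, b"\x08\x00"))
    return _pem(_tlv(0x30, _oid("1.2.840.113549.1.12.1.3") + params))

def sample_pbes2_pem():
    """Header shape of `-v2 aes-256-cbc -v2prf hmacWithSHA256`: PBES2 / PBKDF2 / AES-256-CBC."""
    prf = _tlv(0x30, _oid("1.2.840.113549.2.9") + b"\x05\x00")
    kdf = _tlv(0x30, _oid(PBKDF2) + _tlv(0x30, _tlv(0x04, b"\x02" * 8) + _tlv(0x02, b"\x08\x00") + prf))
    enc = _tlv(0x30, _oid("2.16.840.1.101.3.4.1.42") + _tlv(0x04, b"\x03" * 16))
    return _pem(_tlv(0x30, _oid(PBES2) + _tlv(0x30, kdf + enc)))
```

On a real file, call `describe_pkcs8_encryption(open("key.pem").read())`; `openssl asn1parse -in key.pem -i` prints the same OIDs, so the two can be cross-checked. A key written with `-v1 PBE-SHA1-3DES` carries the PKCS#12 PBE OID 1.2.840.113549.1.12.1.3, while `-v2 aes-256-cbc -v2prf hmacWithSHA256` (OpenSSL's default since 1.1.0) produces PBES2 (1.2.840.113549.1.5.13) with PBKDF2. Which of these a given consumer accepts is the consumer's business; comparing the OID reported here against what it documents as supported is the quickest way to narrow down an "algorithm unrecognized" error.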

Re: [EXT]Re: how to define database resource in just context.xml or server.xml

2024-03-31 Thread Mark Thomas

On 29/03/2024 21:58, Christopher Schultz wrote:

Rick,

On 3/29/24 14:33, Rick Noel wrote:

Our application is really a suite of 5 applications.  And the
server.xml  I am talking about is on our dev machine, where we want
to run all 5 apps on the one web server.

The context.xml has global environment variables (like mail server
related vars) that all the dev applications use. All the different
dev applications also use the same database.

So that is why we define resources in the context.xml  file
It sounds like you really *do* want to define the JDBC/JNDI resource in 
server.xml and then link it to your applications.


I think the correct way to do that is by defining it in server.xml and 
then linking it through your applications' WEB-INF/web.xml files.


You should not have to touch CATALINA_BASE/conf/context.xml.


The only reason you might want to touch context.xml is if you want to 
provide the same resource link to all web applications rather than have 
to specify it in each web application.


Mark



-chris


-Original Message-
From: Christopher Schultz 
Sent: Friday, March 29, 2024 2:21 PM
To: Tomcat Users List ; Rick Noel 

Subject: Re: [EXT]Re: how to define database resource in just 
context.xml or server.xml


Rick,

On 3/29/24 11:56, Rick Noel wrote:

If have the resource defined in
CATALINA_BASE/conf/context.xml
And
CATALINA_BASE/conf/server.xml


You really shouldn't have anything custom in 
CATALINA_BASE/conf/context.xml. That will affect every application 
deployed on the server. Perhaps you only have a single application 
deployed, but things can get really confusing when you edit that file.

It also makes upgrades more difficult.

I would recommend taking your <Resource> from 
CATALINA_BASE/conf/context.xml and putting it into the proper place:
your application's META-INF/context.xml file. You will need to 
surround it with <Context> ... </Context> since that file defines the 
context.


If you have <Context> in your CATALINA_BASE/conf/server.xml file, you 
should remove it. If you want to disable auto-deploy, then you can 
always copy your application's META-INF/context.xml file into 
CATALINA_BASE/conf/[engine]/[host]/[contextpath].xml.


Finally, you should be able to delete your <Resource> from your 
CATALINA_BASE/conf/server.xml file entirely.


Do you have anything in your web.xml that is related? For example:

    <resource-ref>
      <res-ref-name>jdbc/foo</res-ref-name>
      <res-type>javax.sql.DataSource</res-type>
      <res-auth>Container</res-auth>
    </resource-ref>

I have one of those in my web.xml, but it's not clear to me whether or 
not I actually need it. I have *one* of them but my application uses 
two different JDBC resources. Both are declared in 
META-INF/context.xml and both are available to the application.


I think you need to use <resource-ref> in web.xml when you define 
"global naming resources" in server.xml. But if you put them into 
META-INF/context.xml it's obvious that (a) they aren't global and (b) 
the application expects them.


So I would remove any global naming resources you may have in 
server.xml and also remove anything you don't need in web.xml.


Doing all this will make upgrading Tomcat much easier.

-chris


-Original Message-
From: Christopher Schultz 
Sent: Friday, March 29, 2024 11:47 AM
To: users@tomcat.apache.org
Subject: [EXT]Re: how to define database resource in just context.xml
or server.xml

Rick,

On 3/29/24 09:48, Rick Noel wrote:

Can someone tell me why I need to have my database source defined in
both my context.xml and server.xml? I thought we are suppose to
define it in only one location?

It's definitely not a requirement to specify it in both places.


I can only log into my app if I have it defined in both my
context.xml and server.xml

Below  is my database resource   as defined in server.xml..

I have xxx out postgres URL for security reasons

     
type="javax.sql.DataSource"  driverClassName="org.postgresql.Driver"
 
url="jdbc:postgresql://xxx"
 username="postgres" 
password="postgres4now"
 maxTotal="30"  maxIdle="30" 
maxWaitMillis="-1"
 
removeAbandonedOnBorrow="true" removeAbandonedTimeout="90"
 testOnBorrow="true"  
validationQuery="select 1" validationQueryTimeout="3"
 testWhileIdle="true"  
timeBetweenEvictionRunsMillis="6"

 testOnReturn="true"
  />
Below is my database resource   as defined in context.xml

      type="javax.sql.DataSource"  
driverClassName="org.postgresql.Driver"

    url="jdbc:postgresql://xx
    username="postgres" password="postgres4now"
    maxTotal="30"  maxIdle="30" maxWaitMillis="-1"
    removeAbandonedOnBorrow="true"
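Added example (editor's illustration, not configuration posted by anyone in this thread): the layout Mark describes, one pool defined in server.xml and linked into each of the applications, with the resource-ref Chris mentions in web.xml. The resource name jdbc/AppDB, the host, database, user and password are placeholders; the pool attributes mirror the ones in the posted snippet.

```xml
<!-- CATALINA_BASE/conf/server.xml: add the pool inside the existing
     <GlobalNamingResources> element. Only this file holds the credentials. -->
<GlobalNamingResources>
  <Resource name="jdbc/AppDB" auth="Container" type="javax.sql.DataSource"
            driverClassName="org.postgresql.Driver"
            url="jdbc:postgresql://db.example.internal:5432/appdb"
            username="app_user" password="CHANGE_ME"
            maxTotal="30" maxIdle="30" maxWaitMillis="-1"
            removeAbandonedOnBorrow="true" removeAbandonedTimeout="90"
            testOnBorrow="true" validationQuery="select 1"
            validationQueryTimeout="3"/>
</GlobalNamingResources>

<!-- Each application's META-INF/context.xml: expose the global pool as
     java:comp/env/jdbc/AppDB for that application only. Nothing goes into
     CATALINA_BASE/conf/context.xml, which would apply to every deployed app. -->
<Context>
  <ResourceLink name="jdbc/AppDB" global="jdbc/AppDB"
                type="javax.sql.DataSource"/>
</Context>

<!-- The application's WEB-INF/web.xml: declares the dependency the app expects. -->
<resource-ref>
  <res-ref-name>jdbc/AppDB</res-ref-name>
  <res-type>javax.sql.DataSource</res-type>
  <res-auth>Container</res-auth>
</resource-ref>
```

If the applications should not share one pool, Chris's alternative applies instead: put the `<Resource>` element itself in each application's META-INF/context.xml and drop both the global resource and the ResourceLink. In either layout the file holding the database password should be readable only by the account Tomcat runs as and kept out of the application's source repository, and the pool should connect as a dedicated least-privilege database role rather than the `postgres` superuser shown in the posted snippet; credentials that have been pasted into a public list should be rotated.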