Re: Is SSL keystore with AJP connector possible?
Hi Ryan- in my case, it turned out that the SSL settings were configured in another part of the application - HP Service Center in this case. The server.xml file is still using the AJP connector. I know that doesn't help you much here though unless you're using the same app.
Re: Is SSL keystore with AJP connector possible?
mandg wrote:
> Thanks guys- that was all good info. So I gather now that I'll leave the AJP connector configuration alone and instead focus on getting the APR piece to work for SSL - I do in fact have the tcnative-1.dll file present in my /bin directory so I'm pretty confident now that my server is invoking the APR connector and not the JSSE. Thus, my keystore attributes I was originally using were not relevant. Here is my current connector config from the server.xml:
>
>   <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
>              SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
>              SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
>              clientAuth="false" SSLProtocol="TLSv1" />
>
> However, when I start up Tomcat (installed as a service), I see the 2 errors below in my tomcat6-stderr log file:
>
>   SEVERE: Failed to start connector [Connector[HTTP/1.1-8443]]
>   LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.lang.Exception: Socket bind failed: [730048] Only one usage of each socket address (protocol/network address/port) is normally permitted.
>
> I have verified that there's nothing else listening on 8443 using netstat and tcpview prior to starting Tomcat. Is it possible that the xml is trying to start up a duplicate instance on 8443?

Well, apart from the one you show above, do you have any other non-commented-out Connector sections in your server.xml file?
Re: Is SSL keystore with AJP connector possible?
Well, there is the AJP connector but I gather that shouldn't matter - here's the full server.xml:

  <?xml version='1.0' encoding='utf-8'?>
  <Server port="8005" shutdown="SHUTDOWN">
    <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
    <Listener className="org.apache.catalina.core.JasperListener" />
    <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
    <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
    <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
    <GlobalNamingResources>
      <Resource name="UserDatabase" auth="Container"
                type="org.apache.catalina.UserDatabase"
                description="User database that can be updated and saved"
                factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
                pathname="conf/tomcat-users.xml" />
    </GlobalNamingResources>
    <Service name="Catalina">
      <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="2" redirectPort="8443" />
      <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
                 SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
                 SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
                 clientAuth="false" SSLProtocol="TLSv1" />
      <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
      <Engine name="Catalina" defaultHost="localhost">
        <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase" />
        <Host name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="true"
              xmlValidation="false" xmlNamespaceAware="false">
        </Host>
      </Engine>
    </Service>
  </Server>
Re: Is SSL keystore with AJP connector possible?
mandg wrote:
> Well, there is the AJP connector but I gather that shouldn't matter - here's the full server.xml:
> [...]

You are right, it does not /look/ like you have two Tomcat Connectors trying to listen on the same port 8443. The error message is quite explicit about the error however, and it usually does not lie. So something does not fit. My guess at this point is that you /do/ have something else which opens port 8443, and you just overlooked it. I can't prove that though, since you are on your machine and I am not.
Re: Is SSL keystore with AJP connector possible?
On 19/01/2012 05:29, mandg wrote:
> handler start failed: java.lang.Exception: Socket bind failed: [730048] Only one usage of each socket address (protocol/network address/port) is normally permitted.

Is there an existing version of the application already running? Does the application bind to a socket too?

p
Re: Is SSL keystore with AJP connector possible?
If you are running Windows, have you tried to connect to IIS via HTTPS and then via AJP to Tomcat? I find that this is a much easier solution than trying to configure HTTPS on Tomcat or Apache httpd.
Re: Is SSL keystore with AJP connector possible?
Good questions about the application - I really don't know so I've passed this on to the consultants doing the install. I think there is something related to the application because when I specified https port 8444 in place of 8443 within the connector I got the same error message on startup. Thanks and I'll keep this updated as I learn more.
Is SSL keystore with AJP connector possible?
I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been asked to set up SSL. Looking at the server.xml file, I see that the AJP/1.3 connector is configured and not APR. Like the good newbie that I am with Tomcat, I followed the Tomcat instructions for configuring SSL. However, the docs seemed to step me through the steps for an APR-type connector, not AJP, since I had specified a keystore and passphrase. When I reviewed the AJP connector documentation, I didn't find any attributes to specify for the keystore and passphrase. So my question is, can I use a keystore for the AJP type of connector? And if so, are there any good tutorials out there that can walk me through it? If not, can I simply edit out the AJP connector in my server.xml file and edit in the APR connector? Or will that somehow break the site/application that's running on Tomcat?
Re: Is SSL keystore with AJP connector possible?
On Thu, Jan 19, 2012 at 10:09 AM, mandg gsca...@federatedinv.com wrote:
> I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been asked to set up SSL. Looking at the server.xml file, I see that the AJP/1.3 connector is configured and not APR.
> [...]
> So my question is, can I use a keystore for the AJP type of connector? And if so, are there any good tutorials out there that can walk me through it? If not, can I simply edit out the AJP connector in my server.xml file and edit in the APR connector? Or will that somehow break the site/application that's running on Tomcat?

Maybe this will help: http://www.mulesoft.com/tomcat-ssl

Read PART II - Configuring Tomcat to use SSL. Basically it says:

"Notice that if you are using APR, the SSLCertificateFile and SSLCertificateKey-type attributes are used in place of the keystoreFile attribute. For more information on the differences between using APR in place of JSSE, consult Apache's Tomcat APR Documentation: http://tomcat.apache.org/tomcat-6.0-doc/apr.html"

Igor
RE: Is SSL keystore with AJP connector possible?
From: mandg [mailto:gsca...@federatedinv.com]
Subject: Is SSL keystore with AJP connector possible?

> I see that the AJP/1.3 connector is configured and not APR.

APR will be used automatically for HTTP Connectors if the tcnative-1.dll file is found in Tomcat's bin directory and the APR listener is present in server.xml (which it is by default).

> I followed the Tomcat instructions for configuring SSL.

There are two sets of instructions for configuring SSL; one for APR, another for the pure Java ones. The two configurations are completely different.

> can I use a keystore for the AJP type of connector?

SSL cannot be configured for AJP, since the expectation is that anything talking to Tomcat via AJP is doing so over a private, secure network. If you are using a front end (e.g., httpd, IIS) communicating via AJP with Tomcat, the SSL termination point would normally be in the front end, not within Tomcat.

Read the Connector documentation first, then the SSL doc.
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

- Chuck
Re: Is SSL keystore with AJP connector possible?
On 19.01.2012 00:09, mandg wrote:
> I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been asked to set up SSL. Looking at the server.xml file, I see that the AJP/1.3 connector is configured and not APR.
> [...]
> So my question is, can I use a keystore for the AJP type of connector? And if so, are there any good tutorials out there that can walk me through it? If not, can I simply edit out the AJP connector in my server.xml file and edit in the APR connector? Or will that somehow break the site/application that's running on Tomcat?

Note that AJP is a protocol and APR is an implementation type. Tomcat supports HTTP, HTTPS and AJP as protocols, and BIO, NIO and APR as the implementation. Tomcat 7 supports all combinations, Tomcat 6 all combinations except for AJP/NIO.

AJP is an unencrypted protocol. So configuring SSL, keystore etc. for an AJP connector does not make sense. This is true for any AJP implementation, be it BIO, NIO or APR.

HTH!

Rainer
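The three points made in this thread (Chuck: APR vs. JSSE attribute sets depend on whether tcnative is loaded; Rainer: SSL attributes on an AJP connector are meaningless; Andre: two connectors on one port cannot both bind) can all be checked mechanically from server.xml. The script below is an added example written for this page, not a tool that ships with Tomcat. It parses a constructed server.xml, embedded inline, that deliberately contains those mistakes. The attribute names come from the Tomcat 6 HTTP connector and APR documentation; `tcnative_present` is an assumption the caller supplies, since the script cannot see Tomcat's bin directory, and the finding codes (`DUP_PORT`, `SSL_ON_AJP`, ...) are names invented for this example.

```python
"""Lint a Tomcat 6 server.xml for the connector mistakes discussed above.

Added example, not part of Tomcat. Findings are (code, port, message).
"""
import xml.etree.ElementTree as ET

# JSSE-style (pure Java) SSL attributes vs. APR-style ones, per Tomcat 6 docs.
JSSE_SSL_ATTRS = {"keystoreFile", "keystorePass", "keystoreType",
                  "truststoreFile", "truststorePass", "sslProtocol"}
APR_SSL_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile",
                 "SSLCertificateChainFile", "SSLCACertificateFile",
                 "SSLPassword", "SSLProtocol"}
ANY_SSL_ATTRS = JSSE_SSL_ATTRS | APR_SSL_ATTRS | {"SSLEnabled", "clientAuth"}


def apr_ssl_engine_on(root):
    """True when an AprLifecycleListener with SSLEngine="on" is configured."""
    for listener in root.iter("Listener"):
        if (listener.get("className", "").endswith("AprLifecycleListener")
                and listener.get("SSLEngine", "").lower() == "on"):
            return True
    return False


def lint_server_xml(xml_text, tcnative_present=True):
    """Return a list of (code, port, message) findings for the given server.xml.

    tcnative_present is an assumption passed in by the caller: APR is only
    used when tcnative is actually in Tomcat's bin directory, which a
    config-file linter cannot observe.
    """
    root = ET.fromstring(xml_text)
    apr_active = tcnative_present and apr_ssl_engine_on(root)
    findings = []
    ports_seen = {}  # port -> protocol of the first connector using it

    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        proto = conn.get("protocol", "HTTP/1.1")
        attrs = set(conn.keys())

        # 1. Two connectors on one port: the second bind fails at startup
        #    ("Only one usage of each socket address ... is normally permitted").
        if port in ports_seen:
            findings.append(("DUP_PORT", port,
                             "port already used by a %s connector" % ports_seen[port]))
        else:
            ports_seen[port] = proto

        if proto.startswith("AJP"):
            # 2. AJP is cleartext; TLS/keystore attributes here do nothing.
            ssl_on_ajp = sorted(attrs & ANY_SSL_ATTRS)
            if ssl_on_ajp:
                findings.append(("SSL_ON_AJP", port,
                                 "AJP cannot do TLS; ignored: " + ", ".join(ssl_on_ajp)))
            # AJP without address= listens on every interface; the thread's
            # advice is that AJP belongs on a private network only.
            if "address" not in attrs:
                findings.append(("AJP_ALL_IFACES", port,
                                 "AJP connector has no address= attribute"))
            continue

        if conn.get("SSLEnabled", "false").lower() != "true":
            continue

        # 3. The SSL attribute family must match the implementation that will run.
        jsse, apr = attrs & JSSE_SSL_ATTRS, attrs & APR_SSL_ATTRS
        if apr_active and not apr:
            findings.append(("APR_NEEDS_CERT_FILES", port,
                             "APR is active; keystore attributes are ignored: "
                             + ", ".join(sorted(jsse))))
        elif not apr_active and not jsse:
            findings.append(("JSSE_NEEDS_KEYSTORE", port,
                             "JSSE is active; APR attributes are ignored: "
                             + ", ".join(sorted(apr))))
    return findings


# Constructed sample: the shape of the thread's server.xml plus two
# deliberate mistakes (a second connector on 8443, keystore attributes on AJP).
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="conf/example.crt"
               SSLCertificateKeyFile="conf/example.pem" SSLProtocol="TLSv1" />
    <Connector port="8443" SSLEnabled="true" keystoreFile="conf/.keystore"
               keystorePass="changeit" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"
               keystoreFile="conf/.keystore" keystorePass="changeit" />
  </Service>
</Server>
"""

if __name__ == "__main__":
    for code, port, msg in lint_server_xml(SAMPLE_SERVER_XML):
        print("%-22s port %-5s %s" % (code, port, msg))
```

Run it twice, once with `tcnative_present=True` and once with `False`, and the first 8443 connector flips between clean and `JSSE_NEEDS_KEYSTORE`: that is exactly the situation the original poster was in, where the keystore attributes silently stopped mattering once tcnative-1.dll was in bin.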
Re: Is SSL keystore with AJP connector possible?
Thanks guys- that was all good info. So I gather now that I'll leave the AJP connector configuration alone and instead focus on getting the APR piece to work for SSL - I do in fact have the tcnative-1.dll file present in my /bin directory so I'm pretty confident now that my server is invoking the APR connector and not the JSSE. Thus, my keystore attributes I was originally using were not relevant. Here is my current connector config from the server.xml:

  <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
             SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
             SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
             clientAuth="false" SSLProtocol="TLSv1" />

However, when I start up Tomcat (installed as a service), I see the 2 errors below in my tomcat6-stderr log file:

  SEVERE: Failed to start connector [Connector[HTTP/1.1-8443]]
  LifecycleException: service.getName(): Catalina; Protocol handler start failed: java.lang.Exception: Socket bind failed: [730048] Only one usage of each socket address (protocol/network address/port) is normally permitted.

I have verified that there's nothing else listening on 8443 using netstat and tcpview prior to starting Tomcat. Is it possible that the xml is trying to start up a duplicate instance on 8443? Thanks again for your time.