Re: SSL setup - Apache Tomcat service won't start

2016-09-27 Thread Christopher Schultz

Khisanth,

On 9/26/16 7:45 AM, TJ wrote:
> I have Apache Tomcat/9.0.0.M10 on Windows 10 64bit and want to
> setup SSL.  Am following 
> https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html  and gone 
> through the steps of creating the keystore with a single self
> signed cert using:
> 
> "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
> 
> That's fine, and I confirmed the certificate is in there.
> 
> Next I alter the server.xml file as follows and go to restart the
> Tomcat service:
> 
> 
> 
>  protocol="org.apache.coyote.http11.Http11NioProtocol" 
> maxThreads="150" SSLEnabled="true" 
> keystoreFile="c:\users\khisanth\.keystore" keystorePass="changeit"
> />   certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" /> 
>  
> 
> Problem is the service will not restart. If I remove the added
> comments it will restart fine. I am logged in as administrator.

What do the logs say?

%CATALINA_BASE%\logs\catalina.log

or, if running as a Windows Service:

%CATALINA_BASE%\logs\stdout-*.log

While debugging startup errors, it's usually helpful to run Tomcat
interactively from the command prompt, like this:

C:\> %CATALINA_HOME%\bin\startup.bat

Then you get the stdout log right there in the terminal, including any
errors with the connector configurations.

> The apache server status page does mention HTTPS.

Apache httpd or Apache Tomcat?

- -chris


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: SSL setup for tomcat 7.0.10 using a CA cert

2011-05-08 Thread chip chipper

Chuck

The tomcat keystore was the wrong file.  Thanks for the hint.  I had a 
tomcat.keystore and a keystore.tomcat.
Better naming would have avoided the embarrassment of using a user-group.

Thanks for the assistance and your time

Chip

> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Sun, 8 May 2011 10:08:23 -0500
> Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert
> 
> > From: chip chipper [mailto:chipper7...@hotmail.com] 
> > Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert
> 
> > May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule 
> > begin
> > WARNING:
> >  [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> > 'maxSpareThreads' to '75' did not find a matching property.
> 
> Read the Tomcat 7 doc - there is no maxSpareThreads attribute for a 
> .
> 
> > May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule 
> > begin
> > WARNING:
> >  [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
> > 'liveDeploy' to 'false' did not find a matching property.
> 
> Ditto for liveDeploy on a .
> 
> > May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule 
> > begin
> > WARNING:
> >  [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
> > property 'debug' to '1' did not find a matching property.
> 
> Ditto for debug on a .
> 
> Looks like you have grabbed an ancient server.xml and tried to use it with 
> Tomcat 7 - you simply can't do that.  Read the Tomcat 7 configuration guide 
> and set what you need properly.
> 
> > May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> > SEVERE: Failed to initialize end point associated with ProtocolHandler 
> > ["http-bio-8443"]
> > java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> 
> > My understanding of this is that there is an ASN.1 encoding error.
> > The length is bigger than expected.
> 
> Can you examine the certificates using keytool and see what it thinks of them?
> 
> > keytool ... -keystore mykeystore
> >
> > openssl ... -out keystore.tomcat
> >
> > keytool ... -keystore tomcat.keystore
> 
> I count three different keystore names here; which are we to believe?
> 
> >  >port="8443" maxThreads="200"
> >scheme="https" secure="true" SSLEnabled="true"
> >keystoreFile="C:/cert/my.keystore" keystorePass="changeit"
> >clientAuth="false" sslProtocol="TLS"/>
> 
> And a fourth keystore name here.
> 
> Also, what you have above does not correspond with the maxSpareThreads error 
> message displayed in the log.  Either you're confusing everyone by reporting 
> one set of log entries along with an unrelated config, or you're not running 
> the config you think you are.  It would be useful if you posted your entire 
> server.xml file, with comments removed.
> 
> >  >   SSLEngine="off" />
> 
> You can't run APR with JSSE handling the SSL negotiation, so turning 
> SSLEngine off is not useful.  Besides, you don't appear to have the 
> tcnative-1.dll installed, and you've forced use of the BIO connector, so 
> changing the AprLifeCycleListener is ineffective.
> 
>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
> MATERIAL and is thus for use only by the intended recipient. If you received 
> this in error, please contact the sender and delete the e-mail and its 
> attachments from all computers.
> 
> 

RE: SSL setup for tomcat 7.0.10 using a CA cert

2011-05-08 Thread Caldarale, Charles R
> From: chip chipper [mailto:chipper7...@hotmail.com] 
> Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert

> May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING:
>  [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'maxSpareThreads' to '75' did not find a matching property.

Read the Tomcat 7 doc - there is no maxSpareThreads attribute for a .

> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING:
>  [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
> 'liveDeploy' to 'false' did not find a matching property.

Ditto for liveDeploy on a .

> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING:
>  [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
> property 'debug' to '1' did not find a matching property.

Ditto for debug on a .

Looks like you have grabbed an ancient server.xml and tried to use it with 
Tomcat 7 - you simply can't do that.  Read the Tomcat 7 configuration guide and 
set what you need properly.

> May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> SEVERE: Failed to initialize end point associated with ProtocolHandler 
> ["http-bio-8443"]
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

> My understanding of this is that there is an ASN.1 encoding error.
> The length is bigger than expected.

Can you examine the certificates using keytool and see what it thinks of them?

> keytool ... -keystore mykeystore
>
> openssl ... -out keystore.tomcat
>
> keytool ... -keystore tomcat.keystore

I count three different keystore names here; which are we to believe?

> port="8443" maxThreads="200"
>scheme="https" secure="true" SSLEnabled="true"
>keystoreFile="C:/cert/my.keystore" keystorePass="changeit"
>clientAuth="false" sslProtocol="TLS"/>

And a fourth keystore name here.

Also, what you have above does not correspond with the maxSpareThreads error 
message displayed in the log.  Either you're confusing everyone by reporting 
one set of log entries along with an unrelated config, or you're not running 
the config you think you are.  It would be useful if you posted your entire 
server.xml file, with comments removed.

>SSLEngine="off" />

You can't run APR with JSSE handling the SSL negotiation, so turning SSLEngine 
off is not useful.  Besides, you don't appear to have the tcnative-1.dll 
installed, and you've forced use of the BIO connector, so changing the 
AprLifeCycleListener is ineffective.

 - Chuck




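The lengthTag=109 in the quoted log is worth decoding: the stack trace shows PKCS12KeyStore.engineLoad, and a JKS file starts with the magic number 0xFEEDFEED, so a PKCS12 loader reading tag 0xFE followed by length byte 0xED computes 0xED & 0x7F = 109 and rejects the file before it ever checks the tag. As an added diagnostic (not code from the thread or from Tomcat), the Python script below classifies a keystore file by its leading bytes and replays that JDK length check; the sample files are constructed inline.

```python
"""Identify what a Tomcat keystoreFile actually is from its first bytes, and
replay the DER length check behind "DerInputStream.getLength(): lengthTag=109,
too big."

Added diagnostic, not code from the thread or from Tomcat. The JKS/JCEKS
magic numbers and the DER length rules are standard; samples are constructed.
"""
import sys

JKS_MAGIC = b"\xfe\xed\xfe\xed"    # SUN JKS keystore magic number
JCEKS_MAGIC = b"\xce\xce\xce\xce"  # SunJCE JCEKS keystore magic number
DER_SEQUENCE = 0x30                # outer SEQUENCE tag of a PKCS#12 PFX
PEM_HEADER = b"-----BEGIN"         # text-armoured PEM, not a keystore at all


def der_length(data: bytes, offset: int = 1):
    """Return (length, offset_after_length) for the DER length starting at
    ``offset`` (1 skips the tag byte), following the rules of the JDK's
    DerInputStream.getLength(): short form (< 0x80) is the length itself,
    0x80 is indefinite length (-1), and a long form announcing more than
    four length octets is rejected with the JDK's exact message."""
    first = data[offset]
    if first & 0x80 == 0:
        return first, offset + 1
    count = first & 0x7F
    if count == 0:
        return -1, offset + 1
    if count > 4:
        raise IOError(f"DerInputStream.getLength(): lengthTag={count}, too big.")
    length = int.from_bytes(data[offset + 1:offset + 1 + count], "big")
    return length, offset + 1 + count


def pkcs12_load_error(data: bytes):
    """Replay the first step of the PKCS12 loader named in the stack trace:
    DerValue reads a tag byte and a length *before* it checks that the tag
    is a SEQUENCE. Returns the message that step would raise, or None when
    the outer header is a plausible PKCS#12 PFX."""
    if len(data) < 2:
        return "keystore is empty or truncated"
    try:
        length, body_start = der_length(data, 1)
    except IOError as exc:
        return str(exc)
    if data[0] != DER_SEQUENCE:
        return f"outer tag 0x{data[0]:02x} is not a SEQUENCE (0x30)"
    if length >= 0 and len(data) - body_start < length:
        return f"SEQUENCE claims {length} bytes but only {len(data) - body_start} follow"
    return None


def sniff_keystore(data: bytes) -> str:
    """Classify a keystore file by its leading bytes."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"
    if data[:1] == bytes([DER_SEQUENCE]) and pkcs12_load_error(data) is None:
        return "DER"  # PKCS#12 PFX or a bare DER certificate; keytool -list -storetype PKCS12 tells which
    return "unknown"


def diagnose(data: bytes) -> str:
    """One-line verdict: what the file is, and what the PKCS12 loader would say about it."""
    err = pkcs12_load_error(data)
    return f"format={sniff_keystore(data)}; as PKCS12 the JDK would say: {err or 'header OK'}"


# Constructed samples: a JKS header (magic, version 2, zero entries), a PEM
# certificate stub, and a DER SEQUENCE announcing 256 bytes of body.
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n"
SAMPLE_DER = b"\x30\x82\x01\x00" + b"\x00" * 256

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:          # real files: only the header is needed
            with open(path, "rb") as fh:
                print(path, "->", diagnose(fh.read(600)))
    else:
        for name, blob in (("jks", SAMPLE_JKS), ("pem", SAMPLE_PEM), ("der", SAMPLE_DER)):
            print(name, "->", diagnose(blob))
```

Run it against every candidate keystore path in server.xml; a file reported as JKS while the connector says keystoreType="PKCS12" (or the reverse) reproduces exactly the error in the thread.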



RE: SSL setup for tomcat 7.0.10 using a CA cert

2011-05-08 Thread Caldarale, Charles R
> From: Martin Gainty [mailto:mgai...@hotmail.com] 
> Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert

> take all the 32bit folders off the PATH
> best to SET CLASSPATH=

> download the 64bit windoze version of Tomcat7 from
> http://tomcat.apache.org/download-70.cgi

All of the above is completely irrelevant, as usual.

 - Chuck







RE: SSL setup for tomcat 7.0.10 using a CA cert

2011-05-08 Thread Martin Gainty

Chip-
take all the 32bit folders off the PATH
best to SET CLASSPATH=

download the 64bit windoze version of Tomcat7 from
http://tomcat.apache.org/download-70.cgi

reconfigure and let us know if there are any further issues

Martin Gainty 
__ 
Disclaimer and confidentiality note

This message is confidential. If you are not the intended recipient, we kindly ask you to notify us. Any unauthorised forwarding or copying is not permitted. This message serves only for the exchange of information and has no legally binding effect. Because e-mails can easily be manipulated, we cannot accept any liability for their content.

This message is confidential and may be privileged. If you are not the intended recipient, we kindly ask you to inform the sender. Any unauthorised distribution or copying of it is prohibited. This message is for information only and will not have any legally binding effect. Since e-mails can easily be subject to manipulation, we cannot accept any responsibility for the content provided.




> From: chipper7...@hotmail.com
> To: users@tomcat.apache.org
> Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert
> Date: Sun, 8 May 2011 08:09:12 -0400
> 
> 
> 
> I have been trying to install a certificate on a Tomcat 7.0.10 on a Windows 
> 64 bit 2008 server and getting this error.
> 
> Error Message
> DerInputStream.getLength(): lengthTag=109, too big.
> 
> 2011-05-07 21:19:08 Commons Daemon procrun stderr initialized
> May 7, 2011 9:19:09 PM org.apache.catalina.core.AprLifecycleListener init
> INFO:
>  The APR based Apache Tomcat Native library which allows optimal 
> performance in production environments was not found on the 
> java.library.path: D:\Tomcat 7.0\bin;.;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;D:\apache-ant-1.8.2\bin\;C:\Program Files\Java\jdk1.6.0_25\bin\;C:\OpenSSL-Win32\bin\
> May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING:
>  [SetAllPropertiesRule]{Server/Service/Connector} Setting property 
> 'maxSpareThreads' to '75' did not find a matching property.
> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING:
>  [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 
> 'liveDeploy' to 'false' did not find a matching property.
> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING:
>  [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting 
> property 'debug' to '1' did not find a matching property.
> May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> SEVERE: Failed to initialize end point associated with ProtocolHandler 
> ["http-bio-8443"]
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
> at sun.security.util.DerInputStream.getLength(Unknown Source)
> at sun.security.util.DerValue.init(Unknown Source)
> at sun.security.util.DerValue.(Unknown Source)
> at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(Unknown 
> Source)
> at java.security.KeyStore.load(Unknown Source)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:409)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:308)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:561)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:507)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:451)
> at 
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:159)
> at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:365)
> at 
> org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
> at 
> org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
> at 
> org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> at 
> org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
> at 
> org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
> at 
> org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
> at org.apache.catalina.util.Life

Re: ssl setup in tomcat

2010-10-20 Thread Pid
On 20/10/2010 12:44, Hemanth Gundlapudi wrote:
> Hi ,
>  
> I am planning to setup secure connection in our environment which consist of 
> apache webserver, tomcat ( two instances running on the same machine) which 
> talks to a third party application maintained by third party vendor.

What are your exact HTTPD, Tomcat versions?

How are you planning to configure the connection between HTTPD and Tomcat?

> I have ssl.crt and ssl.key files in apache, in tomcat i have ca trust store 
> and jks file.
>
> Please let me what Tomcat certificates should be shared to apache and what 
> needs to be shared with third party application. If it is public key pls let 
> me know the keytool command to pull the public key.

Your question is unclear, can you please rephrase it?


p

> thanks in advance
>  
> Hemanth
> 
> 





Re: SSL setup question

2008-11-20 Thread Filip Hanik - Dev Lists

the infinite loop is fixed in 6.0.18,
the system will still not start, since the JVM you're running with 
doesn't support the type of cipher that your keystore is trying to use


search http://tomcat.markmail.org for the same error, it's been answered 
before


Filip

Neil B. Cohen wrote:

I'm having a problem setting up SSL with Tomcat. The situation is this:

I have a system running IBM's Netcool/Portal software. We added SSL to 
the Portal a while back. I created a certificate for the machine.
However, Netcool/Portal does not create a keystore file - you simply 
copy the certificate as a text file into a specific directory and it 
works from there. Netcool/Portal has its own version of the JDK.


Now, on the same machine, I have installed a current JDK (v1.6) and my 
own installation of Tomcat (v6.0.16). Runs just fine on port 8080.
I want to add SSL capability to the Tomcat setup so I can talk to it 
using https. I created a keystore file using the certificate we 
generated for Netcool, as follows:


keytool -importcert -v -trustcacerts -alias tomcat -keystore 
/keystore.kdb -file 
/opt/netcool/portal//server.crt


Then,

keytool -list -keystore ./keystore.kdb
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 20, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 
11:87:A8:7C:BB:55:AC:68:46:34:4F:45:7D:62:9C:AF


So I have a keystore. I set up the tomcat server.xml file:



And when I start Tomcat, I get an infinite loop in the log file that 
looks like:

Nov 20, 2008 1:40:17 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 20, 2008 1:40:17 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-7443
Nov 20, 2008 1:40:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 886 ms
Nov 20, 2008 1:40:17 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 20, 2008 1:40:17 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.16
Nov 20, 2008 1:40:18 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Initializing Sun's JavaServer Faces implementation (1.2_04-b20-p03) for context '/NCAdmin'
Nov 20, 2008 1:40:20 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "listeners.ContextListener" is already configured for this context. The duplicate definition has been ignored.
Nov 20, 2008 1:40:20 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener "listeners.SessionListener" is already configured for this context. The duplicate definition has been ignored.
Nov 20, 2008 1:40:20 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 20, 2008 1:40:20 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-7443
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:619)
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:619)
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:619)
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed

I'm not an SSL expert, so I'm not sure where to look. Am I missing an 
intermediate certificate somewhere? Or have I
configured the keystore incorrectly? I'd appreciate any pointers or 
suggestions for

getting this running.

Thanks very much,

nbc

NAME:   Neil B. Cohen (Verisign Inc.)
PHONE:  703-948-4471
DOMAIN: [EMAIL PROTECTED]

Re: SSL setup help

2008-11-06 Thread Bill Barker
The entry 
keystoreFile="${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore" is 
almost certainly wrong.  For this to work, you would have to start Tomcat 
with the weird 
entry -D/usr/local/jre1.6.0_06/bin/keystore.key=/path/to/my/keystore/keys.
Tomcat does variable substitution when parsing the various config xml files 
based on System properties when it sees something like ${variable}. (This is 
a Tomcat-specific feature, so you can't count on porting it to another 
container).

"Michael A. Tucker" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
>
> I'm trying to setup SSL on a web app that I have running on a server.  I
> created my keystore.key file and then uncommented this section in my
> server.xml file:
>
>> Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>>maxThreads="150" scheme="https" secure="true"
>> 
>> keystoreFile="${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore" 
>> keystorePass="changeit"
>>clientAuth="false" sslProtocol="TLS"
>
> Now when I go to https://localhost:8443/ I get "failed to connect" page
> load error.  I think I'm not doing something wrong in the server.xml
> file, but I'm not sure what.  I already have another program running on
> 443 so could that interfere?  I also don't know what APR means in the
> SSL doc.




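The ${variable} mechanism described above, as an added example (not Tomcat's own code): a small emulation of the system-property substitution Tomcat applies to server.xml attribute values, used to lint the keystoreFile value from the thread. It assumes, as the reply implies, that a ${name} with no matching -Dname=value stays as literal text.

```python
"""Emulate Tomcat's ${name} substitution in server.xml attribute values and
flag keystoreFile values that can never resolve to a real file.

Added example, not Tomcat's own code. Assumption: a ${name} whose property
is undefined is left as the literal ${name} text, which is what makes the
thread's value unusable without the odd -D setting the reply mentions.
"""
import re

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def replace_properties(value: str, system_properties: dict) -> str:
    """Expand every ${name} in ``value`` from ``system_properties``;
    names that are not defined stay as literal ${name} text."""
    def lookup(match):
        return system_properties.get(match.group(1), match.group(0))
    return PLACEHOLDER.sub(lookup, value)


def unresolved_names(value: str, system_properties: dict) -> list:
    """Names referenced by ${...} that no -D property supplies."""
    return [n for n in PLACEHOLDER.findall(value) if n not in system_properties]


def lint_keystore_file(value: str, system_properties: dict) -> list:
    """Human-readable findings for a keystoreFile attribute value."""
    findings = []
    for name in unresolved_names(value, system_properties):
        findings.append(f"${{{name}}} is not defined; Tomcat keeps it literally, so the "
                        f"path becomes {replace_properties(value, system_properties)!r}")
    for name in PLACEHOLDER.findall(value):
        if "/" in name or "\\" in name:
            findings.append(f"${{{name}}} names a property, not a file; a path inside "
                            "${...} is almost certainly a mistake")
    return findings


# The attribute value from the thread, and the usual form that ${...} is meant for.
THREAD_VALUE = "${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore"
SANE_VALUE = "${catalina.base}/conf/keystore.key"

if __name__ == "__main__":
    # With no -D at all the thread's value stays literal and can never be opened.
    print(lint_keystore_file(THREAD_VALUE, {}))
    # The "weird" -D from the reply does make it resolve, to a path nobody intended.
    odd = {"/usr/local/jre1.6.0_06/bin/keystore.key": "/path/to/my/keystore/keys"}
    print(replace_properties(THREAD_VALUE, odd))
    # catalina.base is set by the Tomcat startup scripts; this is the normal usage.
    print(replace_properties(SANE_VALUE, {"catalina.base": "/opt/tomcat"}))
```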



Re: SSL setup help

2008-11-05 Thread Serge Fonville
Hi,
To configure tomcat using SSL on Windows I use:
multi-host tomcat ssl on windows
download and install java 1.5 jdk
set JAVA_HOME to the root of the JDK directory
add JAVA_HOME\bin to the path
install Visual C++ 2008 redistributable
download and install openssl
http://www.openssl.org --> related --> binaries (at the top)
place the files in c:\program files\openssl
set OPENSSL_HOME to c:\program files\openssl
add OPENSSL_HOME\bin to the path
search for an openssl.cnf on google
download and install tomcat
download tomcat and extract to c:\program files\apache software
foundation\tomcat
set CATALINA_HOME to c:\program files\apache software foundation\tomcat
download tomcat native and extract to CATALINA_HOME\bin
add CATALINA_HOME\bin to the path
set CLASSPATH to
.;%CATALINA_HOME%\lib\servlet-api.jar;%CATALINA_HOME%\lib\jsp-api.jar
cd %CATALINA_HOME%\conf
mkdir ssl
cd ssl
openssl genrsa -aes256 -out key.pem 8192
Enter pass phrase for key.pem: proactix
openssl req -new -key key.pem -sha1 -x509 -out cert.pem



The same should be similar on Linux

Regards,

Serge Fonville

On Wed, Nov 5, 2008 at 4:29 PM, Michael A. Tucker <
[EMAIL PROTECTED]> wrote:

>
> I'm trying to setup SSL on a web app that I have running on a server.  I
> created my keystore.key file and then uncommented this section in my
> server.xml file:
>
> > Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >maxThreads="150" scheme="https" secure="true"
> >
>  keystoreFile="${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore"
> keystorePass="changeit"
> >clientAuth="false" sslProtocol="TLS"
>
> Now when I go to https://localhost:8443/ I get "failed to connect" page
> load error.  I think I'm not doing something wrong in the server.xml
> file, but I'm not sure what.  I already have another program running on
> 443 so could that interfere?  I also don't know what APR means in the
> SSL doc.


RE: SSL Setup From Site

2006-12-13 Thread Caldarale, Charles R
> From: Jim Reynolds [mailto:[EMAIL PROTECTED] 
> Subject: Re: SSL Setup From Site
> 
> I don't really care, but could I put in some bogus 
> certificate for development, or just let it go.

Yes, just create a self-signed certificate.  The instructions for doing
so with the non-APR connector are partway down in this section of the
doc:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Prepare%20the%20Certificate%20Keystore

Look at the paragraph that starts with "To create a new keystore from
scratch".

 - Chuck





Re: SSL Setup From Site

2006-12-13 Thread Jim Reynolds

Charles,
got it. I [x] checked the native on the install, then installed
Tomcat. After that I removed the tcnative-1.dll and restarted tomcat.
I added my info to the server.xml and restarted. Yippie!

So now I have SSL running on tomcat 5.5.20.

Anyway, this brings up one last question. When it comes up now, it
says this is not a valid certificate. I would assume this is because
all I did was created a keystore and password. I did not create nor
issue a certificate. I don't really care, but could I put in some
bogus certificate for development, or just let it go.

Thanks for all help,


On 12/13/06, Hassan Schroeder <[EMAIL PROTECTED]> wrote:

On 12/13/06, Jim Reynolds <[EMAIL PROTECTED]> wrote:
> I am running version 5.5.17 and I am not seeing anything in the logs
> regarding APR.

You might want to grep for 'Starting ' because a Tomcat install with
out-of-the-box logging will show something like this at startup:

Dec 13, 2006 11:46:36 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Dec 13, 2006 11:46:36 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443

And if a Connector failed to start, you should see *something* logged :-)

--
Hassan Schroeder  [EMAIL PROTECTED]




Re: SSL Setup From Site

2006-12-13 Thread Hassan Schroeder

On 12/13/06, Jim Reynolds <[EMAIL PROTECTED]> wrote:

I am running version 5.5.17 and I am not seeing anything in the logs
regarding APR.


You might want to grep for 'Starting ' because a Tomcat install with
out-of-the-box logging will show something like this at startup:

Dec 13, 2006 11:46:36 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Dec 13, 2006 11:46:36 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443

And if a Connector failed to start, you should see *something* logged :-)

--
Hassan Schroeder  [EMAIL PROTECTED]




RE: SSL Setup From Site

2006-12-13 Thread Caldarale, Charles R
> From: Jim Reynolds [mailto:[EMAIL PROTECTED] 
> Subject: Re: SSL Setup From Site
> 
> In order to use the native (I believe that is what I was 
> doing in my server.xml file) I want to include "native"
> with a checkbox, or I do not want to include Native?
> 
> I have got spun around here.

You're not the only one :-)

If you're configuring Tomcat SSL according to the documentation here:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
then do NOT select the Native check box.

If you're configuring SSL for Tomcat using the APR connector with this
doc:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html
then DO select the Native check box.

 - Chuck





Re: SSL Setup From Site

2006-12-13 Thread Jim Reynolds

I tried the install again, and now see the optional components. In
order to use the native (I believe that is what I was doing in my
server.xml file) I want to include "native" with a checkbox, or I do
not want to include Native?

I have got spun around here.



On 12/13/06, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> From: Jim Reynolds [mailto:[EMAIL PROTECTED]
> Subject: Re: SSL Setup From Site
>
> the installer does not ask any questions. I used the .exe.

It doesn't ask the question explicitly.  On the Choose Components
window, if you open up the Tomcat entry by clicking on the + sign,
you'll see the optional component check boxes.  The Native one is for
the APR .dll file.

 - Chuck





RE: SSL Setup From Site

2006-12-13 Thread Caldarale, Charles R
> From: Jim Reynolds [mailto:[EMAIL PROTECTED] 
> Subject: Re: SSL Setup From Site
> 
> the installer does not ask any questions. I used the .exe.

It doesn't ask the question explicitly.  On the Choose Components
window, if you open up the Tomcat entry by clicking on the + sign,
you'll see the optional component check boxes.  The Native one is for
the APR .dll file.

 - Chuck





Re: SSL Setup From Site

2006-12-13 Thread Jim Reynolds

I am running version 5.5.17 and I am not seeing anything in the logs
regarding APR. Logs I have are:
admin
catalina
host-manager
jakarta-service
localhost
manager
stderr
stdout

I grepped the logs for APR and came up with nothing.

Also, I just installed 5.5.20, and 6.0 to try and find where the #$#$@
tcnative-1.dll is and I do not see them in either new install. Also,
the installer does not ask any questions. I used the .exe.

Thanks,

On 12/13/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

what version of Tomcat and what are the logs saying?

Filip

Quoting Jim Reynolds <[EMAIL PROTECTED]>:

> After creating a new Host, I now want to set up SSL on it. Following
> the docs I did the following:
>
> 1) create keystore
> E:\Tomcat\bin\DEVKEY>keytool -genkey -alias tomcat -keyalg RSA -keystore E:/Tomcat/bin/DEVKEY/devKeystore
> answered questions.
>
> 2) made sure passwords were same. (changeit)
>
> 3) uncomment out the
>port="443" minProcessors="5" maxProcessors="75"
>   enableLookups="true" disableUploadTimeout="true"
>   acceptCount="100" debug="0" scheme="https" secure="true"
>   keystoreFile="E:/Tomcat/bin/DEVKEY/devKeystore"
>   keystorePass="changeit"
>   clientAuth="false" sslProtocol="TLS"/>
> // added above keystore location.
>
> 4) restarted tomcat, but I do not get ssl?
>
> http://devsite (still happy)
> https://devsite (cannot connect)
>
> I am running all local here, no external hassles. Now while reading
> the docs for nth time, I am wondering if I need to create a
> certificate or not? It is hard to tell as they roll into discussing
> openSSL or verisign/Thawte.
>
> Anyway, If I am missing a step here, please let me know,
>
> Sincerely
>











Re: SSL Setup From Site

2006-12-13 Thread devlists

what version of Tomcat and what are the logs saying?

Filip

Quoting Jim Reynolds <[EMAIL PROTECTED]>:


After creating a new Host, I now want to set up SSL on it. Following
the docs I did the following:

1) create keystore
E:\Tomcat\bin\DEVKEY>keytool -genkey -alias tomcat -keyalg RSA -keystore E:/Tomcat/bin/DEVKEY/devKeystore
answered questions.

2) made sure passwords were same. (changeit)

3) uncomment out the

// added above keystore location.

4) restarted tomcat, but I do not get ssl?

http://devsite (still happy)
https://devsite (cannot connect)

I am running all local here, no external hassles. Now while reading
the docs for nth time, I am wondering if I need to create a
certificate or not? It is hard to tell as they roll into discussing
openSSL or verisign/Thawte.

Anyway, If I am missing a step here, please let me know,

Sincerely









RE: SSL Setup From Site

2006-12-13 Thread Caldarale, Charles R
> From: Jim Reynolds [mailto:[EMAIL PROTECTED] 
> Subject: Re: SSL Setup From Site
> 
> I did do the exe installer, but many searches did not
> find the tcnative.dll.

You have to explicitly click on a check box in the installer to get it,
at least on 5.5.20.

It's tcnative-1.dll, and should be only in Tomcat's bin directory, if
it's anywhere at all.

> Anyway, could they put that dll into a .jar?

No, thank goodness.  (Well, they could for packaging purposes, but they
don't.  Windows wouldn't be able to find it inside a .jar file.)

If APR is not installed and the APR listener is not commented out in
server.xml, you should get an INFO-level log message during Tomcat
startup about APR not being found.

 - Chuck






Re: SSL Setup From Site

2006-12-13 Thread Jim Reynolds

Chuck,
you are very smart. I remembered doing this in my production box to
get SSL working. I did do the exe installer, but many searches did not
find the tcnative.dll. Actually I couldn't find any tcnative
references anywhere.
Perhaps there is another mechanism to use native in 5.5.17? Funny
thing, my search on my whole system for the .dll found all the old bak
in my production box.

Anyway, could they put that dll into a .jar?



On 12/13/06, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> From: Jim Reynolds [mailto:[EMAIL PROTECTED]
> Subject: SSL Setup From Site
>
> 4) restarted tomcat, but I do not get ssl?

If you used the .exe download for Tomcat, you may have APR installed.
Its SSL configuration is rather different than that for Tomcat's pure
Java connector.  The doc for APR is here:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Alternatively, disable APR by deleting or renaming bin\tcnative-1.dll,
and then the standard SSL handling (which appears to be what you
configured) will be in effect.

 - Chuck










RE: SSL Setup From Site

2006-12-13 Thread Caldarale, Charles R
> From: Jim Reynolds [mailto:[EMAIL PROTECTED] 
> Subject: SSL Setup From Site
> 
> 4) restarted tomcat, but I do not get ssl?

If you used the .exe download for Tomcat, you may have APR installed.
Its SSL configuration is rather different than that for Tomcat's pure
Java connector.  The doc for APR is here:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Alternatively, disable APR by deleting or renaming bin\tcnative-1.dll,
and then the standard SSL handling (which appears to be what you
configured) will be in effect.

 - Chuck






Re: SSL Setup

2006-06-09 Thread Roch

Thanks for the info.  Finally figured out the problem. The certs were
wrong in the keystore.  Thanks for all your help though!
--
View this message in context: 
http://www.nabble.com/SSL-Setup-t1710991.html#a4791758
Sent from the Tomcat - User forum at Nabble.com.





Re: SSL Setup

2006-06-06 Thread Jack

You can download the strong encryption mechanisms here:
   http://java.sun.com/j2se/1.4.2/download.html

(Right at the bottom of the page) Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 1.4.2




On 06/06/06, Roch <[EMAIL PROTECTED]> wrote:


How do I check to see if I have the strong encryption algorithms in the JDK?







--
Cheers
Jack...

The claim "natural" is not synonymous with safe.




Re: SSL Setup

2006-06-06 Thread Roch

How do I check to see if I have the strong encryption algorithms in the JDK?





Re: SSL Setup

2006-06-05 Thread Jack

Do you have the strong encryption algorithms installed in the JDK you are using?

On 02/06/06, Roch <[EMAIL PROTECTED]> wrote:


I'm getting the error that says "cannot communicate securely because they
have no common encryption algorithms.







--
Cheers
Jack...

The claim "natural" is not synonymous with safe.




Re: SSL Setup

2006-06-02 Thread Roch

I'm getting the error that says "cannot communicate securely because they
have no common encryption algorithms.





Re: SSL Setup

2006-06-02 Thread Roch

I finally got it to recognize the keystore and it's able to get in.  I still
have clientauth="false".  I had to add in ciphers also.  I'm not getting any
errors.  But when I go to view the page, it won't come up.  Is there
anything else that I missed?  Thanks.





Re: SSL Setup

2006-06-01 Thread Jack

You can have a look here and see if you find any useful tips - this
explains how I got SSL to work on Tomcat:

http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Cheers
Jack...

On 31/05/06, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:

Hello.  I'm setting up SSL.  I have Tomcat 5.5.16.  The error that I'm getting
is that it can't locate my keystore file.  I am using the keystoreFile
attribute but it's still not working.  Can anyone help?

Ro





Re: SSL Setup

2006-06-01 Thread Gaël Lams

Hi,


Thank you the information.  Does the keystore have to be located in a
specific location?  I have done everything listed but the keystore location
is different.


No specific location, /etc/tomcat was not existing and I created it
because I like to have all the files related to configuration in /etc.

Did you verify that your keystore contains the certificates? Are
you really sure that the path indicated in your Tomcat configuration
is right?

Unfortunately, if you really follow the same steps, I don't know what
could be the problem (I would need your bash_history, your
configuration files, ... :-)

What I could suggest is to quickly set up a testing machine (I tested
my setup on a VMware guest) and perform all the steps again; maybe you
did something wrong.

Regards,

Gaël


Re: SSL Setup

2006-05-31 Thread Roch

Thank you the information.  Does the keystore have to be located in a
specific location?  I have done everything listed but the keystore location
is different.

Ro





Re: SSL Setup

2006-05-31 Thread Gaël Lams

Hi,


Hello.  I'm setting up SSL.  I have Tomcat 5.5.16.  The error that I'm getting
is that it can't locate my keystore file.  I am using the keystoreFile
attribute but it's still not working.  Can anyone help?



A more detailed email explaining what you tried would be needed to be
able to help you. Are you using Apache as a front-end? Because Apache
could be used to handle the SSL stuff.

Anyway, you will find below a working "four-step" process explaining
how to implement not only SSL encryption but also client
authentication using self-signed certificates. I don't have much
time, so I just copy-paste from my documentation; change the
various names according to your server.

As I said, adding support for SSL or TLS in Tomcat can be divided into
four general steps:

1 – Setting up the CA

- Create /home/lams/openssl to hold the CA keys, server keys and (as
we want to use SSL client authentication) the client keys.

- Create a private key and certificate request for our CA:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

- Create a CA's self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

- Import the CA certificate into the JDK certificate authorities
keystore:
$JAVA_HOME/bin/keytool -import -keystore
$JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca

- Create a file to hold the CA's serial numbers.  This file starts
with the number "2":
echo "02" > ca.srl

2 – Setting the web server

- Create /etc/tomcat to contain both the keystore and the truststore
files (the truststore is a keystore in which reside all the certificates
with which a user can authenticate himself on the server).

- Create a keystore for the tomcat server.
$JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize
1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS

- Create a certificate request for the web server.
$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file
map-test.csr -keystore /etc/tomcat/server-keystore2.jks

You need to edit the certificate request file slightly.  Open it up in
a text editor and amend the text which reads "NEW CERTIFICATE REQUEST"
to "CERTIFICATE REQUEST"

- Have your CA sign your certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
map-test.csr -out map-test.crt -days 365

- Import your CA certificate into your server keystore:

This step is necessary because we want to use SSL client authentication.

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore
/etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem

- Import the signed server certificate into the server keystore:

$JAVA_HOME/bin/keytool -import -alias map-test -keystore
/etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt

You should see a message "Certificate reply was installed in keystore".

3 - Setting up the ssl client

- Create a client certificate request:

openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key

- Have the CA sign the client certificate.

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
santiago.req -out santiago.pem -days 365

- Import the CA certificate into the truststore:

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem

- Import the client certificate into the truststore:

$JAVA_HOME/bin/keytool -import -alias santiago -keystore
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem

- Generate a PKCS12 file containing the client key and certificate:

openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key
-out santiago.p12 -name "virgilio_certificate"

- Import the PKCS12 file into the web browser to use as the client
certificate and key (tools – internet options – contents –
certificates, verify by clicking in "advanced" that "client
authentication" is checked)

4 – Configure tomcat for ssl

The following lines must be added to server.xml. The clientAuth
parameter must be set to true as we want Tomcat to require all SSL
clients to present a client Certificate in order to use this socket.

   
   

Regards,

Gaël
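A checker for the server.xml side of the steps above, and for the APR/native situation Chuck describes earlier in the thread, added here as an example and not taken from any list post. It assumes a Tomcat 5.5-style connector with keystoreFile, truststoreFile and clientAuth attributes, resolves relative paths against CATALINA_HOME, and builds its own temporary CATALINA_HOME with constructed sample data.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml in the Tomcat 5.5 style discussed above;
# {keystore} and {truststore} are filled in by demo() with real temp paths.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Service name="Catalina">
    <Connector port="8080" />
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
               keystoreFile="{keystore}" keystorePass="changeit"
               truststoreFile="{truststore}" clientAuth="false" />
  </Service>
</Server>
"""


def check_ssl_connectors(server_xml, catalina_home):
    """Return (port, finding) tuples for every HTTPS connector in server_xml.

    Findings mirror the failure modes in the threads above: a keystore or
    truststore path Tomcat cannot find, a truststore configured without
    clientAuth="true", and the APR/native connector being active, in which
    case the JSSE keystore* attributes are not the ones that apply.
    Assumption for this example: relative paths are resolved from catalina_home.
    """
    root = ET.fromstring(server_xml)
    apr_listener = any(
        lst.get("className", "").endswith("AprLifecycleListener")
        for lst in root.iter("Listener"))
    tcnative = os.path.isfile(os.path.join(catalina_home, "bin", "tcnative-1.dll"))
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("SSLEnabled") != "true":
            continue
        port = conn.get("port")
        for attr, code in (("keystoreFile", "keystore-missing"),
                           ("truststoreFile", "truststore-missing")):
            value = conn.get(attr)
            if value is None:
                continue
            path = value if os.path.isabs(value) else os.path.join(catalina_home, value)
            if not os.path.isfile(path):
                findings.append((port, code))
        if conn.get("truststoreFile") and conn.get("clientAuth", "false") != "true":
            findings.append((port, "clientAuth-not-true"))
        if apr_listener and tcnative:
            findings.append((port, "apr-active"))
    return findings


def demo():
    """Throwaway CATALINA_HOME: keystore and tcnative-1.dll present,
    truststore deliberately absent, so three findings are expected."""
    with tempfile.TemporaryDirectory() as home:
        os.makedirs(os.path.join(home, "bin"))
        os.makedirs(os.path.join(home, "conf"))
        open(os.path.join(home, "bin", "tcnative-1.dll"), "wb").close()
        keystore = os.path.join(home, "conf", "server-keystore2.jks")
        open(keystore, "wb").close()
        truststore = os.path.join(home, "conf", "truststore-itcilo2.jks")
        xml = SAMPLE_SERVER_XML.format(keystore=keystore, truststore=truststore)
        return check_ssl_connectors(xml, home)
```

Run demo() against a real CATALINA_HOME by passing the contents of conf/server.xml and the install directory instead of the constructed sample.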


RE: SSL Setup

2005-11-11 Thread Teh, Bortie

Rick, thanks for the link. I changed the name of tcnative-1.dll in \bin
to tcnative-1.dll.old and restarted tomcat and that worked.


CONFIDENTIALITY:  This e-mail (including any attachments) may contain
confidential, proprietary and privileged information, and unauthorized
disclosure or use is prohibited.  If you received this e-mail in error,
please notify the sender and delete this e-mail from your system.

-Original Message-
From: Rick van der Zwet [mailto:[EMAIL PROTECTED] 
Sent: Friday, November 11, 2005 4:25 PM
To: Tomcat Users List
Subject: Re: SSL Setup

Teh, Bortie schreef:

> I've been trying to setup SSL for tomcat, I have created the keystore,
> generated a csr, ordered a certificate, imported the certificate, and
> configured the server to respond on port 8443.  My problem is that I can
> not get any pages to load when I use https://localhost:8443, but it
> works when I drop the 's'.  I'm a novice with tomcat so any help will be
> appreciated.  I've read the manuals over and over and all the configs
> look alright.

Check http://issues.apache.org/bugzilla/show_bug.cgi?id=37455 if you are
using Tomcat 5.5.12

Same problem applied to me, but still I did not find the right syntax to
fix 'the bug'.

Cheerz,
Rick


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]





Re: SSL Setup

2005-11-11 Thread Rick van der Zwet

Teh, Bortie schreef:


I've been trying to setup SSL for tomcat, I have created the keystore, 
generated a csr, ordered a certificate, imported the certificate, and 
configured the server to respond on port 8443.  My problem is that I can not 
get any pages to load when I use https://localhost:8443, but it works when I 
drop the 's'.  I'm a novice with tomcat so any help will be appreciated.  I've 
read the manuals over and over and all the configs look alright.
 

Check http://issues.apache.org/bugzilla/show_bug.cgi?id=37455 if you are 
using Tomcat 5.5.12


Same problem applied to me, but still I did not find the right syntax to 
fix 'the bug'.


Cheerz,
Rick

