RE: SSL setup for tomcat 7.0.10 using a CA cert
Chip-
take all the 32bit folders off the PATH
best to SET CLASSPATH=
download the 64bit windoze version of Tomcat7 from http://tomcat.apache.org/download-70.cgi
reconfigure and let us know if there are any further issues

Martin Gainty

From: chipper7...@hotmail.com
To: users@tomcat.apache.org
Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert
Date: Sun, 8 May 2011 08:09:12 -0400

I have been trying to install a certificate on a Tomcat 7.0.10 on a Windows 64 bit 2008 server and getting this error.

Error Message
DerInputStream.getLength(): lengthTag=109, too big.
2011-05-07 21:19:08 Commons Daemon procrun stderr initialized
May 7, 2011 9:19:09 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: D:\Tomcat 7.0\bin;.;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;D:\apache-ant-1.8.2\bin\;C:\Program Files\Java\jdk1.6.0_25\bin\;C:\OpenSSL-Win32\bin\
May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'liveDeploy' to 'false' did not find a matching property.
May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'debug' to '1' did not find a matching property.
May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [http-bio-8443]
May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
    at sun.security.util.DerInputStream.getLength(Unknown Source)
    at sun.security.util.DerValue.init(Unknown Source)
    at sun.security.util.DerValue.init(Unknown Source)
    at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
    at java.security.KeyStore.load(Unknown Source)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:409)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:308)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:561)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:507)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:451)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:159)
    at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:365)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
    at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at
RE: SSL setup for tomcat 7.0.10 using a CA cert
> From: Martin Gainty [mailto:mgai...@hotmail.com]
> Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert

> take all the 32bit folders off the PATH
> best to SET CLASSPATH=
> download the 64bit windoze version of Tomcat7 from http://tomcat.apache.org/download-70.cgi

All of the above is completely irrelevant, as usual.

 - Chuck
RE: SSL setup for tomcat 7.0.10 using a CA cert
> From: chip chipper [mailto:chipper7...@hotmail.com]
> Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert

> May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.

Read the Tomcat 7 doc - there is no maxSpareThreads attribute for a Connector.

> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'liveDeploy' to 'false' did not find a matching property.

Ditto for liveDeploy on a Host.

> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'debug' to '1' did not find a matching property.

Ditto for debug on a Context.

Looks like you have grabbed an ancient server.xml and tried to use it with Tomcat 7 - you simply can't do that. Read the Tomcat 7 configuration guide and set what you need properly.

> May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

My understanding of this is that there is an ASN.1 encoding error. The length is bigger than expected. Can you examine the certificates using keytool and see what it thinks of them?

> keytool ... -keystore mykeystore
> openssl ... -out keystore.tomcat
> keytool ... -keystore tomcat.keystore

I count three different keystore names here; which are we to believe?

> <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="C:/cert/my.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>

And a fourth keystore name here.

Also, what you have above does not correspond with the maxSpareThreads error message displayed in the log. Either you're confusing everyone by reporting one set of log entries along with an unrelated config, or you're not running the config you think you are. It would be useful if you posted your entire server.xml file, with comments removed.

> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

You can't run APR with JSSE handling the SSL negotiation, so turning SSLEngine off is not useful. Besides, you don't appear to have the tcnative-1.dll installed, and you've forced use of the BIO connector, so changing the AprLifecycleListener is ineffective.

 - Chuck
RE: SSL setup for tomcat 7.0.10 using a CA cert
Chuck

The tomcat keystore was the wrong file. Thanks for the hint. I had a tomcat.keystore and a keystore.tomcat. Better naming would have avoided the embarrassment of using a user-group.

Thanks for the assistance and your time

Chip

From: chuck.caldar...@unisys.com
To: users@tomcat.apache.org
Date: Sun, 8 May 2011 10:08:23 -0500
Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert
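
Added example, not part of the thread: the stack trace passes through PKCS12KeyStore.engineLoad, and a JKS file's magic bytes 0xFEEDFEED read as DER give exactly lengthTag=109, which is consistent with the wrong-file diagnosis above. The Python sketch below replays that length check and classifies a keystore by its leading bytes; the function names and sample bytes are constructed for illustration.

```python
# Added illustration; names and sample bytes are constructed, not from the thread.
JKS_MAGIC = bytes.fromhex("feedfeed")    # header of a Sun JKS keystore
JCEKS_MAGIC = bytes.fromhex("cececece")  # header of a Sun JCEKS keystore

def der_length_tag(data: bytes):
    """Replay the first step of a DER length read on the byte after the tag."""
    if len(data) < 2:
        raise ValueError("need a tag byte and a length byte")
    length_byte = data[1]
    if length_byte & 0x80 == 0:
        return ("short", length_byte)      # one-byte length
    k = length_byte & 0x7F                 # number of length bytes that follow
    if k == 0:
        return ("indefinite", 0)
    # More than 4 length bytes is what the JDK reports as "lengthTag=k, too big".
    return ("long", k) if k <= 4 else ("too big", k)

def sniff_keystore(data: bytes) -> str:
    """Guess the container format from the leading bytes."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.startswith(JCEKS_MAGIC):
        return "JCEKS"
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30" and der_length_tag(data)[0] in ("long", "indefinite"):
        return "PKCS12"  # more precisely: a DER SEQUENCE, which PKCS#12 is
    return "unknown"

def check(data: bytes, configured_type: str) -> str:
    """Compare the configured keystore type with what the file looks like."""
    found = sniff_keystore(data)
    if found == configured_type.upper():
        return f"ok: file looks like {found}"
    msg = f"mismatch: configured {configured_type}, file looks like {found}"
    kind, k = der_length_tag(data)
    if configured_type.upper() == "PKCS12" and kind == "too big":
        msg += f" (DER parse fails with lengthTag={k}, too big)"
    return msg

# Constructed samples: a JKS header (magic, version 2, 0 entries) and the
# first bytes of a DER SEQUENCE as found at the start of a PKCS#12 file.
JKS_SAMPLE = JKS_MAGIC + bytes.fromhex("0000000200000000")
P12_SAMPLE = bytes.fromhex("30820a00020103")
```

Running `check(open(path, "rb").read(64), "PKCS12")` against each candidate file tells a keytool-created JKS store from an openssl-created PKCS#12 store before Tomcat is restarted.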