Re: Using existing pki certificates to enable SSL on tomcat 9

2018-12-17 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Sam,

On 12/16/18 22:00, Sam G wrote:
> Hi, I've installed Apache Tomcat 9 on a Windows 2016 64-bit server.
> Our SA has requested a PKI certificate for the Windows server from
> our CA and got one. I need help with the steps involved in using that
> existing certificate to enable SSL on Tomcat.

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html#Importing_the_Certificate

- -chris

-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
=1ny6
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Using existing pki certificates to enable SSL on tomcat 9

2018-12-16 Thread Sam G
Hi,
  I've installed Apache Tomcat 9 on a Windows 2016 64-bit server. Our SA
has requested a PKI certificate for the Windows server from our CA and got
one.
I need help with the steps involved in using that existing certificate to
enable SSL on Tomcat.

Thank you
Sam


Re: [bulk] Re: SSL on Tomcat

2018-10-02 Thread Mario Schmitz
Hey,

are you working on something at the moment?

All applications here were just unreachable from outside. Internally it
worked ...

Kind regards
Mario

-Original Message-
From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
Sent: Tuesday, 2 October 2018 09:07
To: Tomcat Users List
Subject: [bulk] Re: SSL on Tomcat

Thanks Chris, Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández 
wrote:

> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> On Mon, 1 Oct 2018 at 20:39, Christopher Schultz (<ch...@christopherschultz.net>) wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the 
> > > root Certificate Authority public key and import it in your client 
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's 
> > cert directly.
> >
> > > If you did not change it, the client's (Java) default keystore is
> > > located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -import -file 
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so 
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED 
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a 
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time 
> > you change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for 
> > that service (client) and use it EXPLICITLY.
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> > pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> > w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> > fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> > lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> > TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> > YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> > xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> > SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> > MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> > C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> > KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> > =okQm
> > -END PGP SIGNATURE-
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>


Re: SSL on Tomcat

2018-10-02 Thread Loai Abdallatif
Thanks Chris, Luis

On Tue, Oct 2, 2018 at 10:00 AM Luis Rodríguez Fernández 
wrote:

> Hello Christopher,
>
> It makes sense, thank you very much for your advice!
>
> Cheers,
>
> Luis
>
> On Mon, 1 Oct 2018 at 20:39, Christopher Schultz (<ch...@christopherschultz.net>) wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Luis,
> >
> > On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > > Agree with Christopher, you have to fix your client. Just get the
> > > root Certificate Authority public key and import it in your client
> > > truststore.
> >
> > I'd recommend trusting the finest-grained cert you can get away with.
> > That might not always be the root CA cert. It might be the server's
> > cert directly.
> >
> > > If you did not change it, the client's (Java) default keystore is
> > > located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> > >
> > > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > > -storepass trust_store_password_here -alias Root -import -file
> > > the_downloaded_ca.crt
> > >
> > > The default password for cacerts is changeit
> >
> > FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> > for two reasons:
> >
> > 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> > AFTERWARD. Perhaps you don't want some other service to trust your
> > 192.168.1.120 certificate when it's only supposed to be used with a
> > single client service.
> >
> > 2. You will have to remember to update the trust store every time you
> > change your Java installation. That means upgrades, downgrades, etc.
> >
> > The best way to do this IMO is to create a trust store specific for
> > that service (client) and use it EXPLICITLY.
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: GPGTools - http://gpgtools.org
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> > pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> > w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> > fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> > lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> > TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> > YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> > xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> > SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> > MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> > C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> > KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> > =okQm
> > -END PGP SIGNATURE-
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>


Re: SSL on Tomcat

2018-10-02 Thread Luis Rodríguez Fernández
Hello Christopher,

It makes sense, thank you very much for your advice!

Cheers,

Luis

On Mon, 1 Oct 2018 at 20:39, Christopher Schultz (<ch...@christopherschultz.net>) wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Luis,
>
> On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> > Agree with Christopher, you have to fix your client. Just get the
> > root Certificate Authority public key and import it in your client
> > truststore.
>
> I'd recommend trusting the finest-grained cert you can get away with.
> That might not always be the root CA cert. It might be the server's
> cert directly.
>
> > If you did not change it, the client's (Java) default keystore is
> > located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> >
> > keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> > -storepass trust_store_password_here -alias Root -import -file
> > the_downloaded_ca.crt
> >
> > The default password for cacerts is changeit
>
> FWIW, I wouldn't recommend changing the JVM's trust store. I say so
> for two reasons:
>
> 1. You will be trusting that certificate for ALL JVMS LAUNCHED
> AFTERWARD. Perhaps you don't want some other service to trust your
> 192.168.1.120 certificate when it's only supposed to be used with a
> single client service.
>
> 2. You will have to remember to update the trust store every time you
> change your Java installation. That means upgrades, downgrades, etc.
>
> The best way to do this IMO is to create a trust store specific for
> that service (client) and use it EXPLICITLY.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: GPGTools - http://gpgtools.org
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluyafIACgkQHPApP6U8
> pFijGRAAr8BXcoObcsRM/n++276xFYoAJPGKigExp6wpLjI0iHasPpXC0BPaMInb
> w7ZkgwAY77Qq7jCcUB8FGrBQXo+axN2r8MVsghV/UyTIwnZyKDM0lb4z6d6016Bc
> fQjoalUal857FH20PRAv5U+GrrpNcE7Mua5yu6eTqlMpX2hC0kBCc+oaH6xmtZr/
> lvtn9UK5/ymS83yW5sxxYRa3uEnFf6U2EFJoWKGraEOHquEiX01Jn5nOYxccyPMT
> TtjZ+yzkc/gvBTsme0ZVdOXTK9m+0Q10f/Fgc4bidSb9ZybaBcm8YsOqpqjP9poC
> YU4KtJP7BsJbMVzNV7YFlmIDlOVXwzk84oqEj8trbUe8AtJnq9gCLFp6/1ElmXE4
> xP26Gw1ck2vqQC/4u43HsiBegLFaBUorjNw3fWkf3PTiqSXHjXToJK9oYRv1DNkr
> SV8dlnujLbqmDQWag2FHTkE6Ka5sFBdbeFUdFP0Qd7jkhmErr5nziO1RtZ1bkIUz
> MaCYdpLR+OdU1XMrENnLHRedmpjDXp4UA1/mqr/PSMadQrlK7Z4fF5UVurXFWn7Z
> C+HNYzoSmvUL+y1KsficoK3ZGthUpkgApFFbFh3aSKdm07V+Xt1KK6sRndcjdoff
> KtU/sG0d0SSLnJmRCJHINRSOccmHZUiWGJ9+UXXE2Gd4nEw43r4=
> =okQm
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett


Re: SSL on Tomcat

2018-10-01 Thread Loai Abdallatif
Thanks very much, I did it and it works.

On Mon, Oct 1, 2018 at 6:07 PM Luis Rodríguez Fernández 
wrote:

> Hello Loai,
>
> Agree with Christopher, you have to fix your client. Just get the root
> Certificate Authority public key and import it in your client truststore.
> If you did not change it, the client's (Java) default keystore is located
> in $JAVA_HOME/jre/lib/security/cacerts. Something like:
>
>  keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass
> trust_store_password_here -alias Root -import -file the_downloaded_ca.crt
>
> The default password for cacerts is changeit
>
> Hope it helps,
>
> Luis
>
>
>
>
> On Sat, 29 Sep 2018 at 12:05, Loai Abdallatif (<loai.abdalla...@gmail.com>) wrote:
>
> > Thanks Chris, but how do I do it? Should I copy the SSL certificate from
> > webserver 192.168.1.120 to my Tomcat container (worker0) on 192.168.1.111
> > in server.xml?
> > Any idea please?
> >
> > On Sat, Sep 29, 2018 at 1:35 AM Christopher Schultz <
> > ch...@christopherschultz.net> wrote:
> >
> > > -BEGIN PGP SIGNED MESSAGE-
> > > Hash: SHA256
> > >
> > > Loai,
> > >
> > > On 9/27/18 10:50, Loai Abdallatif wrote:
> > > > Hello,
> > > >
> > > > I have set up an Apache load balancer (mod_jk) with server IP
> > > > 192.168.1.120 (Webserver01.epsilon.test) which forwards the traffic
> > > > to the Tomcat server (192.168.1.111, appserver01.epsilon.test).
> > > >
> > > > Each Tomcat server has three workers (0, 1, 2).
> > > >
> > > > I deployed *Central Authentication Service* (CAS) on worker0 and
> > > > it is working with a warning related to the SSL certificate. I have
> > > > another application on this worker0 called ServiceCatalog;
> > > > unfortunately it didn't work and gave the error below.
> > > >
> > > > ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > >
> > > As Guido says, your client (org.jasig.cas.client) does not trust the
> > > server it's trying to connect to.
> > >
> > > Is the server in this case the one you set up above? It's not clear
> > > exactly what you are trying to do.
> > >
> > > There is nothing you can change with Tomcat to fix this error... you
> > > must configure your client to trust the server.
> > >
> > > - -chris
> > > -BEGIN PGP SIGNATURE-
> > > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> > >
> > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
> > > pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
> > > 9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
> > > 8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
> > > LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
> > > /v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
> > > 37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
> > > j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
> > > 9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
> > > BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
> > > /Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
> > > 8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
> > > =Bjfw
> > > -END PGP SIGNATURE-
> > >
> > > -
> > > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > > For additional commands, e-mail: users-h...@tomcat.apache.org
> > >
> > >
> >
>
>
> --
>
> "Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."
>
> - Samuel Beckett
>


Re: SSL on Tomcat

2018-10-01 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Luis,

On 10/1/18 11:06 AM, Luis Rodríguez Fernández wrote:
> Agree with Christopher, you have to fix your client. Just get the
> root Certificate Authority public key and import it in your client
> truststore.

I'd recommend trusting the finest-grained cert you can get away with.
That might not always be the root CA cert. It might be the server's
cert directly.

> If you did not change it, the client's (Java) default keystore is
> located in $JAVA_HOME/jre/lib/security/cacerts. Something like:
> 
> keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts
> -storepass trust_store_password_here -alias Root -import -file
> the_downloaded_ca.crt
> 
> The default password for cacerts is changeit

FWIW, I wouldn't recommend changing the JVM's trust store. I say so
for two reasons:

1. You will be trusting that certificate for ALL JVMS LAUNCHED
AFTERWARD. Perhaps you don't want some other service to trust your
192.168.1.120 certificate when it's only supposed to be used with a
single client service.

2. You will have to remember to update the trust store every time you
change your Java installation. That means upgrades, downgrades, etc.

The best way to do this IMO is to create a trust store specific for
that service (client) and use it EXPLICITLY.

- -chris
-BEGIN PGP SIGNATURE-
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
=okQm
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
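
One way to follow the advice above (a trust store scoped to a single client service, used explicitly instead of editing the JVM's cacerts), as an added example that is not code from this thread or from Tomcat: the program below takes the certificate exported from the web server (the server's own cert or its issuing CA, whichever is the finest-grained one you can get away with), writes it into a new PKCS12 trust store, and uses that store alone for one HTTPS request, so the JVM-wide cacerts file is never consulted. The file names, alias, password and URL are placeholders I chose, not values from the thread; the `javax.net.ssl.*` properties mentioned in the note afterwards are standard JVM properties.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Builds a trust store that holds exactly one certificate (the server's own
 * cert, or the CA that issued it), saves it as PKCS12, and uses it
 * explicitly for one HTTPS connection. Nothing under $JAVA_HOME is touched.
 *
 * Added example; file names, alias, password and URL are placeholders.
 */
public class ServiceTrustStore {

    /** Load a PEM- or DER-encoded X.509 certificate from disk. */
    static X509Certificate loadCertificate(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        try (InputStream in = new FileInputStream(path)) {
            return (X509Certificate) cf.generateCertificate(in);
        }
    }

    /** Create an in-memory PKCS12 trust store containing only the given certificate. */
    static KeyStore buildTrustStore(X509Certificate cert, String alias) throws Exception {
        KeyStore ts = KeyStore.getInstance("PKCS12");
        ts.load(null, null);                  // start from an empty store
        ts.setCertificateEntry(alias, cert);  // trusted-cert entry, no private key
        return ts;
    }

    /** Persist the trust store so the service can reference it explicitly. */
    static void saveTrustStore(KeyStore ts, String path, char[] password) throws Exception {
        try (FileOutputStream out = new FileOutputStream(path)) {
            ts.store(out, password);
        }
    }

    /** SSLContext whose trust decisions come only from the supplied trust store. */
    static SSLContext sslContextFor(KeyStore ts) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Placeholder inputs: the certificate exported from the web server, the
        // service-specific trust store to write, and the URL to verify against.
        String certPath  = args.length > 0 ? args[0] : "webserver01.crt";
        String storePath = args.length > 1 ? args[1] : "cas-client-truststore.p12";
        String targetUrl = args.length > 2 ? args[2] : "https://Webserver01.epsilon.test/";
        char[] storePassword = "change-this-per-service".toCharArray();

        X509Certificate cert = loadCertificate(certPath);
        KeyStore ts = buildTrustStore(cert, "webserver01");
        saveTrustStore(ts, storePath, storePassword);

        // Use the trust store explicitly for this connection only. The handshake
        // itself is the chain check: with the wrong cert in the store you get the
        // same "unable to find valid certification path" error as in the thread.
        HttpsURLConnection conn = (HttpsURLConnection) new URL(targetUrl).openConnection();
        conn.setSSLSocketFactory(sslContextFor(ts).getSocketFactory());
        conn.setRequestMethod("HEAD");
        System.out.println("HTTP " + conn.getResponseCode() + " from " + targetUrl
                + " (trust anchor: " + cert.getSubjectX500Principal() + ")");
    }
}
```

Compile and run with `javac ServiceTrustStore.java && java ServiceTrustStore webserver01.crt cas-client-truststore.p12 https://Webserver01.epsilon.test/`. A client you cannot change programmatically (such as the CAS client running inside Tomcat) can be pointed at the same file for that one JVM with `-Djavax.net.ssl.trustStore=/path/cas-client-truststore.p12 -Djavax.net.ssl.trustStoreType=PKCS12 -Djavax.net.ssl.trustStorePassword=...`; that still keeps the trust decision out of `$JAVA_HOME`, so it survives Java upgrades and does not extend trust to every other JVM on the host.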



Re: SSL on Tomcat

2018-10-01 Thread Luis Rodríguez Fernández
Hello Loai,

Agree with Christopher, you have to fix your client. Just get the root
Certificate Authority public key and import it in your client truststore.
If you did not change it, the client's (Java) default keystore is located
in $JAVA_HOME/jre/lib/security/cacerts. Something like:

 keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass
trust_store_password_here -alias Root -import -file the_downloaded_ca.crt

The default password for cacerts is changeit

Hope it helps,

Luis




On Sat, 29 Sep 2018 at 12:05, Loai Abdallatif (<loai.abdalla...@gmail.com>) wrote:

> Thanks Chris, but how do I do it? Should I copy the SSL certificate from
> webserver 192.168.1.120 to my Tomcat container (worker0) on 192.168.1.111
> in server.xml?
> Any idea please?
>
> On Sat, Sep 29, 2018 at 1:35 AM Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
> > -BEGIN PGP SIGNED MESSAGE-
> > Hash: SHA256
> >
> > Loai,
> >
> > On 9/27/18 10:50, Loai Abdallatif wrote:
> > > Hello,
> > >
> > > I have set up an Apache load balancer (mod_jk) with server IP
> > > 192.168.1.120 (Webserver01.epsilon.test) which forwards the traffic
> > > to the Tomcat server (192.168.1.111, appserver01.epsilon.test).
> > >
> > > Each Tomcat server has three workers (0, 1, 2).
> > >
> > > I deployed *Central Authentication Service* (CAS) on worker0 and
> > > it is working with a warning related to the SSL certificate. I have
> > > another application on this worker0 called ServiceCatalog;
> > > unfortunately it didn't work and gave the error below.
> > >
> > > ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >
> > As Guido says, your client (org.jasig.cas.client) does not trust the
> > server it's trying to connect to.
> >
> > Is the server in this case the one you set up above? It's not clear
> > exactly what you are trying to do.
> >
> > There is nothing you can change with Tomcat to fix this error... you
> > must configure your client to trust the server.
> >
> > - -chris
> > -BEGIN PGP SIGNATURE-
> > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
> >
> > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
> > pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
> > 9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
> > 8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
> > LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
> > /v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
> > 37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
> > j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
> > 9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
> > BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
> > /Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
> > 8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
> > =Bjfw
> > -END PGP SIGNATURE-
> >
> > -
> > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> > For additional commands, e-mail: users-h...@tomcat.apache.org
> >
> >
>


-- 

"Ever tried. Ever failed. No matter. Try Again. Fail again. Fail better."

- Samuel Beckett


Re: SSL on Tomcat

2018-09-29 Thread Loai Abdallatif
Thanks Chris, but how do I do it? Should I copy the SSL certificate from
webserver 192.168.1.120 to my Tomcat container (worker0) on 192.168.1.111
in server.xml?
Any idea please?

On Sat, Sep 29, 2018 at 1:35 AM Christopher Schultz <
ch...@christopherschultz.net> wrote:

> -BEGIN PGP SIGNED MESSAGE-
> Hash: SHA256
>
> Loai,
>
> On 9/27/18 10:50, Loai Abdallatif wrote:
> > Hello,
> >
> > I have set up an Apache load balancer (mod_jk) with server IP
> > 192.168.1.120 (Webserver01.epsilon.test) which forwards the traffic
> > to the Tomcat server (192.168.1.111, appserver01.epsilon.test).
> >
> > Each Tomcat server has three workers (0, 1, 2).
> >
> > I deployed *Central Authentication Service* (CAS) on worker0 and
> > it is working with a warning related to the SSL certificate. I have
> > another application on this worker0 called ServiceCatalog;
> > unfortunately it didn't work and gave the error below.
> >
> > ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> > javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>
> As Guido says, your client (org.jasig.cas.client) does not trust the
> server it's trying to connect to.
>
> Is the server in this case the one you set up above? It's not clear
> exactly what you are trying to do.
>
> There is nothing you can change with Tomcat to fix this error... you
> must configure your client to trust the server.
>
> - -chris
> -BEGIN PGP SIGNATURE-
> Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/
>
> iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
> pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
> 9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
> 8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
> LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
> /v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
> 37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
> j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
> 9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
> BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
> /Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
> 8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
> =Bjfw
> -END PGP SIGNATURE-
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>


Re: SSL on Tomcat

2018-09-28 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

Loai,

On 9/27/18 10:50, Loai Abdallatif wrote:
> Hello,
>
> I have set up an Apache load balancer (mod_jk) with server IP
> 192.168.1.120 (Webserver01.epsilon.test) which forwards the traffic
> to the Tomcat server (192.168.1.111, appserver01.epsilon.test).
>
> Each Tomcat server has three workers (0, 1, 2).
>
> I deployed *Central Authentication Service* (CAS) on worker0 and
> it is working with a warning related to the SSL certificate. I have
> another application on this worker0 called ServiceCatalog;
> unfortunately it didn't work and gave the error below.
>
> ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

As Guido says, your client (org.jasig.cas.client) does not trust the
server it's trying to connect to.

Is the server in this case the one you set up above? It's not clear
exactly what you are trying to do.

There is nothing you can change with Tomcat to fix this error... you
must configure your client to trust the server.

- -chris
-BEGIN PGP SIGNATURE-
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAluurMsACgkQHPApP6U8
pFiGARAAk5GnoU7+3tk16yh+cCme1mzPZiEUf0y1uE8CK74zaNB4OXbeF6iuNOEm
9OP5MV6zyQC/NxI+DSlUzN32ZUEDLKSw7OUcMmhBfrZs690NEChHTJV9p/EpC7NS
8LwMU/r3MFrvpkaLuPQsq+DbzbNRefh6+eOEhGTT3WtwW6SYtXxNUbBz4WmCSTrz
LHPYGTpUT19CX2BE5sNQeV5F4/ul3fLSMuVp4RryVo4BLQKBwh/rexb1fUbsdxyn
/v3HyCgreuhFV7DVMF+BuA46sccOm6kScMf7r9LrDioMswZvn79dFGgo9qMDgCWE
37j7Dnv72GdtlkkNAkP9sKm413B4LzAhuL56bAyK+3SRRKuiqDPgq+4tcEOsIb4u
j6j3ZtJbpoojibAuNZWcvR3kjEPfCDUnRa6JSKXu1Y7Bekr3kLYbiGtOVWXi0ozs
9zzq8D7lqSDD7b0UhuZ22yuR0OBZMlxn0/ELH0GNikyLuwAd3UrrcNXfL7kpl5P9
BFSEnpZ8uD7bhXrkVCBdM+ktXrCYS8StEIFNwXe5WeUbLdXoCDNKvlKgZKq2/IkD
/Zjh44ecYr8TNdfvyNJxL2YGTUZcfwyZETrMX/1ont7VfFU/xHuh1DE6R60vAtfB
8nEsqNc+FFocsKlEwQbVyt0XP54DPfPGzXX544NLfbaIr2/2JOk=
=Bjfw
-END PGP SIGNATURE-

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL on Tomcat

2018-09-28 Thread Loai Abdallatif
Thank you Guido,

I appreciate your assistance, and if possible send me any tutorial related
to my case (Apache server different from Tomcat, CAS app needs SSL).

On Fri, Sep 28, 2018 at 11:40 AM Jäkel, Guido  wrote:

> Dear Loai,
>
> Your client can't verify (doesn't trust) the certificate (chain) of the
> target. Either the target's certificate is not an "official" one (e.g. self
> signed) or your client's JVM certificate trust chain is not up to date.
>
> If you like I may send you a small Java command-line tool to check the
> verification chain and/or add exceptions to the local trust store in case
> of self-signed certificates.
>
> Guido
>
>
> >-Original Message-
> >From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
> >Sent: Thursday, September 27, 2018 4:52 PM
> >To: Tomcat Users List 
> >Subject: Re: SSL on Tomcat
> >
> >Hello, shall I add the certificate to server.xml on the Tomcat server or just
> >on the webserver?
> >
> >
> >On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif <loai.abdalla...@gmail.com> wrote:
> >
> >
> >   Hello,
> >
> >   I have set up an Apache load balancer (mod_jk) with server IP 192.168.1.120 (Webserver01.epsilon.test)
> >   which forwards the traffic to the Tomcat server (192.168.1.111, appserver01.epsilon.test).
> >
> >   Each Tomcat server has three workers (0, 1, 2).
> >
> >   I deployed Central Authentication Service (CAS) on worker0 and it is working with a warning related
> >   to the SSL certificate. I have another application on this worker0 called ServiceCatalog;
> >   unfortunately it didn't work and gave the error below.
> >
> >   ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >   javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> >   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> >   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> >   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
> >   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
> >   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
> >   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> >   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> >   at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
> >   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
> >   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
> >   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
> >   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
> >   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
> >   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> >   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
> >   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
> >   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
> >   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
> >   at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
> >   at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
> >   at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:157)
> >   at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:142)
> >
> >
> >
>
>


RE: SSL on Tomcat

2018-09-28 Thread Jäkel , Guido
Dear Loai,

Your client can't verify (doesn't trust) the certificate (chain) of the target.
Either the target's certificate is not an "official" one (e.g. self signed) or your
client's JVM certificate trust chain is not up to date.

If you like I may send you a small Java command-line tool to check the
verification chain and/or add exceptions to the local trust store in case of
self-signed certificates.

Guido


>-Original Message-
>From: Loai Abdallatif [mailto:loai.abdalla...@gmail.com]
>Sent: Thursday, September 27, 2018 4:52 PM
>To: Tomcat Users List 
>Subject: Re: SSL on Tomcat
>
>Hello, shall I add the certificate to server.xml on the Tomcat server or just on
>the webserver?
>
>
>On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif <loai.abdalla...@gmail.com> wrote:
>
>
>   Hello,
>
>   I have set up an Apache load balancer (mod_jk) with server IP 192.168.1.120 (Webserver01.epsilon.test)
>   which forwards the traffic to the Tomcat server (192.168.1.111, appserver01.epsilon.test).
>
>   Each Tomcat server has three workers (0, 1, 2).
>
>   I deployed Central Authentication Service (CAS) on worker0 and it is working with a warning related
>   to the SSL certificate. I have another application on this worker0 called ServiceCatalog;
>   unfortunately it didn't work and gave the error below.
>
>   ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>   javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
>   at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>   at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
>   at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
>   at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
>   at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
>   at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
>   at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
>   at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
>   at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
>   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
>   at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
>   at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
>   at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
>   at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
>   at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
>   at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
>   at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
>   at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
>   at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:157)
>   at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:142)
>
>
>



Re: SSL on Tomcat

2018-09-27 Thread Loai Abdallatif
hello, shall I add the certificate to server.xml on tomcat server or just
on Webserver

On Thu, Sep 27, 2018 at 5:50 PM, Loai Abdallatif 
wrote:

> Hello,
>
> I have set up an Apache load balancer (mod_jk) with server IP 192.168.1.120
> (Webserver01.epsilon.test), which forwards the traffic to the Tomcat server
> 192.168.1.111 (appserver01.epsilon.test).
>
> Each Tomcat server has three workers (0, 1, 2).
>
> I deployed *Central Authentication Service* (CAS) on worker0 and it is
> working, with a warning related to the SSL certificate. I have another
> application on this worker0 called ServiceCatalog; unfortunately it didn't
> work and gave the error below:
>
> ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
> at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
> at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
> at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
> at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
> at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
> at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
> at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
> at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
> at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
> at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
> at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
> at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
> at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
> at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
> at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:157)
> at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:142)
>


SSL on Tomcat

2018-09-27 Thread Loai Abdallatif
Hello,

I have set up an Apache load balancer (mod_jk) with server IP 192.168.1.120
(Webserver01.epsilon.test), which forwards the traffic to the Tomcat server
192.168.1.111 (appserver01.epsilon.test).

Each Tomcat server has three workers (0, 1, 2).

I deployed *Central Authentication Service* (CAS) on worker0 and it is
working, with a warning related to the SSL certificate. I have another
application on this worker0 called ServiceCatalog; unfortunately it didn't
work and gave the error below:

ERROR org.jasig.cas.client.util.CommonUtils - sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
at sun.security.ssl.SSLSocketImpl.fatal(SSLSocketImpl.java:1964)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:328)
at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:322)
at sun.security.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1614)
at sun.security.ssl.ClientHandshaker.processMessage(ClientHandshaker.java:216)
at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1052)
at sun.security.ssl.Handshaker.process_record(Handshaker.java:987)
at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1072)
at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1385)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1413)
at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1397)
at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:185)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1564)
at sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1492)
at sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:263)
at org.jasig.cas.client.util.CommonUtils.getResponseFromServer(CommonUtils.java:429)
at org.jasig.cas.client.validation.AbstractCasProtocolUrlBasedTicketValidator.retrieveResponseFromServer(AbstractCasProtocolUrlBasedTicketValidator.java:41)
at org.jasig.cas.client.validation.AbstractUrlBasedTicketValidator.validate(AbstractUrlBasedTicketValidator.java:193)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticateNow(CasAuthenticationProvider.java:157)
at org.springframework.security.cas.authentication.CasAuthenticationProvider.authenticate(CasAuthenticationProvider.java:142)


Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread Sean Son
On Mon, Jul 18, 2016 at 10:47 AM, André Warnier (tomcat) 
wrote:

> On 18.07.2016 16:33, Sean Son wrote:
>
>> On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
>> ognjen.d.blagoje...@gmail.com> wrote:
>>
>> Sean,
>>>
>>> On 13.7.2016 21:56, Sean Son wrote:
>>>
>>>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>>>> files that I would need to specify the DNS name?  Like in Apache we
>>>> would specify the DNS name in a Virtualhost.
>>>
>>> Take a look at context xml, attribute "name" in Host element [1], and
>>> attribute "defaultHost" in Engine element [2].
>>>
>>> -Ognjen
>>>
>>> ps. Please, write your answers below the quotes, that is standard on
>>> Tomcat mailing lists.
>>>
>>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
>>> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>>>
>>>
>>> -
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
>>>
>> Unfortunately I was not able to make any sense of those two links. In which
>> file, would the Host element or Engine element appear in? I do not see
>> anything of the sort in context.xml ?
>>
>> Why is tomcat so confusing?
>>
>>
> Maybe less confusing if you start here :
> http://tomcat.apache.org/tomcat-8.0-doc/config/index.html
> and then work your way down to the 2 links above.
>
>
>
>
>
Thank you Andre! I will do that.


Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread tomcat

On 18.07.2016 16:33, Sean Son wrote:
> On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
> ognjen.d.blagoje...@gmail.com> wrote:
>
>> Sean,
>>
>> On 13.7.2016 21:56, Sean Son wrote:
>>
>>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>>> files that I would need to specify the DNS name?  Like in Apache we
>>> would specify the DNS name in a Virtualhost.
>>
>> Take a look at context xml, attribute "name" in Host element [1], and
>> attribute "defaultHost" in Engine element [2].
>>
>> -Ognjen
>>
>> ps. Please, write your answers below the quotes, that is standard on
>> Tomcat mailing lists.
>>
>> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
>> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
> Unfortunately I was not able to make any sense of those two links. In which
> file, would the Host element or Engine element appear in? I do not see
> anything of the sort in context.xml ?
>
> Why is tomcat so confusing?

Maybe less confusing if you start here :
http://tomcat.apache.org/tomcat-8.0-doc/config/index.html
and then work your way down to the 2 links above.





Re: Need help setting up SSL on Tomcat 8

2016-07-18 Thread Sean Son
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
>
>
Unfortunately I was not able to make any sense of those two links. In which
file, would the Host element or Engine element appear in? I do not see
anything of the sort in context.xml ?

Why is tomcat so confusing?


Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Sean Son
On Thu, Jul 14, 2016 at 8:15 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 13.7.2016 21:56, Sean Son wrote:
>
>> Thank you for your answer guys. Is there anywhere in the Tomcat config
>> files that I would need to specify the DNS name?  Like in Apache we
>> would specify the DNS name in a Virtualhost.
>>
>
> Take a look at context xml, attribute "name" in Host element [1], and
> attribute "defaultHost" in Engine element [2].
>
> -Ognjen
>
> ps. Please, write your answers below the quotes, that is standard on
> Tomcat mailing lists.
>
> [1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
> [2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html
>
>
>
>
Thanks for the links, and sorry, bad habit of mine, lol. Today I will set up
a DNS record for the server and test out the SSL. I will let you all know
what I see.

Thanks!


Re: Need help setting up SSL on Tomcat 8

2016-07-14 Thread Ognjen Blagojevic

Sean,

On 13.7.2016 21:56, Sean Son wrote:

Thank you for your answer guys. Is there anywhere in the Tomcat config
files that I would need to specify the DNS name?  Like in Apache we
would specify the DNS name in a Virtualhost.


Take a look at context xml, attribute "name" in Host element [1], and 
attribute "defaultHost" in Engine element [2].


-Ognjen

ps. Please, write your answers below the quotes, that is standard on 
Tomcat mailing lists.


[1] http://tomcat.apache.org/tomcat-8.0-doc/config/host.html
[2] http://tomcat.apache.org/tomcat-8.0-doc/config/engine.html




Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Daniel Savard
2016-07-13 15:56 GMT-04:00 Sean Son :

> Thank you for your answer guys. Is there anywhere in the Tomcat config
> files that I would need to specify the DNS name?  Like in Apache we would
> specify the DNS name in a Virtualhost.
>
>
No.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Sean Son
Thank you for your answer guys. Is there anywhere in the Tomcat config
files that I would need to specify the DNS name?  Like in Apache we would
specify the DNS name in a Virtualhost.

On Wed, Jul 13, 2016 at 7:56 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 12.7.2016 14:49, Sean Son wrote:
>
>> Hello thank you for your response. I am currently only accessing the
>> server using IP address only. We do not have a DNS record set up for the
>> server as of yet. It will be something like webapp.example.com
>>
>
> Once there is a DNS record in place, and you access your server using
> FQDN, your error will be gone.
>
> If you are the only one who accesses the server, and you find that warning
> particularly annoying, you may enter the FQDN and IP address in the hosts file,
> and access the server using the FQDN, before your DNS admins do their job.
>
> -Ognjen
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-13 Thread Ognjen Blagojevic

Sean,

On 12.7.2016 14:49, Sean Son wrote:

Hello thank you for your response. I am currently only accessing the
server using IP address only. We do not have a DNS record set up for the
server as of yet. It will be something like webapp.example.com


Once there is a DNS record in place, and you access your server using 
FQDN, your error will be gone.


If you are the only one who accesses the server, and you find that warning 
particularly annoying, you may enter the FQDN and IP address in the hosts file, 
and access the server using the FQDN, before your DNS admins do their job.


-Ognjen





Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Daniel Savard
2016-07-12 14:34 GMT-04:00 Sean Son :

> Are there any logs on the tomcat server that I should check in order to fix
> this SSL issue? or is this strictly a certificate related issue?
>

In my opinion, it is a DNS issue. Your certificate specifies the
SubjectAlternativeName field with two DNS entries. If none of these can be
resolved for your server, the certificate is considered invalid.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Sean Son
On Tue, Jul 12, 2016 at 8:49 AM, Sean Son 
wrote:

>
>
> On Mon, Jul 11, 2016 at 6:25 PM, Ognjen Blagojevic <
> ognjen.d.blagoje...@gmail.com> wrote:
>
>> On 11.7.2016 16:29, Sean Son wrote:
>>
>>> Here is the certificate path:
>>>
>>> - Go Daddy Root Certificate Authority - G2
>>>- Go Daddy Secure Certificate Authority - G2
>>>   - *.example.com 
>>>
>>>
>> That looks Ok.
>>
>> Did you, perhaps, try to access the server on a subdomain of example.com?
>> Wildcard certificate "*.example.com" is valid for "www.example.com", but
>> not for "www.department.example.com".
>>
>> -Ognjen
>>
>>
>>
> Hello thank you for your response. I am currently only accessing the
> server using IP address only. We do not have a DNS record set up for the
> server as of yet. It will be something like webapp.example.com
>
>
> Thanks
>
>
>

Are there any logs on the tomcat server that I should check in order to fix
this SSL issue? or is this strictly a certificate related issue?


Re: Need help setting up SSL on Tomcat 8

2016-07-12 Thread Sean Son
On Mon, Jul 11, 2016 at 6:25 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> On 11.7.2016 16:29, Sean Son wrote:
>
>> Here is the certificate path:
>>
>> - Go Daddy Root Certificate Authority - G2
>>- Go Daddy Secure Certificate Authority - G2
>>   - *.example.com 
>>
>>
> That looks Ok.
>
> Did you, perhaps, try to access the server on a subdomain of example.com?
> Wildcard certificate "*.example.com" is valid for "www.example.com", but
> not for "www.department.example.com".
>
> -Ognjen
>
>
>
Hello thank you for your response. I am currently only accessing the server
using IP address only. We do not have a DNS record set up for the server as
of yet. It will be something like webapp.example.com


Thanks


Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Ognjen Blagojevic

On 11.7.2016 16:29, Sean Son wrote:

Here is the certificate path:

- Go Daddy Root Certificate Authority - G2
   - Go Daddy Secure Certificate Authority - G2
  - *.example.com 



That looks Ok.

Did you, perhaps, try to access the server on a subdomain of example.com? 
Wildcard certificate "*.example.com" is valid for "www.example.com", but 
not for "www.department.example.com".


-Ognjen





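The reference-identity check behind Ognjen's wildcard explanation and Daniel's SAN/DNS point, as an added example that is not code from this thread or from Tomcat. It is plain Python with only the standard library. The certificate's SAN list (`*.example.com` plus the bare `example.com`) and the address `192.0.2.10` are assumptions: the thread only says the certificate carries two DNS entries and never gives Sean's server IP.

```python
"""Reference-identity check a TLS client performs on a server certificate.

Added example for this thread (not code from the list or from Tomcat): it
shows why a Go Daddy wildcard certificate for *.example.com is accepted for
webapp.example.com but rejected when the server is reached by IP address or
under www.department.example.com. The SAN list below is an assumption; the
thread only says the certificate has two DNS entries.
"""
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed identity for the certificate discussed in the thread.
# Assumed SAN entries: the wildcard itself plus the bare domain.
WILDCARD_CERT_DNS_NAMES = ["*.example.com", "example.com"]
WILDCARD_CERT_CN = "*.example.com"


def dns_name_matches(presented: str, host: str) -> bool:
    """Match one presented dNSName (or CN) against the requested host name.

    Conservative reading of RFC 6125 section 6.4.3: a wildcard is honoured only
    when it is the entire left-most label and at least two labels follow it,
    and it matches exactly one label. So '*.example.com' covers
    'www.example.com' but not 'example.com', 'www.department.example.com'
    or 'example.net'.
    """
    presented = presented.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in presented:
        return presented == host
    p_labels = presented.split(".")
    h_labels = host.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in label for label in p_labels[1:]):
        return False  # partial (w*.example.com), multi-level or too-short wildcards are refused
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:] and h_labels[0] != ""


def check_identity(host: str, dns_names: Iterable[str], ip_names: Iterable[str] = (),
                   common_name: Optional[str] = None) -> Tuple[bool, str]:
    """Return (accepted, reason) for connecting to `host` with this certificate."""
    try:
        literal = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        literal = None
    if literal is not None:
        # An IP literal can only be satisfied by an iPAddress SAN; dNSName
        # entries and the CN are never compared against it.
        for ip in ip_names:
            if ipaddress.ip_address(ip) == literal:
                return True, f"matched iPAddress SAN {ip}"
        return False, f"{host} is an IP literal and no iPAddress SAN matches it"
    dns_names = list(dns_names)
    for name in dns_names:
        if dns_name_matches(name, host):
            return True, f"matched dNSName SAN {name}"
    if dns_names:
        return False, f"no dNSName SAN covers {host} (presented: {', '.join(dns_names)})"
    # CN is consulted only when the certificate has no dNSName at all; current
    # browsers no longer do even that, so a new certificate needs a SAN.
    if common_name and dns_name_matches(common_name, host):
        return True, f"matched CN {common_name} (no SAN present)"
    return False, f"nothing in the certificate covers {host}"


def thread_cases() -> List[Tuple[str, bool, str]]:
    """Run the situations from the thread against the constructed certificate."""
    hosts = [
        "192.0.2.10",                  # reaching the server by IP, as Sean did (placeholder address)
        "webapp.example.com",          # the planned DNS name
        "WEBAPP.example.com.",         # case and trailing dot are normalised
        "example.com",                 # bare domain, only via the assumed second SAN
        "www.department.example.com",  # Ognjen's counter-example
        "example.net",
    ]
    return [(h, *check_identity(h, WILDCARD_CERT_DNS_NAMES, common_name=WILDCARD_CERT_CN))
            for h in hosts]


if __name__ == "__main__":
    for host, ok, reason in thread_cases():
        print(f"{'OK ' if ok else 'ERR'} {host:30} {reason}")
```

Browsers surface the failing cases as a name mismatch (Chrome's net::ERR_CERT_COMMON_NAME_INVALID), which fits Daniel's diagnosis: as long as the server is reached by IP, no keystore or keyAlias change can make the wildcard certificate valid; only a name the SAN covers can.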

Re: Need help setting up SSL on Tomcat 8

2016-07-11 Thread Sean Son
Here is the certificate path:

- Go Daddy Root Certificate Authority - G2
   - Go Daddy Secure Certificate Authority - G2
  - *.example.com


Thanks

On Fri, Jul 8, 2016 at 6:23 PM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> On 7.7.2016 23:17, Daniel Savard wrote:
>
>>> Certificate Error
>>> There are issues with the site's certificate chain
>>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>>
>>> Looks like adding the keyAlias to the connector did not fix anything
>>> unfortunately.
>>
>> Did you examine the received certificate in the browser? Usually this helps
>> to identify why it failed. In this case, the chain of certification seems
>> to be the problem.
>
> +1
>
> What is your certification path / certificate hierarchy?
>
> In Firefox: click on padlock icon, click on arrow, More information, View
> Certificate, Details, Certificate Hierarchy
>
> In Chrome: click on padlock icon, Details, View Certificate, Certification
> path.
>
>
> -Ognjen
>
>
>
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-08 Thread Ognjen Blagojevic

On 7.7.2016 23:17, Daniel Savard wrote:
>> Certificate Error
>> There are issues with the site's certificate chain
>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Looks like adding the keyAlias to the connector did not fix anything
>> unfortunately.
>
> Did you examine the received certificate in the browser? Usually this helps
> to identify why it failed. In this case, the chain of certification seems
> to be the problem.


+1

What is your certification path / certificate hierarchy?

In Firefox: click on padlock icon, click on arrow, More information, 
View Certificate, Details, Certificate Hierarchy


In Chrome: click on padlock icon, Details, View Certificate, 
Certification path.


-Ognjen






Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Daniel Savard
2016-07-07 14:53 GMT-04:00 Sean Son :

>
>
> On Thu, Jul 7, 2016 at 12:24 PM, Sean Son <
> linuxmailinglistsem...@gmail.com> wrote:
>
>> Copying Daniel and Ognjen on this
>>
>> On Thu, Jul 7, 2016 at 12:02 PM, Sean Son <
>> linuxmailinglistsem...@gmail.com> wrote:
>>
>>> Hello
>>>
>>> I tried adding the keyAlias to the connector and when I restarted
>>> Tomcat and browsed to the server page, I got this error:
>>>
>>> Certificate Error
>>> There are issues with the site's certificate chain
>>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>>
>>> Looks like adding the keyAlias to the connector did not fix anything
>>> unfortunately.
>>>
>>
>
Did you examine the received certificate in the browser? Usually this helps
to identify why it failed. In this case, the chain of certification seems
to be the problem.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
On Thu, Jul 7, 2016 at 12:24 PM, Sean Son 
wrote:

> Copying Daniel and Ognjen on this
>
> On Thu, Jul 7, 2016 at 12:02 PM, Sean Son <
> linuxmailinglistsem...@gmail.com> wrote:
>
>> Hello
>>
>> I tried adding the keyAlias to the connector and when I restarted
>> Tomcat and browsed to the server page, I got this error:
>>
>> Certificate Error
>> There are issues with the site's certificate chain
>> (net::ERR_CERT_COMMON_NAME_INVALID).
>>
>> Looks like adding the keyAlias to the connector did not fix anything
>> unfortunately.
>>
>> On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
>> wrote:
>>
>>> 2016-07-07 10:52 GMT-04:00 Sean Son :
>>>
>>> > So I should modify my  connector to look like this?
>>> >
>>> >      protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> >      maxThreads="150" keystoreFile="conf/tomcat.jks"
>>> >      keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>>> >      SSLEnabled="true" scheme="https" secure="true"
>>> >      clientAuth="false" sslProtocol="TLS" />
>>> >
>>> >
>>> Yes.
>>>
>>> -
>>> Daniel Savard
>>>
>>
>>
>
Sorry I noticed that this is the connector configuration in my server.xml
file:



I updated it with the keyAlias information.  This connector was provided to
me by someone.  Unfortunately I am still getting the same error message.


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
Copying Daniel and Ognjen on this

On Thu, Jul 7, 2016 at 12:02 PM, Sean Son 
wrote:

> Hello
>
> I tried adding the keyAlias to the connector and when I restarted Tomcat
> and browsed to the server page, I got this error:
>
> Certificate Error
> There are issues with the site's certificate chain
> (net::ERR_CERT_COMMON_NAME_INVALID).
>
> Looks like adding the keyAlias to the connector did not fix anything
> unfortunately.
>
>
> On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
> wrote:
>
>> 2016-07-07 10:52 GMT-04:00 Sean Son :
>>
>> > So I should modify my  connector to look like this?
>> >
>> >      protocol="org.apache.coyote.http11.Http11NioProtocol"
>> >      maxThreads="150" keystoreFile="conf/tomcat.jks"
>> >      keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>> >      SSLEnabled="true" scheme="https" secure="true"
>> >      clientAuth="false" sslProtocol="TLS" />
>> >
>> >
>> Yes.
>>
>> -
>> Daniel Savard
>>
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
Hello

I tried adding the keyAlias to the connector and when I restarted Tomcat
and browsed to the server page, I got this error:

Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Looks like adding the keyAlias to the connector did not fix anything
unfortunately.

On Thu, Jul 7, 2016 at 10:55 AM, Daniel Savard 
wrote:

> 2016-07-07 10:52 GMT-04:00 Sean Son :
>
> > So I should modify my  connector to look like this?
> >
> >      protocol="org.apache.coyote.http11.Http11NioProtocol"
> >      maxThreads="150" keystoreFile="conf/tomcat.jks"
> >      keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
> >      SSLEnabled="true" scheme="https" secure="true"
> >      clientAuth="false" sslProtocol="TLS" />
> >
> >
> Yes.
>
> -
> Daniel Savard
>


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Daniel Savard
2016-07-07 10:52 GMT-04:00 Sean Son :

> So I should modify my  connector to look like this?
>
>      protocol="org.apache.coyote.http11.Http11NioProtocol"
>      maxThreads="150" keystoreFile="conf/tomcat.jks"
>      keystorePass="password" keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}"
>      SSLEnabled="true" scheme="https" secure="true"
>      clientAuth="false" sslProtocol="TLS" />
>
>
Yes.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-07 Thread Sean Son
So I should modify my  connector to look like this?



On Wed, Jul 6, 2016 at 6:50 AM, Ognjen Blagojevic <
ognjen.d.blagoje...@gmail.com> wrote:

> Sean,
>
> On 5.7.2016 17:14, Sean Son wrote:
>
>> Hello Daniel and all
>>
>> Here is the output.. the full output
>>
>> http://pastebin.com/AQckw6ig
>>
>
> Keytool output indicates that there are two entries in keystore:
>
> 1. Entry with alias "root", created Jun 16, 2016, which is intermediate
> certificate for Go Daddy:
>
> Owner: CN=Go Daddy Secure Certificate Authority - G2 ...
> Issuer: CN=Go Daddy Root Certificate Authority - G2 ...
>
> This is "trustedCertEntry", which means that it does not contain a private
> key, and therefore may not be used for encryption necessary for TLS / HTTPS
> communication.
>
>
> 2. Entry with alias "{b81d8607-57e9-4c35-a058-cd46099e7797}", created Jun
> 16, 2016. This is certificate for domain example.com, signed by Go Daddy:
>
> Owner: CN=*.example.com, OU=Domain Control Validated
> Issuer: CN=Go Daddy Secure Certificate Authority - G2, ...
>
> This is PrivateKeyEntry which means that it contains private and public
> key pair, and since owner is different from issuer it means it also
> contains associated certificate. This entry may be used to encrypt data for
> TLS / HTTPS communication.
>
>
> Therefore, you must point Tomcat to use second entry from your keystore.
> Try adding keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}" to your
> connector configuration.
>
> -Ognjen
>
>
>
>
>
>


Re: Need help setting up SSL on Tomcat 8

2016-07-06 Thread Ognjen Blagojevic

Sean,

On 5.7.2016 17:14, Sean Son wrote:

Hello Daniel and all

Here is the output.. the full output

http://pastebin.com/AQckw6ig


Keytool output indicates that there are two entries in keystore:

1. Entry with alias "root", created Jun 16, 2016, which is intermediate 
certificate for Go Daddy:


Owner: CN=Go Daddy Secure Certificate Authority - G2 ...
Issuer: CN=Go Daddy Root Certificate Authority - G2 ...

This is "trustedCertEntry", which means that it does not contain a 
private key, and therefore may not be used for encryption necessary for 
TLS / HTTPS communication.



2. Entry with alias "{b81d8607-57e9-4c35-a058-cd46099e7797}", created 
Jun 16, 2016. This is certificate for domain example.com, signed by Go 
Daddy:


Owner: CN=*.example.com, OU=Domain Control Validated
Issuer: CN=Go Daddy Secure Certificate Authority - G2, ...

This is PrivateKeyEntry which means that it contains private and public 
key pair, and since owner is different from issuer it means it also 
contains associated certificate. This entry may be used to encrypt data 
for TLS / HTTPS communication.



Therefore, you must point Tomcat to use second entry from your keystore. 
Try adding keyAlias="{b81d8607-57e9-4c35-a058-cd46099e7797}" to your 
connector configuration.


-Ognjen






Re: Need help setting up SSL on Tomcat 8

2016-07-05 Thread Sean Son
On Fri, Jul 1, 2016 at 6:14 PM, Daniel Savard 
wrote:

> 2016-07-01 16:08 GMT-04:00 Christopher Schultz <
> ch...@christopherschultz.net
> >:
>
> >
> > >
> > > Thank you for the reply.  How would I go about specifying the alias
> > > of the certificate?
> >
> > You may have to re-import it, but I've had bad experiences with Java
> > keystores so ALWAYS keep a backup in case you host something.
> >
> > The first item in your keystore certainly looks like a certificate to
> > me. It's the *second* item that is a private key.
> >
> > What if you add these attributes to your connector:
> >
> > keyAlias="root"
> >
> > ?
> >
> > If that doesn't work, try using a tool like Portecle to try to adjust
> > some things (like the "aliases"). It's much better and safer than
> > using keytool IMO. Remember ALWAYS KEEP A BACKUP!
> >
> >
> Chris,
>
> in a keystore, the entry with the certificate created using the private key
> from that keystore is a single entry identified as PrivateKey. If you have
> a single certificate created from a private key in that keystore you will
> have only one entry, not two and it will be labeled as private key.
>
> In fact, it can be checked using the -v option to print details about each
> entry. This should be enough to identify without ambiguity which entry is
> what. This is what I recommend to do in order to understand what really is
> in the keystore. I doubt the alias root with the first entry in the
> keystore is actually the certificate needed here.
>
> Sean,
>
> print the details and you will have the alias and Common Name clearly
> identified on the output in a verbose format. Use the -v option to the
> keytool command for this. No need to post everything here if you are
> unsure.
>
> -
> Daniel Savard
>



Hello Daniel and all

Here is the output.. the full output

http://pastebin.com/AQckw6ig


Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Daniel Savard
2016-07-01 16:08 GMT-04:00 Christopher Schultz :

>
> >
> > Thank you for the reply.  How would I go about specifying the alias
> > of the certificate?
>
> You may have to re-import it, but I've had bad experiences with Java
> keystores so ALWAYS keep a backup in case you host something.
>
> The first item in your keystore certainly looks like a certificate to
> me. It's the *second* item that is a private key.
>
> What if you add these attributes to your connector:
>
> keyAlias="root"
>
> ?
>
> If that doesn't work, try using a tool like Portecle to try to adjust
> some things (like the "aliases"). It's much better and safer than
> using keytool IMO. Remember ALWAYS KEEP A BACKUP!
>
>
Chris,

in a keystore, the entry with the certificate created using the private key
from that keystore is a single entry identified as PrivateKey. If you have
a single certificate created from a private key in that keystore you will
have only one entry, not two and it will be labeled as private key.

In fact, it can be checked using the -v option to print details about each
entry. This should be enough to identify without ambiguity which entry is
what. This is what I recommend to do in order to understand what really is
in the keystore. I doubt the alias root with the first entry in the
keystore is actually the certificate needed here.

Sean,

print the details and you will have the alias and Common Name clearly
identified on the output in a verbose format. Use the -v option to the
keytool command for this. No need to post everything here if you are unsure.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Christopher Schultz

Sean,

On 7/1/16 11:11 AM, Sean Son wrote:
> On Fri, Jul 1, 2016 at 2:57 AM, Daniel Savard
>  wrote:
> 
>> 2016-06-29 9:08 GMT-04:00 Sean Son
>> :
>> 
>>> Hello Daniel
>>> 
>>> Thank you for the information. Here is the output of the
>>> keytool command:
>>> 
>>> Keystore type: JKS
>>> Keystore provider: SUN
>>> 
>>> Your keystore contains 2 entries
>>> 
>>> root, Jun 16, 2016, trustedCertEntry,
>>> Certificate fingerprint (SHA1):
>>> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
>>> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
>>> Certificate fingerprint (SHA1):
>>> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>>> 
>>> 
>>> Is it possible that the error that I am seeing, is related to
>>> the fact that I am using a wildcard certificate?
>>> 
>> 
>> So, the first entry in the keystore isn't your certificate. As I
>> told you before, if you do not explicitly specify the alias of
>> the certificate to send, the first entry in the keystore is sent.
>> In this case, root.
>> 
>> The attribute to tell the connector which certificate to send, is
>> keyAlias, however it seems your certificate has no alias in the
>> keystore.
>> 
>> - Daniel Savard
>> 
> 
> 
> Thank you for the reply.  How would I go about specifying the alias
> of the certificate?

You may have to re-import it, but I've had bad experiences with Java
keystores so ALWAYS keep a backup in case you host something.

The first item in your keystore certainly looks like a certificate to
me. It's the *second* item that is a private key.

What if you add these attributes to your connector:

keyAlias="root"

?

If that doesn't work, try using a tool like Portecle to try to adjust
some things (like the "aliases"). It's much better and safer than
using keytool IMO. Remember ALWAYS KEEP A BACKUP!

-chris



Re: Need help setting up SSL on Tomcat 8

2016-07-01 Thread Sean Son
On Fri, Jul 1, 2016 at 2:57 AM, Daniel Savard 
wrote:

> 2016-06-29 9:08 GMT-04:00 Sean Son :
>
> > Hello Daniel
> >
> > Thank you for the information. Here is the output of the keytool command:
> >
> > Keystore type: JKS
> > Keystore provider: SUN
> >
> > Your keystore contains 2 entries
> >
> > root, Jun 16, 2016, trustedCertEntry,
> > Certificate fingerprint (SHA1):
> > 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> > {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> > Certificate fingerprint (SHA1):
> > 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
> >
> >
> > Is it possible that the error that I am seeing, is related to the fact
> > that I am using a wildcard certificate?
> >
>
> So, the first entry in the keystore isn't your certificate. As I told you
> before, if you do not explicitly specify the alias of the certificate to
> send, the first entry in the keystore is sent. In this case, root.
>
> The attribute to tell the connector which certificate to send, is keyAlias,
> however it seems your certificate has no alias in the keystore.
>
> -
> Daniel Savard
>


Thank you for the reply.  How would I go about specifying the alias of the
certificate?


Re: Need help setting up SSL on Tomcat 8

2016-06-30 Thread Daniel Savard
2016-06-29 9:08 GMT-04:00 Sean Son :

> Hello Daniel
>
> Thank you for the information. Here is the output of the keytool command:
>
> Keystore type: JKS
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Jun 16, 2016, trustedCertEntry,
> Certificate fingerprint (SHA1):
> 27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
> {b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
> Certificate fingerprint (SHA1):
> 6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA
>
>
> Is it possible that the error that I am seeing, is related to the fact
> that I am using a wildcard certificate?
>

So, the first entry in the keystore isn't your certificate. As I told you
before, if you do not explicitly specify the alias of the certificate to
send, the first entry in the keystore is sent. In this case, root.

The attribute to tell the connector which certificate to send, is keyAlias,
however it seems your certificate has no alias in the keystore.

-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-06-30 Thread Philip Hachey



On 16-06-29 09:08 AM, Sean Son wrote:

Hello Daniel

Thank you for the information. Here is the output of the keytool command:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
{b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA


Is it possible that the error that I am seeing, is related to the fact that
I am using a wildcard certificate?


Thanks

I'm not familiar with this configuration.  My keytool -list generates this:
***
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, 11-Apr-2016, PrivateKeyEntry,
Certificate fingerprint (SHA1): ...
***

That's what you should have too if you're simply following the quick
start rules here
[https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html].  Point your
browser to "https://localhost:8443/"


I also get a browser warning when using this keystore, but it's
net::ERR_CERT_AUTHORITY_INVALID which I would expect because I haven't
registered with a root authority (i.e. it's a self-signed certificate).
I would start with that.  If you then need to use an authority-signed
certificate, I personally don't have any immediate knowledge when it
comes to Tomcat, but I imagine it should be only slightly more complex.







Re: Need help setting up SSL on Tomcat 8

2016-06-29 Thread Sean Son
Hello Daniel

Thank you for the information. Here is the output of the keytool command:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

root, Jun 16, 2016, trustedCertEntry,
Certificate fingerprint (SHA1):
27:AC:93:69:FA:F2:52:07:BB:26:27:CE:FA:CC:BE:4E:F9:C3:19:B8
{b81d8607-57e9-4c35-a058-cd46099e7797}, Jun 16, 2016, PrivateKeyEntry,
Certificate fingerprint (SHA1):
6C:67:52:63:6B:EF:A2:3D:CD:A7:CB:64:99:99:4F:9C:3E:85:B9:AA


Is it possible that the error that I am seeing, is related to the fact that
I am using a wildcard certificate?


Thanks



On Tue, Jun 28, 2016 at 5:09 PM, Daniel Savard 
wrote:

> 2016-06-28 16:24 GMT-04:00 Sean Son :
> 
>
> >
> > as for the output to the keytool command:
> >
> > Isn't the output of that command confidential information?
> >
> >
> No, there isn't anything confidential from the output of a simple -list. It
> doesn't display the private key or anything like that. It will  just show
> the list of certificates in your keystore.
>
> The first entry in the keystore will be the one sent back by the Tomcat
> server since you didn't specify any alias. So, I assume this is the
> intended behavior.
>
> Since you do not specify any trust store, the default trust store shipped
> with your version of Java will be used. If the clients trying to connect
> do not have certificates signed by one of these, it will fail. It may
> not be a problem in your case since you do not provide any details on the
> clients' certificates.
>
> Regards,
> -
> Daniel Savard
>


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Daniel Savard
2016-06-28 16:24 GMT-04:00 Sean Son :


>
> as for the output to the keytool command:
>
> Isn't the output of that command confidential information?
>
>
No, there isn't anything confidential from the output of a simple -list. It
doesn't display the private key or anything like that. It will  just show
the list of certificates in your keystore.

The first entry in the keystore will be the one sent back by the Tomcat
server since you didn't specify any alias. So, I assume this is the
intended behavior.

Since you do not specify any trust store, the default trust store shipped
with your version of Java will be used. If the clients trying to connect
do not have certificates signed by one of these, it will fail. It may
not be a problem in your case since you do not provide any details on the
clients' certificates.

Regards,
-
Daniel Savard


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Here is the complete  configuration

 








as for the output to the keytool command:

Isn't the output of that command confidential information?

Thanks

On Tue, Jun 28, 2016 at 4:06 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

> Sean,
>
> On 6/28/16 2:31 PM, Sean Son wrote:
> > Hey Philip
> >
> > So i was able to get the page to connect with SSL but I noticed
> > that when I clicked on the little icon that looks like a lock next
> > to https:// in the address bar, I saw this certificate error:
> > Certificate Error There are issues with the site's certificate
> > chain (net::ERR_CERT_COMMON_NAME_INVALID).
>
> This usually means that the URL you are using contains a hostname that
> doesn't match the TLS certificate's "common name".
>
> > Does that mean that SSL has been implemented incorrectly?
> >
> > Also I am trying to get an incoming connection through port 80 to
> > tomcat, to automatically redirect to port 8443 (or 443 which ever
> > you think is easiest to implement)  without having to use a reverse
> > proxy in front of it.  In my server.xml I have the following:
> >
> >  connectionTimeout="2" redirectPort="8443" />


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Christopher Schultz

Sean,

On 6/28/16 2:31 PM, Sean Son wrote:
> Hey Philip
> 
> So i was able to get the page to connect with SSL but I noticed
> that when I clicked on the little icon that looks like a lock next
> to https:// in the address bar, I saw this certificate error: 
> Certificate Error There are issues with the site's certificate
> chain (net::ERR_CERT_COMMON_NAME_INVALID).

This usually means that the URL you are using contains a hostname that
doesn't match the TLS certificate's "common name".

> Does that mean that SSL has been implemented incorrectly?
> 
> Also I am trying to get an incoming connection through port 80 to
> tomcat, to automatically redirect to port 8443 (or 443 which ever
> you think is easiest to implement)  without having to use a reverse
> proxy in front of it.  In my server.xml I have the following:
> 
>  connectionTimeout="2" redirectPort="8443" />  

Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Hey Philip

So i was able to get the page to connect with SSL but I noticed that when I
clicked on the little icon that looks like a lock next to https:// in the
address bar, I saw this certificate error:
Certificate Error
There are issues with the site's certificate chain
(net::ERR_CERT_COMMON_NAME_INVALID).

Does that mean that SSL has been implemented incorrectly?

Also I am trying to get an incoming connection through port 80 to tomcat,
to automatically redirect to port 8443 (or 443 which ever you think is
easiest to implement)  without having to use a reverse proxy in front of
it.  In my server.xml I have the following:





Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Thank you for your reply Philip

yes I have and it still failed.. I can try again and let you know what
errors I am running into.

Thanks!



On Tue, Jun 28, 2016 at 2:15 PM, Philip Hachey  wrote:

> Have you tried following the steps found here?:
> https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html
>


Re: Need help setting up SSL on Tomcat 8

2016-06-28 Thread Philip Hachey
Have you tried following the steps found here?: 
https://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html





Need help setting up SSL on Tomcat 8

2016-06-28 Thread Sean Son
Hello all

I am stuck trying to set up SSL on Tomcat 8. I have tried all sorts of
advice and still I cannot get it to work.

I attempted to use the method described on this website:

https://sysengineers.wordpress.com/2011/03/16/tomcat-automatic-redirect-https/

but I started to see the following errors in my catalina.2016-06.26.log
file:

WARNING [main] org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLCertificateFile' to
'/home/user/apache-tomcat-8.0.35/ssl/certificate.crt' did not find a
matching property.
28-Jun-2016 10:44:20.495 WARNING [main]
org.apache.catalina.startup.SetAllPropertiesRule.begin
[SetAllPropertiesRule]{Server/Service/Connector} Setting property
'SSLCertificateKeyFile' to
'/home/user/apache-tomcat-8.0.35/ssl/certificate.key' did not find a
matching property.

So what I did was install openssl-devel and apr-devel and now those errors
have disappeared, but when I try to browse to the web application or the IP
of the server, I get the following error in the browser:

took too long to respond.

Try:

   - Reloading the page
   - Checking the connection
   - Checking the proxy and the firewall

I have no idea what I am doing wrong. I set up my Connector in server.xml
exactly the same way as the example in that website that I linked. Any
suggestions will greatly be appreciated!

Thanks!

Sean


Re: SSL on Tomcat 6

2015-06-12 Thread Christopher Schultz

Adriano,

On 6/11/15 3:54 PM, Adriano Matos Meier wrote:
> Exactly!
> 
> When I run "keytool -list ...", the PrivateKeyEntry now has the 
> fingerprint for SSL certificate.
> 
> I believed that I had lost the private key, and I would have to do it
> all again (keystore/CSR/intermed/SSL).
> 
> I still import the SSL certificate with alias tomcat, and it
> appears in keytool as a trustedCertEntry, with same fingerprint of
> the PrivateKeyEntry.
> 
> Very crazy, but it works!

Yes.

You can, if you want to, remove the "extra" certificate:

$ keytool -delete -alias server [...]

-chris

> Em Qui, 2015-06-11 às 15:37 -0400, Christopher Schultz escreveu:
>> Adriano,
>> 
>> On 6/11/15 2:31 PM, Adriano Matos Meier wrote:
>>> I had success when I re-imported the SSL certificate using the same
>>> alias as the PrivateKeyEntry, the alias used when I generated the
>>> CSR (repository).
>> 
>> That was going to be my second suggestion.
>> 
>> This is one more reason why I hate working with Java keystores:
>> you have to import the signed certificate /on top of/ a 
>> previously-generated certificate?
>> 
>> I don't understand why keytool always wants to create a
>> self-signed certificate when you request a CSR. I just want a
>> CSR, independent of the key and keystore. :(
>> 
>> -chris
>> 
>>> Em Qui, 2015-06-11 às 09:59 -0400, Christopher Schultz
>>> escreveu:
 Adriano,
 
 On 6/11/15 9:45 AM, Adriano Matos Meier wrote:
>>> I tried to add keyAlias="server" in my server.xml, but
>>> I received this error:
>> 
>> What does "keytool -list" show for that keystore?
> 
> It returns 3 entries:
> 
> 1 PrivateKeyEntry (Private Key) - alias repository 1 
> trustedCertEntry (Intermediate certificate) - alias
> intermed 1 trustedCertEntry (SSL certificate) - alias
> server
 
 The "keyAlias" attribute is for a key, not a cert.
 
 You want:
 
 
 
 I could have sworn that you could also specify the "alias"
 of the certificate, but it looks like maybe not. You may have
 to remove the certificate called "server" and instead
 re-import the certificate using the alias "tomcat".
 
 Try just using keyAlias="repository" first.
 
 -chris
 
> Em Qui, 2015-06-11 às 09:35 -0400, Christopher Schultz 
> escreveu:
>>> 
>>> LifecycleException:  service.getName(): "Catalina"; 
>>> Protocol handler start failed: java.io.IOException:
>>> Alias name server does not identify a key entry
>>> 
>>> Does the alias of the SSL certificate need to be the same as the CSR's?
>>> 
>>> What did I do wrong?
>>> 
>>> Can anybody help me?
>>> 
>>> I appreciate any help!
>> 
>> 
>> -chris
> 



Re: SSL on Tomcat 6

2015-06-11 Thread Adriano Matos Meier
Exactly!

When I run "keytool -list ...", the PrivateKeyEntry now has the
fingerprint for SSL certificate.

I believed that I had lost the private key, and I would have to do it all
again (keystore/CSR/intermed/SSL).

I still import the SSL certificate with alias tomcat, and it appears in
keytool as a trustedCertEntry, with same fingerprint of the
PrivateKeyEntry.

Very crazy, but it works!

:)

Em Qui, 2015-06-11 às 15:37 -0400, Christopher Schultz escreveu:
> Adriano,
> 
> On 6/11/15 2:31 PM, Adriano Matos Meier wrote:
> > I had success when I re-imported the SSL certificate using the same
> > alias as the PrivateKeyEntry, the alias used when I generated the CSR
> > (repository).
> 
> That was going to be my second suggestion.
> 
> This is one more reason why I hate working with Java keystores: you
> have to import the signed certificate /on top of/ a
> previously-generated certificate?
> 
> I don't understand why keytool always wants to create a self-signed
> certificate when you request a CSR. I just want a CSR, independent of
> the key and keystore. :(
> 
> -chris
> 
> > Em Qui, 2015-06-11 às 09:59 -0400, Christopher Schultz escreveu:
> >> Adriano,
> >> 
> >> On 6/11/15 9:45 AM, Adriano Matos Meier wrote:
> > I tried to add keyAlias="server" in my server.xml, but I 
> > received this error:
>  
>  What does "keytool -list" show for that keystore?
> >>> 
> >>> It returns 3 entries:
> >>> 
> >>> 1 PrivateKeyEntry (Private Key) - alias repository 1 
> >>> trustedCertEntry (Intermediate certificate) - alias intermed 1 
> >>> trustedCertEntry (SSL certificate) - alias server
> >> 
> >> The "keyAlias" attribute is for a key, not a cert.
> >> 
> >> You want:
> >> 
> >> 
> >> 
> >> I could have sworn that you could also specify the "alias" of
> >> the certificate, but it looks like maybe not. You may have to
> >> remove the certificate called "server" and instead re-import the
> >> certificate using the alias "tomcat".
> >> 
> >> Try just using keyAlias="repository" first.
> >> 
> >> -chris
> >> 
> >>> Em Qui, 2015-06-11 às 09:35 -0400, Christopher Schultz
> >>> escreveu:
> > 
> > LifecycleException:  service.getName(): "Catalina";
> > Protocol handler start failed: java.io.IOException: Alias
> > name server does not identify a key entry
> > 
> > Does the alias of the SSL certificate need to be the same as the CSR's?
> > 
> > What did I do wrong?
> > 
> > Can anybody help me?
> > 
> > I appreciate any help!
>  
>  
>  -chris
> >>> 
> >>> 



Re: SSL on Tomcat 6

2015-06-11 Thread Christopher Schultz

Adriano,

On 6/11/15 2:31 PM, Adriano Matos Meier wrote:
> I had success when I re-imported the SSL certificate using the same
> alias as the PrivateKeyEntry, the alias used when I generated the CSR
> (repository).

That was going to be my second suggestion.

This is one more reason why I hate working with Java keystores: you
have to import the signed certificate /on top of/ a
previously-generated certificate?

I don't understand why keytool always wants to create a self-signed
certificate when you request a CSR. I just want a CSR, independent of
the key and keystore. :(

-chris

> Em Qui, 2015-06-11 às 09:59 -0400, Christopher Schultz escreveu:
>> Adriano,
>> 
>> On 6/11/15 9:45 AM, Adriano Matos Meier wrote:
> I tried to add keyAlias="server" in my server.xml, but I 
> received this error:
 
 What does "keytool -list" show for that keystore?
>>> 
>>> It returns 3 entries:
>>> 
>>> 1 PrivateKeyEntry (Private Key) - alias repository 1 
>>> trustedCertEntry (Intermediate certificate) - alias intermed 1 
>>> trustedCertEntry (SSL certificate) - alias server
>> 
>> The "keyAlias" attribute is for a key, not a cert.
>> 
>> You want:
>> 
>> 
>> 
>> I could have sworn that you could also specify the "alias" of
>> the certificate, but it looks like maybe not. You may have to
>> remove the certificate called "server" and instead re-import the
>> certificate using the alias "tomcat".
>> 
>> Try just using keyAlias="repository" first.
>> 
>> -chris
>> 
>>> Em Qui, 2015-06-11 às 09:35 -0400, Christopher Schultz
>>> escreveu:
> 
> LifecycleException:  service.getName(): "Catalina";
> Protocol handler start failed: java.io.IOException: Alias
> name server does not identify a key entry
> 
> Does the alias of the SSL certificate need to be the same as the CSR's?
> 
> What did I do wrong?
> 
> Can anybody help me?
> 
> I appreciate any help!
 
 
 -chris
>>> 
>>> 



Re: SSL on Tomcat 6

2015-06-11 Thread Adriano Matos Meier
Chris.

I had success when I re-imported the SSL certificate using the same alias as
the PrivateKeyEntry, the alias used when I generated the CSR (repository).

It's ok now!

Thank you very much!!!

Adriano


Em Qui, 2015-06-11 às 09:59 -0400, Christopher Schultz escreveu:
> Adriano,
> 
> On 6/11/15 9:45 AM, Adriano Matos Meier wrote:
> >>> I tried to add keyAlias="server" in my server.xml, but I
> >>> received this error:
> >> 
> >> What does "keytool -list" show for that keystore?
> > 
> > It returns 3 entries:
> > 
> > 1 PrivateKeyEntry (Private Key) - alias repository 1
> > trustedCertEntry (Intermediate certificate) - alias intermed 1
> > trustedCertEntry (SSL certificate) - alias server
> 
> The "keyAlias" attribute is for a key, not a cert.
> 
> You want:
> 
>keyAlias="repository"
>   ...
>   />
> 
> I could have sworn that you could also specify the "alias" of the
> certificate, but it looks like maybe not. You may have to remove the
> certificate called "server" and instead re-import the certificate
> using the alias "tomcat".
> 
> Try just using keyAlias="repository" first.
> 
> -chris
> 
> > Em Qui, 2015-06-11 às 09:35 -0400, Christopher Schultz escreveu:
> >>> 
> >>> LifecycleException:  service.getName(): "Catalina";  Protocol 
> >>> handler start failed: java.io.IOException: Alias name server
> >>> does not identify a key entry
> >>> 
> >>> Does the alias of the SSL certificate need to be the same as the CSR's?
> >>> 
> >>> What did I do wrong?
> >>> 
> >>> Can anybody help me?
> >>> 
> >>> I appreciate any help!
> >> 
> >> 
> >> -chris
> > 
> 


Re: SSL on Tomcat 6

2015-06-11 Thread Christopher Schultz

Adriano,

On 6/11/15 9:45 AM, Adriano Matos Meier wrote:
>>> I tried to add keyAlias="server" in my server.xml, but I
>>> received this error:
>> 
>> What does "keytool -list" show for that keystore?
> 
> It returns 3 entries:
> 
> 1 PrivateKeyEntry (Private Key) - alias repository 1
> trustedCertEntry (Intermediate certificate) - alias intermed 1
> trustedCertEntry (SSL certificate) - alias server

The "keyAlias" attribute is for a key, not a cert.

You want:



I could have sworn that you could also specify the "alias" of the
certificate, but it looks like maybe not. You may have to remove the
certificate called "server" and instead re-import the certificate
using the alias "tomcat".

Try just using keyAlias="repository" first.

-chris

> Em Qui, 2015-06-11 às 09:35 -0400, Christopher Schultz escreveu:
>>> 
>>> LifecycleException:  service.getName(): "Catalina";  Protocol 
>>> handler start failed: java.io.IOException: Alias name server
>>> does not identify a key entry
>>> 
>>> Does the alias of the SSL certificate need to be the same as the CSR's?
>>> 
>>> What did I do wrong?
>>> 
>>> Can anybody help me?
>>> 
>>> I appreciate any help!
>> 
>> 
>> -chris
> 



Re: SSL on Tomcat 6

2015-06-11 Thread Adriano Matos Meier
Hi Chris.

It returns 3 entries:

1 PrivateKeyEntry (Private Key) - alias repository
1 trustedCertEntry (Intermediate certificate) - alias intermed
1 trustedCertEntry (SSL certificate) - alias server

Thanks for your attention!

Adriano



Em Qui, 2015-06-11 às 09:35 -0400, Christopher Schultz escreveu:
> Adriano,
> 
> On 6/11/15 7:18 AM, Adriano Matos Meier wrote:
> > I need to update the SSL certificate in Tomcat 6.x.
> > 
> > First I did:
> > 
> > 1) Generate keystore keytool -genkeypair -alias repository -keyalg
> > RSA -keysize 2048 -sigalg SHA256withRSA -keystore
> > /usr/local/tomcat6/keystore/keystore2015.jks
> > 
> > 2) Generate CSR keytool -certreq -alias repository -keyalg RSA
> > -keysize 2048 -sigalg SHA256withRSA -keystore
> > /usr/local/tomcat6/keystore/keystore2015.jks -file
> > /usr/local/tomcat6/keystore/request.csr
> > 
> > after:
> > 
> > 3) Install intermediate certificate keytool -import -alias
> > intermed -keystore /usr/local/tomcat6/keystore/keystore2015.jks
> > -trustcacerts -file intermed.crt
> > 
> > 4) Install SSL certificate keytool -import -alias server -keystore
> > /usr/local/tomcat6/keystore/keystore2015.jks -trustcacerts -file
> > www.domain.com.crt
> > 
> > I restarted Tomcat and it listens on 8443 normally, but verifying
> > the fingerprint, it is using the "PrivateKeyEntry" for SSL, not
> > the "trustedCertEntry".
> > 
> > I tried to add keyAlias="server" in my server.xml, but I received
> > this error:
> > 
> > LifecycleException:  service.getName(): "Catalina";  Protocol
> > handler start failed: java.io.IOException: Alias name server does
> > not identify a key entry
> > 
> > Does the alias of the SSL certificate need to be the same as the CSR's?
> > 
> > What did I do wrong?
> > 
> > Can anybody help me?
> > 
> > I appreciate any help!
> 
> What does "keytool -list" show for that keystore?
> 
> -chris




Re: SSL on Tomcat 6

2015-06-11 Thread Christopher Schultz

Adriano,

On 6/11/15 7:18 AM, Adriano Matos Meier wrote:
> I need to update the SSL certificate in Tomcat 6.x.
> 
> First I did:
> 
> 1) Generate keystore keytool -genkeypair -alias repository -keyalg
> RSA -keysize 2048 -sigalg SHA256withRSA -keystore
> /usr/local/tomcat6/keystore/keystore2015.jks
> 
> 2) Generate CSR keytool -certreq -alias repository -keyalg RSA
> -keysize 2048 -sigalg SHA256withRSA -keystore
> /usr/local/tomcat6/keystore/keystore2015.jks -file
> /usr/local/tomcat6/keystore/request.csr
> 
> after:
> 
> 3) Install intermediate certificate keytool -import -alias
> intermed -keystore /usr/local/tomcat6/keystore/keystore2015.jks
> -trustcacerts -file intermed.crt
> 
> 4) Install SSL certificate keytool -import -alias server -keystore
> /usr/local/tomcat6/keystore/keystore2015.jks -trustcacerts -file
> www.domain.com.crt
> 
> I restarted Tomcat and it listens on 8443 normally, but verifying
> the fingerprint, it is using the "PrivateKeyEntry" for SSL, not
> the "trustedCertEntry".
> 
> I tried to add keyAlias="server" in my server.xml, but I received
> this error:
> 
> LifecycleException:  service.getName(): "Catalina";  Protocol
> handler start failed: java.io.IOException: Alias name server does
> not identify a key entry
> 
> The alias of SSL certificate needs to be same of CSR?
> 
> What I did wrong?
> 
> Can anybody help me?
> 
> I appreciate any help!

What does "keytool -list" show for that keystore?

-chris



SSL on Tomcat 6

2015-06-11 Thread Adriano Matos Meier
Hi.

I need update the SSL certificate in Tomcat 6.x.

First I did:

1) Generate keystore
keytool -genkeypair -alias repository -keyalg RSA -keysize 2048 -sigalg
SHA256withRSA -keystore /usr/local/tomcat6/keystore/keystore2015.jks

2) Generate CSR
keytool -certreq -alias repository -keyalg RSA -keysize 2048 -sigalg
SHA256withRSA -keystore /usr/local/tomcat6/keystore/keystore2015.jks
-file /usr/local/tomcat6/keystore/request.csr

after:

3) Install intermediate certificate
keytool -import -alias intermed
-keystore /usr/local/tomcat6/keystore/keystore2015.jks -trustcacerts
-file intermed.crt

4) Install SSL certificate
keytool -import -alias server
-keystore /usr/local/tomcat6/keystore/keystore2015.jks -trustcacerts
-file www.domain.com.crt

I restarted Tomcat and he listen on 8443 normally, but verifying the
fingerprint, it is using the "PrivateKeyEntry" for SSL, not the
"trustedCertEntry".

I tried to add keyAlias="server" in my server.xml, but I received this
error:

LifecycleException:  service.getName(): "Catalina";  Protocol handler
start failed: java.io.IOException: Alias name server does not identify a
key entry

The alias of SSL certificate needs to be same of CSR?

What I did wrong?

Can anybody help me?

I appreciate any help!

Adriano
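The question at the end (does the alias of the SSL certificate need to match the CSR?) is the crux of the problem described above. keytool only attaches a CA reply to a private key when `-importcert` is run against the alias that already holds that key pair ("repository" here); imported under a fresh alias such as "server", the signed certificate becomes a standalone trustedCertEntry, and that is exactly the entry type Tomcat's `keyAlias` cannot use, hence "does not identify a key entry". The following is an added example, not code from the thread: it parses a constructed `keytool -list` listing (the fingerprints are made up) and reports whether a given `keyAlias` would start, and if not, which alias the CA reply should have been imported under.

```python
import re
from typing import Dict, Tuple

# Constructed sample of `keytool -list -keystore keystore2015.jks` output for
# the keystore built by the four steps in the post: the key pair lives under
# "repository", while the CA reply and the intermediate were imported under
# two *new* aliases, so keytool stored them as trusted certificates.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 3 entries

repository, Jun 11, 2015, PrivateKeyEntry,
Certificate fingerprint (SHA1): 0B:3A:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22
intermed, Jun 11, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): 7C:19:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22
server, Jun 11, 2015, trustedCertEntry,
Certificate fingerprint (SHA1): E4:55:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22
"""

# One entry line looks like "<alias>, <date>, <entry type>," and the date
# itself contains a comma, so the date group is matched greedily.
_ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+), (?P<date>.+), "
    r"(?P<type>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),$"
)


def parse_entries(listing: str) -> Dict[str, str]:
    """Map alias -> entry type from the text `keytool -list` prints."""
    entries: Dict[str, str] = {}
    for line in listing.splitlines():
        m = _ENTRY_RE.match(line.strip())
        if m:
            entries[m.group("alias")] = m.group("type")
    return entries


def check_key_alias(listing: str, key_alias: str) -> Tuple[bool, str]:
    """Decide whether Tomcat's keyAlias="<key_alias>" would start.

    Tomcat needs keyAlias to name a PrivateKeyEntry; pointing it at a
    trustedCertEntry yields "Alias name ... does not identify a key entry".
    """
    entries = parse_entries(listing)
    entry_type = entries.get(key_alias)
    if entry_type is None:
        return False, f"alias '{key_alias}' is not in the keystore"
    if entry_type == "PrivateKeyEntry":
        return True, f"alias '{key_alias}' is a key entry; keyAlias=\"{key_alias}\" will work"

    # The fix: the CA reply has to be imported under the alias that holds the
    # private key, so keytool pairs certificate and key instead of storing
    # the certificate as a free-standing trusted cert.
    key_aliases = [a for a, t in entries.items() if t == "PrivateKeyEntry"]
    if key_aliases:
        hint = (f"re-import the CA reply with -alias {key_aliases[0]} (the alias "
                f"holding the private key), then set keyAlias=\"{key_aliases[0]}\"")
    else:
        hint = "the keystore holds no private key at all; generate a key pair first"
    return False, f"alias '{key_alias}' is a {entry_type}, not a key entry: {hint}"


if __name__ == "__main__":
    for alias in ("server", "repository"):
        print(alias, "->", check_key_alias(SAMPLE_LISTING, alias))
```

Run against a real keystore with `keytool -list -keystore keystore2015.jks | python3 -` style piping or by pasting the listing; the intermediate can stay under its own alias as a trustedCertEntry, since `-trustcacerts` and the existing trusted entries are what keytool uses to validate the reply's chain.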








Re: ssl on tomcat

2013-12-05 Thread Christopher Schultz

Randeep,

On 12/4/13, 1:30 PM, Randeep wrote:
> Chris, Yes. I have so many http links as  some of our old submitted
> apps used non secured http links. as the apps are in use we cannot
> change it. I cannot use any redirect rules to convert all the http
> to https because of that.
> 
> We use struts for framework. And normal jsp pages. I'm not a
> developer so cant say much about it.
> 
> This is in my server.xml  className="org.apache.catalina.core.AprLifecycleListener" 
> SSLEngine="on" />  connectionTimeout="2" redirectPort="8443" />  port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 
> 
> [root@server conf.d]# cat mod_jk.conf
> # Where to find workers.properties
> JkWorkersFile /etc/httpd/conf.d/workers.properties
> # Where to put jk logs
> JkLogFile /var/log/httpd/mod_jk.log
> # Set the jk log level [debug/error/info]
> JkLogLevel info
> # Select the log format
> JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
> # JkOptions indicate to send SSL KEY SIZE,
> JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
> # JkRequestLogFormat set the request format
> JkRequestLogFormat "%w %V %T"
> # Send servlet for context /examples to worker named worker1
> #JkMount /examples worker1
> # Send JSPs for context /examples/* to worker named worker1
> JkMount /* worker1
> JkShmFile  /etc/httpd/logs/jk-runtime-status
> 
> [root@server conf.d]# cat /etc/httpd/conf.d/workers.properties
> #workers.tomcat_home=/usr/tomcat/apache-tomcat-6.0.26
> #workers.tomcat_home=/usr/share/tomcat5
> workers.tomcat_home=/usr/share/apache-tomcat-6.0.37/
> workers.java_home=/usr/java/default
> ps=/
> worker.list=worker1
> worker.default.port=8009
> worker.default.host=localhost
> worker.default.type=ajp13
> #worker.default.lbfactor=1
> 
> Let me know if there is anything else i need to provide

Yes. What do your links look like in your pages?

-chris



Re: ssl on tomcat

2013-12-05 Thread André Warnier

Please do not top-post.
It is annoying when someone is trying to figure out what you are talking about.

Randeep wrote:
> Chris,
> Yes. I have so many http links as some of our old submitted apps used non
> secured http links. as the apps are in use we cannot change it. I cannot
> use any redirect rules to convert all the http to https because of that.

Well then, basically, you are doomed.
The basic problem is that these old apps are very badly written, if they use absolute URLs
to point to things on the same site.

The only real good way to do this, is to modify these apps and pages, to use relative
links. Maybe you could do that with some automated script?

s#http://myserver.com/(.*)$#/$1#g

Otherwise, you are going to be applying patches over patches over redirects over rewrites
all over the place, and there will always be something not working, and it will be a
maintenance nightmare.

What you have to think about is this:
- If *the browser* gets a html page containing a link that starts with "http://", then
*the browser* is going to establish a HTTP (non-secure) connection with the server, and
send that request through this connection.
- If *the browser* gets a html page containing a link that starts with "https://", then
*the browser* is going to establish a HTTPS (secure) connection with the server, and pass
that request through this connection.

There is nothing that the server can do, to magically change a HTTP to a HTTPS
connection.
(At best, the server could send back a "redirect" response).

So if your pages, server-side, originally contain links that start with "http://", you
have to change those links, *inside of the pages*, before you send them to the browser.

Otherwise there is little that you can do on the server side.

You can theoretically achieve this, on the server side, with a filter which examines all
the outgoing pages and replaces the links in them before they go out to the browser, but
as you can imagine this is very inefficient, and prone to errors.
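The sed expression above is the whole idea: strip the scheme and host from links that point back at the same site, so the browser reuses whichever scheme the page itself was loaded over. The following is an added example (not from the thread) of that rewrite as a one-off script over stored pages, which is the route André recommends over a runtime filter. It generalizes the expression a little: it handles `http://` and `https://`, an optional port, a list of own host names, and only touches `href`, `src` and `action` attributes, so links to other hosts are left alone. `SAMPLE_PAGE` and `myserver.com` are constructed; URLs buried in inline JavaScript or CSS are deliberately not handled, which is one of the reasons a generic output filter is error-prone.

```python
import re
from typing import Iterable

# Constructed page fragment of the kind the thread describes: absolute links
# to the site's own host mixed with a link to an external site.
SAMPLE_PAGE = (
    '<a href="http://myserver.com/app/login.do">Login</a>\n'
    '<img src="https://myserver.com:443/img/logo.png">\n'
    '<form action="http://myserver.com/app/search.do">\n'
    '<a href="http://other.example/docs">External</a>\n'
    '<a href="http://myserver.com">Home</a>\n'
)


def _own_host_alternation(own_hosts: Iterable[str]) -> str:
    """Regex alternation of the site's own host names, escaped."""
    return "|".join(re.escape(h) for h in own_hosts)


def relativize_links(html: str, own_hosts: Iterable[str]) -> str:
    """Rewrite absolute URLs to our own host(s) into root-relative paths.

    Same effect as s#http://myserver.com/(.*)$#/$1#g, restricted to link
    attributes and extended to https, ports and several host names.
    """
    hosts = _own_host_alternation(own_hosts)
    pattern = re.compile(
        r"(?P<attr>\b(?:href|src|action)\s*=\s*)"  # attribute name and '='
        "(?P<q>[\"'])"                              # opening quote
        r"https?://(?:" + hosts + r")(?::\d+)?"     # scheme, own host, optional port
        "(?P<path>/[^\"']*)?"                       # path, may be absent
        r"(?P=q)",                                  # matching closing quote
        re.IGNORECASE,
    )

    def _to_relative(m) -> str:
        path = m.group("path") or "/"  # "http://myserver.com" becomes "/"
        return f"{m.group('attr')}{m.group('q')}{path}{m.group('q')}"

    return pattern.sub(_to_relative, html)


def count_absolute_own_links(html: str, own_hosts: Iterable[str]) -> int:
    """Number of absolute self-links still present; useful as a build check."""
    hosts = _own_host_alternation(own_hosts)
    return len(re.findall(r"https?://(?:" + hosts + r")(?:[:/\"']|$)", html, re.IGNORECASE))


if __name__ == "__main__":
    fixed = relativize_links(SAMPLE_PAGE, ["myserver.com"])
    print(fixed)
    print("remaining absolute self-links:", count_absolute_own_links(fixed, ["myserver.com"]))
```

Run it over the JSPs and static pages in a checkout, review the diff, and keep `count_absolute_own_links` as a check in the build so that the absolute links do not creep back in.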





Re: ssl on tomcat

2013-12-04 Thread Randeep
Chris,
Yes. I have so many http links as  some of our old submitted apps used non
secured http links. as the apps are in use we cannot change it. I cannot
use any redirect rules to convert all the http to https because of that.

We use struts for framework. And normal jsp pages. I'm not a developer so
cant say much about it.

This is in my server.xml
 

   


[root@server conf.d]# cat mod_jk.conf
# Where to find workers.properties
JkWorkersFile /etc/httpd/conf.d/workers.properties
# Where to put jk logs
JkLogFile /var/log/httpd/mod_jk.log
# Set the jk log level [debug/error/info]
JkLogLevel info
# Select the log format
JkLogStampFormat "[%a %b %d %H:%M:%S %Y] "
# JkOptions indicate to send SSL KEY SIZE,
JkOptions +ForwardKeySize +ForwardURICompat -ForwardDirectories
# JkRequestLogFormat set the request format
JkRequestLogFormat "%w %V %T"
# Send servlet for context /examples to worker named worker1
#JkMount /examples worker1
# Send JSPs for context /examples/* to worker named worker1
JkMount /* worker1
JkShmFile  /etc/httpd/logs/jk-runtime-status

[root@server conf.d]# cat /etc/httpd/conf.d/workers.properties
#workers.tomcat_home=/usr/tomcat/apache-tomcat-6.0.26
#workers.tomcat_home=/usr/share/tomcat5
workers.tomcat_home=/usr/share/apache-tomcat-6.0.37/
workers.java_home=/usr/java/default
ps=/
worker.list=worker1
worker.default.port=8009
worker.default.host=localhost
worker.default.type=ajp13
#worker.default.lbfactor=1

Let me know if there is anything else i need to provide

Thanks.



On Wed, Dec 4, 2013 at 11:18 PM, Christopher Schultz <
ch...@christopherschultz.net> wrote:

>
> Randeep,
>
> On 12/4/13, 12:22 PM, Randeep wrote:
> > I'm using apacche 2.2 as front end and apache tomcat 6.0.37 as
> > backend. I'm using mod_jk for connecting them.
> >
> > The problem is. I'm using ssl certificates. I'v configured ssl on
> > apache. when I connect the site with https. it works. but when I
> > click on an link it goes. I mean its not secure browsing anymore.
>
> Do you mean that links on your https:// pages are http:// (i.e.
> non-secure) links?
>
> What does the code look like that produced your pages (e.g. static
> file, JSP, or servlet)?
>
> > My requirement is as follows.
> >
> > If user connects as https all the links should work as https. If
> > the user connects as http all the links should work as http. is
> > such thing is possible?
>
> Absolutely. You just need to supply more information.
>
> Give us the following and we can help:
>
> 1.  configuration for all connectors. Remember to remove
> any sensitive information you may have in that configuration.
>
> 2. Explain how your webapp produces link URLs. An example would be great.
>
> -chris


-- 
Randeep
Mob: +919447831699[kerala]
Mob: +919880050349[B'lore]
I blog here:
http://www.randeeppr.me/
Follow me Here:
http://twitter.com/Randeeppr
Poke me here!
http://www.facebook.com/Randeeppr
A little Linux Help
http://www.linuxhelp.in/
Work profile:
http://in.linkedin.com/in/randeeppr


Re: ssl on tomcat

2013-12-04 Thread Christopher Schultz

Randeep,

On 12/4/13, 12:22 PM, Randeep wrote:
> I'm using apacche 2.2 as front end and apache tomcat 6.0.37 as
> backend. I'm using mod_jk for connecting them.
> 
> The problem is. I'm using ssl certificates. I'v configured ssl on
> apache. when I connect the site with https. it works. but when I
> click on an link it goes. I mean its not secure browsing anymore.

Do you mean that links on your https:// pages are http:// (i.e.
non-secure) links?

What does the code look like that produced your pages (e.g. static
file, JSP, or servlet)?

> My requirement is as follows.
> 
> If user connects as https all the links should work as https. If
> the user connects as http all the links should work as http. is
> such thing is possible?

Absolutely. You just need to supply more information.

Give us the following and we can help:

1.  configuration for all connectors. Remember to remove
any sensitive information you may have in that configuration.

2. Explain how your webapp produces link URLs. An example would be great.

-chris



ssl on tomcat

2013-12-04 Thread Randeep
hi,

I'm using apacche 2.2 as front end and apache tomcat 6.0.37 as backend. I'm
using mod_jk for connecting them.


The problem is. I'm using ssl certificates. I'v configured ssl on apache.
when I connect the site with https. it works. but when I click on an link
it goes. I mean its not secure browsing anymore.

My requirement is as follows.

If user connects as https all the links should work as https.
If the user connects as http all the links should work as http. is such
thing is possible?



Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-18 Thread Ognjen Blagojevic

Chris,

On 18.12.2012 20:44, Christopher Schultz wrote:
>> If you are using curl just to check the certificate or test HTTPS,
>> it is easier and faster to do that with your favorite web browser.
>
> Better yet, use sslscan.

Nice tool, thank you for the tip.

>> You seem to be confused by the fact that curl and Java are using
>> different files and different formats for managing CA
>> certificates.
>
> Nope, curl doesn't care: X509 certificates are exchanged in a standard
> way.

Sure, TLS protocol defines certificate exchange regardless of the
TLS/HTTPS client. I was actually referring to files (and formats) in
which curl and Java clients look for trusted certificates, as elaborated
further:

>> Java is using its own .jks format, while curl uses PEM format.
>> Java stores system wide trusted CA certificates in file
>> "$JAVA_HOME/jre/lib/security/cacerts" (where you tried to import
>> your self signed certificate in step #4), while curl reads them
>> from file "ca-bundle.crt" (where your certificate is not stored,
>> hence the error). I believe default location for file ca-bundle.crt
>> in Red Hat is /etc/pki/tls/certs.

OP tried to import certificate into Java system-wide truststore, while
curl looks up at the OpenSSL CA bundle.

-Ognjen




Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-18 Thread Christopher Schultz

Ognjen,

On 12/18/12 5:05 AM, Ognjen Blagojevic wrote:
> James,
> 
> On 18.12.2012 3:03, James Dekker wrote:
>> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start 
>> INFO: Starting ProtocolHandler ["http-bio-8443"] Dec 17, 2012
>> 5:43:08 PM org.apache.coyote.AbstractP INFO: Server startup in
>> 9611 ms
> 
> You successfully configured and stared Tomcat with self signed 
> certificate. So far, so good.
> 
> 
>> When I go to my bash shell and type this in:
>> 
>> curl -X GET https://localhost:8443
>> 
>> I get the following error output:
>> 
>> curl: (60) Peer certificate cannot be authenticated with known
>> CA certificates More details here:
>> http://curl.haxx.se/docs/sslcerts.html
> 
> If you are using curl just to check the certificate or test HTTPS,
> it is easier and faster to do that with your favorite web browser.

Better yet, use sslscan.

> If you need to use curl for some other reason (e.g. it is part of
> your business use case), then it makes sense to stick with curl.

+1

>> curl performs SSL certificate verification by default, using a
>> "bundle" of Certificate Authority (CA) public keys (CA certs). If
>> the default bundle file isn't adequate, you can specify an
>> alternate file using the --cacert option. If this HTTPS server
>> uses a certificate signed by a CA represented in the bundle, the
>> certificate verification probably failed due to a problem with
>> the certificate (it might be expired, or the name might not match
>> the domain name in the URL). If you'd like to turn off curl's
>> verification of the certificate, use the -k (or --insecure)
>> option.
>> 
>> Am I missing a step here?
> 
> You seem to be confused by the fact that curl and Java are using 
> different files and different formats for managing CA
> certificates.

Nope, curl doesn't care: X509 certificates are exchanged in a standard
way.

The problem is that curl doesn't trust the self-signed certificate
presented by the server -- which is absolutely the right behavior.

If you want curl to ignore the server's untrusted certificate, just
use -k or --insecure just like the error message told you to do.

> Java is using its own .jks format, while curl uses PEM format.
> Java stores system wide trusted CA certificates in file 
> "$JAVA_HOME/jre/lib/security/cacerts" (where you tried to import
> your self signed certificate in step #4), while curl reads them
> from file "ca-bundle.crt" (where your certificate is not stored,
> hence the error). I believe default location for file ca-bundle.crt
> in Red Hat is /etc/pki/tls/certs.
> 
> So, in order to run curl, as suggested by the docs:
> 
> 1. Use curl -k option.

+1

> 2. Convert cert to PEM format and use curl -cacert option.

If you want to go through that effort. If this will be used in a
script in production, then you /absolutely should/ do this.

> 3. Convert cert to PEM format, and add it to system wide CA bundle 
> (ca-bundle.crt).

I wouldn't do #3, here. You don't want to modify the system-trusted
certificates for two reasons:

1) You'll forget why it works on this server but not on one that you
build in 18 months
2) You don't want to modify the system-trusted certificates

-chris



Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-18 Thread Josh Gooding
I just did this.  I have the tomcat manager application running across
SSL.  Here's what I did

On Mon, Dec 17, 2012 at 9:03 PM, James Dekker wrote:

> James said... "STUFF":
>
> (1) cd $CATALINA_HOME/conf
>
> (2) Create a certificate and store it in a new key store.
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>
>
./keytool -genkey -alias [identifier] -keyalg RSA -keystore .keystore


> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
> specifying your key store file and password.
>
> maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile="./conf/keystore.jks"
>keystorePass="mypassword"
> />
>

3 is good.  Note I used the .keystore file not .keystore.jks, but it should
be all the same.


>
> (4) Export the certificate from the key store.
>
> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>
> When I tried to (which would have been Step # 5) import the certificate
> into the trust store.
>
> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
>
try this:  $JAVA_JRE_HOME/bin/keytool -import -alias tomcat -file
~/tomcat.crt -keystore $JAVA_HOME/jre/lib/security/cacerts


> I get the following prompt for my password (after which I entered in
> "mypassword"):
>
> Enter keystore password:
>
> keytool error: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>

If you are using java's default cacerts truststore the password is not the
.keystore password, it is "changeit" if you haven't tampered with it before.


>
> (I disregarded this step by the way because I found it on Google but not on
> the official Tomcat7-SSL-Howto documentation - please let me know if its
> necessary).
>

restart tomcat at this point and it should work with curl -k option.  I
usually test the manager app by passing in the /list parameter and testing
both SSL and un/pwd all in one.


>
> Tomcat's server output:
>
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
> Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
> INFO: Server startup in 9611 ms
>
> When I go to my bash shell and type this in:
>
> curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Am I missing a step here?
>
>
- Josh


Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-18 Thread Ognjen Blagojevic

James,

On 18.12.2012 3:03, James Dekker wrote:
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
> INFO: Server startup in 9611 ms

You successfully configured and started Tomcat with self signed
certificate. So far, so good.

> When I go to my bash shell and type this in:
>
> curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html

If you are using curl just to check the certificate or test HTTPS, it is
easier and faster to do that with your favorite web browser.

If you need to use curl for some other reason (e.g. it is part of your
business use case), then it makes sense to stick with curl.

> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Am I missing a step here?

You seem to be confused by the fact that curl and Java are using
different files and different formats for managing CA certificates.

Java is using its own .jks format, while curl uses PEM format. Java
stores system wide trusted CA certificates in file
"$JAVA_HOME/jre/lib/security/cacerts" (where you tried to import your
self signed certificate in step #4), while curl reads them from file
"ca-bundle.crt" (where your certificate is not stored, hence the error).
I believe default location for file ca-bundle.crt in Red Hat is
/etc/pki/tls/certs.

So, in order to run curl, as suggested by the docs:

1. Use curl -k option.
2. Convert cert to PEM format and use curl -cacert option.
3. Convert cert to PEM format, and add it to system wide CA bundle
(ca-bundle.crt).

-Ognjen
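The three options above, and Chris's reply that option 2 is the one to use for anything scripted in production, come down to what the client is told to trust. The following is an added example, not from the thread, that reproduces all three against a throwaway self-signed certificate using Python's `ssl` module: the default CA bundle (plain `curl`), an explicit PEM file (`curl --cacert`), and verification switched off (`curl -k`). It assumes the `openssl` command-line tool is installed to mint the certificate (standing in for `keytool -genkey` followed by `keytool -exportcert -rfc`, which is how the Tomcat certificate would be exported in PEM form); the server, host name and paths are all constructed.

```python
import http.server
import os
import ssl
import subprocess
import tempfile
import threading
import urllib.error
import urllib.request
from typing import Optional


def make_self_signed_cert(directory: str, host: str = "localhost"):
    """Write a throwaway self-signed certificate (PEM) and key with the
    openssl CLI, which this example assumes is installed."""
    key = os.path.join(directory, "tomcat.key")
    pem = os.path.join(directory, "tomcat.pem")  # PEM: what --cacert expects
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes", "-days", "1",
         "-subj", f"/CN={host}", "-addext", f"subjectAltName=DNS:{host}",
         "-keyout", key, "-out", pem],
        check=True, capture_output=True,
    )
    return pem, key


class _Handler(http.server.BaseHTTPRequestHandler):
    BODY = b"hello over TLS\n"

    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(self.BODY)))
        self.end_headers()
        self.wfile.write(self.BODY)

    def log_message(self, *args):  # keep per-request logging quiet
        pass


def start_https_server(pem: str, key: str):
    """Stand-in for Tomcat's 8443 connector: HTTPS on 127.0.0.1, OS-chosen port."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), _Handler)
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(pem, key)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def fetch(url: str, cafile: Optional[str] = None, insecure: bool = False):
    """Return (ok, detail) for one request.

    cafile=None  -> trust only the OS CA bundle, i.e. plain `curl URL`
    cafile=path  -> trust exactly that PEM file, i.e. `curl --cacert path URL`
    insecure     -> skip verification entirely, i.e. `curl -k URL`
    """
    if insecure:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False      # must be cleared before verify_mode
        ctx.verify_mode = ssl.CERT_NONE
    else:
        # With cafile given, only that file is trusted (no system bundle).
        ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, context=ctx, timeout=5) as resp:
            return True, resp.read().decode()
    except urllib.error.URLError as exc:
        return False, str(exc.reason)


def demo():
    """Run all three client modes against the throwaway server."""
    with tempfile.TemporaryDirectory() as tmp:
        pem, key = make_self_signed_cert(tmp)
        srv, port = start_https_server(pem, key)
        url = f"https://localhost:{port}/"
        try:
            return {
                "default_bundle": fetch(url),                # fails: untrusted
                "cacert": fetch(url, cafile=pem),            # verified
                "insecure": fetch(url, insecure=True),       # unverified
            }
        finally:
            srv.shutdown()
            srv.server_close()


if __name__ == "__main__":
    for mode, (ok, detail) in demo().items():
        print(f"{mode:15s} ok={ok} {detail.strip()[:70]}")
```

The `default_bundle` case is the thread's `curl: (60)`: the client is doing its job. `cacert` is the production-script answer, since the PEM file lives next to the script and documents exactly what is trusted, and `insecure` connects but verifies nothing, which is fine for a smoke test and nothing more.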




Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-17 Thread James Dekker
wn CA
>> certificates
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>> 
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>> 
>> Am I missing a step here?
>> 
>> I just want to enable SSL on Tomcat 7 and test it using curl.
>> 
>> Would appreciate it if someone could point me in the right direction.
>> 
>> If you wish to see this posting with better syntax coloring or my full
>> server.xml, please check out these identical (but with more detail) forum
>> posts:
>> 
>> 
>> http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl
>> 
>> http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux
>> 
>> Happy programming,
>> 
>> James
>> 





Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-17 Thread Han Ming Low
I'm not sure about the curl part but I think there is a couple of things
you would want to change.

1) when you use the genkey with -keystore .jks, you should expect a file
name ".jks" (without quotes) to be generated in the /conf directory if you
have CD in as in the step 1. So, the keystoreFile in step 3 should be
keystoreFile=".jks" instead.

If you have configure this correctly, then you should be able to use a
browser and access https://localhost:8443/
Make sure this is working first before proceeding.
If this is working, then any other problem should be with curl instead.

2) when you hit the "Keystore was tampered ..." error, it is because the
password is wrong.
Since you are trying to import the cert in the JVM default cacerts, then
the password should be "changeit" (without quotes)
However, I would think this is unlikely to be of any use because if you are
testing with curl, you need to specify to curl where is the trusted cert
found.
If you are using a java client, then you can define the location of trusted
keystore by specifying the property
-Djavax.net.ssl.trustStore=/path/to/jre/lib/security/cacerts

I believe the error you hit shows that your tomcat is correct but the
parameter defined for curl is not.

Hope this helps.




On Tue, Dec 18, 2012 at 10:03 AM, James Dekker wrote:

> Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.
>
> I need help setting up SSL on my local tomcat instance.
>
> After looking at the instructions on the official tomcat 7 website:
>
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> I followed the directions like this:
>
> (1) cd $CATALINA_HOME/conf
>
> (2) Create a certificate and store it in a new key store.
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>
> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
> specifying your key store file and password.
>
> maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile="./conf/keystore.jks"
>keystorePass="mypassword"
> />
>
> (4) Export the certificate from the key store.
>
> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>
> When I tried to (which would have been Step # 5) import the certificate
> into the trust store.
>
> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
> I get the following prompt for my password (after which I entered in
> "mypassword"):
>
> Enter keystore password:
>
> keytool error: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>
> (I disregarded this step by the way because I found it on Google but not on
> the official Tomcat7-SSL-Howto documentation - please let me know if its
> necessary).
>
> Tomcat's server output:
>
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
> Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
> INFO: Server startup in 9611 ms
>
> When I go to my bash shell and type this in:
>
> curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Am I missing a step here?
>

Re: How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-17 Thread Johanes Soetanto
On 18 December 2012 13:03, James Dekker  wrote:
> Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.
>
> I need help setting up SSL on my local tomcat instance.
>
> After looking at the instructions on the official tomcat 7 website:
>
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>
> I followed the directions like this:
>
> (1) cd $CATALINA_HOME/conf
>
> (2) Create a certificate and store it in a new key store.
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore .jks
>
> (3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
> specifying your key store file and password.
>
> maxThreads="150" scheme="https" secure="true"
>clientAuth="false" sslProtocol="TLS"
>keystoreFile="./conf/keystore.jks"
>keystorePass="mypassword"
> />
>
> (4) Export the certificate from the key store.
>
> keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks
>
> When I tried to (which would have been Step # 5) import the certificate
> into the trust store.
>
> keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
> $JAVA_HOME/jre/lib/security/cacerts
>
> I get the following prompt for my password (after which I entered in
> "mypassword"):
>
> Enter keystore password:
>
> keytool error: java.io.IOException: Keystore was tampered with, or password
> was incorrect
>
> (I disregarded this step by the way because I found it on Google but not on
> the official Tomcat7-SSL-Howto documentation - please let me know if it's
> necessary).
>
> Tomcat's server output:
>
> INFO: Initializing ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
> Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8080"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
> INFO: Starting ProtocolHandler ["http-bio-8443"]
> Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
> INFO: Server startup in 9611 ms
>
> When I go to my bash shell and type this in:
>
> curl -X GET https://localhost:8443
>
> I get the following error output:
>
> curl: (60) Peer certificate cannot be authenticated with known CA
> certificates
> More details here: http://curl.haxx.se/docs/sslcerts.html
>
> curl performs SSL certificate verification by default, using a "bundle"
> of Certificate Authority (CA) public keys (CA certs). If the default
> bundle file isn't adequate, you can specify an alternate file
> using the --cacert option.
> If this HTTPS server uses a certificate signed by a CA represented in
> the bundle, the certificate verification probably failed due to a
> problem with the certificate (it might be expired, or the name might
> not match the domain name in the URL).
> If you'd like to turn off curl's verification of the certificate, use
> the -k (or --insecure) option.
>
> Am I missing a step here?
>
> I just want to enable SSL on Tomcat 7 and test it using curl.

When I was investigating APR and SSL, I found the link
http://code.google.com/p/jianwikis/wiki/TomcatSSLWithAPR . There is a
section almost at the end giving an example of using CURL. Maybe that
will help.

Johanes
>
> Would appreciate it if someone could point me in the right direction.
>
> If you wish to see this posting with better syntax coloring or my full
> server.xml, please check out these identical (but with more detail) forum
> posts:
>
> http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl
>
> http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux
>
> Happy programming,
>
> James




How to Enable SSL on Tomcat 7 on Linux & Test using curl?

2012-12-17 Thread James Dekker
Am using JDK 1.6, tomcat 7.0.32, and Red Hat Linux.

I need help setting up SSL on my local tomcat instance.

After looking at the instructions on the official tomcat 7 website:

http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

I followed the directions like this:

(1) cd $CATALINA_HOME/conf

(2) Create a certificate and store it in a new key store.

keytool -genkey -alias tomcat -keyalg RSA -keystore .jks

(3) Uncomment the SSL connector configuration in Tomcat's conf/server.xml,
specifying your key store file and password.



(4) Export the certificate from the key store.

keytool -exportcert -alias tomcat -file tomcat.crt -keystore keystore.jks

When I tried to (which would have been Step # 5) import the certificate
into the trust store.

keytool -importcert -alias tomcat -file tomcat.crt -trustcacerts -keystore
$JAVA_HOME/jre/lib/security/cacerts

I get the following prompt for my password (after which I entered in
"mypassword"):

Enter keystore password:

keytool error: java.io.IOException: Keystore was tampered with, or password
was incorrect

(I disregarded this step by the way because I found it on Google but not on
the official Tomcat7-SSL-Howto documentation - please let me know if it's
necessary).

Tomcat's server output:

INFO: Initializing ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:17:59 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler ["ajp-bio-8009"]
Dec 17, 2012 5:43:08 PM org.apache.catalina.startup.Catalina start
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8080"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractProtocol start
INFO: Starting ProtocolHandler ["http-bio-8443"]
Dec 17, 2012 5:43:08 PM org.apache.coyote.AbstractP
INFO: Server startup in 9611 ms

When I go to my bash shell and type this in:

curl -X GET https://localhost:8443

I get the following error output:

curl: (60) Peer certificate cannot be authenticated with known CA
certificates
More details here: http://curl.haxx.se/docs/sslcerts.html

curl performs SSL certificate verification by default, using a "bundle"
of Certificate Authority (CA) public keys (CA certs). If the default
bundle file isn't adequate, you can specify an alternate file
using the --cacert option.
If this HTTPS server uses a certificate signed by a CA represented in
the bundle, the certificate verification probably failed due to a
problem with the certificate (it might be expired, or the name might
not match the domain name in the URL).
If you'd like to turn off curl's verification of the certificate, use
the -k (or --insecure) option.

Am I missing a step here?

I just want to enable SSL on Tomcat 7 and test it using curl.

Would appreciate it if someone could point me in the right direction.

If you wish to see this posting with better syntax coloring or my full
server.xml, please check out these identical (but with more detail) forum
posts:

http://stackoverflow.com/questions/13925146/how-to-enable-ssl-on-tomcat-7-on-linux-test-using-curl

http://www.coderanch.com/t/600556/Tomcat/Enable-SSL-Tomcat-Linux

Happy programming,

James


Re: Enabling SSL on Tomcat 6

2011-01-18 Thread Konstantin Kolinko
2011/1/18 Suneet Shah :
>  WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLEngine' to 'on' did not find a matching property.

There are two implementations of SSL available in Tomcat.  One is
implemented using Java cryptography API.  Another uses native
libraries.

Your connector is pure java (Nio), but your configuration settings are
for the APR (native) connector. Thus the warning messages in your log.
Read the docs more carefully - it is described there.

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html


Best regards,
Konstantin Kolinko

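The mismatch Konstantin describes can be checked mechanically before Tomcat is restarted. The script below is an added example, not Tomcat's own tooling; the server.xml it parses is constructed for this thread, with port 8443 carrying the APR-style attributes (SSLEngine, SSLCertificateFile pointing at a .csr, SSLCertificateKeyFile, SSLPassword) on a NIO connector as in Suneet's post, and port 8444 the JSSE keystoreFile/keystorePass form that the thread suggests instead.

```python
"""Lint TLS <Connector> elements in a Tomcat 6/7 server.xml for the
JSSE-vs-APR attribute mix-up that produces the
"did not find a matching property" warnings seen in this thread."""
import xml.etree.ElementTree as ET

# Attributes understood only by the APR/native (OpenSSL-style) connector.
APR_ONLY = {"SSLEngine", "SSLCertificateFile", "SSLCertificateKeyFile",
            "SSLPassword", "SSLCertificateChainFile", "SSLCACertificateFile"}
# Attributes understood only by the pure-Java (JSSE) connectors (BIO/NIO).
JSSE_ONLY = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
             "truststoreFile", "truststorePass"}


def connector_flavour(attrs):
    """Classify a connector as 'jsse', 'apr' or 'auto' from its protocol."""
    proto = attrs.get("protocol", "HTTP/1.1")
    if proto == "HTTP/1.1":
        # Tomcat picks APR only if the tcnative library is on java.library.path,
        # otherwise a Java connector; which one wins is decided at startup.
        return "auto"
    if "Apr" in proto:
        return "apr"
    return "jsse"  # Http11Protocol (BIO) and Http11NioProtocol both use JSSE


def lint_connector(attrs):
    """Return a list of findings for one <Connector> attribute dict."""
    findings = []
    if attrs.get("scheme") != "https" and attrs.get("SSLEnabled") != "true":
        return findings  # plain HTTP or AJP connector: nothing to check
    flavour = connector_flavour(attrs)
    apr_attrs = sorted(APR_ONLY.intersection(attrs))
    jsse_attrs = sorted(JSSE_ONLY.intersection(attrs))
    if flavour == "auto":
        findings.append('protocol="HTTP/1.1" selects APR only when tcnative loads; '
                        "pin Http11NioProtocol or Http11AprProtocol explicitly")
    if flavour == "jsse" and apr_attrs:
        findings.append("APR-only attributes on a JSSE connector are logged as "
                        "'did not find a matching property' and ignored: "
                        + ", ".join(apr_attrs))
    if flavour == "apr" and jsse_attrs:
        findings.append("JSSE-only attributes on an APR connector are ignored: "
                        + ", ".join(jsse_attrs))
    if flavour == "jsse" and "keystoreFile" not in attrs:
        findings.append("no keystoreFile: Tomcat falls back to ~/.keystore "
                        "with the default password 'changeit'")
    if attrs.get("SSLEnabled") != "true":
        findings.append('SSLEnabled="true" is missing; Tomcat 6+ serves plain '
                        'HTTP on this port despite scheme="https"')
    cert = attrs.get("SSLCertificateFile", "")
    if cert.lower().endswith(".csr"):
        findings.append(f"SSLCertificateFile={cert} is a signing request, "
                        "not a certificate")
    return findings


def lint_server_xml(xml_text):
    """Map each connector port to its findings (ports without findings omitted)."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        findings = lint_connector(conn.attrib)
        if findings:
            report[conn.get("port")] = findings
    return report


# Constructed sample: port 8443 mirrors the attributes from Suneet's post
# (APR attributes on a NIO connector); 8444 is the JSSE form that works.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443"/>
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLEngine="on"
               SSLCertificateFile="/ssl/server.csr"
               SSLCertificateKeyFile="/ssl/server.key"
               SSLPassword="password"/>
    <Connector port="8444" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/tomcatserver.keystore" keystorePass="tomcat"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, findings in lint_server_xml(SAMPLE_SERVER_XML).items():
        print(f"Connector port {port}:")
        for finding in findings:
            print(f"  - {finding}")
```

Run against a real server.xml by passing its contents to lint_server_xml; a connector that produces no findings is not necessarily correct, only free of the mix-ups this thread is about.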



Re: Enabling SSL on Tomcat 6

2011-01-18 Thread amcereijo cereijo
Hi,

I have this configuration for my tomcat 6.0.30



Your changes about my configuration:

   - where I have keystoreFile="conf\tomcatserver.keystore" I think you must
   put "tomcatks" (I think this is your keystore)
   - where I have keystorePass="tomcat" I think you must put the password for
   "tomcatks"


Regards, Ángel.

2011/1/18 Suneet Shah 

> Hello,
>
> I am trying to enable SSL on Tomcat 6 without any luck. I am using a self
> signed cert. I have placed my entries in the server.xml file below.
>
> Any thoughts on what I am doing wrong? I also pasted below the steps that I
> used to generate the cert.
>
>maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>   enableLookups="false" disableUploadTimeout="true"
>   acceptCount="100" scheme="https" secure="true"
>   clientAuth="false" sslProtocol="TLS"
>   SSLEngine="on"
>   SSLCertificateFile="/ssl/server.csr"
>   SSLCertificateKeyFile="/ssl/server.key"
>   SSLPassword="password"
>/>
>
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLEngine' to 'on' did not find a matching property.
> Jan 17, 2011 9:50:54 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLCertificateFile' to '/ssl/server.csr' did not find a matching property.
> Jan 17, 2011 9:50:54 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLCertificateKeyFile' to '/ssl/server.key' did not find a matching
> property.
> Jan 17, 2011 9:50:54 PM org.apache.catalina.startup.SetAllPropertiesRule
> begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLPassword' to 'password' did not find a matching property.
>
> Steps to create a cert:
>
> #selfsigned cert using openssl
>
> openssl genrsa -des3 -out server.key 1024
>
> openssl req -new -key server.key -out server.csr
>
> cp server.key server.key.org
>
> openssl rsa -in server.key.org -out server.key
>
> openssl x509 -req -days 365 -in server.csr -signkey server.key -out
> server.crt
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore /ssl/tomcatks
>
> keytool -certreq -alias tomcat -file tomcat.csr -keystore /ssl/tomcatks
>
> echo 02 > serial.txt
>
> openssl x509 -CA server.crt -CAkey server.key -CAserial serial.txt -req -in
> tomcat.csr -out tomcat.cer -days 365
>
> keytool -import -alias serverCA -file server.crt -keystore /ssl/tomcatks
>
>
>
>
>


Enabling SSL on Tomcat 6

2011-01-17 Thread Suneet Shah

Hello,

I am trying to enable SSL on Tomcat 6 without any luck. I am using a 
self signed cert. I have placed my entries in the server.xml file below.


Any thoughts on what I am doing wrong? I also pasted below the steps 
that I used to generate the cert.





WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
property 'SSLEngine' to 'on' did not find a matching property.
Jan 17, 2011 9:50:54 PM org.apache.catalina.startup.SetAllPropertiesRule 
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
property 'SSLCertificateFile' to '/ssl/server.csr' did not find a 
matching property.
Jan 17, 2011 9:50:54 PM org.apache.catalina.startup.SetAllPropertiesRule 
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
property 'SSLCertificateKeyFile' to '/ssl/server.key' did not find a 
matching property.
Jan 17, 2011 9:50:54 PM org.apache.catalina.startup.SetAllPropertiesRule 
begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting 
property 'SSLPassword' to 'password' did not find a matching property.


Steps to create a cert:

#selfsigned cert using openssl

openssl genrsa -des3 -out server.key 1024

openssl req -new -key server.key -out server.csr

cp server.key server.key.org

openssl rsa -in server.key.org -out server.key

openssl x509 -req -days 365 -in server.csr -signkey server.key -out 
server.crt


keytool -genkey -alias tomcat -keyalg RSA -keystore /ssl/tomcatks

keytool -certreq -alias tomcat -file tomcat.csr -keystore /ssl/tomcatks

echo 02 > serial.txt

openssl x509 -CA server.crt -CAkey server.key -CAserial serial.txt -req 
-in tomcat.csr -out tomcat.cer -days 365


keytool -import -alias serverCA -file server.crt -keystore /ssl/tomcatks






RE: Configuring SSL on Tomcat 5.5.28

2010-03-08 Thread Caldarale, Charles R
> From: CBy [mailto:tom...@byrman.demon.nl]
> Subject: Re: Configuring SSL on Tomcat 5.5.28
> 
> On 8-3-2010 20:40, Jessica Krosschell wrote:
> > I was able to create one using the keytool utilities with a
> > keystore, but it has already expired (it's been 90 days).
> 
> Use -validity numberOfDays (default 90).
> 
> > I have looked on the Tomcat documentation and spent many hours 
> > googling

To further CBy's statement, use the keytool doc, not Google:
http://java.sun.com/javase/6/docs/technotes/tools/windows/keytool.html

 - Chuck






Re: Configuring SSL on Tomcat 5.5.28

2010-03-08 Thread CBy

On 8-3-2010 20:40, Jessica Krosschell wrote:

Good afternoon,
I am implementing SSL on Tomcat 5.5.28 (on a Windows Server 2008 box) 
for the first time as part of a BusinessObjects implementation.  My 
client wants to use a self signed certificate and I was able to create 
one using the keytool utilities with a keystore, but it has already 
expired (it's been 90 days).  How can I create a self signed 
certificate that lasts longer?


Use -validity numberOfDays (default 90).

CBy

Do I need to use something like OpenSSL?  I have looked on the Tomcat 
documentation and spent many hours googling, but I'm not completely 
clear on the process.

I've included screenshots of my process to help describe what I'm doing.
Thanks,
Jessica

--
Jessica (Batista) Krosschell
Senior Engineer - BI Division
Guident
198 Van Buren Street
Suite 120
Herndon, VA 20170
Mobile: 703-597-1552
Email: jkrossch...@guident.com
Website: www.guident.com







Re: SSL on TOMCAT with keytool

2008-09-20 Thread Matt Shields

We ran into a similar problem trying to get our purchased SSL certificate to
work. The previous reply had some info about getting the keytool to work,
but we have a tutorial that should help you get SSL working from start to
finish. Hope it helps!

http://blog.datajelly.com/company/blog/34-adding-ssl-to-tomcat.html


Alexey Eronko wrote:
> 
> I have pem cert,rsa_key and ca cert from my own CA. I don't understand
> what
> kind of cert do I need in keystore to make it works on tomcat.
> 



-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: SSL on TOMCAT with keytool

2008-08-28 Thread Alexey Eronko
The point was that keytool can't import an existing private key. If you need to
build a keystore from an existing cert + private key you need to do this with an
external Java (or similar) program. Key and cert must be in DER format.

Example is here:

http://www.agentbob.info/agentbob/79-AB.html

Alex


2008/8/28 Alex Mestiashvili <[EMAIL PROTECTED]>

> Alexey Eronko wrote:
>
>> Hello Guys!
>>
> >> Don't beat me because I found so many docs about ssl and keystore but I
> >> can't get them working together.
>>
>> I have pem cert,rsa_key and ca cert from my own CA. I don't understand
>> what
>> kind of cert do I need in keystore to make it works on tomcat.
>>
>>I tried
>>
>>  keytool -import -alias tomcat -trustcacerts –file myserver.pem -keystore
>> keystore.jks
>>
>>  And I Got error in tomcat :
>>
>> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
>> No
>> available certificate or key corresponds to the SSL cipher suites which
>> are
>> enabled.
>>
>>at
>>
>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
>>
>>at
>> org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
>>
>>at java.lang.Thread.run(Thread.java:619)
>>
>> Aug 27, 2008 5:56:28 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor
>> run
>>
>> SEVERE: Socket accept failed
>>
>>  I thought that I need to Impot rsa key also, I tried :
>>
>>  keytool -import -alias tomcat3 -keyalg RSA -file key -trustcacerts
>> -keystore .keystore
>>
>>  I got :
>>
>>  keytool error: java.lang.Exception: Input not an X.509 certificate
>>
>>  I've already lost 5 hours to solve this problem, could you please assist
>> me
>> .
>>
>>  Thanks a lot
>>
>>  Alex
>>
>>
>>
> AFAIK java uses DER format for keystore
>
> so , you have to convert .pem to .der
>
> openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER
>
> keytool -import -alias tomcat -keystore
> /usr/java/jdk1.6.0_04/jre/lib/security/cacerts -file cacert.der
>
> Alex
>
>
>


Re: SSL on TOMCAT with keytool

2008-08-27 Thread Alex Mestiashvili

Alexey Eronko wrote:

Hello Guys!

Don't beat me because I found so many docs about ssl and keystore but I
can't get them working together.

I have pem cert,rsa_key and ca cert from my own CA. I don't understand what
kind of cert do I need in keystore to make it works on tomcat.

I tried

 keytool -import -alias tomcat -trustcacerts -file myserver.pem -keystore
keystore.jks

 And I Got error in tomcat :

java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
available certificate or key corresponds to the SSL cipher suites which are
enabled.

at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)

at
org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)

at java.lang.Thread.run(Thread.java:619)

Aug 27, 2008 5:56:28 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run

SEVERE: Socket accept failed

 I thought that I need to import the rsa key also, I tried :

 keytool -import -alias tomcat3 -keyalg RSA -file key -trustcacerts
-keystore .keystore

 I got :

 keytool error: java.lang.Exception: Input not an X.509 certificate

 I've already lost 5 hours to solve this problem, could you please assist me
.

 Thanks a lot

 Alex

  

AFAIK java uses DER format for keystore

so , you have to convert .pem to .der

openssl x509 -in cacert.pem -inform PEM -out cacert.der -outform DER

keytool -import -alias tomcat -keystore 
/usr/java/jdk1.6.0_04/jre/lib/security/cacerts -file cacert.der


Alex




SSL on TOMCAT with keytool

2008-08-27 Thread Alexey Eronko
Hello Guys!

Don't beat me because I found so many docs about ssl and keystore but I
can't get them working together.

I have pem cert,rsa_key and ca cert from my own CA. I don't understand what
kind of cert do I need in keystore to make it works on tomcat.

I tried

 keytool -import -alias tomcat -trustcacerts -file myserver.pem -keystore
keystore.jks

 And I Got error in tomcat :

java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
available certificate or key corresponds to the SSL cipher suites which are
enabled.

at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)

at
org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)

at java.lang.Thread.run(Thread.java:619)

Aug 27, 2008 5:56:28 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run

SEVERE: Socket accept failed

 I thought that I need to import the rsa key also, I tried :

 keytool -import -alias tomcat3 -keyalg RSA -file key -trustcacerts
-keystore .keystore

 I got :

 keytool error: java.lang.Exception: Input not an X.509 certificate

 I've already lost 5 hours to solve this problem, could you please assist me
.

 Thanks a lot

 Alex



RE: Re: Performing SSL on tomcat using the JAAS realm

2007-09-24 Thread Clinton J. Totten
Thanks Bill for the information but I'm a bit confused b/c the tomcat
documentation talks about how to configure the JAAS realm:
http://jakarta.apache.org/slide/howto-jaas.html.

-Original Message-
From: news [mailto:[EMAIL PROTECTED] On Behalf Of Bill Barker
Sent: Friday, September 21, 2007 9:51 PM
To: users@tomcat.apache.org
Subject: Re: Performing SSL on tomcat using the JAAS realm

The JAASRealm in Tomcat doesn't currently support CLIENT-CERT auth.

"Clinton J. Totten" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
I am getting a 401 error when trying to access my webapps deployed on
tomcat.  I configured the JAAS realm and connection properties according
to the tomcat documentation in the server.xml file.  In the web.xml file
the login-config auth method element is set to CLIENT-CERT with a realm
name of JAASRealm.  I placed the compiled classes for the login module,
principal and callback handlers under the tomcat/server/classes
directory and put the jaas config file in the conf directory.  Any help
would be appreciated.



Thanks!










Re: Performing SSL on tomcat using the JAAS realm

2007-09-21 Thread Bill Barker
The JAASRealm in Tomcat doesn't currently support CLIENT-CERT auth.

"Clinton J. Totten" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
I am getting a 401 error when trying to access my webapps deployed on
tomcat.  I configured the JAAS realm and connection properties according
to the tomcat documentation in the server.xml file.  In the web.xml file
the login-config auth method element is set to CLIENT-CERT with a realm
name of JAASRealm.  I placed the compiled classes for the login module,
principal and callback handlers under the tomcat/server/classes
directory and put the jaas config file in the conf directory.  Any help
would be appreciated.



Thanks!








Performing SSL on tomcat using the JAAS realm

2007-09-21 Thread Clinton J. Totten
I am getting a 401 error when trying to access my webapps deployed on
tomcat.  I configured the JAAS realm and connection properties according
to the tomcat documentation in the server.xml file.  In the web.xml file
the login-config auth method element is set to CLIENT-CERT with a realm
name of JAASRealm.  I placed the compiled classes for the login module,
principal and callback handlers under the tomcat/server/classes
directory and put the jaas config file in the conf directory.  Any help
would be appreciated.

 

Thanks! 



RE: Setting Up SSL on Tomcat

2007-09-21 Thread Clifford Bryant
Problem solved.  The 8443 port needed to be opened in the firewall.

-Original Message-
From: Clifford Bryant [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 21, 2007 8:23 AM
To: Tomcat Users List
Subject: RE: Setting Up SSL on Tomcat

Here is the HTTPS Connector.



-Original Message-
From: Clifford Bryant [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 21, 2007 7:19 AM
To: Tomcat Users List
Subject: RE: Setting Up SSL on Tomcat

Here is a simpler version with just the 2 apps that I am interested in
deployed.

Created MBeanServer with ID:
1f436f5:11527c58a90:-8000:rsdev01.edgewater.com:1
Sep 21, 2007 7:13:21 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path:
/usr/java/j2sdk1.4.2_15/jre/lib/i386/client:/usr/java/j2sdk1.4.2_15/jre/
lib/i386:/usr/java/j2sdk1.4.2_15/jre/../lib/i386
Sep 21, 2007 7:13:21 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:22 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Sep 21, 2007 7:13:22 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3875 ms
Sep 21, 2007 7:13:23 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Sep 21, 2007 7:13:23 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Sep 21, 2007 7:13:23 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Sep 21, 2007 7:13:24 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
2007-09-21 07:13:27,610 INFO
[org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - 
2007-09-21 07:13:29,888 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,891 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,925 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,925 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,926 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:30,166 INFO
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - 
Sep 21, 2007 7:13:30 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive examples.war
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8443
Sep 21, 2007 7:13:33 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Sep 21, 2007 7:13:33 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/211  config=null
Sep 21, 2007 7:13:33 AM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Sep 21, 2007 7:13:33 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 10820 ms
2007-09-21 07:13:55,762 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -

2007-09-21 07:13:55,765 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<0 found to be removed.  Removing now.>
2007-09-21 07:13:55,765 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -

[EMAIL PROTECTED] logs]$

-Original Message-
From: Clifford Bryant [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 21, 2007 6:59 AM
To: Tomcat Users List
Subject: RE: Setting Up SSL on Tomcat

Created MBeanServer with ID:
1f436f5:11527b2e181:-8000:rsdev01.edgewater.com:1
Sep 21, 2007 6:52:58 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path:
/usr/java/j2sdk1.4.2_15/jre/lib/i386/client:/usr/java/j2sdk1.4.2_15/jre/
lib/i386:/usr/java/j2sdk1.4.2_15/jre/../lib/i386
Sep 21, 2007 6:52:58 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 21, 2007 6:53:00 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Sep 21, 2007 6:53:00 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 4057 ms
Sep 21, 2007 6:53:00 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Sep 21, 2007 6:53:00 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Sep 21, 2007 6:53:00 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Sep 21, 2007 6:53:02 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
2007-09-21 06:53:05,656 INFO
[org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - 
2007-09

RE: Setting Up SSL on Tomcat

2007-09-21 Thread Clifford Bryant
Here is the HTTPS Connector.



-Original Message-
From: Clifford Bryant [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 21, 2007 7:19 AM
To: Tomcat Users List
Subject: RE: Setting Up SSL on Tomcat

Here is a simpler version with just the 2 apps that I am interested in
deployed.

Created MBeanServer with ID:
1f436f5:11527c58a90:-8000:rsdev01.edgewater.com:1
Sep 21, 2007 7:13:21 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path:
/usr/java/j2sdk1.4.2_15/jre/lib/i386/client:/usr/java/j2sdk1.4.2_15/jre/
lib/i386:/usr/java/j2sdk1.4.2_15/jre/../lib/i386
Sep 21, 2007 7:13:21 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
RE: Setting Up SSL on Tomcat

2007-09-21 Thread Clifford Bryant
Here is a simpler version with just the 2 apps that I am interested in
deployed.

Created MBeanServer with ID:
1f436f5:11527c58a90:-8000:rsdev01.edgewater.com:1
Sep 21, 2007 7:13:21 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path:
/usr/java/j2sdk1.4.2_15/jre/lib/i386/client:/usr/java/j2sdk1.4.2_15/jre/
lib/i386:/usr/java/j2sdk1.4.2_15/jre/../lib/i386
Sep 21, 2007 7:13:21 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:22 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Sep 21, 2007 7:13:22 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 3875 ms
Sep 21, 2007 7:13:23 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Sep 21, 2007 7:13:23 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Sep 21, 2007 7:13:23 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Sep 21, 2007 7:13:24 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
2007-09-21 07:13:27,610 INFO
[org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - 
2007-09-21 07:13:29,888 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,891 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,925 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,925 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:29,926 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 07:13:30,166 INFO
[org.jasig.cas.web.flow.AuthenticationViaFormAction] - 
Sep 21, 2007 7:13:30 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive examples.war
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8443
Sep 21, 2007 7:13:33 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Sep 21, 2007 7:13:33 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/211  config=null
Sep 21, 2007 7:13:33 AM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Sep 21, 2007 7:13:33 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 10820 ms
2007-09-21 07:13:55,762 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -

2007-09-21 07:13:55,765 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<0 found to be removed.  Removing now.>
2007-09-21 07:13:55,765 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -

[EMAIL PROTECTED] logs]$

-Original Message-
From: Clifford Bryant [mailto:[EMAIL PROTECTED] 
Sent: Friday, September 21, 2007 6:59 AM
To: Tomcat Users List
Subject: RE: Setting Up SSL on Tomcat

Created MBeanServer with ID:
1f436f5:11527b2e181:-8000:rsdev01.edgewater.com:1
Sep 21, 2007 6:52:58 AM org.apache.catalina.core.AprLifecycleListener
lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance
in production environments was not found on the java.library.path:
/usr/java/j2sdk1.4.2_15/jre/lib/i386/client:/usr/java/j2sdk1.4.2_15/jre/
lib/i386:/usr/java/j2sdk1.4.2_15/jre/../lib/i386
Sep 21, 2007 6:52:58 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 21, 2007 6:53:00 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Sep 21, 2007 6:53:00 AM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 4057 ms
Sep 21, 2007 6:53:00 AM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Sep 21, 2007 6:53:00 AM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.23
Sep 21, 2007 6:53:00 AM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Sep 21, 2007 6:53:02 AM org.apache.catalina.startup.HostConfig deployWAR
INFO: Deploying web application archive cas.war
2007-09-21 06:53:05,656 INFO
[org.jasig.cas.ticket.proxy.support.Cas20ProxyHandler] - 
2007-09-21 06:53:08,095 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 06:53:08,098 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 06:53:08,145 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 06:53:08,145 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 06:53:08,145 INFO
[org.jasig.cas.web.ServiceValidateController] - 
2007-09-21 06:53:08,321 INFO
[org.jasig.cas.web.flow.AuthenticationViaForm

RE: Setting Up SSL on Tomcat

2007-09-21 Thread Clifford Bryant
 org.acegisecurity.userdetails.memory.UserMap
addUser
INFO: Adding user [EMAIL PROTECTED]: Username:
scott; Password: [PROTECTED]; Enabled: true; AccountNonExpired: true;
credentialsNonExpired: true; AccountNonLocked: true; Granted
Authorities: ROLE_USER]
Sep 21, 2007 6:53:13 AM
org.springframework.cache.ehcache.EhCacheManagerFactoryBean
afterPropertiesSet
INFO: Initializing EHCache CacheManager
Sep 21, 2007 6:53:14 AM
org.acegisecurity.securechannel.ChannelProcessingFilter
afterPropertiesSet
INFO: Validated configuration attributes
Sep 21, 2007 6:53:14 AM
org.acegisecurity.intercept.AbstractSecurityInterceptor
afterPropertiesSet
INFO: Validated configuration attributes
Sep 21, 2007 6:53:14 AM org.springframework.web.context.ContextLoader
initWebApplicationContext
INFO: Root WebApplicationContext: initialization completed in 3678 ms
09/21 06:53:18 INFO License Service: Flex 1.5 CF Edition enabled
09/21 06:53:18 INFO Starting Flex 1.5 CF Edition
09/21 06:53:18 INFO Macromedia Flex Build: 87315.134646
09/21 06:53:21 Information [main] - Starting logging...
09/21 06:53:21 Information [main] - Starting crypto...
09/21 06:53:22 Information [main] - Starting license...
09/21 06:53:22 Information [main] - Starting License server ...
09/21 06:53:22 Information [main] - Starting scheduler...
09/21 06:53:22 Information [main] - Starting WatchService...
09/21 06:53:22 Information [main] - Starting debugging...
09/21 06:53:22 Information [main] - Starting sql...
2007-09-21 06:53:25,849 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -

2007-09-21 06:53:25,849 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -
<0 found to be removed.  Removing now.>
2007-09-21 06:53:25,850 INFO
[org.jasig.cas.ticket.registry.support.DefaultTicketRegistryCleaner] -

09/21 06:53:27 Information [main] - Pool Manager Started
09/21 06:53:28 Information [main] - Starting mail...
09/21 06:53:28 Information [main] - CORBA Configuration not enabled
09/21 06:53:28 Information [main] - Starting cron...
09/21 06:53:28 Information [main] - Starting registry...
09/21 06:53:28 Information [main] - Starting client...
09/21 06:53:28 Information [main] - The metrics service is disabled for
the J2EE edition
09/21 06:53:28 Information [main] - Starting xmlrpc...
09/21 06:53:29 Information [main] - Starting graphing...
09/21 06:53:29 Information [main] - Starting verity...
09/21 06:53:30 Information [main] - Starting archive...
09/21 06:53:30 Information [main] - Starting document...
09/21 06:53:30 Information [main] - Starting eventgateway...
09/21 06:53:30 Information [main] - Starting Event Backend Handlers
09/21 06:53:30 Information [main] - Initialized EventRequestDispatcher
with a Thread Pool size of 10
09/21 06:53:30 Information [main] - Initializing EventRequestHandler
09/21 06:53:30 Information [main] - Starting Event Gateways
09/21 06:53:30 Information [main] - ColdFusion started
Sep 21, 2007 6:53:33 AM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8080
Sep 21, 2007 6:53:34 AM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on http-8443
Sep 21, 2007 6:53:34 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Sep 21, 2007 6:53:34 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/158  config=null
Sep 21, 2007 6:53:34 AM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Sep 21, 2007 6:53:34 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 34805 ms

-Original Message-
From: Hassan Schroeder [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 20, 2007 11:36 PM
To: Tomcat Users List
Subject: Re: Setting Up SSL on Tomcat

On 9/20/07, Clifford Bryant <[EMAIL PROTECTED]> wrote:
> I am trying to set up Tomcat 5.5.23 on a Linux server to use SSL.  The
> SSL port (8443) is uncommented in the server.xml.  And, I set up a
> certificate.  I tried to navigate to the Tomcat startup page from
> another (Windows) machine.  I can get to the HTTP port (8080).  But, I
> get a "Server not found or DNS error" when I try to use the secure port
> (8443).


And the startup log messages are ___?

-- 
Hassan Schroeder  [EMAIL PROTECTED]

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



This e-mail and any files transmitted with it are confidential and are intended 
solely for the use of the individual or entity to whom they are addressed.  
This communication may contain information that is protected from disclosure by 
applicable law.  If you are not the intended recipient, or the employee or 
agent responsible for delivering this communication to the intended recipient, 
be ad

Re: Setting Up SSL on Tomcat

2007-09-20 Thread Hassan Schroeder
On 9/20/07, Clifford Bryant <[EMAIL PROTECTED]> wrote:
> I am trying to set up Tomcat 5.5.23 on a Linux server to use SSL.  The
> SSL port (8443) is uncommented in the server.xml.  And, I set up a
> certificate.  I tried to navigate to the Tomcat startup page from
> another (Windows) machine.  I can get to the HTTP port (8080).  But, I
> get a "Server not found or DNS error" when I try to use the secure port
> (8443).


And the startup log messages are ___?

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Setting Up SSL on Tomcat

2007-09-20 Thread Clifford Bryant
I am trying to set up Tomcat 5.5.23 on a Linux server to use SSL.  The
SSL port (8443) is uncommented in the server.xml.  And, I set up a
certificate.  I tried to navigate to the Tomcat startup page from
another (Windows) machine.  I can get to the HTTP port (8080).  But, I
get a "Server not found or DNS error" when I try to use the secure port
(8443).  Any help would be greatly appreciated.  Tomcat is running under
its own account on the Linux server, and not as root.

 

Cliff Bryant





RE: Configure SSL on Tomcat.

2007-04-26 Thread Caldarale, Charles R
> From: Cartman [mailto:[EMAIL PROTECTED] 
> Subject: Re: Configure SSL on Tomcat.
> 
> And, what can I do?

If you choose not to use APR, delete the .dll from the bin directory,
and configure SSL according to the doc I gave you before:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




Re: Configure SSL on Tomcat.

2007-04-26 Thread Cartman

And, what can I do?

On 4/26/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> > From: Cartman [mailto:[EMAIL PROTECTED]
> > Subject: Re: Configure SSL on Tomcat.
> >
> > Should I install them one by one or just tcnative-1.dll?
>
> I'm the wrong person to ask, since I prefer to run pure Java rather than
> mix native code into the pot.  Unless you're really pressed for
> performance or capacity, you don't really need APR.
>
> - Chuck







--
Thanks.
Sincerely,
Carlos Arturo Trujillo Silva
Systems Engineer


RE: Configure SSL on Tomcat.

2007-04-26 Thread Caldarale, Charles R
> From: Cartman [mailto:[EMAIL PROTECTED] 
> Subject: Re: Configure SSL on Tomcat.
> 
> Should I install them one by one or just tcnative-1.dll?

I'm the wrong person to ask, since I prefer to run pure Java rather than
mix native code into the pot.  Unless you're really pressed for
performance or capacity, you don't really need APR.

 - Chuck





Re: Configure SSL on Tomcat.

2007-04-26 Thread Cartman



> > My Apache Tomcat is 5.5.9
> > My jdk is 1.5.05
>
> Is that a Sun JDK?  If so, you're not being precise with the version
> number; do you mean 1.5.0_5?

Sorry, jdk-1_5_0_05-windows-i586-p.exe

> > And my windows is 2003 server.
> >
> > how do I configure apr?
>
> If APR is installed, you'll see a tcnative-1.dll in Tomcat's bin
> directory.  If the .dll isn't there, you likely do not have APR.
>
> Documentation for SSL without APR:
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
>
> Documentation for SSL using APR:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS
>
> Make sure you use doc for the appropriate Tomcat level, not for older or
> newer ones.

ok, I've downloaded this file:

http://tomcat.heanet.ie/native/1.1.10/binaries/win32/tcnative-1.dll

But, I read this: http://tomcat.apache.org/tomcat-5.5-doc/apr.html

"...Windows binaries are provided for tcnative-1, which is a statically
compiled .dll which includes OpenSSL and APR. It can be downloaded
from here as 32bit or AMD x86-64
binaries. In security conscious production
environments, it is recommended to use separate shared dlls for OpenSSL,
APR, and libtcnative-1, and update them as needed according to security
bulletins. Windows OpenSSL binaries are linked from the Official OpenSSL
website  (see related/binaries)"

Should I install them one by one or just tcnative-1.dll?

Thanks.

> - Chuck








--
Thanks.
Sincerely,
Carlos Arturo Trujillo Silva
Systems Engineer


RE: Configure SSL on Tomcat.

2007-04-26 Thread Caldarale, Charles R
> From: Cartman [mailto:[EMAIL PROTECTED] 
> Subject: Re: Configure SSL on Tomcat.
> 
> My Apache Tomcat is 5.5.9
> My jdk is 1.5.05

Is that a Sun JDK?  If so, you're not being precise with the version
number; do you mean 1.5.0_5?

> And my windows is 2003 server.
> 
> how do I configure apr?

If APR is installed, you'll see a tcnative-1.dll in Tomcat's bin
directory.  If the .dll isn't there, you likely do not have APR.

Documentation for SSL without APR:
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

Documentation for SSL using APR:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS

Make sure you use doc for the appropriate Tomcat level, not for older or
newer ones.

 - Chuck





Re: Configure SSL on Tomcat.

2007-04-26 Thread Cartman

Hi, thanks for your answer, so...

My Apache Tomcat is 5.5.9
My jdk is 1.5.05
And my windows is 2003 server.

how do I configure apr?

On 4/26/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:

> > From: Cartman [mailto:[EMAIL PROTECTED]
> > Subject: Configure SSL on Tomcat.
> >
> > I try to configure my apache tomcat server with
> > ssl support, but  I can't.
>
> What version of Tomcat are you using?  (The web sites you listed were
> for everything from 3.0 through 5.0, so most of that is not applicable
> to current versions of Tomcat.)
>
> If it's 5.5 or later, do you have APR installed?  The SSL config is
> completely different for that connector.
>
> What JRE/JDK are you using?
>
> You appear to be running on some flavor of Windows; which one?
>
> - Chuck







--
Thanks.
Sincerely,
Carlos Arturo Trujillo Silva
Systems Engineer


RE: Configure SSL on Tomcat.

2007-04-26 Thread Caldarale, Charles R
> From: Cartman [mailto:[EMAIL PROTECTED] 
> Subject: Configure SSL on Tomcat.
> 
> I try to configure my apache tomcat server with 
> ssl support, but  I can't.

What version of Tomcat are you using?  (The web sites you listed were
for everything from 3.0 through 5.0, so most of that is not applicable
to current versions of Tomcat.)

If it's 5.5 or later, do you have APR installed?  The SSL config is
completely different for that connector.

What JRE/JDK are you using?

You appear to be running on some flavor of Windows; which one?

 - Chuck





Configure SSL on Tomcat.

2007-04-26 Thread Cartman

Hi everybody, I try to configure my apache tomcat server with ssl support,
but I can't. I've done everything but it doesn't work.

I've visited some web pages that say the same, but I can't configure my
tomcat.

http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html
http://www.digicert.com/ssl-certificate-installation-tomcat.htm
http://e-docs.bea.com/ales/docs21/admindeployguide/ssl.html
http://www.apachefrance.com/Manuels/Tomcat_3.0/tomcat-ssl-howto.html
http://users.skynet.be/pascalbotte/art/server-cert.htm

Please, somebody help me...

I sent my KEY.pem to my CA and they sent me two files CERTICAMARA.cer and
MYCOMPANY.cer.

With both I do that...

keytool -import -alias root -keystore c:\MYCOMPANY.keystore -trustcacerts
-file CERTICAMARA.cer

and...

keytool -import -alias tomcat -keystore c:\MYCOMPANY.keystore -trustcacerts
-file MYCOMPANY.cer

and then into my server.xml (%CATALINA_BASE%\instancia2\conf\server.xml) ...


   

My tomcat installation directory is...

%CATALINA_HOME%\bin
%CATALINA_HOME%\conf
%CATALINA_HOME%\common
%CATALINA_HOME%\logs
%CATALINA_HOME%\server
%CATALINA_HOME%\shared
%CATALINA_HOME%\temp
%CATALINA_HOME%\webapp
%CATALINA_HOME%\work

%CATALINA_BASE%\

%CATALINA_BASE%\instancia1\conf
%CATALINA_BASE%\instancia1\logs
%CATALINA_BASE%\instancia1\server
%CATALINA_BASE%\instancia1\temp
%CATALINA_BASE%\instancia1\webapp
%CATALINA_BASE%\instancia1\work

%CATALINA_BASE%\instancia2\conf
%CATALINA_BASE%\instancia2\logs
%CATALINA_BASE%\instancia2\server
%CATALINA_BASE%\instancia2\temp
%CATALINA_BASE%\instancia2\webapp
%CATALINA_BASE%\instancia2\work



Help me please...



--
Thanks.
Sincerely,
Carlos Arturo Trujillo Silva
Systems Engineer


Re: help - ssl on tomcat

2007-04-16 Thread Susan Teague Rector

Hi Hassan

Whoops - I was using 5.5 - just didn't give you the right URL! :)

Thanks for the tip - I will look at the SSL connector in the logs

thank you!

susan

Hassan Schroeder wrote:

> On 4/16/07, Susan Teague Rector <[EMAIL PROTECTED]> wrote:
>
> > I have Tomcat 5.5 loaded on Linux Redhat. I followed these directions
> > explicitly: http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html
>
> Uh, you should use the documentation for the version that you're
> actually running, eh? :-)
>
> > When I tried to navigate to https://myserver:443
>
> And you should only need to use 'https://myserver/' -- the port will
> default to the proper one.
>
> In any case, you should look in your logs at the startup messages;
> if there's a problem with the SSL connector, it should show up there
> before you even try to access it.
>
> HTH,






Re: help - ssl on tomcat

2007-04-16 Thread Hassan Schroeder

On 4/16/07, Susan Teague Rector <[EMAIL PROTECTED]> wrote:

> I have Tomcat 5.5 loaded on Linux Redhat. I followed these directions
> explicitly: http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html

Uh, you should use the documentation for the version that you're
actually running, eh? :-)

> When I tried to navigate to https://myserver:443

And you should only need to use 'https://myserver/' -- the port will
default to the proper one.

In any case, you should look in your logs at the startup messages;
if there's a problem with the SSL connector, it should show up there
before you even try to access it.

HTH,
--
Hassan Schroeder  [EMAIL PROTECTED]

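Hassan's point above, and the log Cliff posted in the "Setting Up SSL on Tomcat" thread, is that the startup messages show whether the SSL connector came up at all before anyone debugs the client. The following added example, which is not code from the thread or from Tomcat, parses Tomcat 5.5 startup lines of the kind posted here and classifies the HTTPS connector's state; the healthy sample is built from the thread's own log lines, while the failing sample's layout and its keystore-password error are assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Iterable, List, Set

# JULI logs the class/method on one line and the message on the next, so only
# the message lines need matching (Tomcat 5.5 wording as posted in the thread).
INIT_RE = re.compile(r"^INFO: Initializing Coyote HTTP/1\.1 on http-(\d+)\s*$")
START_RE = re.compile(r"^INFO: Starting Coyote HTTP/1\.1 on http-(\d+)\s*$")
SEVERE_RE = re.compile(r"^SEVERE: (.+?)\s*$")
# First line of a Java stack trace: "some.pkg.SomeException: message"
EXC_RE = re.compile(r"^([\w.$]+(?:Exception|Error)): (.*)$")
NATIVE_MARKER = "Apache Tomcat Native library"


@dataclass
class StartupReport:
    initialized: Set[int] = field(default_factory=set)  # ports whose connector passed init
    started: Set[int] = field(default_factory=set)      # ports whose connector is listening
    native_missing: bool = False                        # tcnative absent, so JSSE is in use
    severe: List[str] = field(default_factory=list)     # SEVERE lines plus the exception after them


def parse_startup_log(lines: Iterable[str]) -> StartupReport:
    """Collect connector-related facts from catalina.out lines."""
    report = StartupReport()
    after_severe = False
    for raw in lines:
        line = raw.rstrip("\n")
        if m := INIT_RE.match(line):
            report.initialized.add(int(m.group(1)))
        elif m := START_RE.match(line):
            report.started.add(int(m.group(1)))
        elif NATIVE_MARKER in line and "was not found" in line:
            report.native_missing = True
        elif m := SEVERE_RE.match(line):
            report.severe.append(m.group(1))
            after_severe = True
        elif after_severe and (m := EXC_RE.match(line)):
            # Attach the exception that explains the SEVERE line just seen.
            report.severe[-1] += f" -> {m.group(1)}: {m.group(2)}"
            after_severe = False
    return report


def assess_https(report: StartupReport, https_port: int = 8443) -> str:
    """Classify the HTTPS connector from what the startup log shows."""
    if https_port in report.started:
        return "listening"  # the startup log holds no reason for a client-side failure
    if https_port in report.initialized:
        return "initialized-not-started"
    if report.severe:
        return "failed"  # report.severe names the endpoint error
    return "absent"  # nothing was logged for that port at all


def check(log_text: str, https_port: int = 8443) -> dict:
    report = parse_startup_log(log_text.splitlines())
    return {"status": assess_https(report, https_port),
            "native_missing": report.native_missing,
            "severe": report.severe}


# Constructed sample 1: the healthy startup posted in the thread, with the
# e-mail line wrapping folded back so each log message is one line.
HEALTHY_LOG = """\
Sep 21, 2007 7:13:21 AM org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/java/j2sdk1.4.2_15/jre/lib/i386/client
Sep 21, 2007 7:13:21 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:22 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
"""

# Constructed sample 2 (assumed layout, not from the thread): a JSSE connector
# with a wrong keystore password never reaches its "Initializing" line; the
# JDK's JKS error appears under a SEVERE instead.
BROKEN_LOG = """\
Sep 21, 2007 7:13:21 AM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Sep 21, 2007 7:13:22 AM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
Sep 21, 2007 7:13:32 AM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
"""

if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_LOG), ("broken", BROKEN_LOG)):
        print(name, check(text))
```

A "listening" verdict on the thread's own log means the server side is up and the remaining gap lies between the client and port 8443, which the startup log cannot show.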



help - ssl on tomcat

2007-04-16 Thread Susan Teague Rector

Hi all,

I just joined the list so please excuse if there are numerous postings 
about this topic. I did search the archives and have googled quite a bit 
but cannot figure out why SSL is not working on Tomcat.


I have Tomcat 5.5 loaded on Linux Redhat. I followed these directions 
explicitly: http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html
The only configuration change I have is that I'm running Tomcat on :80 
and SSL on :443. I've updated my server.xml with these changes.


When I tried to navigate to https://myserver:443, I get a 404 and my 
logs say that there's been a broken pipe socket exception:


Apr 16, 2007 11:26:09 AM org.apache.catalina.core.StandardHostValve status
WARNING: Exception Processing ErrorPage[errorCode=404, 
location=/error/404.jsp]

ClientAbortException:  java.net.SocketException: Broken pipe
   at 
org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:327)
   at 
org.apache.catalina.connector.OutputBuffer.flush(OutputBuffer.java:293)
   at 
org.apache.catalina.connector.Response.flushBuffer(Response.java:537)
   at 
org.apache.catalina.core.StandardHostValve.status(StandardHostValve.java:286)
   at 
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:136)
   at 
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:105)
   at 
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:107)
   at 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:148)
   at 
org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:869)
   at 
org.apache.coyote.http11.Http11BaseProtocol$Http11ConnectionHandler.processConnection(Http11BaseProtocol.java:664)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.processSocket(PoolTcpEndpoint.java:527)
   at 
org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:80)
   at 
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)

   at java.lang.Thread.run(Thread.java:619)
Caused by: java.net.SocketException: Broken pipe
   at java.net.SocketOutputStream.socketWrite0(Native Method)
   at 
java.net.SocketOutputStream.socketWrite(SocketOutputStream.java:92)

   at java.net.SocketOutputStream.write(SocketOutputStream.java:136)
   at 
org.apache.coyote.http11.InternalOutputBuffer.realWriteBytes(InternalOutputBuffer.java:746)
   at 
org.apache.tomcat.util.buf.ByteChunk.flushBuffer(ByteChunk.java:433)
   at 
org.apache.coyote.http11.InternalOutputBuffer.flush(InternalOutputBuffer.java:304)
   at 
org.apache.coyote.http11.Http11Processor.action(Http11Processor.java:991)

   at org.apache.coyote.Response.action(Response.java:182)
   at 
org.apache.catalina.connector.OutputBuffer.doFlush(OutputBuffer.java:322)


Can anyone point me to any documentation about what this means?

Thank you!

susan




