Tomcat 5.5 problems enabling SSL on Windows service version
I have Tomcat 5.5 installed as both a Windows service version and as the standard deployment version (non Windows service - starts up with startup.bat). I purchased and installed an SSL certificate from Verisign. I modified the server.xml to enable the SSL connector. I have two different versions of server.xml: one uses ports 8080 and 8443 for http and https, the other version uses 80 and 443.

On the Tomcat machine, I tried to connect to the https: version of my webapps. I can connect to my webapps on the standard (non-service) version of Tomcat with either server.xml and either set of ports, so I know that 80, 443, 8080, and 8443 are all good. On the service version of Tomcat, the non-SSL (http:) ports 80 and 8080 are good, but I cannot connect to either 443 or 8443 via https. I've tried copying the entire \conf folder from the non-service version to the service version of Tomcat, and still no connection. The browser simply times out waiting for the connection. Nothing is showing up in the log files at all, so it looks like Tomcat is not seeing these connections at all.

Platform:
Windows Server 2003
Tomcat 5.5.20 (service version) / Tomcat 5.5.16 (non-service version)
jdk1.5.0_08

I'm including my 2 server.xml files, but these can't be the problem, since both of them work on the non-service version, and neither of them work on the Windows service version. Any clues as to where else I should look?

Many thanks,
David

== server.xml (intended for non-service version of Tomcat)

    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8105" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
      <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
      <GlobalNamingResources>
        <Environment name="isProduction" type="java.lang.Boolean" value="FALSE"/>
        <Environment name="productionMode" type="java.lang.String" value="TEST"/>
        <Resource auth="Container" description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase"
                  pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
        <Resource auth="Container" driverClassName="com.ibm.as400.access.AS400JDBCDriver"
                  maxActive="30" maxIdle="2" maxWait="5000" name="jdbc/" password=""
                  type="javax.sql.DataSource" url="jdbc:as400://abc.def.com" username=""/>
        <Resource auth="Container" driverClassName="com.ibm.as400.access.AS400JDBCDriver"
                  maxActive="30" maxIdle="2" maxWait="5000" name="jdbc/xxx" password="xx"
                  type="javax.sql.DataSource" url="jdbc:as400://ghi.jkl.com" username="xx"/>
        <Resource auth="Container" driverClassName="com.ibm.as400.access.AS400JDBCDriver"
                  maxActive="30" maxIdle="2" maxWait="5000" name="jdbc/" password="xxx"
                  type="javax.sql.DataSource" url="jdbc:as400://mno.pqr.com" username="JPxxxGMR"/>
      </GlobalNamingResources>
      <Service name="Catalina">
        <Connector port="8080" redirectPort="8443" minSpareThreads="25" connectionTimeout="2"
                   maxThreads="150" maxSpareThreads="75" maxHttpHeaderSize="8192"></Connector>
        <Connector port="8009" redirectPort="8443" protocol="AJP/1.3"></Connector>
        <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150" minSpareThreads="25"
                   maxSpareThreads="75" enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
                   keystoreFile="C:\Program Files\Java\jdk1.5.0_06\bin\.keystore" />
        <Engine defaultHost="localhost" name="Catalina">
          <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
          <Host appBase="webapps" name="localhost" autoDeploy="true" liveDeploy="true" unpackWARs="true">
            <Context path="" reloadable="true"></Context>
          </Host>
        </Engine>
      </Service>
    </Server>

== server.xml (intended for Windows service version)

    <?xml version="1.0" encoding="UTF-8"?>
    <Server port="8105" shutdown="SHUTDOWN">
      <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
      <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
      <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
      <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
      <GlobalNamingResources>
        <Environment name="isProduction" type="java.lang.Boolean" value="FALSE"/>
        <Environment name="productionMode" type="java.lang.String" value="TEST"/>
        <Resource auth="Container" description="User database that can be updated and saved"
                  factory="org.apache.catalina.users.MemoryUserDatabaseFactory" name="UserDatabase"
                  pathname="conf/tomcat-users.xml" type="org.apache.catalina.UserDatabase"/>
        <Resource auth="Container" driverClassName=
Re: Tomcat 5.5 problems enabling SSL on Windows service version
David Uctaa wrote:
> I have Tomcat 5.5 installed as both a Windows service version and as the standard deployment version (non Windows service - starts up with startup.bat). I purchased and installed an SSL certificate from Verisign. I modified the server.xml to enable the SSL connector. I have two different versions of server.xml: one uses ports 8080 and 8443 for http and https, the other version uses 80 and 443.
>
> On the Tomcat machine, I tried to connect to the https: version of my webapps. I can connect to my webapps on the standard (non-service) version of Tomcat with either server.xml and either set of ports, so I know that 80, 443, 8080, and 8443 are all good. On the service version of Tomcat, the non-SSL (http:) ports 80 and 8080 are good, but I cannot connect to either 443 or 8443 via https. I've tried copying the entire \conf folder from the non-service version to the service version of Tomcat, and still no connection. The browser simply times out waiting for the connection. Nothing is showing up in the log files at all, so it looks like Tomcat is not seeing these connections at all.

WAG: check if the account the Tomcat service runs under (probably SYSTEM) has sufficient rights to access the .keystore file.

Regards
mks

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat 5.5 problems enabling SSL on Windows service version
According to Windows, the Group or User Names assigned to .keystore are:

Administrators
Power Users
SYSTEM
TERMINAL SERVER USER
Users

Tomcat's logon properties are:
Log on as: Local System Account (Allow service to interact with desktop is *not* checked)

Should I change this to log on as me? If so, will I have to re-boot the server, or will simply re-starting the service be sufficient?

Many thanks,
David
Re: Tomcat 5.5 problems enabling SSL on Windows service version
I tried changing the service to log on with my credentials, and still no go. However, if there were a problem such as you described, then shouldn't there be an exception thrown somewhere that I should be able to find? The SSL service started up without a problem:

Nov 15, 2006 9:44:38 AM org.apache.coyote.http11.Http11AprProtocol start
INFO: Starting Coyote HTTP/1.1 on http-443

and after the browser times out, nothing shows up in any of the logs indicating that there was a problem with the keystore file...
Re: Tomcat 5.5 problems enabling SSL on Windows service version
David Uctaa wrote:
> According to Windows, the Group or User Names assigned to .keystore are:
>
> Administrators
> Power Users
> SYSTEM
> TERMINAL SERVER USER
> Users
>
> Tomcat's logon properties are:
> Log on as: Local System Account (Allow service to interact with desktop is *not* checked)

LOCAL SYSTEM is a different account than SYSTEM. And the former doesn't seem to have any access rights on the .keystore file. Assigning sufficient permissions for LOCAL SYSTEM on the .keystore file might help.

> Should I change this to log on as me? If so, will I have to re-boot the server, or will simply re-starting the service be sufficient?

No, at least not when the service is running live. But changing the account just temporarily might be helpful diagnose-wise. If everything works when the service is running under your account, this would be a strong indication that it really is a permission problem.

Regards
mks
Re: Tomcat 5.5 problems enabling SSL on Windows service version
It doesn't work when logged on as me. I changed the service to log on with my credentials, and I still have the same thing happening.
Re: Tomcat 5.5 problems enabling SSL on Windows service version
Do you think it possible that this is a problem that upgrading the service version to 5.5.20 would help resolve? The service version is 5.5.16 and the non-service version is 5.5.20. That seems like a really far stretch to me.
Re: Tomcat 5.5 problems enabling SSL on Windows service version
I'm reading the list. There's no need to CC me. I have even set the Reply-To pointing to the list. Please respect that.

David Uctaa wrote:
> I tried changing the service to log on with my credentials, and still no go. However, if there were a problem such as you described, then shouldn't there be an exception thrown somewhere that I should be able to find? The SSL service started up without a problem:
>
> Nov 15, 2006 9:44:38 AM org.apache.coyote.http11.Http11AprProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-443

In this case the APR connector is used. Its SSL configuration is done in a very different way from how it's done with the Base Connector - APR doesn't know nor care about the .keystore:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

There are two options:
1. Change the configuration the way APR needs it.
2. Make sure tcnative-1.dll isn't found by the service. Then the Base connector will be used.

Regards
mks
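The mismatch identified in this reply, as an added example that is not part of the original thread: a Python check that reads a startup log and a server.xml and reports HTTPS connectors that carry keystore-style (Base connector) attributes while the APR connector is the one in use. The sample server.xml is constructed from the connector posted in the thread, the certificate paths in the test are made up, and the SSL* attribute names are the APR connector's, from the Tomcat 5.5 APR page linked above.

```python
import re
import xml.etree.ElementTree as ET

# SSL attributes read by the Base (JSSE) connector; the APR connector ignores them.
JSSE_ATTRS = ("keystoreFile", "keystorePass", "keystoreType", "sslProtocol", "ciphers")
# Attributes the APR connector needs for HTTPS, next to SSLEngine="on".
APR_REQUIRED = ("SSLCertificateFile", "SSLCertificateKeyFile")
APR_START = re.compile(r"org\.apache\.coyote\.http11\.Http11AprProtocol\s+(init|start)")


def apr_in_use(log_text):
    """True if the startup log shows the APR HTTP connector being used."""
    return APR_START.search(log_text) is not None


def audit_connectors(server_xml, log_text):
    """Return (port, message) findings for HTTPS connectors that do not
    match the connector implementation the log says is running."""
    apr = apr_in_use(log_text)
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # plain HTTP or AJP connector
        port = conn.get("port")
        jsse = [a for a in JSSE_ATTRS if conn.get(a) is not None]
        apr_attrs = [a for a in conn.attrib if a.startswith("SSL")]
        if apr:
            if conn.get("SSLEngine") != "on":
                findings.append((port, "APR in use but SSLEngine is not 'on'"))
            missing = [a for a in APR_REQUIRED if conn.get(a) is None]
            if missing:
                findings.append((port, "missing APR attributes: " + ", ".join(missing)))
            if jsse:
                findings.append((port, "JSSE attributes ignored by APR: " + ", ".join(jsse)))
        elif apr_attrs:
            findings.append((port, "APR attributes ignored by Base connector: "
                             + ", ".join(apr_attrs)))
    return findings


# Constructed sample: the HTTPS connector from the thread, moved to port 443.
SAMPLE_XML = r'''<Server port="8105" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="80" redirectPort="443"/>
    <Connector port="443" scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS"
               keystoreFile="C:\Program Files\Java\jdk1.5.0_06\bin\.keystore"/>
  </Service>
</Server>'''
# Startup log lines as quoted in the thread.
SAMPLE_LOG = ("Nov 15, 2006 9:44:38 AM org.apache.coyote.http11.Http11AprProtocol start\n"
              "INFO: Starting Coyote HTTP/1.1 on http-443\n")

if __name__ == "__main__":
    for port, message in audit_connectors(SAMPLE_XML, SAMPLE_LOG):
        print("port %s: %s" % (port, message))
```

Run against the service's own server.xml and catalina log, an empty result means the HTTPS connector's attributes match the connector that actually started.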
RE: Tomcat 5.5 problems enabling SSL on Windows service version
> From: David Uctaa [mailto:[EMAIL PROTECTED]
> Subject: Re: Tomcat 5.5 problems enabling SSL on Windows service version
>
> Do you think it possible that this is a problem that upgrading the service version to 5.5.20 would help resolve?

Probably not. But - did you install the APR connector (tcnative-1.dll)? If so, the SSL config is different than for the standard connector.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Tomcat 5.5 problems enabling SSL on Windows service version
Markus,

Thanks for the info on APR. I'll try configuring that properly, or if that fails, to let it fall back to the base connector. And apologies for the inappropriate CC. List newbie.
Re: Tomcat 5.5 problems enabling SSL on Windows service version
Yup, it's the APR connector. I'm going to try changing the configuration to handle that properly, or if that fails, to let it fall back to the base connector.

Thanks,
David
Re: Tomcat 5.5 problems enabling SSL on Windows service version
:) Thanks for the assistance. I'm hip-deep in APR configuration info now.

On 11/15/06, Markus Schönhaber [EMAIL PROTECTED] wrote:
> Markus Schönhaber wrote:
>> LOCAL SYSTEM is a different account than SYSTEM. And the former doesn't
>
> Bullshit. This should be LOCAL SERVICE (or however it is called on an English Windows). This is indeed a different account than SYSTEM, but it is irrelevant in your case. Reading error on my part.
>
> Regards
> mks
Re: Tomcat 5.5 problems enabling SSL on Windows service version
David Uctaa wrote:
> :) Thanks for the assistance. I'm hip-deep in APR configuration info now.

Have fun! ;-)

Regards
mks