Re: tomcat and ssl

2020-04-29 Thread Bill Stewart
On Tue, Apr 28, 2020 at 10:42 PM Naga Ramesh wrote:

> Can you check the below link..
>
> https://mkyong.com/webservices/jax-ws/suncertpathbuilderexception-unable-to-find-valid-certification-path-to-requested-target/

I think you intended to reply to the mailing list (users at tomcat dot
apache dot org) rather than to me directly.

Bill

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: tomcat and ssl

2020-04-28 Thread Bill Stewart
On Mon, Apr 27, 2020 at 3:31 PM calder  wrote:
>
> On Mon, Apr 27, 2020 at 11:22 AM Beard, Shawn M. wrote:
>
> > I have an app running in tomcat 9 that makes an ssl call to an external
> > webservice.
> >
> > It fails with these errors in the logs:
> >
> > ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
> > sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> > valid certification path to requested target
>
> When we've seen that in our logs, it's because self-signed certs are being
> used.

This error can also occur on a Windows domain when the TLS certificate
is issued by a corporate (internal) certificate authority (i.e., Java
doesn't trust the issuer).

On a Windows machine, you can tell Java to trust the certificates in
the Windows certificate store by using this command line parameter:

-Djavax.net.ssl.trustStoreType=WINDOWS-ROOT

Bill




Re: tomcat and ssl

2020-04-27 Thread calder
On Mon, Apr 27, 2020, 16:30 calder  wrote:

>
>
> On Mon, Apr 27, 2020 at 11:22 AM Beard, Shawn M.
>  wrote:
>
>> I have an app running in tomcat 9 that makes an ssl call to an external
>> webservice.
>>
>>
>>
>> It fails with these errors in the logs:
>>
>> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
>> valid certification path to requested target
>>
>
> When we've seen that in our logs, it's because self-signed certs are
> being used.
>

Sorry I didn't include the other possible issue that we see with this error
message.

It can also be related to using the wrong version of the unlimited
encryption JAR files.


Re: tomcat and ssl

2020-04-27 Thread calder
On Mon, Apr 27, 2020 at 11:22 AM Beard, Shawn M.
 wrote:

> I have an app running in tomcat 9 that makes an ssl call to an external
> webservice.
>
>
>
> It fails with these errors in the logs:
>
> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find
> valid certification path to requested target
>

When we've seen that in our logs, it's because self-signed certs are being
used.


RE: tomcat and ssl [EXTERNAL]

2020-04-27 Thread jonmcalexander
Best Practice would be to set these properties within your application and not 
on the JVM Command line. You are setting these at way too high a level in most 
cases. Just my .02 worth.


Dream * Excel * Explore * Inspire
Jon McAlexander
Asst Vice President

Middleware Product Engineering
Enterprise CIO | Platform Services | Middleware | Infrastructure Solutions

8080 Cobblestone Rd | Urbandale, IA 50322
MAC: F4469-010
Tel 515-988-2508 | Cell 515-988-2508

jonmcalexan...@wellsfargo.com


This message may contain confidential and/or privileged information. If you are 
not the addressee or authorized to receive this for the addressee, you must not 
use, copy, disclose, or take any action based on this message or any 
information herein. If you have received this message in error, please advise 
the sender immediately by reply e-mail and delete this message. Thank you for 
your cooperation.

-Original Message-
From: Beard, Shawn M.  
Sent: Monday, April 27, 2020 11:47 AM
To: Tomcat Users List 
Subject: RE: tomcat and ssl [EXTERNAL]

Adding this to the JVM options worked:
-Djavax.net.ssl.trustStore=/usr/apache/tomcat/ssl/TomcatTrustStore.p12 
-Djavax.net.ssl.trustStorePassword=



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: Mark Thomas 
Sent: Monday, April 27, 2020 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat and ssl [EXTERNAL]

** CAUTION: External message


On 27/04/2020 17:29, Beard, Shawn M. wrote:
> This is a 3rd party app so can't do that. We need to configure tomcat to have 
> apps use a trust store just like any other java container.

That isn't the way Java SE, Java EE (now Jakarta EE), JSSE, and web 
applications work.

Tomcat has ZERO role in out-going SSL connections. Any container that claims 
otherwise is doing nothing more than setting the relevant system properties.

It sounds like setting a trust store via system properties is your only option 
(although personally I'd be raising a bug against that 3rd-party app as relying 
on system properties for configuration can be fragile).

Mark


>
>
>
> Shawn Beard
> Sr. Systems Engineer
> BTS
> +1-515-564-2528
>
> -Original Message-
> From: Mark Thomas 
> Sent: Monday, April 27, 2020 11:26 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat and ssl [EXTERNAL]
>
>
> On 27/04/2020 17:21, Beard, Shawn M. wrote:
>> I have an app running in tomcat 9 that makes an ssl call to an 
>> external webservice.
>>
>>
>>
>> It fails with these errors in the logs:
>>
>> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to 
>> find valid certification path to requested target
>>
>>
>>
>> I have this in the connectors in the server.xml.
>>
>>   keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>>
>>truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>>
>>keystorePass=""
>>
>>truststorePass="XXX"
>>
>>
>>
>>
>>
>> I have the root authority certs imported as trusted certs in this
>> p12 file.
>>
>>
>>
>> Any ideas?
>
> Outgoing SSL calls are nothing to do with Tomcat. Configuration in server.xml 
> will have zero impact on them. You need to code the out going call exactly 
> the same way as you would in a stand-alone Java program. My recommendation is 
> you configure the connection programmatically rather than via system 
> properties although the system properties approach should work.
>
> Mark
>
> CONFIDENTIALITY NOTICE: This e-mail and the transmitted documents contain 
> private, privileged and confidential information belonging to the sender. The 
> information therein is solely for the use of the addressee. If your receipt 
> of this transmission has occurred as the result of an error, please 
> immediately notify us so we can arrange for the return of the documents. In 
> such circumstances, you are advised that you may not disclose, copy, 
> distribute or take any other action in reliance on the information 
> transmitted.
>


--

RE: tomcat and ssl [EXTERNAL]

2020-04-27 Thread Beard, Shawn M.
Adding this to the JVM options worked:
-Djavax.net.ssl.trustStore=/usr/apache/tomcat/ssl/TomcatTrustStore.p12 
-Djavax.net.ssl.trustStorePassword=



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: Mark Thomas 
Sent: Monday, April 27, 2020 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat and ssl [EXTERNAL]


On 27/04/2020 17:29, Beard, Shawn M. wrote:
> This is a 3rd party app so can't do that. We need to configure tomcat to have 
> apps use a trust store just like any other java container.

That isn't the way Java SE, Java EE (now Jakarta EE), JSSE, and web 
applications work.

Tomcat has ZERO role in out-going SSL connections. Any container that claims 
otherwise is doing nothing more than setting the relevant system properties.

It sounds like setting a trust store via system properties is your only option 
(although personally I'd be raising a bug against that 3rd-party app as relying 
on system properties for configuration can be fragile).

Mark


>
>
>
> Shawn Beard
> Sr. Systems Engineer
> BTS
> +1-515-564-2528
>
> -Original Message-
> From: Mark Thomas 
> Sent: Monday, April 27, 2020 11:26 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat and ssl [EXTERNAL]
>
>
> On 27/04/2020 17:21, Beard, Shawn M. wrote:
>> I have an app running in tomcat 9 that makes an ssl call to an
>> external webservice.
>>
>>
>>
>> It fails with these errors in the logs:
>>
>> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>>
>>
>> I have this in the connectors in the server.xml.
>>
>>   keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>>
>>truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>>
>>keystorePass=""
>>
>>truststorePass="XXX"
>>
>>
>>
>>
>>
>> I have the root authority certs imported as trusted certs in this
>> p12 file.
>>
>>
>>
>> Any ideas?
>
> Outgoing SSL calls are nothing to do with Tomcat. Configuration in server.xml 
> will have zero impact on them. You need to code the out going call exactly 
> the same way as you would in a stand-alone Java program. My recommendation is 
> you configure the connection programmatically rather than via system 
> properties although the system properties approach should work.
>
> Mark
>





RE: tomcat and ssl [EXTERNAL]

2020-04-27 Thread Beard, Shawn M.
Adding this to JVM options worked

-Djavax.net.ssl.trustStore=/usr/apache/tomcat/ssl/TomcatTrustStore.p12 
-Djavax.net.ssl.trustStorePassword=XXX



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: js84 
Sent: Monday, April 27, 2020 11:33 AM
To: Tomcat Users List 
Subject: AW: tomcat and ssl [EXTERNAL]


Hello!

> I have an app running in tomcat 9 that makes an ssl call to an external 
> webservice.

> It fails with these errors in the logs:
> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:  
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target

> I have this in the connectors in the server.xml.
>  keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>   truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>   keystorePass=""
>   truststorePass="XXX"

> I have the root authority certs imported as trusted certs in this p12 file.

> Any ideas?

Outgoing SSL requests are normally using /lib/security/cacerts as 
truststore: Check if root (intermediate) certificate exists for targeted 
endpoint.

BR,
Johann


From: Beard, Shawn M.
Sent: Monday, 27 April 2020 18:22
To: users@tomcat.apache.org
Subject: tomcat and ssl

I have an app running in tomcat 9 that makes an ssl call to an external 
webservice.

It fails with these errors in the logs:
ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

I have this in the connectors in the server.xml.
  keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
   truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
   keystorePass=""
   truststorePass="XXX"


I have the root authority certs imported as trusted certs in this p12 file.

Any ideas?

Shawn Beard • Sr. Systems Engineer
Middleware Engineering



 3840 109th Street Urbandale, IA 50322
 Phone: +1-515-564-2528
 Email: sbe...@wrberkley.com
 Website: berkleytechnologyservices.com

Technology Leadership Unleashing Business Potential



Re: tomcat and ssl [EXTERNAL]

2020-04-27 Thread Mark Thomas
On 27/04/2020 17:29, Beard, Shawn M. wrote:
> This is a 3rd party app so can't do that. We need to configure tomcat to have 
> apps use a trust store just like any other java container.

That isn't the way Java SE, Java EE (now Jakarta EE), JSSE, and web
applications work.

Tomcat has ZERO role in out-going SSL connections. Any container that
claims otherwise is doing nothing more than setting the relevant system
properties.

It sounds like setting a trust store via system properties is your only
option (although personally I'd be raising a bug against that 3rd-party
app as relying on system properties for configuration can be fragile).

Mark


> 
> 
> 
> Shawn Beard
> Sr. Systems Engineer
> BTS
> +1-515-564-2528
> 
> -Original Message-
> From: Mark Thomas 
> Sent: Monday, April 27, 2020 11:26 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat and ssl [EXTERNAL]
> 
> 
> On 27/04/2020 17:21, Beard, Shawn M. wrote:
>> I have an app running in tomcat 9 that makes an ssl call to an
>> external webservice.
>>
>>
>>
>> It fails with these errors in the logs:
>>
>> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
>> sun.security.provider.certpath.SunCertPathBuilderException: unable to
>> find valid certification path to requested target
>>
>>
>>
>> I have this in the connectors in the server.xml.
>>
>>   keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>>
>>truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>>
>>keystorePass=""
>>
>>truststorePass="XXX"
>>
>>
>>
>>
>>
>> I have the root authority certs imported as trusted certs in this
>> p12 file.
>>
>>
>>
>> Any ideas?
> 
> Outgoing SSL calls are nothing to do with Tomcat. Configuration in server.xml 
> will have zero impact on them. You need to code the out going call exactly 
> the same way as you would in a stand-alone Java program. My recommendation is 
> you configure the connection programmatically rather than via system 
> properties although the system properties approach should work.
> 
> Mark
> 





AW: tomcat and ssl

2020-04-27 Thread js84
Hello!

> I have an app running in tomcat 9 that makes an ssl call to an external 
> webservice.

> It fails with these errors in the logs:
> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:  
> sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
> valid certification path to requested target

> I have this in the connectors in the server.xml. 
>  keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>   truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>   keystorePass=""
>   truststorePass="XXX"

> I have the root authority certs imported as trusted certs in this p12 file.

> Any ideas?

Outgoing SSL requests are normally using /lib/security/cacerts as 
truststore: Check if root (intermediate) certificate exists for targeted 
endpoint. 

BR,
Johann


From: Beard, Shawn M.
Sent: Monday, 27 April 2020 18:22
To: users@tomcat.apache.org
Subject: tomcat and ssl

I have an app running in tomcat 9 that makes an ssl call to an external 
webservice.

It fails with these errors in the logs:
ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

I have this in the connectors in the server.xml. 
  keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
   truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
   keystorePass=""
   truststorePass="XXX"


I have the root authority certs imported as trusted certs in this p12 file.

Any ideas?
 
Shawn Beard • Sr. Systems Engineer
Middleware Engineering

 3840 109th Street Urbandale, IA 50322
 Phone: +1-515-564-2528
 Email: sbe...@wrberkley.com
 Website: berkleytechnologyservices.com
Technology Leadership Unleashing Business Potential




RE: tomcat and ssl [EXTERNAL]

2020-04-27 Thread Beard, Shawn M.
This is a 3rd party app so can't do that. We need to configure tomcat to have 
apps use a trust store just like any other java container.



Shawn Beard
Sr. Systems Engineer
BTS
+1-515-564-2528

-Original Message-
From: Mark Thomas 
Sent: Monday, April 27, 2020 11:26 AM
To: users@tomcat.apache.org
Subject: Re: tomcat and ssl [EXTERNAL]


On 27/04/2020 17:21, Beard, Shawn M. wrote:
> I have an app running in tomcat 9 that makes an ssl call to an
> external webservice.
>
>
>
> It fails with these errors in the logs:
>
> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
>
>
>
> I have this in the connectors in the server.xml.
>
>   keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>
>truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
>
>keystorePass=""
>
>truststorePass="XXX"
>
>
>
>
>
> I have the root authority certs imported as trusted certs in this
> p12 file.
>
>
>
> Any ideas?

Outgoing SSL calls are nothing to do with Tomcat. Configuration in server.xml 
will have zero impact on them. You need to code the out going call exactly the 
same way as you would in a stand-alone Java program. My recommendation is you 
configure the connection programmatically rather than via system properties 
although the system properties approach should work.

Mark



Re: tomcat and ssl

2020-04-27 Thread Mark Thomas
On 27/04/2020 17:21, Beard, Shawn M. wrote:
> I have an app running in tomcat 9 that makes an ssl call to an external
> webservice.
> 
>  
> 
> It fails with these errors in the logs:
> 
> ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> 
>  
> 
> I have this in the connectors in the server.xml.
> 
>   keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
> 
>    truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
> 
>    keystorePass=""
> 
>    truststorePass="XXX"
> 
>  
> 
>  
> 
> I have the root authority certs imported as trusted certs in this p12
> file.
> 
>  
> 
> Any ideas?

Outgoing SSL calls are nothing to do with Tomcat. Configuration in
server.xml will have zero impact on them. You need to code the out going
call exactly the same way as you would in a stand-alone Java program. My
recommendation is you configure the connection programmatically rather
than via system properties although the system properties approach
should work.

Mark
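
Added example (not part of the original thread, and not Tomcat's or the third-party app's code): one way to do what Mark recommends above, scoping a PKCS12 trust store to a single outgoing connection instead of the whole JVM, while listing the store's certificate entries as Johann suggests checking. The class name, the TRUSTSTORE_PASSWORD environment variable and the two command-line arguments are assumptions made for this illustration.

```java
import java.io.InputStream;
import java.net.URI;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

// Hypothetical class name.
// Usage: TRUSTSTORE_PASSWORD=... java ScopedTrustStoreClient <truststore.p12> <https-url>
public class ScopedTrustStoreClient {

    /** Loads a PKCS12 trust store from disk. */
    static KeyStore loadTrustStore(String path, char[] password) throws Exception {
        KeyStore store = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(Paths.get(path))) {
            store.load(in, password);
        }
        return store;
    }

    /** Prints every certificate entry so a missing root or intermediate is easy to spot. */
    static int listCertificateEntries(KeyStore store) throws Exception {
        int count = 0;
        for (String alias : Collections.list(store.aliases())) {
            Certificate cert = store.getCertificate(alias);
            if (store.isCertificateEntry(alias) && cert instanceof X509Certificate) {
                X509Certificate x509 = (X509Certificate) cert;
                System.out.printf("%s: subject=%s issuer=%s notAfter=%s%n",
                        alias,
                        x509.getSubjectX500Principal().getName(),
                        x509.getIssuerX500Principal().getName(),
                        x509.getNotAfter());
                count++;
            }
        }
        return count;
    }

    /** Builds an SSLContext whose trust managers are backed by this store, not by cacerts. */
    static SSLContext contextFor(KeyStore store) throws Exception {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(store);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key, default SecureRandom
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // The password comes from the environment (assumed variable name) so it does
        // not show up in the process command line the way a -D option does.
        String password = System.getenv("TRUSTSTORE_PASSWORD");
        if (args.length != 2 || password == null) {
            System.err.println("usage: TRUSTSTORE_PASSWORD=... "
                    + "java ScopedTrustStoreClient <truststore.p12> <https-url>");
            System.exit(2);
        }

        KeyStore store = loadTrustStore(args[0], password.toCharArray());
        int entries = listCertificateEntries(store);
        System.out.println(entries + " certificate entries in " + args[0]);

        URL url = URI.create(args[1]).toURL();
        if (!"https".equalsIgnoreCase(url.getProtocol())) {
            System.err.println("not an https URL: " + url);
            System.exit(2);
        }

        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Only this connection uses the custom trust store; the JVM default
        // (javax.net.ssl.trustStore or cacerts) is untouched, and the default
        // hostname verification stays in place.
        conn.setSSLSocketFactory(contextFor(store).getSocketFactory());
        try {
            System.out.println("HTTP " + conn.getResponseCode());
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" here means the server's chain does not
            // lead to any certificate printed above.
            System.err.println("TLS handshake failed: " + e.getMessage());
            System.exit(1);
        } finally {
            conn.disconnect();
        }
    }
}
```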




tomcat and ssl

2020-04-27 Thread Beard, Shawn M.
I have an app running in tomcat 9 that makes an ssl call to an external 
webservice.

It fails with these errors in the logs:
ERROR javax.net.ssl.SSLHandshakeException: PKIX path building failed: 
sun.security.provider.certpath.SunCertPathBuilderException: unable to find 
valid certification path to requested target

I have this in the connectors in the server.xml.
  keystoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
   truststoreFile="/usr/apache/tomcat/ssl/TomcatTrustStore.p12"
   keystorePass=""
   truststorePass="XXX"


I have the root authority certs imported as trusted certs in this p12 file.

Any ideas?


Shawn Beard • Sr. Systems Engineer
Middleware Engineering

 3840 109th Street Urbandale, IA 50322
 Phone: +1-515-564-2528
 Email: sbe...@wrberkley.com
 Website: berkleytechnologyservices.com

Technology Leadership Unleashing Business Potential





RE: Tomcat and SSL

2011-03-03 Thread jvr
Yes, this helps me.
Thank You.

-Original Message-
From: peter.crowth...@googlemail.com [mailto:peter.crowth...@googlemail.com]
On Behalf Of Peter Crowther
Sent: jueves, 03 de marzo de 2011 0:48
To: Tomcat Users List
Subject: Re: Tomcat and SSL

On 2 March 2011 15:56, jvr  wrote:

> My question:
>
> If I'm not using JK Connector, is it mandatory to configure tomcat as a
> stand-alone server?
>
> Or, although I'm not using JK Connector, could I consider Apache as the
> primary web server?

If you are not *somehow* forwarding requests from your primary web server
to Tomcat, then you should configure Tomcat as a stand-alone server, yes.
*Somehow* for Apache httpd could be using JK or using Apache httpd as a
reverse proxy.  Either way, you'll need to change part of Apache httpd's
configuration so that it forwards the requests to Tomcat that you want to
receive in Tomcat.

Two processes cannot share the same TCP port on the same IP address.  So
assuming your machine only has one IP address: if you already have Apache
httpd on port 8443, then you cannot also configure Tomcat as a stand-alone
server on port 8443.  You could get Apache httpd to accept all requests on
8443 and forward some to Tomcat (Apache httpd would then be the primary web
server), or you could move Apache httpd to a different port and configure
Tomcat as a stand-alone server on 8443, or you could configure Tomcat as a
stand-alone server on a different port.

Does that help, or have I answered the wrong question? :-)

- Peter





Re: Tomcat and SSL

2011-03-02 Thread Peter Crowther
On 2 March 2011 15:56, jvr  wrote:

> My question:
>
> If I'm not using JK Connector, is it mandatory to configure tomcat as a
> stand-alone server?
>
> Or, although I'm not using JK Connector, could I consider Apache as the
> primary web server?

If you are not *somehow* forwarding requests from your primary web server
to Tomcat, then you should configure Tomcat as a stand-alone server, yes.
*Somehow* for Apache httpd could be using JK or using Apache httpd as a
reverse proxy.  Either way, you'll need to change part of Apache httpd's
configuration so that it forwards the requests to Tomcat that you want to
receive in Tomcat.

Two processes cannot share the same TCP port on the same IP address.  So
assuming your machine only has one IP address: if you already have Apache
httpd on port 8443, then you cannot also configure Tomcat as a stand-alone
server on port 8443.  You could get Apache httpd to accept all requests on
8443 and forward some to Tomcat (Apache httpd would then be the primary web
server), or you could move Apache httpd to a different port and configure
Tomcat as a stand-alone server on 8443, or you could configure Tomcat as a
stand-alone server on a different port.

Does that help, or have I answered the wrong question? :-)

- Peter


RE: Tomcat and SSL

2011-03-02 Thread jvr
Sorry,

But maybe I'm not asking the correct question.

On SSL Configuration HOW-TO of Tomcat documentation:

SSL and Tomcat
It is important to note that configuring Tomcat to take advantage of secure
sockets is usually only necessary when running it as a stand-alone web
server. When running Tomcat primarily as a Servlet/JSP container behind
another web server, such as Apache or Microsoft IIS, it is usually necessary
to configure the primary web server to handle the SSL connections from
users. Typically, this server will negotiate all SSL-related functionality,
then pass on any requests destined for the Tomcat container only after
decrypting those requests. Likewise, Tomcat will return cleartext responses,
that will be encrypted before being returned to the user's browser. In this
environment, Tomcat knows that communications between the primary web server
and the client are taking place over a secure connection (because your
application needs to be able to ask about this), but it does not participate
in the encryption or decryption itself.

I have apache and openssl preinstalled, and have installed tomcat manually
via command line without JK connector. I have to access tomcat servlets/jsp
files across the port configured in the server.xml.

If I use tomcat as a stand-alone web server, I could use:

Tomcat can use two different implementations of SSL:

* the JSSE implementation provided as part of the Java runtime (since
1.4)
* the APR implementation, which uses the OpenSSL engine by default.

My question:

If I'm not using the JK Connector, is it mandatory to configure tomcat as a
stand-alone server?

Or, although I'm not using the JK Connector, could I consider Apache as the
primary web server?

Thank You.
Regards.


-Original Message-
From: Caldarale, Charles R [mailto:chuck.caldar...@unisys.com] 
Sent: Wednesday, 02 March 2011 15:06
To: Tomcat Users List
Subject: RE: Tomcat and SSL

> From: jvr [mailto:jvr...@gmail.com]
> Subject: RE: Tomcat and SSL

> Then I don't have to configure tomcat with SSL Configuration HOW-TO as 
> stand-alone web server

If you're intending to have Tomcat service SSL requests, then you do have to
configure it for such.  Note that the configuration is different if
you're using the APR (native)  for SSL.

 - Chuck





RE: Tomcat and SSL

2011-03-02 Thread Caldarale, Charles R
> From: jvr [mailto:jvr...@gmail.com] 
> Subject: RE: Tomcat and SSL

> Then I don't have to configure tomcat with SSL 
> Configuration HOW-TO as stand-alone web server

If you're intending to have Tomcat service SSL requests, then you do have to 
configure it for such.  Note that the configuration is different if you're 
using the APR (native)  for SSL.

 - Chuck





RE: Tomcat and SSL

2011-03-02 Thread jvr
I make a correction for code written previously:
...
URL urlServlet = new URL("https://www.domain.net:8443/applservlet/greeting");
connection = urlServlet.openConnection();
...

Then I don't have to configure tomcat with SSL Configuration HOW-TO as
stand-alone web server, although I don't use jk connector.
Only correct the 8443 port issue, isn't it?

Thank You.
Regards.

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org] 
Sent: Wednesday, 02 March 2011 12:08
To: Tomcat Users List
Subject: Re: Tomcat and SSL

On 02/03/2011 10:59, jvr wrote:
> If I go to
> http://www. domain.net:4848/applservlet/greeting
> with the browser I could see the servlet.
> 
> But If I go to
> https://www. domain.net:8443/applservlet/greeting
> I'm being redirected to PLESK.

Then there is an issue with your hosting environment. It may not support /
be configured for SSL. You need to contact your hosting provider in the
first instance.

Mark




Re: Tomcat and SSL

2011-03-02 Thread Mark Thomas
On 02/03/2011 10:59, jvr wrote:
> If I go to
> http://www. domain.net:4848/applservlet/greeting
> with the browser I could see the servlet.
> 
> But If I go to 
> https://www. domain.net:8443/applservlet/greeting
> I'm being redirected to PLESK.

Then there is an issue with your hosting environment. It may not support
/ be configured for SSL. You need to contact your hosting provider in
the first instance.

Mark




Tomcat and SSL

2011-03-02 Thread jvr
Hi,

It's my first time using tomcat

I'm trying to make applet-servlet communication via SSL. I can do it via
http but, at the moment of trying via SSL, I'm receiving an IOException:

Couldn't open a URLConnection, error:
https://www.domain.net/applservlet/greeting

I'm connecting to the servlet with:

...
URL urlServlet = new URL("https://www.domain.net/applservlet/greeting");
connection = urlServlet.openConnection();
...

But when I'm using:

...
URL urlServlet = new URL("http://www.domain.net:4848/applservlet/greeting");
connection = urlServlet.openConnection();
...

It works, the connector port at server.xml is set to:


If I go to
http://www. domain.net:4848/applservlet/greeting
with the browser I could see the servlet.

But If I go to
https://www. domain.net:8443/applservlet/greeting
I'm being redirected to PLESK.

I'm not sure if I have to configure tomcat with the SSL Configuration HOW-TO,
because I'm using apache 2.2.x and openssl 0.9.8 and tomcat is not running
with apache with jk connector

I'm starting tomcat manually at this moment then, I'm not sure, to consider
tomcat as stand-alone web server.

Or maybe I have only to configure the server to grant access to tomcat to
8443 port.

Thank You.

Regards.

 

 

 






tomcat and ssl

2009-01-02 Thread daniel steel
hi all,
 one of our customers went live recently with SSL enabled. they are having 
performance issues and on troubleshooting we found  stdout.log growing rapidly.
stdout log contains lot of hexadecimal characters and for each jsp call 
execution it seems to be dumping the handshake + encryption + decryption. etc...
Plaintext before ENCRYPTION:  len = 360

we are not able to figure which flag has turned on for data dump?

thank you
lucy...



  

Re: Tomcat and SSL Certifcates

2008-04-15 Thread Bill Barker
If you really did follow the links, then the easiest is to continue to use 
OpenSSL.  Assuming that you have already set up an OpenSSL CA, then just 
sign the CSR as normal, and send the resulting cert file back to the client. 
They will need to import it into their keystore file (which should be no 
problem, as long as it was the same one that generated the CSR) as well as 
importing your CA cert into their keystore.  After that, your client should 
start trusting you again ;).

"John Gardner" <[EMAIL PROTECTED]> wrote in message 
news:[EMAIL PROTECTED]
> For one of our projects, we have created our own CA for Tomcat using the 
> methods laid out here;
>
> http://users.skynet.be/pascalbotte/art/ca.htm
> http://marc.info/?l=tomcat-user&m=106293430225790&w=2
>
> Now, Tomcat is up and running and serving the site over HTTPS using our 
> certificates and browsers can connect securely.
>
> However, we have another client connecting, which is a SOAP app running on 
> another Tomcat server elsewhere.  They need to connect on HTTPS to our 
> Tomcat server for their encrypted SOAP traffic, but currently their 
> connection is failing as their SOAP client has no certificate in common.
>
> Once they send me their CSR, how do I sign it at my end so that I can then 
> send it back, ready for them to import it at their end?
>
> I know this is probably more of a Java keystore question than Tomcat 
> directly, but I appreciate any help on it.
>
> Thanks
>
> 
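
The signing flow described in the reply above, as an added example that is not part of the thread: a private OpenSSL CA signs a client's CSR, the result is checked against the CA and against the CSR's public key, and, where keytool is installed, the CA certificate and the signed reply are imported back into the keystore that produced the CSR. Every DN, alias, password and file name is a constructed placeholder, and the CA:FALSE/keyUsage extension file is an assumption the thread does not mention.

```shell
#!/bin/sh
# Added example; every DN, alias, password and file name is a constructed placeholder.
set -eu

CA_DN="/CN=Example Private CA"
CLIENT_CN="soap-client.example.test"
STOREPASS="demo-storepass"      # demo only; use a real secret outside a test directory

have_keytool() { keytool -help >/dev/null 2>&1; }

# CA operator, done once: CA private key plus self-signed CA certificate.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "$CA_DN" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

# Client: key pair and CSR. With keytool the private key never leaves the
# keystore; without a JDK the demo falls back to an openssl-generated CSR.
make_csr() {
    if have_keytool; then
        keytool -genkeypair -alias client -keyalg RSA -keysize 2048 \
            -dname "CN=$CLIENT_CN" -keystore "$1/client.ks" \
            -storepass "$STOREPASS" -keypass "$STOREPASS" >/dev/null 2>&1 &&
        keytool -certreq -alias client -keystore "$1/client.ks" \
            -storepass "$STOREPASS" -file "$1/client.csr" >/dev/null 2>&1
    else
        openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CLIENT_CN" \
            -keyout "$1/client.key" -out "$1/client.csr" 2>/dev/null
    fi
}

# CA operator: sign the CSR as an end-entity certificate. The extension file is
# an assumption added here so the issued certificate cannot act as a CA itself.
sign_csr() {
    printf '%s\n' 'basicConstraints=critical,CA:FALSE' \
        'keyUsage=digitalSignature,keyEncipherment' > "$1/leaf.ext"
    openssl x509 -req -in "$1/client.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -sha256 -days 30 -extfile "$1/leaf.ext" \
        -out "$1/client.crt" 2>/dev/null
}

# Checks to run before handing the certificate back to the client.
csr_key_matches_cert() {
    csr_key=$(openssl req -in "$1/client.csr" -noout -pubkey)
    crt_key=$(openssl x509 -in "$1/client.crt" -noout -pubkey)
    [ "$csr_key" = "$crt_key" ]
}
chain_verifies() {
    openssl verify -CAfile "$1/ca.crt" "$1/client.crt" >/dev/null 2>&1
}

# Client: trust the CA first, then import the reply under the alias that
# produced the CSR; keytool refuses a reply it cannot chain to a trusted entry.
import_reply() {
    have_keytool || return 0     # openssl-only run: no keystore to import into
    keytool -importcert -noprompt -trustcacerts -alias example-ca \
        -file "$1/ca.crt" -keystore "$1/client.ks" \
        -storepass "$STOREPASS" >/dev/null 2>&1 &&
    keytool -importcert -noprompt -alias client -file "$1/client.crt" \
        -keystore "$1/client.ks" -storepass "$STOREPASS" >/dev/null 2>&1
}

# Whole flow in an empty working directory ($1).
issue_client_cert() {
    make_ca "$1" && make_csr "$1" && sign_csr "$1" && import_reply "$1"
}

demo_dir=$(mktemp -d)
if issue_client_cert "$demo_dir" && csr_key_matches_cert "$demo_dir" \
        && chain_verifies "$demo_dir"; then
    echo "client.crt matches the CSR key and chains to ca.crt"
fi
rm -rf "$demo_dir"
```

Only `ca.crt` and `client.crt` travel between the two parties; `ca.key` stays with the CA operator and the client's private key stays in the keystore that generated the CSR.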







Tomcat and SSL Certifcates

2008-04-15 Thread John Gardner
For one of our projects, we have created our own CA for Tomcat using the 
methods laid out here;


http://users.skynet.be/pascalbotte/art/ca.htm
http://marc.info/?l=tomcat-user&m=106293430225790&w=2

Now, Tomcat is up and running and serving the site over HTTPS using our 
certificates and browsers can connect securely.


However, we have another client connecting, which is a SOAP app running 
on another Tomcat server elsewhere.  They need to connect on HTTPS to 
our Tomcat server for their encrypted SOAP traffic, but currently their 
connection is failing as their SOAP client has no certificate in common.


Once they send me their CSR, how do I sign it at my end so that I can 
then send it back, ready for them to import it at their end?


I know this is probably more of a Java keystore question than Tomcat 
directly, but I appreciate any help on it.


Thanks




Re: RE Tomcat and SSL

2006-04-14 Thread Franck UB
Hi Klaus,


> coming back to my issue: How can I make sure that my certificate is 
> right for tomcat? Could I attach it at one of these eMails? Or are 
> attachments not allowed?  Could you test it?

I think this could be one solution. Today I am not in office. But you
can send your stuff to [EMAIL PROTECTED] and I take a look at it
on Tuesday. We are working with shibboleth and so certificates are one
of our job. So, I am interested in problems users have to create
certificates or to integrate them in their workspace.

-- Franck



> Would be great.
> 
> Thanks
> Klaus
> 
> 
> Klaus-F. Kaal wrote:
> > Franck,
> >
> > I changed that and restarted Tomcat. No different reading in the logs
> >
> > Klaus
> >
> >
> >
> > Franck Borel wrote:
> >>
> >>> Does that tell you more?
> >>>
> >> Not really. But I think you must augment the debug value to 99:
> >>
> >>  >>debug="99"
> >> />
> >>
> >> Better?
> >>
> >> -- Franck
> >>



Re: RE Tomcat and SSL

2006-04-13 Thread Klaus-F. Kaal

Hi Franck,

coming back to my issue: How can I make sure that my certificate is 
right for tomcat? Could I attach it at one of these eMails? Or are 
attachments not allowed?  Could you test it?


Would be great.

Thanks
Klaus


Klaus-F. Kaal wrote:

Franck,

I changed that and restarted Tomcat. No different reading in the logs

Klaus

Franck Borel wrote:



Does that tell you more?


Not really. But I think you must augment the debug value to 99:



Better?

-- Franck









--

*Klaus-F. Kaal*
Managing Director

*TIMO/logic/ GmbH*
Singener Str. 42d
D-78256 Steisslingen

phone +49 7738 97096
fax +49 7738 97094
web www.timologic.com 
mail [EMAIL PROTECTED] 






Re: RE Tomcat and SSL

2006-04-13 Thread Klaus-F. Kaal

Franck,

I changed that and restarted Tomcat. No different reading in the logs

Klaus

Franck Borel wrote:



Does that tell you more?


Not really. But I think you must augment the debug value to 99:



Better?

-- Franck






Re: RE Tomcat and SSL

2006-04-13 Thread Franck Borel



Does that tell you more?


Not really. But I think you must augment the debug value to 99:



Better?

-- Franck


Re: RE Tomcat and SSL

2006-04-13 Thread Klaus-F. Kaal

Hi Franck,

yes, I am using Java 1.5 ONLY

I fitted in the catalina.sh the statement you suggested. In my opinion, 
it didn't change anything in the log.

This now looks like this:

---
13.04.2006 14:00:14 org.apache.catalina.core.AprLifecycleListener lifecycleEvent
INFO: The Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /opt/wt24/jdk1.5.0_06/jre/lib/i386/client:/opt/wt24/jdk1.5.0_06/jre/lib/i386:/opt/wt24/jdk1.5.0_06/jre/../lib/i386
13.04.2006 14:00:14 org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-80
13.04.2006 14:00:14 org.apache.coyote.http11.Http11BaseProtocol init
SCHWERWIEGEND: Error initializing endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
   at java.security.KeyStore.load(KeyStore.java:1150)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
   at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:138)
   at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
   at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
   at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
13.04.2006 14:00:14 org.apache.catalina.startup.Catalina load
SCHWERWIEGEND: Catalina.start
LifecycleException:  Protocol handler initialization failed: java.io.IOException: Keystore was tampered with, or password was incorrect
   at org.apache.catalina.connector.Connector.initialize(Connector.java:1018)
   at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
   at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:791)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:503)
   at org.apache.catalina.startup.Catalina.load(Catalina.java:523)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
13.04.2006 14:00:14 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2386 ms
13.04.2006 14:00:15 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
13.04.2006 14:00:15 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.16
13.04.2006 14:00:15 org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
13.04.2006 14:00:18 org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-80
13.04.2006 14:00:18 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
   at java.security.KeyStore.load(KeyStore.java:1150)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.ne

Re: RE Tomcat and SSL

2006-04-13 Thread Franck Borel

Another suggestion:
Be sure that you are using only one Java version and that this version 
is > 1.4.1 (there is a known bug with this version if you use it with JSSE).

Another idea is to use the -Djavax.net.debug=all flag. I have never tried this, 
but it should help you to get more information about what your JSSE is 
doing (which keystore and truststore it tries to use):
open /opt/tomcat/bin/catalina.sh and add the following entry, for 
example after the cygwin entry:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.debug=all"

and restart Tomcat

-- Franck



Franck, I suspect that my way of creating the key could be the problem.

Do you have an idea where I could find a "dummy" key for just 
checking, my key is not the problem. It should be a key which is 
already working with tomcat.


Thanks
Klaus





Klaus-F. Kaal wrote:

Yes, Franck, I am "root" when I run key-creation and tomcat...

Franck Borel wrote:

Next suggestion:
Did you make the key as root? And do you start Tomcat as root?

-- Franck

Yes, in testphase, I do all pw's in low-cases...

Franck Borel wrote:

Hi Klaus,


Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate 
that!



Thanks.
But... I am running out of ideas. Regarding the password: 
presently, I am using "changeit" for everything (just to get in 
running), but I still have no success.

Yesterday, I sent another eMail explaining, what I am doing.



Could you please have a look at it and tell me your judgement? 
And what I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 


 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS"
 keystorePass="secret"
 debug="0"
 keystoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/.keystore"
 truststoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/cacerts"
 truststorePass="password as used in key-creation"
 />
- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Ok.
First suggestion: Passwords are case sensitive. Did you consider this?

-- Franck


 












--

Dipl.-Hyd. Franck Borel   Universitaetsbibliothek Freiburg
EMail: [EMAIL PROTECTED]   EDV-Dezernat
Tel. : +49-761 / 203-3908 Werthmannplatz 2 | Postfach 1629
Fax  : +49-761 / 203-3987 79098 Freiburg   | 79016 Freiburg



Re: RE Tomcat and SSL

2006-04-13 Thread Klaus-F. Kaal

Franck, I suspect that my way of creating the key could be the problem.

Do you have an idea where I could find a "dummy" key for just checking, 
my key is not the problem. It should be a key which is already working 
with tomcat.


Thanks
Klaus





Klaus-F. Kaal wrote:

Yes, Franck, I am "root" when I run key-creation and tomcat...

Franck Borel wrote:

Next suggestion:
Did you make the key as root? And do you start Tomcat as root?

-- Franck

Yes, in testphase, I do all pw's in low-cases...

Franck Borel wrote:

Hi Klaus,


Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate that!


Thanks.
But... I am running out of ideas. Regarding the password: 
presently, I am using "changeit" for everything (just to get in 
running), but I still have no success.

Yesterday, I sent another eMail explaining, what I am doing.



Could you please have a look at it and tell me your judgement? And 
what I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 


 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS"
 keystorePass="secret"
 debug="0"
 keystoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/.keystore"
 truststoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/cacerts"
 truststorePass="password as used in key-creation"
 />
- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Ok.
First suggestion: Passwords are case sensitive. Did you consider this?

-- Franck


 






Re: RE Tomcat and SSL

2006-04-13 Thread Klaus-F. Kaal

Yes, Franck, I am "root" when I run key-creation and tomcat...

Franck Borel wrote:

Next suggestion:
Did you make the key as root? And do you start Tomcat as root?

-- Franck

Yes, in testphase, I do all pw's in low-cases...

Franck Borel wrote:

Hi Klaus,


Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate that!


Thanks.
But... I am running out of ideas. Regarding the password: 
presently, I am using "changeit" for everything (just to get in 
running), but I still have no success.

Yesterday, I sent another eMail explaining, what I am doing.



Could you please have a look at it and tell me your judgement? And 
what I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 


 maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
 enableLookups="false" disableUploadTimeout="true"
 acceptCount="100" scheme="https" secure="true"
 clientAuth="false" sslProtocol="TLS"
 keystorePass="secret"
 debug="0"
 keystoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/.keystore"
 truststoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/cacerts"
 truststorePass="password as used in key-creation"
 />
- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Ok.
First suggestion: Passwords are case sensitive. Did you consider this?

-- Franck


 






Re: RE Tomcat and SSL

2006-04-13 Thread Franck Borel

Next suggestion:
Did you make the key as root? And do you start Tomcat as root?

-- Franck

Yes, in testphase, I do all pw's in low-cases...




Franck Borel wrote:

Hi Klaus,


Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate that!


Thanks.
But... I am running out of ideas. Regarding the password: presently, 
I am using "changeit" for everything (just to get in running), but I 
still have no success.

Yesterday, I sent another eMail explaining, what I am doing.



Could you please have a look at it and tell me your judgement? And 
what I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 


 
 keystoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/.keystore"
 truststoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/cacerts"
 truststorePass="password as used in key-creation"
 />
- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Ok.
First suggestion: Passwords are case sensitive. Did you consider this?

-- Franck





Re: RE Tomcat and SSL

2006-04-13 Thread Klaus-F. Kaal

Yes, in testphase, I do all pw's in low-cases...




Franck Borel wrote:

Hi Klaus,


Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate that!


Thanks.
But... I am running out of ideas. Regarding the password: presently, 
I am using "changeit" for everything (just to get in running), but I 
still have no success.

Yesterday, I sent another eMail explaining, what I am doing.



Could you please have a look at it and tell me your judgement? And 
what I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 


 
 keystoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/.keystore"
 truststoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/cacerts"
 truststorePass="password as used in key-creation"
 />
- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Ok.
First suggestion: Passwords are case sensitive. Did you consider this?

-- Franck







Re: RE Tomcat and SSL

2006-04-13 Thread Franck Borel

Hi Klaus,


Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate that!


Thanks.
But... I am running out of ideas. Regarding the password: presently, I 
am using "changeit" for everything (just to get in running), but I 
still have no success.

Yesterday, I sent another eMail explaining, what I am doing.



Could you please have a look at it and tell me your judgement? And 
what I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import \
    -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt \
    -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 



- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect

Ok.
First suggestion: Passwords are case sensitive. Did you consider this?

-- Franck



Re: RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal

Good Morning Franck,

yesterday, you did a great job, trying to help me. I appreciate that!

But... I am running out of ideas. Regarding the password: presently, I 
am using "changeit" for everything (just to get it running), but I still 
have no success.

Yesterday, I sent another eMail explaining what I am doing.

Could you please have a look at it and tell me your judgement? And what 
I could try additionally?

You would really help a man in trouble.

Thank you very much.
Klaus

This is what I do:



CREATE KEY:
-- 



../../java/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
-- 



SERVER.XML looks like this:
-- 



- 



When I START TOMCAT, the log shows:
 


INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
  at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
  at java.security.KeyStore.load(KeyStore.java:1150)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
  at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
  at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
  at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
  at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
  at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
  at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
  at org.apache.catalina.connector.Connector.start(Connector.java:1089)
  at org.apache.catalina.core.StandardService.start(StandardService.java:459)
  at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
  at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 19:43:55 org.apache.catalina.startup.Catalina start
SCHWERWIEGEND: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Keystore was tampered with, or password was incorrect
  at org.apache.catalina.connector.Connector.start(Connector.java:1096)
  at org.apache.catalina.core.StandardService.start(StandardService.java:459)
  at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
  at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
  at java.lang.reflect.Method.invoke(Method.java:585)
  at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 19:43:55 org.apache.catalina.startup.Catalina start
INFO: Server startup in 4215 ms
 






Franck Borel wrote:

Hi Klaus,
Hi Franck, still tomcat moans that the keystore was tampered or 
password was incorrect.


I am not sure about the password. With all quest

Re: RE Tomcat and SSL

2006-04-12 Thread Franck Borel

Hi Klaus,
Hi Franck, still tomcat moans that the keystore was tampered or 
password was incorrect.


I am not sure about the password. With all questions, I gave my own 
and always the same. Was that correct?


Yes, use your own password. 'Changeit' is only an example which is 
principally used for tests.

Don't give up!

-- Franck

Klaus




Franck Borel wrote:


Sorry to disturb you again, but all the entries in my server.xml do 
not seem to be the problem.


*At present, TOMCAT states, that my .keystore was tampered or my 
password was incorrect.*


But I did everything over and over again, and right!

My trouble is that there are lots of descriptions of how to produce 
keys and certificates. One describes the signing of a key, the other 
describes how to write a keystore. But all of them do not really fit 
together. Is there any step-by-step document for the full process?


I found a script which looks like:

-- 


openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


To get the keystore, I added:
java/bin/keytool -import -keystore /root/.keystore -file server.crt -alias wt24ca
-- 



Do I need the keystore, or can I go with the server.key and server.crt?




Please help, I am working around and around ...

Klaus


Ok, Klaus. I think the problem is that Tomcat doesn't accept your 
openssl crt.  Tomcat operates only with JKS or PKCS12 (--> OpenSSL) 
format keystores and there are some limitations on the support for 
PKCS12. So, try this:


1) keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/bin/.keystore --> creates key
2) keytool -export -alias tomcat -file tomcat-server.crt -keystore /opt/tomcat/bin/.keystore --> creates certificate and signs it with your key
3) keytool -import -file tomcat-server.crt -keystore /opt/tomcat/conf/cacerts --> creates a Keystore cacerts and adds your certificate


Now, edit your server.xml:



This should work.

-- Franck








Franck Borel wrote:

Hi Klaus,

Hi Franck,

thank you for your hint. But I am not sure, which parameter is 
which file.


To make things clear, here my procedure:

 

> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095


> openssl genrsa -out ./key.pem 512 -days 1095

> openssl req -new -key ./key.pem -out ./req.pem -days 1095

> openssl ca -in ./req.pem -out ./cert.pem  -days 1095




> chown -R root:root ./cert
> chmod -R 700 ./cert

then I cleaned cert.pem by hand (take out text before "---BEGIN 
CERTIFICATE---")


The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca
-- 



Setting up SSL is described in different documents so differently, 
that it is hard to be sure of what to do. The above, I extracted 
from several descriptions.


Could you please tell me, which file from the above is used in 
server.xml?


You made a mix with two different tools (openssl and Java Keytool). 
I don't know if this is working. Anyway, here is an example of the 
element Connector with your values:



Don't forget to edit your /webapps/web.xml:


   ...
   
  CONFIDENTIAL
   

-- Franck



 









--

Dipl.-Hyd. Franck Borel   Universitaetsbibliothek Freiburg
EMail: [EMAIL PROTECTED]   EDV-Dezernat
Tel. : +49-761 / 203-3908 Werthmannplatz 2 | Postfach 1629
Fax  : +49-761 / 203-3987 79098 Freiburg   | 79016 Freiburg



Re: RE Tomcat and SSL

2006-04-12 Thread Min Huang

Awesome.  I had spent like 3 hours fiddling with Tomcat and SSL.
I followed the directions at 
http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html,

but it turns out if you include the className attribute, you'll
get an InvocationTargetException and Tomcat will fail to start =(

So make sure you leave that part out like Franck has to prevent
hair pulling.

Franck Borel wrote:



Hi,

I solved that problem. Now running in a new one:

I have changed the file server.xml and set port 8080 to 80.

I uncommented the SSL section and configured the port to 443. Now I 
expect Tomcat to run on port 80 (what it does), and that, when I call 
the same URL with "https", that it calls  the same page with that 
security.

But with https it states that it cannot open the page.

Your connector must look like this:

clientAuth="false" sslProtocol="TLS" keystoreFile="conf/.keystore" 
keystorePass="secret" truststoreFile="conf/cacerts"/>



-- Franck








Re: RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal

Hi,

thank you very much for all your efforts, but it still doesn't work.

That is what I do:

CREATE KEY:
--

../../java/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts


In this process, I use the same password for all
--

SERVER.XML looks like this:
--

-

When I START TOMCAT, the log shows:

INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
   at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
   at java.security.KeyStore.load(KeyStore.java:1150)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
   at org.apache.catalina.connector.Connector.start(Connector.java:1089)
   at org.apache.catalina.core.StandardService.start(StandardService.java:459)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 19:43:55 org.apache.catalina.startup.Catalina start
SCHWERWIEGEND: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.IOException: Keystore was tampered with, or password was incorrect
   at org.apache.catalina.connector.Connector.start(Connector.java:1096)
   at org.apache.catalina.core.StandardService.start(StandardService.java:459)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 19:43:55 org.apache.catalina.startup.Catalina start
INFO: Server startup in 4215 ms


I need to find the reason for my problems.

Please help!

Thanks
Klaus






[EMAIL PROTECTED] wrote:
"Klaus-F. Kaal" <[EMAIL PROTECTED]> wrote on 04/12/2006 11:11:16 AM:

Hi Franck, still tomcat moans that the keystore was tampered or password 
was incorrect.

I am not sure about the password. With all questions, I gave my own and 
always the same. Was that correct?


Klaus




Franck Borel wrote:


...
  

Ok, Klaus. I think the problem is that Tomcat doesn't accept your 
openssl crt.  Tomcat operates only with JKS or PKCS12 (--> OpenSSL) 
format keystores and th

Re: RE Tomcat and SSL

2006-04-12 Thread tschaeffer
"Klaus-F. Kaal" <[EMAIL PROTECTED]> wrote on 04/12/2006 11:11:16 AM:

> Hi Franck, still tomcat moans that the keystore was tampered or password 
> was incorrect.
> 
> I am not sure about the password. With all questions, I gave my own and 
> always the same. Was that correct?
> 
> Klaus
> 
> 
> 
> 
> Franck Borel wrote:
> >
...
> >>
> >>
> > Ok, Klaus. I think the problem is that Tomcat doesn't accept your 
> > openssl crt.  Tomcat operates only with JKS or PKCS12 (--> OpenSSL) 
> > format keystores and there are some limitations on the support for 
> > PKCS12. So, try this:
> >
> > 1) keytool -genkey -alias tomcat -keyalg RSA -keystore 
> > /opt/tomcat/bin/.keystore --> creates key
> > 2) keytool -export -alias tomcat -file tomcat-server.crt -keystore 
> > /opt/tomcat/bin/.keystore --> creates certificate and signs it with 
> > your key
> > 3) keytool -import -file tomcat-server.crt -keystore 
> > /opt/tomcat/conf/cacerts --> creates a Keystore cacerts and adds your 
> > certificate
> >
> > Now, edit your server.xml:
> >
> >  >maxThreads="150"
> >minSpareThreads="25"
> >maxSpareThreads="75"
> >enableLookup="false"
> >acceptCount="100"
> >debug="0"
> >scheme="https"
> >secure="true"
> >clientAuth="false"
> >sslProtocol="TLS"
> >keystoreFile = "conf/.keystore"
> >keystorePass = "secret"
> >truststoreFile = "conf/cacerts"/>
> >
> > This should work.
> >
> > -- Franck
> >


Klaus,

I just solved a similar problem (I described it in a message in this 
forum: Tomcat on AIX, IBM's JVM.  Was Re: [OT] AIX filtering Explorer?). I 
did everything Franck suggested with no luck. I added the full path to the 
(key|trust)storeFile parameters and it worked.  I'll experiment to find a 
precise cause of the problem.  I have symbolic links in my path to the 
tomcat distribution, which may cause a problem.


BTW I think Franck's instructions should have been either 

> > 1) keytool -genkey -alias tomcat -keyalg RSA -keystore 
> > /opt/tomcat/conf/.keystore --> creates key

or 

> >keystoreFile = "bin/.keystore"

and probably he meant the former.

Tim S
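
A preflight check for the three failure modes seen in this thread (file not where Tomcat looks for it, openssl PEM output used where a keystore is expected, store password rejected), added here as an example and not part of any poster's message. The function names, exit codes and the fallback to `CATALINA_BASE` for relative paths are assumptions of this example.

```shell
#!/bin/sh
# Preflight check for the file named in keystoreFile / truststoreFile.
# Added example: function names and exit codes are this example's own.

# Absolute paths are used as-is; relative ones are resolved against the
# Tomcat base directory (assumption: CATALINA_BASE, as for conf/.keystore).
resolve_store_path() {
    case $1 in
        /*) printf '%s\n' "$1" ;;
        *)  printf '%s/%s\n' "${2:-${CATALINA_BASE:-.}}" "$1" ;;
    esac
}

# Classify a file by content: jks, jceks, der, pem, missing, empty, unknown.
store_kind() {
    [ -f "$1" ] || { echo missing; return 0; }
    [ -s "$1" ] || { echo empty; return 0; }
    magic=$(od -An -tx1 -N4 "$1" | tr -d ' \n')
    case $magic in
        feedfeed) echo jks ;;      # JKS magic number FE ED FE ED
        cececece) echo jceks ;;    # JCEKS magic number CE CE CE CE
        *)  if grep -q -- '-----BEGIN ' "$1"; then
                echo pem           # openssl text output, not a keystore
            else
                case $magic in
                    30*) echo der ;;     # ASN.1 SEQUENCE: PKCS12 or a DER cert
                    *)   echo unknown ;;
                esac
            fi ;;
    esac
}

# Usage: check_store KEYSTOREFILE [STOREPASS] [BASEDIR]
# Returns 0 (ok or keytool unavailable), 2 (missing/empty),
# 3 (not a keystore format), 5 (keytool could not open the store).
check_store() {
    store=$(resolve_store_path "$1" "$3")
    kind=$(store_kind "$store")
    case $kind in
        missing|empty)
            echo "FAIL $store: $kind"
            return 2 ;;
        pem|unknown)
            echo "FAIL $store: $kind, not a JKS or PKCS12 keystore"
            return 3 ;;
        jceks) type=JCEKS ;;
        der)   type=PKCS12 ;;
        *)     type=JKS ;;
    esac
    command -v keytool >/dev/null 2>&1 || {
        echo "SKIP $store: looks like $type, keytool not on PATH"
        return 0
    }
    # A JKS file is protected by a digest keyed with the store password, so a
    # wrong password and a damaged file fail the same way ("tampered with, or
    # password was incorrect"). -storepass:env keeps the password out of ps.
    if STOREPASS=${2:-changeit} keytool -list -keystore "$store" \
            -storetype "$type" -storepass:env STOREPASS >/dev/null 2>&1; then
        echo "OK $store: $type store opens with this password"
    else
        echo "FAIL $store: keytool could not open it as $type with this password"
        return 5
    fi
}

# Stand-alone use: sh preflight.sh conf/.keystore secret /opt/tomcat
[ "$#" -eq 0 ] || check_store "$@"
```

Run it as the same user and with the same base directory as Tomcat, so that a relative `keystoreFile` and any symbolic links in the path resolve the way they do for the server.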




Re: RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal
Hi Franck, still tomcat moans that the keystore was tampered or password 
was incorrect.


I am not sure about the password. With all questions, I gave my own and 
always the same. Was that correct?


Klaus




Franck Borel wrote:


Sorry to disturb you again, but all the entries in my server.xml do 
not seem to be the problem.


*At present, TOMCAT states, that my .keystore was tampered or my 
password was incorrect.*


But I did everything over and over again, and right!

My trouble is that there are lots of descriptions of how to produce 
keys and certificates. One describes the signing of a key, the other 
describes how to write a keystore. But all of them do not really fit 
together. Is there any step-by-step document for the full process?


I found a script which looks like:

-- 


openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


To get the keystore, I added:
java/bin/keytool -import -keystore /root/.keystore -file server.crt -alias wt24ca
-- 



Do I need the keystore, or can I go with the server.key and server.crt?




Please help, I am working around and around ...

Klaus


Ok, Klaus. I think the problem is that Tomcat doesn't accept your 
openssl crt.  Tomcat operates only with JKS or PKCS12 (--> OpenSSL) 
format keystores and there are some limitations on the support for 
PKCS12. So, try this:


1) keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/bin/.keystore --> creates key
2) keytool -export -alias tomcat -file tomcat-server.crt -keystore /opt/tomcat/bin/.keystore --> creates certificate and signs it with your key
3) keytool -import -file tomcat-server.crt -keystore /opt/tomcat/conf/cacerts --> creates a Keystore cacerts and adds your certificate


Now, edit your server.xml:



This should work.

-- Franck








Franck Borel wrote:

Hi Klaus,

Hi Franck,

thank you for your hint. But I am not sure, which parameter is 
which file.


To make things clear, here my procedure:

 

> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095


> openssl genrsa -out ./key.pem 512 -days 1095

> openssl req -new -key ./key.pem -out ./req.pem -days 1095

> openssl ca -in ./req.pem -out ./cert.pem  -days 1095




> chown -R root:root ./cert
> chmod -R 700 ./cert

then I cleaned cert.pem by hand (take out text before "---BEGIN 
CERTIFICATE---")


The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca

--

Setting up SSL is described in different documents so differently, 
that it is hard to be sure of what to do. The above, I extracted 
from several descriptions.


Could you please tell me, which file from the above is used in 
server.xml?


You made a mix with two different tools (openssl and Java Keytool). I 
don't know if this is working. Anyway, here is an example of the 
element Connector with your values:



Don't forget to edit your /webapps/web.xml:


   ...
   
  CONFIDENTIAL
   

-- Franck



 









Re: RE Tomcat and SSL

2006-04-12 Thread Franck Borel


Sorry to disturb you again, but all the entries in my server.xml do 
not seem to be the problem.


*At present, TOMCAT states, that my .keystore was tampered or my 
password was incorrect.*


But I did everything over and over again, and right!

My trouble is that there are lots of descriptions of how to produce 
keys and certificates. One describes the signing of a key, the other 
describes how to write a keystore. But all of them do not really fit 
together. Is there any step-by-step document for the full process?


I found a script which looks like:

-- 


openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


To get the keystore, I added:
java/bin/keytool -import -keystore /root/.keystore -file server.crt -alias wt24ca
-- 



Do I need the keystore, or can I go with the server.key and server.crt?




Please help, I am working around and around ...

Klaus


Ok, Klaus. I think the problem is that Tomcat doesn't accept your openssl 
crt.  Tomcat operates only with JKS or PKCS12 (--> OpenSSL) format 
keystores and there are some limitations on the support for PKCS12. So, 
try this:


1) keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/bin/.keystore --> creates key
2) keytool -export -alias tomcat -file tomcat-server.crt -keystore /opt/tomcat/bin/.keystore --> creates certificate and signs it with your key
3) keytool -import -file tomcat-server.crt -keystore /opt/tomcat/conf/cacerts --> creates a Keystore cacerts and adds your certificate


Now, edit your server.xml:



This should work.

-- Franck








Franck Borel wrote:

Hi Klaus,

Hi Franck,

thank you for your hint. But I am not sure, which parameter is which 
file.


To make things clear, here my procedure:

 

> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095


> openssl genrsa -out ./key.pem 512 -days 1095

> openssl req -new -key ./key.pem -out ./req.pem -days 1095

> openssl ca -in ./req.pem -out ./cert.pem  -days 1095




> chown -R root:root ./cert
> chmod -R 700 ./cert

then I cleaned cert.pem by hand (take out text before "---BEGIN 
CERTIFICATE---")


The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca

--

Setting up SSL is described in different documents so differently, that 
it is hard to be sure of what to do. The above, I extracted from 
several descriptions.


Could you please tell me, which file from the above is used in 
server.xml?


You made a mix with two different tools (openssl and Java Keytool). I 
don't know if this is working. Anyway, here is an example of the 
element Connector with your values:



Don't forget to edit your /webapps/web.xml:


   ...
   
  CONFIDENTIAL
   

-- Franck











--

Dipl.-Hyd. Franck Borel   Universitaetsbibliothek Freiburg
EMail: [EMAIL PROTECTED]   EDV-Dezernat
Tel. : +49-761 / 203-3908 Werthmannplatz 2 | Postfach 1629
Fax  : +49-761 / 203-3987 79098 Freiburg   | 79016 Freiburg



Re: RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal
Sorry to disturb you again, but all the entries in my server.xml do not 
seem to be the problem.


*At present, TOMCAT states, that my .keystore was tampered or my 
password was incorrect.*


But I did everything over and over again, and right!

My trouble is that there are lots of descriptions of how to produce keys 
and certificates. One describes the signing of a key, the other describes 
how to write a keystore. But all of them do not really fit together. Is 
there any step-by-step document for the full process?


I found a script which looks like:

--
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365


To get the keystore, I added:
java/bin/keytool -import -keystore /root/.keystore -file server.crt -alias wt24ca

--

Do I need the keystore, or can I go with the server.key and server.crt?

Please help, I am working around and around ...

Klaus




Franck Borel wrote:

Hi Klaus,

Hi Franck,

thank you for your hint. But I am not sure, which parameter is which 
file.


To make things clear, here my procedure:


> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095


> openssl genrsa -out ./key.pem 512 -days 1095

> openssl req -new -key ./key.pem -out ./req.pem -days 1095

> openssl ca -in ./req.pem -out ./cert.pem  -days 1095




> chown -R root:root ./cert
> chmod -R 700 ./cert

then I cleaned cert.pem by hand (take out text before "---BEGIN 
CERTIFICATE---")


The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca

--

Setting up SSL is described in different documents so differently, that 
it is hard to be sure of what to do. The above, I extracted from 
several descriptions.


Could you please tell me, which file from the above is used in 
server.xml?


You made a mix with two different tools (openssl and Java Keytool). I 
don't know if this is working. Anyway, here is an example of the 
element Connector with your values:



Don't forget to edit your /webapps/web.xml:


   ...
   
  CONFIDENTIAL
   

-- Franck











Re: RE Tomcat and SSL

2006-04-12 Thread Franck Borel

Hi Klaus,

Hi Franck,

thank you for your hint. But I am not sure, which parameter is which 
file.


To make things clear, here my procedure:


> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095


> openssl genrsa -out ./key.pem 512 -days 1095

> openssl req -new -key ./key.pem -out ./req.pem -days 1095

> openssl ca -in ./req.pem -out ./cert.pem  -days 1095




> chown -R root:root ./cert
> chmod -R 700 ./cert

then I cleaned cert.pem by hand (take out text before "---BEGIN 
CERTIFICATE---")


The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca

--

Setting up SSL is described in different documents so differently, that 
it is hard to be sure of what to do. The above, I extracted from 
several descriptions.


Could you please tell me, which file from the above is used in 
server.xml?


You made a mix with two different tools (openssl and Java Keytool). I 
don't know if this is working. Anyway, here is an example of the element 
Connector with your values:



Don't forget to edit your /webapps/web.xml:


   ...
   
  CONFIDENTIAL
   

-- Franck




Re: RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal

Hi Franck,

thank you for your hint. But I am not sure, which parameter is which file.

To make things clear, here my procedure:


> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095


> openssl genrsa -out ./key.pem 512 -days 1095

> openssl req -new -key ./key.pem -out ./req.pem -days 1095

> openssl ca -in ./req.pem -out ./cert.pem  -days 1095

> chown -R root:root ./cert
> chmod -R 700 ./cert

then I cleaned cert.pem by hand (take out text before "---BEGIN 
CERTIFICATE---")


The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca

--

Setting up SSL is described in different documents so differently, that it 
is hard to be sure of what to do. The above, I extracted from several 
descriptions.


Could you please tell me, which file from the above is used in server.xml?

Thanks a lot

Klaus





Franck Borel wrote:



Hi,

I solved that problem. Now running in a new one:

I have changed the file server.xml and set port 8080 to 80.

I uncommented the SSL section and configured the port to 443. Now I 
expect Tomcat to run on port 80 (what it does), and that, when I call 
the same URL with "https", that it calls  the same page with that 
security.

But with https it states that it cannot open the page.

Your connector must look like this:

clientAuth="false" sslProtocol="TLS" keystoreFile="conf/.keystore" 
keystorePass="secret" truststoreFile="conf/cacerts"/>



-- Franck










Re: RE Tomcat and SSL

2006-04-12 Thread Franck Borel



Hi,

I solved that problem. Now running in a new one:

I have changed the file server.xml and set port 8080 to 80.

I uncommented the SSL section and configured the port to 443. Now I 
expect Tomcat to run on port 80 (what it does), and that, when I call 
the same URL with "https", that it calls  the same page with that 
security.

But with https it states that it cannot open the page.

Your connector must look like this:

clientAuth="false" sslProtocol="TLS" keystoreFile="conf/.keystore" 
keystorePass="secret" truststoreFile="conf/cacerts"/>



-- Franck



Re: RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal

Hi,

I solved that problem. Now running in a new one:

I have changed the file server.xml and set port 8080 to 80.

I uncommented the SSL section and configured the port to 443. Now I 
expect Tomcat to run on port 80 (what it does), and that, when I call 
the same URL with "https", that it calls  the same page with that security.

But with https it states that it cannot open the page.
If I call the URL like this: http://myserver:443, it delivers an empty 
page with some squares drawn on it (non-printable chars).


Who can help me?

Thanks
Klaus







Klaus-F. Kaal wrote:

Thanks, I now created a keystore for TOMCAT.

But still, when I start TOMCAT, I get the message:

--
SCHWERWIEGEND: Error starting endpoint
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
    at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
    at org.apache.catalina.connector.Connector.start(Connector.java:1089)
    at org.apache.catalina.core.StandardService.start(StandardService.java:459)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 12:02:36 org.apache.catalina.startup.Catalina start
SCHWERWIEGEND: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.FileNotFoundException: /root/.keystore (No such file or directory)
    at org.apache.catalina.connector.Connector.start(Connector.java:1096)
    at org.apache.catalina.core.StandardService.start(StandardService.java:459)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 12:02:36 org.apache.catalina.startup.Catalina start

---

Do I need to name the keystore, or so?

Thanks
Klaus









- 8< 


maybe "changeit" !




 "Klaus-F. Kaal"
 <[EMAIL PROTECTED]
 
ogic.com>   A

   users@tomcat.apache.org
 12/04/2006 
11:54   cc


     
Objet

     Veuillez répondre Tomcat and SSL
 à
   "Tomcat Users
   List"
 <[EMAIL PROTECTED]
 che.org>






Hi,

I am trying to convice TOMCAT to work on SSL.
I use openSSL according to the descriptions on
page:
http://wiki.apache.org/tomcat/HowTo#head-dda58b28679259196562da84ad73d7b35b41c5c2 




No, I have a cetificate and try to generate a keystore.

My trouble: This steps asks for a password. All my passwords (from the
create-certificate process) do not work.

RE RE Tomcat and SSL

2006-04-12 Thread Denis . COCHET
You should insert your certificate in the cacerts keystore of your jdk.



   

   

RE Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal

Thanks, I now created a keystore for TOMCAT.

But still, when I start TOMCAT, I get the message:

--
SCHWERWIEGEND: Error starting endpoint
java.io.FileNotFoundException: /root/.keystore (No such file or directory)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
    at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
    at org.apache.catalina.connector.Connector.start(Connector.java:1089)
    at org.apache.catalina.core.StandardService.start(StandardService.java:459)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 12:02:36 org.apache.catalina.startup.Catalina start
SCHWERWIEGEND: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.io.FileNotFoundException: /root/.keystore (No such file or directory)
    at org.apache.catalina.connector.Connector.start(Connector.java:1096)
    at org.apache.catalina.core.StandardService.start(StandardService.java:459)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 12:02:36 org.apache.catalina.startup.Catalina start

---

Do I need to name the keystore, or so?

Thanks
Klaus










-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







RE Tomcat and SSL

2006-04-12 Thread Denis . COCHET
maybe "changeit" !



   

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]







Tomcat and SSL

2006-04-12 Thread Klaus-F. Kaal

Hi,

I am trying to convince TOMCAT to work on SSL.
I use openSSL according to the descriptions on
page: http://wiki.apache.org/tomcat/HowTo#head-dda58b28679259196562da84ad73d7b35b41c5c2


Now, I have a certificate and try to generate a keystore.

My trouble: This step asks for a password. All my passwords (from the
create-certificate process) do not work.


Can anybody tell me what password is needed here?

Thanks
Klaus

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: problem with tomcat and SSL

2006-01-17 Thread Jack
I have posted the solution for this; its title: "solution for ssl on tomcat",
dated 2005.12.30

You should have found it if you had spent a little bit of effort to search for
the answer.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



problem with tomcat and SSL

2006-01-12 Thread Iosev Perez Rivero
I managed to configure the SSL protocol with Tomcat, BUT when I use this URL:
https://localhost:8443 in the browser, it takes a very long time and in the
end it does not load the Tomcat home page.

What can I do?

Iósev Pérez Rivero

4th-year student

Universidad de las Ciencias Informáticas