Re: Rép. : SSL question
If you want to use javax.net.ssl you must have Tomcat in a version greater than or equal to 5.

> [EMAIL PROTECTED] 04/10/2005 18:28:59
>
> Hi, thanks! I've got my own TrustManager/HostnameVerifier and it works when I use Apache's SecureWebServer and SecureXmlRpcClient. I'm not using javax.net.ssl, but instead com.sun.net.ssl - I couldn't make it work with javax.net.ssl. Is the code below necessary for the servlet as well? I thought Tomcat has got all the information about trusted certificates in its keystore.
>
> --- Antony GUILLOTEAU [EMAIL PROTECTED] wrote:
>
> > Many articles talk about how to access https using a Java client through HttpsURLConnection. You must use:
> > - your own TrustManager (implements javax.net.ssl.X509TrustManager)
> > - your own KeyManager (implements javax.net.ssl.X509KeyManager)
> > - your own HostnameVerifier (implements javax.net.ssl.HostnameVerifier)
> > and use the following code:
> >
> >     TrustManager[] objTrustManager = new TrustManager[] {new MyX509TrustManager()};
> >     KeyManager[] objKeyManager = new KeyManager[] {new MyX509KeyManager()};
> >     SSLContext sc = SSLContext.getInstance("SSL");
> >     sc.init(objKeyManager, objTrustManager, new SecureRandom());
> >     SSLSocketFactory objSocketFactory = sc.getSocketFactory();
> >     HttpsURLConnection.setDefaultSSLSocketFactory(objSocketFactory);
> >     HttpsURLConnection.setDefaultHostnameVerifier(new MyHostnameVerifier());
> >     ...
> >     URL objUrl = new URL(...);
> >     HttpsURLConnection objHttpsURLConnection = (javax.net.ssl.HttpsURLConnection) objUrl.openConnection();
> >
> > I hope it helps you.
> >
> > [EMAIL PROTECTED] 04/10/2005 17:54:30
> >
> > > Hi
> > > I've got a servlet which works fine when using http. But when I want to access it through https I get a "certificate unknown" exception. Why does https://localhost:8443 work in a browser but accessing my servlet (with a Java client) not? Do I need to make my servlet SSL aware? Using another secure webserver works with my client.
> > > Hope someone can help. Thanks!
> > >
> > > ___
> > > To help you stay safe and secure online, we've developed the all new Yahoo! Security Centre. http://uk.security.yahoo.com

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: SSL question
Hi

Not exactly sure what you mean. Could you send me a snippet of your web.xml? That would be very nice. Thanks!

Greetings from Vienna

--- Yassine ELassad [EMAIL PROTECTED] wrote:

> hi
> I'm not sure if this will help you, but I have had a quite similar issue: I have passed a full URL as a param value in my web.xml, something like http://localhost:8080/MyServlet. Both http and :8080 are specifying a different port number than the ssl port, so if you are performing such a call you had better change it into /MyServlet/ and the servlet container handles everything else for you.
> I hope this helps
> Greetings from Cologne
> YEL
>
> directBOX Reply
> --- From: RaueberHotzenplotz ([EMAIL PROTECTED])
> To: tomcat-user@jakarta.apache.org
> Date: 04.10.2005 17:55:03
>
> > Hi
> > I've got a servlet which works fine when using http. But when I want to access it through https I get a "certificate unknown" exception. Why does https://localhost:8443 work in a browser but accessing my servlet (with a Java client) not? Do I need to make my servlet SSL aware? Using another secure webserver works with my client.
> > Hope someone can help. Thanks!
SSL question
Hi

I've got a servlet which works fine when using http. But when I want to access it through https I get a "certificate unknown" exception. Why does https://localhost:8443 work in a browser but accessing my servlet (with a Java client) not? Do I need to make my servlet SSL aware? Using another secure webserver works with my client.

Hope someone can help. Thanks!
Re: SSL question
hi

I'm not sure if this will help you, but I have had a quite similar issue: I have passed a full URL as a param value in my web.xml, something like http://localhost:8080/MyServlet. Both http and :8080 are specifying a different port number than the ssl port, so if you are performing such a call you had better change it into /MyServlet/ and the servlet container handles everything else for you.

I hope this helps

Greetings from Cologne
YEL

directBOX Reply
--- From: RaueberHotzenplotz ([EMAIL PROTECTED])
To: tomcat-user@jakarta.apache.org
Date: 04.10.2005 17:55:03

> Hi
> I've got a servlet which works fine when using http. But when I want to access it through https I get a "certificate unknown" exception. Why does https://localhost:8443 work in a browser but accessing my servlet (with a Java client) not? Do I need to make my servlet SSL aware? Using another secure webserver works with my client.
> Hope someone can help. Thanks!
Rép. : SSL question
Many articles talk about how to access https using a Java client through HttpsURLConnection. You must use:
- your own TrustManager (implements javax.net.ssl.X509TrustManager)
- your own KeyManager (implements javax.net.ssl.X509KeyManager)
- your own HostnameVerifier (implements javax.net.ssl.HostnameVerifier)
and use the following code:

    import java.net.URL;
    import java.security.SecureRandom;
    import javax.net.ssl.HttpsURLConnection;
    import javax.net.ssl.KeyManager;
    import javax.net.ssl.SSLContext;
    import javax.net.ssl.SSLSocketFactory;
    import javax.net.ssl.TrustManager;

    // MyX509TrustManager, MyX509KeyManager and MyHostnameVerifier are the
    // three classes you write yourself, as listed above.
    TrustManager[] objTrustManager = new TrustManager[] {new MyX509TrustManager()};
    KeyManager[] objKeyManager = new KeyManager[] {new MyX509KeyManager()};
    SSLContext sc = SSLContext.getInstance("SSL");
    sc.init(objKeyManager, objTrustManager, new SecureRandom());
    SSLSocketFactory objSocketFactory = sc.getSocketFactory();
    // These two calls change the defaults for every HttpsURLConnection in the JVM.
    HttpsURLConnection.setDefaultSSLSocketFactory(objSocketFactory);
    HttpsURLConnection.setDefaultHostnameVerifier(new MyHostnameVerifier());
    ...
    URL objUrl = new URL(...);
    HttpsURLConnection objHttpsURLConnection = (javax.net.ssl.HttpsURLConnection) objUrl.openConnection();

I hope it helps you.

[EMAIL PROTECTED] 04/10/2005 17:54:30

> Hi
> I've got a servlet which works fine when using http. But when I want to access it through https I get a "certificate unknown" exception. Why does https://localhost:8443 work in a browser but accessing my servlet (with a Java client) not? Do I need to make my servlet SSL aware? Using another secure webserver works with my client.
> Hope someone can help. Thanks!
Re: Rép. : SSL question
Hi, thanks! I've got my own TrustManager/HostnameVerifier and it works when I use Apache's SecureWebServer and SecureXmlRpcClient. I'm not using javax.net.ssl, but instead com.sun.net.ssl - I couldn't make it work with javax.net.ssl. Is the code below necessary for the servlet as well? I thought Tomcat has got all the information about trusted certificates in its keystore.

--- Antony GUILLOTEAU [EMAIL PROTECTED] wrote:

> Many articles talk about how to access https using a Java client through HttpsURLConnection. You must use:
> - your own TrustManager (implements javax.net.ssl.X509TrustManager)
> - your own KeyManager (implements javax.net.ssl.X509KeyManager)
> - your own HostnameVerifier (implements javax.net.ssl.HostnameVerifier)
> and use the following code:
>
>     TrustManager[] objTrustManager = new TrustManager[] {new MyX509TrustManager()};
>     KeyManager[] objKeyManager = new KeyManager[] {new MyX509KeyManager()};
>     SSLContext sc = SSLContext.getInstance("SSL");
>     sc.init(objKeyManager, objTrustManager, new SecureRandom());
>     SSLSocketFactory objSocketFactory = sc.getSocketFactory();
>     HttpsURLConnection.setDefaultSSLSocketFactory(objSocketFactory);
>     HttpsURLConnection.setDefaultHostnameVerifier(new MyHostnameVerifier());
>     ...
>     URL objUrl = new URL(...);
>     HttpsURLConnection objHttpsURLConnection = (javax.net.ssl.HttpsURLConnection) objUrl.openConnection();
>
> I hope it helps you.
>
> [EMAIL PROTECTED] 04/10/2005 17:54:30
>
> > Hi
> > I've got a servlet which works fine when using http. But when I want to access it through https I get a "certificate unknown" exception. Why does https://localhost:8443 work in a browser but accessing my servlet (with a Java client) not? Do I need to make my servlet SSL aware? Using another secure webserver works with my client.
> > Hope someone can help. Thanks!
SSL Question
I have a quick question about SSL. If I am already running SSL on a server with a certificate imported into a .keystore file and I create a new certificate, will it automatically overwrite the .keystore file by creating a new one, or does it just add the info into the existing .keystore file? Thanks.
Re: SSL Question
Is this for a new web site or one that has been up and running for some time?

Christopher W. Hosler
Network Administrator
Ingham County MIS Department
Email [EMAIL PROTECTED]

As water reflects the face
So a man's heart reflects the man

[EMAIL PROTECTED] 3/1/2005 10:44:36 AM

> I have a quick question about SSL. If I am already running SSL on a server with a certificate imported into a .keystore file and I create a new certificate, will it automatically overwrite the .keystore file by creating a new one, or does it just add the info into the existing .keystore file? Thanks.
Re: SSL Question
On Tue, 1 Mar 2005 09:44:36 -0600, Reis, Tom [EMAIL PROTECTED] wrote:

> I have a quick question about SSL. If I am already running SSL on a server with a certificate imported into a .keystore file and I create a new certificate, will it automatically overwrite the .keystore file by creating a new one, or does it just add the info into the existing .keystore file? Thanks.

It should just add to it. It is the alias for the certificate that is unique in the keystore, and you can have many aliases in the one .keystore, for example when you have to establish a chain of trust by importing each certificate in the chain up to the root.

Regards,
--
Jason Bainbridge
http://kde.org - [EMAIL PROTECTED]
Personal Site - http://jasonbainbridge.com
Tomcat SSL Question.
Hi all,

New to SSL, not Tomcat. :-)

ENV.
Tomcat 5.0
JDK 1.4.2_04-b05
Win XP

I followed everything on http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html

I did the following.

1. keytool -genkey -keyalg RSA -keystore chap8.keystore -storepass changeit
2. keytool -certreq -keyalg RSA -file breaker.csr -keystore keystore
3. I copied the content of the .csr and added it to the form on https://www.thawte.com/cgi/server/try.exe
4. It generated the content for a .cer file.
5. keytool -keystore keystore -keyalg RSA -import -trustcacerts -file breaker.cer
6. I changed the server.xml by commenting out the <Connector port="8080" .../> and uncommented <Connector port="8443" .../>.
7. I added keystoreFile="conf/keystore", keystorePass="changit", keystoreType="jks" and clientAuth="true" to the <Connector port="8443" .../>
8. I downloaded and installed the Test Root Certificates from Thawte and installed them in Mozilla Firefox.
9. Started Tomcat and hit https://breaker:8443/myApp/etc... and I get the following error:

    [ERROR] sun.security.validator.ValidatorException: No trusted certificate found: unable to load file https://breaker:8443/myApp/services/print.wsdl
    FATAL!!! Error connecting to Services
    FATAL [http-8443-Processor24] (RequestControllerServlet.java:165) - Error Binding to the Service

10. If I put JAVA_OPTS=-Djavax.net.ssl.trustStore=C:/Tomcat5.0/conf/keystore -Djavax.net.ssl.keyStorePassword=changeit in the Catalina.bat, I get a dialog stating "Could not establish an encrypted connection because your certificate was rejected by breaker. Error Code: -12271."
11. If I change clientAuth="want", it works but I don't see the dialog prompting me about the certificate.

What am I doing wrong? Is this correct behavior?

Thanks.
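Both the "certificate unknown" thread earlier on this page and the clientAuth="true" connector above come down to what the Java client trusts and what it presents. As an added example (not code from either thread, nor from Tomcat), this client anchors trust in a truststore through the JDK's TrustManagerFactory instead of a hand-written X509TrustManager, keeps the default hostname verifier, and loads a client keystore for a connector that demands client certificates; the file names, the changeit passwords, the /myApp/ path and a current JDK are assumptions.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

/**
 * Added example (not code from the threads or from Tomcat): a Java client for a
 * Tomcat https connector on localhost:8443.
 *
 * Instead of a hand-written X509TrustManager, trust is anchored in a truststore
 * that holds the Tomcat certificate (or the CA that issued it), so the JDK's own
 * chain validation still runs, and the default hostname verifier stays in place,
 * so the certificate must match the host name in the URL. For a connector with
 * clientAuth="true" the client must also present a certificate; a client keystore
 * is then loaded into a KeyManagerFactory. File names, passwords and the URL path
 * are assumptions for the example.
 */
public class TomcatTlsClient {

    /** Loads a keytool-created JKS keystore with its store password. */
    static KeyStore loadKeyStore(String path, char[] storePass)
            throws IOException, GeneralSecurityException {
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /**
     * Builds an SSLContext whose trust decisions come from trustStore and whose
     * client identity, when clientKeyStore is non-null, comes from that keystore.
     */
    static SSLContext buildContext(KeyStore trustStore, KeyStore clientKeyStore,
                                   char[] clientKeyPass) throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);   // only chains ending in trustStore are accepted

        KeyManager[] keyManagers = null;   // null = no client certificate offered
        if (clientKeyStore != null) {
            KeyManagerFactory kmf =
                    KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            kmf.init(clientKeyStore, clientKeyPass);
            keyManagers = kmf.getKeyManagers();
        }

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(keyManagers, tmf.getTrustManagers(), new SecureRandom());
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // Assumed file: a truststore into which the Tomcat server certificate was
        // imported (keytool -exportcert from the server keystore, -importcert here).
        KeyStore trust = loadKeyStore("client-truststore.jks", "changeit".toCharArray());

        // Assumed file, only needed when server.xml has clientAuth="true":
        // a keystore holding the client's own private key and certificate.
        KeyStore identity = args.length > 0
                ? loadKeyStore(args[0], "changeit".toCharArray())
                : null;

        SSLContext ctx = buildContext(trust, identity, "changeit".toCharArray());

        URL url = new URL("https://localhost:8443/myApp/");
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        // Scope the context to this connection rather than replacing the JVM-wide
        // default; no setHostnameVerifier() call, so the default check applies.
        conn.setSSLSocketFactory(ctx.getSocketFactory());

        System.out.println("HTTP status: " + conn.getResponseCode());
        System.out.println("Cipher suite: " + conn.getCipherSuite());
        for (Certificate c : conn.getServerCertificates()) {
            if (c instanceof X509Certificate) {
                System.out.println("Server certificate: "
                        + ((X509Certificate) c).getSubjectX500Principal());
            }
        }
    }
}
```

With an unknown server certificate the connection fails in getResponseCode() with a validation exception instead of silently proceeding, which is the behaviour a blanket-accepting TrustManager would hide.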
SSL question
Hi

We have two web applications under the webapps folder, WebApp1 and WebApp2. There is a separate context entry for each of them. Each of them connects to its own App Server through Java RMI. The difference is that WebApp1 connects to its App Server over SSL (i.e. a secure RMI call) and the other one non-SSL (i.e. a normal RMI call). We have an HTML link from a web page of WebApp1 to the WebApp2 login page. We use the same cookie name in both applications, which allows a one-time login to either of the two applications; the other one logs in automatically when we go there. For SSL communication we have used jssl and related packages.

Now, if we use WebApp2 alone there is no issue working with it. However, if I log in to WebApp1 and then click the link to go to WebApp2 it gives the following error. The cause of the error, as you can see below, is 'jssl.impl.PrematureEOFException: EOF reading record'.

java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    jssl.impl.PrematureEOFException: EOF reading record
java.rmi.ConnectIOException: error during JRMP connection establishment; nested exception is:
    jssl.impl.PrematureEOFException: EOF reading record
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:274)
    at sun.rmi.transport.tcp.TCPChannel.newConnection(TCPChannel.java:171)
    .
    at sun.rmi.server.UnicastRef.newCall(UnicastRef.java:313)
    at sun.rmi.registry.RegistryImpl_Stub.lookup(Unknown Source)
    at org.apache.catalina.core.StandardPipeline.invoke(StandardPipeline.java:480)
    at org.apache.catalina.core.ContainerBase.invoke(ContainerBase.java:995)
    at org.apache.ajp.tomcat4.Ajp13Processor.process(Ajp13Processor.java:457)
    at org.apache.ajp.tomcat4.Ajp13Processor.run(Ajp13Processor.java:576)
    at java.lang.Thread.run(Thread.java:534)
Caused by: jssl.impl.PrematureEOFException: EOF reading record
    at jssl.internal.RecordInput.readSSLCiphertext(RecordInput.java:188)
    at jssl.internal.RecordInput.readSSLCompressed(RecordInput.java:128)
    at jssl.internal.RecordInput.receive(RecordInput.java:110)
    at jssl.internal.SSLClientProtocol.stateReceive(SSLClientProtocol.java:349)
    at jssl.internal.SSLClientProtocol.stateMachine(SSLClientProtocol.java:319)
    at jssl.internal.SSLClientProtocol.stateStep(SSLClientProtocol.java:143)
    at jssl.internal.SSLClientProtocol.authenticate(SSLClientProtocol.java:131)
    at jssl.internal.SSLProtocol.verifyStatus(SSLProtocol.java:181)
    at jssl.internal.SSLProtocol.getOutputStream(SSLProtocol.java:110)
    at jssl.JSSL.getOutputStream(JSSL.java:193)
    at jssl.JSSLSocket.getOutputStream(JSSLSocket.java:226)
    at sun.rmi.transport.tcp.TCPConnection.getOutputStream(TCPConnection.java:66)
    at sun.rmi.transport.tcp.TCPChannel.createConnection(TCPChannel.java:189)

The same web application is working on JRun over IIS. Now that we are migrating the web part to Tomcat, we have this issue. Where am I going wrong? Please advise.

Thanks and Regards
Ishwara

--
This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and destroy this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
round trip SSL question
What we want to do is have round-trip SSL encryption when our clients use our webapps AND not have the port number as part of the URL. There are 3 scenarios:

1) Our client is using IIS to serve their current webapps; some of these apps could be employing SSL. How do we ensure that JSPs and Servlets that are redirected to Tomcat are talking with IIS securely encrypted? I understand that typical redirection from IIS to Tomcat is always decrypted, cleartext.

2) Our client is using IIS to serve their current webapps; none of their apps employ SSL. Can (and should) we set up IIS and Tomcat so that SSL requests go directly to Tomcat (Tomcat talks to the client directly when an SSL request is issued) and standard HTTP requests go to IIS?

3) Our client does NOT want to use IIS; how do you set up Tomcat to be a secure webapp server? (This is not as big a problem as numbers 1 and 2.)
ssl question
How do I set up Tomcat to communicate with IIS using SSL/https??? Is there any documentation???
Re: ssl question
http://nagoya.apache.org/wiki/apachewiki.cgi?Tomcat/Links

via ..

http://jakarta.apache.org/tomcat/faq/

-Tim

John MccLain wrote:
> How do I set up Tomcat to communicate with IIS using SSL/https??? Is there any documentation???
RE: ssl question
1. Install Tomcat
2. Install IIS
3. Install isapi_redirector.dll in the IIS server
4. Configure IIS as per the documentation on the website for isapi_redirector.dll
5. Configure a certificate in IIS

Your application should work now with the Tomcat - IIS with SSL setup.

-Original Message-
From: John MccLain [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, February 25, 2004 11:57 AM
To: Tomcat user list
Subject: ssl question

How do I set up Tomcat to communicate with IIS using SSL/https??? Is there any documentation???
Tomcat SSL question (Emergency)
Hi,

I am currently implementing a Verisign Server Certificate (128 bit) on Tomcat 4.0.3 on the Windows 2000 Server platform with JDK 1.4.0 and do the following steps:

1. Create a local Certificate Signing Request (CSR)
2. Submit the CSR to Verisign and receive the certificate back
3. Import the Verisign Chain Certificate into your keystore
4. And import the new Certificate into the keystore

Note: I am creating different passwords for the keystore and the tomcat user other than the default one called changeit. (i.e. keystore password: secret1, key password for tomcat: secret2)

5. Stop tomcat
6. Modify the settings in the server.xml file

    <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
               keystorePass="secret1"
               clientAuth="false" protocol="TLS"/>
    </Connector>

7. Start tomcat

When I point to the secure website, I receive the following errors:

Create Catalina server
initProxy: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
    at java.security.KeyStore.getKey(KeyStore.java:289)
    at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init(DashoA6275)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA6275)
    at javax.net.ssl.KeyManagerFactory.init(DashoA6275)
    at com.sun.net.ssl.KeyManagerFactorySpiWrapper.engineInit(DashoA6275)
    at com.sun.net.ssl.KeyManagerFactory.init(DashoA6275)
    at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:403)
    at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
    at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
    at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
    at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
    at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
    at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
    at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:428)
Catalina.start: LifecycleException: null.open: java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
LifecycleException: null.open: java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
    at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1130)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
    at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
    at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
    at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:324)
    at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:428)
- Root Cause -
java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
    at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:422)
    at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
    at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
    at
RE: Tomcat SSL question (Emergency)
Kevin,

You might like to help Tomcat out by telling it the password. Try modifying the factory bit in server.xml to add the path to the keystore, and the password, something like this:

    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="true" protocol="TLS"
             keystoreFile="C:/Documents and Settings/Administrator/.keystore"
             keypass="secret" />

Dave

-Original Message-
From: Kevin Hu [mailto:[EMAIL PROTECTED]]
Sent: 11 March 2003 08:13
To: [EMAIL PROTECTED]
Subject: Tomcat SSL question (Emergency)

Hi,

I am currently implementing a Verisign Server Certificate (128 bit) on Tomcat 4.0.3 on the Windows 2000 Server platform with JDK 1.4.0 and do the following steps:

1. Create a local Certificate Signing Request (CSR)
2. Submit the CSR to Verisign and receive the certificate back
3. Import the Verisign Chain Certificate into your keystore
4. And import the new Certificate into the keystore

Note: I am creating different passwords for the keystore and the tomcat user other than the default one called changeit. (i.e. keystore password: secret1, key password for tomcat: secret2)

5. Stop tomcat
6. Modify the settings in the server.xml file

    <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="443" minProcessors="5" maxProcessors="75"
               enableLookups="true" acceptCount="10" debug="0"
               scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
               keystorePass="secret1"
               clientAuth="false" protocol="TLS"/>
    </Connector>

7. Start tomcat

When I point to the secure website, I receive the following errors:

Create Catalina server
initProxy: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
    at java.security.KeyStore.getKey(KeyStore.java:289)
    at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init(DashoA6275)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA6275)
    at javax.net.ssl.KeyManagerFactory.init(DashoA6275)
    at com.sun.net.ssl.KeyManagerFactorySpiWrapper.engineInit(DashoA6275)
    at com.sun.net.ssl.KeyManagerFactory.init(DashoA6275)
    at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:403)
    [remainder of the stack trace snipped]
RE: Tomcat SSL question (Emergency)
Dave,

Thank you for the quick response. I already put the keystorePass attribute in the Factory node (shown below). Should I add the keypass attribute in the node as well? The Tomcat version that I am currently running is 4.0.3, and the Factory (server.xml) node explained in the SSL Configuration HOW-TO (http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html) on the Apache website does not have a keypass attribute on it?

  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
           keystorePass="secret1" clientAuth="false" protocol="TLS"/>

I am a bit confused: I applied for and received the server certificate from Verisign (i.e. verisign.cer), which should be the public key, and the .keystore file (i.e. .keystore) that we generated using keytool will be the private key. Should I put the public key in keystoreFile, or the private key? Also, when you are using keytool to generate the .keystore file, you will be asked to provide the keystore password and the tomcat password. Which password should I use for the keystorePass attribute?

Thank you,
Kevin

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 11, 2003 2:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Tomcat SSL question (Emergency)

Kevin,

You might like to help Tomcat out by telling it the password. Try modifying the Factory bit in server.xml to add the path to the keystore, and the password, something like this:

  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="C:/Documents and Settings/Administrator/.keystore"
           keypass="secret"/>

Dave

-----Original Message-----
From: Kevin Hu [mailto:[EMAIL PROTECTED]
Sent: 11 March 2003 08:13
To: [EMAIL PROTECTED]
Subject: Tomcat SSL question (Emergency)

Hi,

I am currently implementing a Verisign Server Certificate (128 bit) on Tomcat 4.0.3 on the Windows 2000 Server platform with JDK 1.4.0 and did the following steps:

1. Create a local Certificate Signing Request (CSR)
2. Submit the CSR to Verisign and receive the certificate back
3. Import the Verisign Chain Certificate into your keystore
4. Import the new Certificate into the keystore
   Note: I am creating different passwords for the keystore and the tomcat user other than the default one called changeit (i.e. keystore password: secret1, key password for tomcat: secret2)
5. Stop Tomcat
6. Modify the settings in the server.xml file:

  <!-- Define an SSL HTTP/1.1 Connector on port 443 -->
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="10" debug="0"
             scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
             keystorePass="secret1" clientAuth="false" protocol="TLS"/>
  </Connector>

7. Start Tomcat

When I point to the secure website, I receive the following errors:

Create Catalina server
initProxy: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
        at java.security.KeyStore.getKey(KeyStore.java:289)
        at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init(DashoA6275)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA6275)
        at javax.net.ssl.KeyManagerFactory.init(DashoA6275)
        at com.sun.net.ssl.KeyManagerFactorySpiWrapper.engineInit(DashoA6275)
        at com.sun.net.ssl.KeyManagerFactory.init(DashoA6275)
        at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:403)
        at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
        at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
        at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39
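The trace above comes from the password mismatch Kevin describes in his note: Tomcat 4.0's SSLServerSocketFactory opens the keystore with keystorePass and then hands that same password to KeyManagerFactory.init(), which calls KeyStore.getKey() on the "tomcat" entry. A key whose own password (secret2) differs from the keystore password (secret1) cannot be recovered that way, and the HOW-TO's requirement that the two passwords be identical exists for exactly this reason. The following diagnostic is an added example, not part of Tomcat or the HOW-TO; it reproduces that lookup outside Tomcat so the failure can be pinned on the key password rather than on the certificate. The class name, the default alias "tomcat", and the command-line arguments are my assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

/**
 * Added diagnostic (not Tomcat code). Opens a JKS keystore the way Tomcat 4.0's
 * SSLServerSocketFactory does: keystorePass opens the file AND recovers the key.
 *
 * Usage: java KeystoreCheck <keystoreFile> <keystorePass> [alias]
 * The alias defaults to "tomcat", the entry Tomcat 4.0 looks for (assumption).
 */
public class KeystoreCheck {

    public static final int OK = 0;               // key recoverable with keystorePass
    public static final int KEY_PASS_DIFFERS = 1; // key entry exists but has its own password
    public static final int NO_KEY_ENTRY = 2;     // alias missing or a trusted-cert-only entry

    public static KeyStore load(String path, char[] keystorePass) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, keystorePass); // a wrong keystore password fails here, not in getKey()
        } finally {
            in.close();
        }
        return ks;
    }

    /** Mirrors KeyManagerFactory.init(ks, keystorePass): the key must open with the keystore password. */
    public static int checkAlias(KeyStore ks, String alias, char[] keystorePass) throws Exception {
        if (!ks.isKeyEntry(alias)) {
            return NO_KEY_ENTRY;
        }
        try {
            ks.getKey(alias, keystorePass);
        } catch (UnrecoverableKeyException e) {
            return KEY_PASS_DIFFERS; // this is the "Cannot recover key" case from the trace
        }
        return OK;
    }

    /** True when the leaf certificate is self-signed, i.e. the CA-issued cert was never imported under this alias. */
    public static boolean isSelfSigned(KeyStore ks, String alias) throws Exception {
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0 || !(chain[0] instanceof X509Certificate)) {
            return false;
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        return leaf.getSubjectX500Principal().equals(leaf.getIssuerX500Principal());
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> <keystorePass> [alias]");
            System.exit(2);
        }
        String alias = args.length > 2 ? args[2] : "tomcat";
        char[] pass = args[1].toCharArray();
        KeyStore ks = load(args[0], pass);

        // List what the keystore actually holds: the server's private key lives in a
        // key entry; CA / chain certificates imported with keytool are trusted-cert entries.
        for (Enumeration e = ks.aliases(); e.hasMoreElements();) {
            String a = (String) e.nextElement();
            System.out.println(a + ": " + (ks.isKeyEntry(a) ? "private key + certificate chain" : "trusted certificate only"));
        }

        int result = checkAlias(ks, alias, pass);
        if (result == NO_KEY_ENTRY) {
            System.out.println("no private key under alias '" + alias + "'");
        } else if (result == KEY_PASS_DIFFERS) {
            System.out.println("key under '" + alias + "' has a different password than the keystore: Tomcat 4.0 will fail with UnrecoverableKeyException");
        } else {
            System.out.println("key under '" + alias + "' opens with the keystore password");
        }
        if (result != NO_KEY_ENTRY && isSelfSigned(ks, alias)) {
            System.out.println("certificate under '" + alias + "' is still self-signed: the CA-issued certificate was not imported under this alias");
        }
    }
}
```

This also answers the public/private key question: keystoreFile points at the one keystore that holds the private key entry, and importing the CA-issued certificate under the same alias replaces the self-signed certificate that keytool -genkey created. If the check reports a differing key password, keytool's -keypasswd command (`keytool -keypasswd -alias tomcat -keystore .keystore`, giving secret1 as the new key password) brings the key password in line with the keystore password without regenerating anything.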
Re: Tomcat - SSL Question .. Certificate problem
Mufaddal wrote:
> Hi,
> I have followed the instructions at http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html to enable SSL.
>
> Problem: when I try to access the jsp page using https://locahost:8443/login.jsp a dialogue pops up saying:
>
>   Unable to establish a secure connection to 'localhost'. There is a problem with the security certificate from that site. (The identity of the certificate issuer is unknown). The information you view and send will be readable to others while in transit, and it may not go to the intended party. Continue loading this page? [Stop] [Continue]
>
> When I hit Continue I can still access my jsp page and everything works fine. The only problem is that SSL is not being used, since the connection could not be established as warned by the dialogue box that popped up. The certificate I had generated was using keytool, just like it is explained on the howto webpage. I am using Internet Explorer 5.2 on Mac OS X. Can anybody please shed some light on where I am going wrong?

Your problem is that you're using IE! IE (on Macs, at least) will not accept a certificate unless it has been signed by an already-known certificate authority (e.g. Verisign). The quick solution is to switch to Netscape 7, which allows you to decide whether to accept the certificate or not. BTW Safari is as brain-dead as IE in this respect.

HTH
Martin

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Tomcat - SSL Question .. Certificate problem
Yes, after posting my question I did find out that Microsoft is bad at doing what it says it's doing. Even though the dialogue pops up saying that an SSL connection could not be established, it still does send the data encrypted and does connect thru SSL. Also, in Safari you can enable the debug menu and select "do lax security check". Once you do that it works with a self-signed certificate. IE on Mac does not give us an option to add a self-signed certificate, and this is weird since its Windows counterpart has this capability.

thanks.

On Friday, February 7, 2003, at 01:58 PM, Martin Jacobson wrote:
> Mufaddal wrote:
> > Hi,
> > I have followed the instructions at http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html to enable SSL.
> >
> > Problem: when I try to access the jsp page using https://locahost:8443/login.jsp a dialogue pops up saying:
> >
> >   Unable to establish a secure connection to 'localhost'. There is a problem with the security certificate from that site. (The identity of the certificate issuer is unknown). The information you view and send will be readable to others while in transit, and it may not go to the intended party. Continue loading this page? [Stop] [Continue]
> >
> > When I hit Continue I can still access my jsp page and everything works fine. The only problem is that SSL is not being used, since the connection could not be established as warned by the dialogue box that popped up. The certificate I had generated was using keytool, just like it is explained on the howto webpage. I am using Internet Explorer 5.2 on Mac OS X. Can anybody please shed some light on where I am going wrong?
>
> Your problem is that you're using IE! IE (on Macs, at least) will not accept a certificate unless it has been signed by an already-known certificate authority (e.g. Verisign). The quick solution is to switch to Netscape 7, which allows you to decide whether to accept the certificate or not. BTW Safari is as brain-dead as IE in this respect.
>
> HTH
> Martin
Tomcat - SSL Question .. Certificate problem
Hi,
I have followed the instructions at http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html to enable SSL.

Problem: when I try to access the jsp page using https://locahost:8443/login.jsp a dialogue pops up saying:

  Unable to establish a secure connection to 'localhost'. There is a problem with the security certificate from that site. (The identity of the certificate issuer is unknown). The information you view and send will be readable to others while in transit, and it may not go to the intended party. Continue loading this page? [Stop] [Continue]

When I hit Continue I can still access my jsp page and everything works fine. The only problem is that SSL is not being used, since the connection could not be established as warned by the dialogue box that popped up. The certificate I had generated was using keytool, just like it is explained on the howto webpage. I am using Internet Explorer 5.2 on Mac OS X. Can anybody please shed some light on where I am going wrong?

Thanks,
Mufaddal.
another SSL question!
Does anyone know of any performance difference when SSL is implemented via org.apache.coyote.tomcat4.CoyoteConnector using org.apache.coyote.tomcat4.CoyoteServerSocketFactory, versus implementing SSL by:

  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true" acceptCount="10" debug="0"
             scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="false" protocol="TLS"/>
  </Connector>
SSL question - from an apache guy
I have an Apache guru here trying to help me set up SSL on Tomcat. He has the following questions I was hoping someone could help us with:

How do we define our certificate? How does Tomcat know how to call the certificate? Does it use a keystore file, or does it use an attribute (aka cert=), or a naming convention or something? If it's a naming convention (aka *.xxx), what is that convention?

For instance, in Apache you would write something like this:

  SSLCertificateFile /apache/conf/ssl.crt/.crt
  SSLCertificateKeyFile /apache/conf/ssl.key/.key

What is the equivalent in Tomcat to set up SSL?

Thanks!
Neal
RE: SSL question - from an apache guy
Tomcat SSL HOWTO: http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html

In general, you use the keytool utility.

John

-----Original Message-----
From: neal [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 2:24 PM
To: Tomcat Users List
Subject: SSL question - from an apache guy

> I have an Apache guru here trying to help me set up SSL on Tomcat. He has the following questions I was hoping someone could help us with:
>
> How do we define our certificate? How does Tomcat know how to call the certificate? Does it use a keystore file, or does it use an attribute (aka cert=), or a naming convention or something? If it's a naming convention (aka *.xxx), what is that convention?
>
> For instance, in Apache you would write something like this:
>
>   SSLCertificateFile /apache/conf/ssl.crt/.crt
>   SSLCertificateKeyFile /apache/conf/ssl.key/.key
>
> What is the equivalent in Tomcat to set up SSL?
>
> Thanks!
> Neal
RE: SSL question - from an apache guy
I was just reading through the documentation again myself, looking for disconnects between what the manual says and what we're experiencing. It seems that the file being generated by keytool is of the format name.keystore and my friend is copying that over to .keystore. I'm thinking maybe this implies that we're not using the proper JKS format or something. Is this correct?

Thanks.
Neal

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 11:31 AM
To: 'Tomcat Users List'
Subject: RE: SSL question - from an apache guy

> Tomcat SSL HOWTO: http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
>
> In general, you use the keytool utility.
>
> John
>
> -----Original Message-----
> From: neal [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 2:24 PM
> To: Tomcat Users List
> Subject: SSL question - from an apache guy
>
> > I have an Apache guru here trying to help me set up SSL on Tomcat. He has the following questions I was hoping someone could help us with:
> >
> > How do we define our certificate? How does Tomcat know how to call the certificate? Does it use a keystore file, or does it use an attribute (aka cert=), or a naming convention or something? If it's a naming convention (aka *.xxx), what is that convention?
> >
> > For instance, in Apache you would write something like this:
> >
> >   SSLCertificateFile /apache/conf/ssl.crt/.crt
> >   SSLCertificateKeyFile /apache/conf/ssl.key/.key
> >
> > What is the equivalent in Tomcat to set up SSL?
> >
> > Thanks!
> > Neal
RE: SSL question - from an apache guy
Sorry, a pointer to the HOWTO is all I'm good for; I don't use Tomcat stand-alone, so my SSL is done with Apache.

When you say "copying that over", what do you mean? Over to where?

John

-----Original Message-----
From: neal [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 2:53 PM
To: Tomcat Users List
Subject: RE: SSL question - from an apache guy

> I was just reading through the documentation again myself, looking for disconnects between what the manual says and what we're experiencing. It seems that the file being generated by keytool is of the format name.keystore and my friend is copying that over to .keystore. I'm thinking maybe this implies that we're not using the proper JKS format or something. Is this correct?
>
> Thanks.
> Neal
>
> -----Original Message-----
> From: Turner, John [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 11:31 AM
> To: 'Tomcat Users List'
> Subject: RE: SSL question - from an apache guy
>
> > Tomcat SSL HOWTO: http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
> >
> > In general, you use the keytool utility.
> >
> > John
RE: SSL question - from an apache guy
Apparently the keystore file wasn't at the root of the user directory like the SSL instructions said it would be (it was also named keystore.name rather than .keystore, unlike the directions said it would be). So, we renamed it name.keystore and moved it to the root user directory to be consistent with the instructions' expected outcome. Obviously something different is going on here and I'm guessing that's the problem ... but I don't know why???

FYI - we're on Linux and using Tomcat 4.1.0.

Thanks.
Neal

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 12:03 PM
To: 'Tomcat Users List'
Subject: RE: SSL question - from an apache guy

> Sorry, a pointer to the HOWTO is all I'm good for; I don't use Tomcat stand-alone, so my SSL is done with Apache.
>
> When you say "copying that over", what do you mean? Over to where?
>
> John
>
> -----Original Message-----
> From: neal [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 2:53 PM
> To: Tomcat Users List
> Subject: RE: SSL question - from an apache guy
>
> > I was just reading through the documentation again myself, looking for disconnects between what the manual says and what we're experiencing. It seems that the file being generated by keytool is of the format name.keystore and my friend is copying that over to .keystore. I'm thinking maybe this implies that we're not using the proper JKS format or something. Is this correct?
> >
> > Thanks.
> > Neal
> >
> > -----Original Message-----
> > From: Turner, John [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 20, 2002 11:31 AM
> > To: 'Tomcat Users List'
> > Subject: RE: SSL question - from an apache guy
> >
> > > Tomcat SSL HOWTO: http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
> > >
> > > In general, you use the keytool utility.
> > >
> > > John
RE: SSL question - from an apache guy
Actually, sorry ... just spoke with my friend ... apparently he told keytool to put the file in his present working directory. Then we just moved it to root. My bad ...

-----Original Message-----
From: Turner, John [mailto:[EMAIL PROTECTED]]
Sent: Friday, September 20, 2002 12:03 PM
To: 'Tomcat Users List'
Subject: RE: SSL question - from an apache guy

> Sorry, a pointer to the HOWTO is all I'm good for; I don't use Tomcat stand-alone, so my SSL is done with Apache.
>
> When you say "copying that over", what do you mean? Over to where?
>
> John
>
> -----Original Message-----
> From: neal [mailto:[EMAIL PROTECTED]]
> Sent: Friday, September 20, 2002 2:53 PM
> To: Tomcat Users List
> Subject: RE: SSL question - from an apache guy
>
> > I was just reading through the documentation again myself, looking for disconnects between what the manual says and what we're experiencing. It seems that the file being generated by keytool is of the format name.keystore and my friend is copying that over to .keystore. I'm thinking maybe this implies that we're not using the proper JKS format or something. Is this correct?
> >
> > Thanks.
> > Neal
> >
> > -----Original Message-----
> > From: Turner, John [mailto:[EMAIL PROTECTED]]
> > Sent: Friday, September 20, 2002 11:31 AM
> > To: 'Tomcat Users List'
> > Subject: RE: SSL question - from an apache guy
> >
> > > Tomcat SSL HOWTO: http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html
> > >
> > > In general, you use the keytool utility.
> > >
> > > John
ISAPI Redirector SSL Question
Can anyone offer some advice?

I am using - successfully - the ISAPI redirector to serve JSP/servlet resources through IIS. I would like some contexts to _require_ SSL (https) to be used, and leave others free to use http.

I can see how to require _all_ contexts to use SSL by setting 'require secure channel' for the jakarta virtual directory under IIS. (And it works!) But is there any way I can achieve the same thing at a _context_ level using workers.properties or uriworkermap.properties or the like? Or will I have to test isSecure() at every page in the context that I want the constraint applied to?

An idea I had was to have more than one 'jakarta' virtual directory, one requiring SSL, the other not, but then I'm guessing the ISAPI filter uses the same Registry entry, so I couldn't specify a different extension_uri to get to it?? Is this the right thinking?? Is there a way round this?

Any other general advice - except "don't use IIS" (I have no choice for this project!) - would be welcome.

Christopher
Re: mod_jk problem SSL question...
I followed the howto from the link in this and finally got Tomcat and Apache working. One question now though: after compiling Apache and such, how do I now enable SSL and https on this server? Can I add it after? Or do I have to recompile?

Thanks all.
Mark

From: Eddie Bush [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: mod_jk problem
Date: Tue, 09 Jul 2002 21:47:20 -0500

> Steve,
>
> I'd _love_ to help you - I would. I'm running on Linux though - and with a much older version of Apache (1.3.23). So far as the config goes, I'm still quite shaky on it. If all you want to do is set up one server - or even multiple load-balanced servers, it's not that bad I don't think.
>
> You might take a look at http://www.ubeans.com/tomcat/. That's what I used as my guide. You can get the dll files (I'm guessing you're on Windows) from the binary distributions. It's not (IMHO) real easy to find the one you want. I'm not certain I have the one I want - but it works.
>
> There's also a purportedly useful walkthrough on jboss.org for setting up with the newer Apaches.
>
> If you look over that stuff and still have problems, post here again. I'll try and keep an eye on this thread. I know how frustrating this can be.
>
> Regards,
> Eddie Bush
>
> STEVE R BURRUS wrote:
> > Hello, I am Steve Burrus and I am 1 of your fellow Tomcat Server users, and I was wondering if you would kindly email me the link to access the mod_jk.dll file which allows one to connect the Apache 2.* HTTP Server with the Tomcat 4.* Server. And, in your response to me, you might also throw in some info on how you use the directives in Apache's configuration file!!
> >
> > *** --- Eddie Bush [EMAIL PROTECTED] wrote:
> > > Considering the possibility you are set up like me (httpd config in /etc/httpd/conf - modules in /etc/httpd/modules), I suggest you change your LoadModule line to:
> > >
> > >   LoadModule jk_module modules/mod_jk.so
> > >
> > > All the docs talk about libexec - but all of my other modules are loaded from modules/mod_* - and this is true for mod_jk too - works like a charm!
> > >
> > > HTH,
> > > Eddie
> > >
> > > COLLINEAU Franck FTRD/DMI/TAM wrote:
> > > > Greetings,
> > > > I try to start Apache with mod_jk. I compiled mod_jk using the source-dist and copied mod_jk.so to APACHE/libexec. The lines in my httpd.conf are:
> > > >
> > > >   LoadModule jk_module libexec/mod_jk.so
> > > >   AddModule mod_jk.c
> > > >
> > > > When I try to start Apache I got this error:
> > > >
> > > >   ./bin/apachectl start
> > > >   Syntax error on line 207 of /usr/local/apache/conf/httpd.conf:
> > > >   Can't locate API module structure `jk_module' in file /usr/local/apache/libexec/mod_jk.so: /usr/local/apache/libexec/mod_jk.so: undefined symbol: jk_module
> > > >   ./bin/apachectl start: httpd could not be started
> > > >
> > > > Line 207 is the LoadModule line above.
> > > >
> > > > thanks in advance
> > > > Franck
Re: mod_jk problem SSL question...
To be honest, I skipped compiling Apache - it was there. I saw no need to fix what wasn't broke. However, assuming you compiled in support for dynamic modules, you should (I believe) be able to add that on without a great deal of problem.

SSL is something I wouldn't want to have to install myself - every time I've looked at messing with that piece of things I just cringe. If possible, use something pre-existing.

Also, there's a neat Apache Toolkit script out there that will, upon your requesting a certain configuration, go download what you don't have, compile it, and pre-configure it. I haven't used it. I just read about it in an article I found via O'Reilly's web site. Look for Apache Wrangler - and a reference to LAMP. The script will also snag MySQL + Perl + Python + PHP4 -- but it said you have a choice of what to get/install. I'd try to find that article if I were you. ModSSL is (if I remember correctly) one of the things it takes care of (download/install/pre-configure).

HTH,
Eddie

Mark Hutchinson wrote:
> I followed the howto from the link in this and finally got Tomcat and Apache working. One question now though: after compiling Apache and such, how do I now enable SSL and https on this server? Can I add it after? Or do I have to recompile?
>
> Thanks all.
> Mark
SSL question
Hi all,

I have a question about SSL - HTTPS. I have a system with Apache + 2 Tomcat instances with a load balancer. Now my web application is over HTTP. Next week we are going to buy a Verisign Certificate and I have to move the web application from HTTP to HTTPS.

We have Apache compiled for SSL: all the emails I have read till now are about Tomcat as web server with SSL support. Am I right? How can I configure Apache with SSL support, telling it that when it finds /sss/eee it has to call the web application /sss in Tomcat (JkMount)? That is: the client calls http://myserver/sss/eee and I want to call in HTTPS my web application under Tomcat (https://myserver/sss/eee) where SSL is managed by Apache. How can I do it?

Thanks for your help
Laura
Re: SSL question
--- Laura [EMAIL PROTECTED] wrote:
> Hi all,
>
> I have a question about SSL - HTTPS. I have a system with Apache + 2 Tomcat instances with a load balancer. Now my web application is over HTTP. Next week we are going to buy a Verisign Certificate and I have to move the web application from HTTP to HTTPS.
>
> We have Apache compiled for SSL: all the emails I have read till now are about Tomcat as web server with SSL support. Am I right? How can I configure Apache with SSL support, telling it that when it finds /sss/eee it has to call the web application /sss in Tomcat (JkMount)? That is: the client calls http://myserver/sss/eee and I want to call in HTTPS my web application under Tomcat (https://myserver/sss/eee) where SSL is managed by Apache.

You have to reinstall Apache with openssl+mod_ssl. If you want to know the installation FAQ: www.ccl.net/cca/software/UNIX/apache/solaris-t3.2/README.shtml

> How can I do it?
>
> Thanks for your help
> Laura
RE: SSL question
Hi Laura,

You may use mod_rewrite for that (http://httpd.apache.org/docs/mod/mod_rewrite.html). The syntax is rather similar to RegExp.

Regards,
Sébastien Dui
[EMAIL PROTECTED]

-----Original Message-----
From: Laura [mailto:[EMAIL PROTECTED]]
Sent: Mon. 10 June 2002 13:06
To: Tomcat Users List
Subject: SSL question

> Hi all,
>
> I have a question about SSL - HTTPS. I have a system with Apache + 2 Tomcat instances with a load balancer. Now my web application is over HTTP. Next week we are going to buy a Verisign Certificate and I have to move the web application from HTTP to HTTPS.
>
> We have Apache compiled for SSL: all the emails I have read till now are about Tomcat as web server with SSL support. Am I right? How can I configure Apache with SSL support, telling it that when it finds /sss/eee it has to call the web application /sss in Tomcat (JkMount)? That is: the client calls http://myserver/sss/eee and I want to call in HTTPS my web application under Tomcat (https://myserver/sss/eee) where SSL is managed by Apache. How can I do it?
>
> Thanks for your help
> Laura
Re: SSL question
My Tomcat version is 4.0.3 and not 3.x.

If I reinstall Apache with openssl+mod_ssl and configure Tomcat with SSL support (http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html), and in httpd.conf I have "JkMount /xx loadbalancer" (I have a loadbalancer worker in workers.properties), then if a client calls https://myserver/xx/pippo is the request passed to Tomcat? How can I tell Apache to redirect http requests to https requests?

Thanks
Laura

----- Original Message -----
From: sonam singh [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Monday, June 10, 2002 1:32 PM
Subject: Re: SSL question

> --- Laura [EMAIL PROTECTED] wrote:
> > Hi all,
> >
> > I have a question about SSL - HTTPS. I have a system with Apache + 2 Tomcat instances with a load balancer. Now my web application is over HTTP. Next week we are going to buy a Verisign Certificate and I have to move the web application from HTTP to HTTPS.
> >
> > We have Apache compiled for SSL: all the emails I have read till now are about Tomcat as web server with SSL support. Am I right? How can I configure Apache with SSL support, telling it that when it finds /sss/eee it has to call the web application /sss in Tomcat (JkMount)? That is: the client calls http://myserver/sss/eee and I want to call in HTTPS my web application under Tomcat (https://myserver/sss/eee) where SSL is managed by Apache.
>
> You have to reinstall Apache with openssl+mod_ssl. If you want to know the installation FAQ: www.ccl.net/cca/software/UNIX/apache/solaris-t3.2/README.shtml
>
> > How can I do it?
> >
> > Thanks for your help
> > Laura
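Laura's two questions (does a JkMount-ed path stay mounted when the request arrives on the SSL virtual host, and how to push http requests to https) are both settled in httpd.conf when Apache terminates SSL. The fragment below is an added example, not something from Sébastien's reply or the mod_jk documentation: it keeps the certificate in Apache, as Laura wants, so Tomcat needs no keystore at all. The host name, the /sss path and the "loadbalancer" worker are taken from her messages; the certificate file paths are placeholders, and it assumes mod_ssl, mod_rewrite and mod_jk are loaded.

```apache
# Added example configuration, not from the thread.
# Assumes mod_ssl, mod_rewrite and mod_jk are loaded and a worker named
# "loadbalancer" exists in workers.properties.

<VirtualHost *:80>
    ServerName myserver
    RewriteEngine On
    # Requests for /sss and everything below it that arrive over plain HTTP
    # are answered with a redirect to the same URL on https, not served.
    # Paths outside /sss stay on HTTP.
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/sss(/.*)?$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName myserver
    SSLEngine on
    # Placeholder paths: the Verisign-issued certificate and its private key.
    SSLCertificateFile    /apache/conf/ssl.crt/myserver.crt
    SSLCertificateKeyFile /apache/conf/ssl.key/myserver.key
    # JkMount is per virtual host, so the mount must be repeated here or the
    # https request is served by Apache itself instead of being passed to Tomcat.
    JkMount /sss   loadbalancer
    JkMount /sss/* loadbalancer
</VirtualHost>
```

Two points worth checking after applying this: mod_jk forwards the SSL state over AJP (JkExtractSSL is on by default), so inside Tomcat request.isSecure() is true for requests that came in on the 443 host, which is what any in-application "must be https" check relies on; and the redirect is deliberately limited to GET-style navigation by the 301 status, since a form POSTed over plain HTTP has already exposed its fields before the browser ever sees the redirect.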
SSL question
I am using Tomcat 3.2 and IIS. I installed a server certificate to IIS using Windows Certificate Services. I want to configure Tomcat for SSL support using that certificate. Can this be done? The documentation about setting up SSL gives instructions using OpenSSL and keytool. I am not sure how to translate those instructions into the steps needed to use the certificate generated by Windows Certificate Services. Thanks, Keith
Standard SSL question
Hello all,

I need to make it so that certain pages on the site are accessed via SSL. Is there a way in Tomcat to reject the connection of http to a specific page (i.e. securePage.jsp) but still allow http access to other pages (i.e. standardPage.jsp)? Pages like login, CC submission etc. need to be secure, and I want to make sure that they are always accessed via SSL.

Hope there's an answer..

Steve Mactaggart
Senior Java Developer / Team Leader
303 Sport
BH: 9620 7477 FAX 9620 7377
RE: Standard SSL question
Forgot to mention: using Tomcat 3.3, not 4.0, so there may be some differences.

-----Original Message-----
From: Steve Mactaggart [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 10:40 AM
To: [EMAIL PROTECTED]
Subject: Standard SSL question

> Hello all,
>
> I need to make it so that certain pages on the site are accessed via SSL. Is there a way in Tomcat to reject the connection of http to a specific page (i.e. securePage.jsp) but still allow http access to other pages (i.e. standardPage.jsp)? Pages like login, CC submission etc. need to be secure, and I want to make sure that they are always accessed via SSL.
>
> Hope there's an answer..
>
> Steve Mactaggart
> Senior Java Developer / Team Leader
> 303 Sport
> BH: 9620 7477 FAX 9620 7377
Re: Standard SSL question
I have done something similar, by checking the start of the String returned by request.getHeader("host") and doing a response.sendRedirect to the secure version of the page:

  if (!request.getHeader("host").startsWith("https:"))
      response.sendRedirect("https://www.domain.com/securePage.jsp");

Or you can redirect to an error page, and have it META REFRESH and link to the secure version.

Hope that helps.

Cj

Steve Mactaggart wrote:
> Hello all,
>
> I need to make it so that certain pages on the site are accessed via SSL. Is there a way in Tomcat to reject the connection of http to a specific page (i.e. securePage.jsp) but still allow http access to other pages (i.e. standardPage.jsp)? Pages like login, CC submission etc. need to be secure, and I want to make sure that they are always accessed via SSL.
>
> Hope there's an answer..
>
> Steve Mactaggart
> Senior Java Developer / Team Leader
> 303 Sport
> BH: 9620 7477 FAX 9620 7377

--
corey a. johnson
cni
1.321.259.1984
1.800.264.5547
RE: Standard SSL question
Actually you can just use request.isSecure(); it is built in to ServletRequest :)

-----Original Message-----
From: Corey A. Johnson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 5:55 PM
To: Tomcat Users List
Subject: Re: Standard SSL question

> I have done something similar, by checking the start of the String returned by request.getHeader("host") and doing a response.sendRedirect to the secure version of the page:
>
>   if (!request.getHeader("host").startsWith("https:"))
>       response.sendRedirect("https://www.domain.com/securePage.jsp");
>
> Or you can redirect to an error page, and have it META REFRESH and link to the secure version.
>
> Hope that helps.
>
> Cj
>
> Steve Mactaggart wrote:
> > Hello all,
> >
> > I need to make it so that certain pages on the site are accessed via SSL. Is there a way in Tomcat to reject the connection of http to a specific page (i.e. securePage.jsp) but still allow http access to other pages (i.e. standardPage.jsp)? Pages like login, CC submission etc. need to be secure, and I want to make sure that they are always accessed via SSL.
> >
> > Hope there's an answer..
> >
> > Steve Mactaggart
> > Senior Java Developer / Team Leader
> > 303 Sport
> > BH: 9620 7477 FAX 9620 7377
Re: Standard SSL question
Man.. I really need to read ALL of the API docs... :)

Cj

Brian Adams wrote:
> Actually you can just use request.isSecure(); it is built in to ServletRequest :)
>
> -----Original Message-----
> From: Corey A. Johnson [mailto:[EMAIL PROTECTED]]
> Sent: Wednesday, January 09, 2002 5:55 PM
> To: Tomcat Users List
> Subject: Re: Standard SSL question
>
> > I have done something similar, by checking the start of the String returned by request.getHeader("host") and doing a response.sendRedirect to the secure version of the page:
> >
> >   if (!request.getHeader("host").startsWith("https:"))
> >       response.sendRedirect("https://www.domain.com/securePage.jsp");
> >
> > Or you can redirect to an error page, and have it META REFRESH and link to the secure version.
> >
> > Hope that helps.
> >
> > Cj
> >
> > Steve Mactaggart wrote:
> > > Hello all,
> > >
> > > I need to make it so that certain pages on the site are accessed via SSL. Is there a way in Tomcat to reject the connection of http to a specific page (i.e. securePage.jsp) but still allow http access to other pages (i.e. standardPage.jsp)? Pages like login, CC submission etc. need to be secure, and I want to make sure that they are always accessed via SSL.
> > >
> > > Hope there's an answer..
> > >
> > > Steve Mactaggart
> > > Senior Java Developer / Team Leader
> > > 303 Sport
> > > BH: 9620 7477 FAX 9620 7377

--
corey a. johnson
cni
1.321.259.1984
1.800.264.5547
Re: Standard SSL question
When using form based login, how would you instruct Tomcat to forward requests to the secure version of the login forms?

----- Original Message -----
From: Brian Adams [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Wednesday, January 09, 2002 3:56 PM
Subject: RE: Standard SSL question

actually you can just use request.isSecure(); it is built into ServletRequest :)

[...]
RE: Standard SSL question
I have the answer to that: loop through the params, generate a query string and redirect using that string.

-----Original Message-----
From: Cavan Morris [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 11:33 AM
To: Tomcat Users List
Subject: Re: Standard SSL question

When using form based login, how would you instruct Tomcat to forward requests to the secure version of the login forms?

[...]
Re: Standard SSL question
On Wed, 9 Jan 2002, Cavan Morris wrote:

Date: Wed, 9 Jan 2002 16:33:04 -0800
From: Cavan Morris [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: Re: Standard SSL question

When using form based login, how would you instruct Tomcat to forward requests to the secure version of the login forms?

On a 2.3 container (i.e. like Tomcat 4), you can do this with a security constraint that includes a transport-guarantee element:

    <security-constraint>
      <web-resource-collection>
        <web-resource-name>Secure Portion Of The Site</web-resource-name>
        <url-pattern>/*</url-pattern>
      </web-resource-collection>
      <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
      </user-data-constraint>
    </security-constraint>

In the above scenario, I've declared a URL pattern for the entire web application -- you can limit it to just portions of the URI space if you have a public part and a protected part (and you can use more than one URL pattern if needed, as well).

When you've configured things this way, and the user accesses one of the URLs protected by this security constraint via HTTP, Tomcat 4 automatically redirects the request to the HTTPS port for this host (which is set with the redirectPort attribute in server.xml).

However, this thread raises a very important security issue that all application developers should be aware of. Read on for more details.

IMPORTANT SECURITY ISSUE:

You will note that there is no automatic way to go back to HTTP -- this is on purpose! Going back would risk the security of your application. Further, you should no longer accept non-HTTPS requests for the remainder of this logon. Why?

Let's assume for a moment that you're using sessions (which is guaranteed to be true if you select form-based login). The session carries over for you across the redirect. BUT, the session ID was not encrypted before you switched to SSL, so it is susceptible to snoopers who could then use it to impersonate the logged-in user. The same thing is possible after the login is completed and you try to return to non-SSL communication -- once you do, the session id is in cleartext, and your user can be impersonated.

Moral of the story -- once you switch to SSL for a particular login, NEVER go back to non-SSL communication again, and NEVER accept any more non-SSL requests for that login. Doing the login screen under SSL (to protect the password), but everything else under non-SSL, is ***not*** sufficient.

Craig McClanahan
RE: Standard SSL question
Then is there a way to automatically do this?? Can I say to Tomcat, when you receive an HTTPS connection for a specific session, deny all HTTP connections??

-----Original Message-----
From: Craig R. McClanahan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, January 10, 2002 12:22 PM
To: Tomcat Users List
Subject: Re: Standard SSL question

[...]

Moral of the story -- once you switch to SSL for a particular login, NEVER go back to non-SSL communication again, and NEVER accept any more non-SSL requests for that login. Doing the login screen under SSL (to protect the password), but everything else under non-SSL, is ***not*** sufficient.

Craig McClanahan
RE: Standard SSL question
On Thu, 10 Jan 2002, Steve Mactaggart wrote:

Date: Thu, 10 Jan 2002 14:34:58 +1100
From: Steve Mactaggart [EMAIL PROTECTED]
Reply-To: Tomcat Users List [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Subject: RE: Standard SSL question

Then is there a way to automatically do this?? Can I say to Tomcat, when you receive an HTTPS connection for a specific session, deny all HTTP connections??

Nothing automatic, but it's not hard. You will need to set some sort of variable in the user's session, and then check for request.isSecure() on every request from then on. A Filter would make this trivially simple.

Craig

[...]
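The Filter Craig describes, written out as an added example (my code, not the thread's or Tomcat's, against the Servlet 2.3 API): it flags a session the first time it is used over SSL and refuses any later plain-HTTP request that presents it. The class name and the session attribute key are assumptions, and invalidating the session on such a downgraded request is a step I added beyond the advice above, since that request has just carried the session id in cleartext.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (constructed for this example, not from the thread or
 * from Tomcat). Once a session has been used over SSL it is flagged, and any
 * later plain-HTTP request presenting that session is refused, because the
 * request has just carried the session id in cleartext. Map it to the
 * url-pattern /* in web.xml so it sees every request.
 */
public class SecureSessionFilter implements Filter {

    /** Session attribute set the first time the session is seen over SSL. */
    static final String SECURE_ATTR = "SecureSessionFilter.secure";

    public void init(FilterConfig config) throws ServletException { }

    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res,
                         FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // getSession(false): never create a session merely to inspect it,
        // or an anonymous HTTP request would be handed a fresh id in cleartext.
        HttpSession session = request.getSession(false);

        if (!request.isSecure() && session != null
                && session.getAttribute(SECURE_ATTR) != null) {
            // The session was promoted to SSL earlier, yet its id has now
            // arrived over plain HTTP: treat the id as exposed. Invalidating
            // the session (my addition to the thread's advice) makes the
            // leaked id worthless; the request itself is refused rather than
            // served, so there is no silent fall-back to HTTP.
            session.invalidate();
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "This session may only be used over HTTPS. Please log in again.");
            return;
        }

        chain.doFilter(request, response);

        // Flag after the chain has run, so a session that the login page
        // created during this SSL request is flagged as well.
        if (request.isSecure()) {
            session = request.getSession(false);
            if (session != null) {
                session.setAttribute(SECURE_ATTR, Boolean.TRUE);
            }
        }
    }
}
```

Pages that are legitimately served over HTTP (Steve's standardPage.jsp) still pass through for a visitor who has no SSL-flagged session; only a session that has already been used over HTTPS is locked to HTTPS.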
simple SSL question running Tomcat3.2 stand-alone
Should I be able to simply preface the URL with https: in order to access, say, the Tomcat index.html using SSL?

Put another way, http://mymachine/index.html works (I changed the port for http to 80 from 8080), but https://mymachine/index.html fails with Tomcat's error msg reading:

    Ctx( ): IOException in: R( /) Socket closed

According to other docs I've read this should 'just work'. What am I missing here?

Details of installation: I have installed Tomcat 3.2 and followed the instructions provided by the docs for placing the SSL jar files in the right places etc. When I come to gen a key, though, I am told that RSA is an unknown algorithm. Being outside the US, I assumed I was forbidden from using RSA, so generated the key without specifying the keyalg. Starting Tomcat is no problem and on startup it reports that it has an httpconnectionhandler on 443 (I changed the socket from 8443) as I read 443 is the default for the browsers.

Cheers,
--Tom
Re: simple SSL question running Tomcat3.2 stand-alone
I might be wrong but I thought browsers could only handle RSA algorithms. If you use another algorithm it won't work.

Tom Waite wrote:

[...] When I come to gen a key, though, I am told that RSA is an unknown algorithm. Being outside the US, I assumed I was forbidden from using RSA, so generated the key without specifying the keyalg. [...]
RE: simple SSL question running Tomcat3.2 stand-alone
Quite right! I did manage to get an RSA key generated and all is happy. Thanks.

-----Original Message-----
From: Trevor Little [mailto:[EMAIL PROTECTED]]
Sent: Friday, December 01, 2000 2:12 PM
To: [EMAIL PROTECTED]
Subject: Re: simple SSL question running Tomcat3.2 stand-alone

I might be wrong but I thought browsers could only handle RSA algorithms. If you use another algorithm it won't work.

[...]