Re: Trying to understand How Tomcat uses Keystore for SSL
IT WORKS

My next question is whether the Tomcat team would want this Java program that does the heavy lifting for letsencrypt, which I would be happy to clean up and make available as open source. The guts of the program comes from - http://acme4j.shredzone.org, which is under the Apache license. I've made a number of enhancements, e.g. a GUI front end; the ability to do the letsencrypt authorization without any user intervention; the ability to sit on an admin node, retrieve and install the retrieved letsencrypt SSL certificates on a remote tomcat node. If the answer is yes, let me know the procedure to make it available as open source.

Don

On Sun, Nov 26, 2017 at 4:54 PM, Don Flinn wrote:
> Didn't read closely enough. The protocol that I used is no longer
> applicable for Tomcat 9.
>
> Don
>
> On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn wrote:
>
>> Chris
>>
>> Thank you for your excellent reply and references.
>>
>> I've been doing a lot of reading on SSL, certificates, keys, algorithms,
>> etc. Woo! However I still don't have it correct.
>>
>> I've retrieved certificates from letsencrypt and following your
>> suggestions did the following.
>>
>> Created a pkcs12 store using the following command line.
>> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key"
>> -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout
>> "pass:changeit"
>>
>> where the domain-chain.crt contains two certificates and ICDTrustRoot
>> contains one as shown below -
>> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
>> -in domaincert1.crt (the first cert in domain-chain.crt)
>> subject= /CN=info.finwoks.com
>> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>>
>> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
>> -in domaincert2.crt (the second cert in domain-chain.crt)
>> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>>
>> PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer
>> -in ICDTrustRoot.crt
>> subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
>> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>> so I have the three certificates and the private key which is shared with
>> letsencrypt called domain.key
>> My server.xml contains:
>>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>>     port="8443" maxThreads="200"
>>     scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
>>     keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
>>     clientAuth="false" sslProtocol="TLS"
>>     />
>>
>> However when I restart Tomcat I get the following error in the Tomcat
>> error log and of course it fails in the handshake with the browser
>>
>> org.apache.catalina.core.StandardService.initInternal Failed to
>> initialize connector [Connector[HTTP/1.1-8443]]
>> org.apache.catalina.LifecycleException: Failed to initialize component
>> [Connector[HTTP/1.1-8443]]
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>>     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>>     at java.lang.reflect.Method.invoke(Unknown Source)
>>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
>> Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
>>     at org.apache.tomcat.jni.Pool.create(Native Method)
>>     at org.apache.tomcat.util.net.openssl.OpenSSLEngine.(OpenSSLEngine.java:75)
>>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
>>     at org.apache.tomcat.util.net.SSLUtilBase.(SSLUtilBase.java:46)
>>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.(OpenSSLUtil.java:41)
>>     at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
>>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:82)
>>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261)
>>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:798)
>>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547)
>>     at org.apache.coyote.http11.AbstractHttp11Protocol.
Re: Trying to understand How Tomcat uses Keystore for SSL
Didn't read closely enough. The protocol that I used is no longer applicable for Tomcat 9.

Don

On Sun, Nov 26, 2017 at 3:15 PM, Don Flinn wrote:
> Chris
>
> Thank you for your excellent reply and references.
>
> I've been doing a lot of reading on SSL, certificates, keys, algorithms,
> etc. Woo! However I still don't have it correct.
>
> I've retrieved certificates from letsencrypt and following your
> suggestions did the following.
>
> Created a pkcs12 store using the following command line.
> openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key"
> -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout
> "pass:changeit"
>
> where the domain-chain.crt contains two certificates and ICDTrustRoot
> contains one as shown below -
> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
> -in domaincert1.crt (the first cert in domain-chain.crt)
> subject= /CN=info.finwoks.com
> issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
>
> PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer
> -in domaincert2.crt (the second cert in domain-chain.crt)
> subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
>
> PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer
> -in ICDTrustRoot.crt
> subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
> issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3
> so I have the three certificates and the private key which is shared with
> letsencrypt called domain.key
> My server.xml contains:
>     sslImplementationName="org.apache.tomcat.util.net.openssl.OpenSSLImplementation"
>     port="8443" maxThreads="200"
>     scheme="https" secure="true" SSLEnabled="true" keystoreType="PKCS12"
>     keystoreFile="/users/don/Security/MM.p12" keystorePass="changeit"
>     clientAuth="false" sslProtocol="TLS"
>     />
>
> However when I restart Tomcat I get the following error in the Tomcat
> error log and of course it fails in the handshake with the browser
>
> org.apache.catalina.core.StandardService.initInternal Failed to
> initialize connector [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Failed to initialize component
> [Connector[HTTP/1.1-8443]]
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
>     at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
>     at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
>     at java.lang.reflect.Method.invoke(Unknown Source)
>     at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
>     at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
> Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
>     at org.apache.tomcat.jni.Pool.create(Native Method)
>     at org.apache.tomcat.util.net.openssl.OpenSSLEngine.(OpenSSLEngine.java:75)
>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
>     at org.apache.tomcat.util.net.SSLUtilBase.(SSLUtilBase.java:46)
>     at org.apache.tomcat.util.net.openssl.OpenSSLUtil.(OpenSSLUtil.java:41)
>     at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
>     at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:82)
>     at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261)
>     at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:798)
>     at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547)
>     at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
>     at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
>     at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
>     ... 12 more
>
> I'm running Tomcat 9 in Amazon Web services using Windows Server. I don't
> know what I'm doing wrong. Further help will be appreciated. It appears I
> have the pkcs12 wrong.
>
> Don
>
> On Tue, Nov 14, 2017 at 4:33 PM, Christopher Schultz <
> ch...@christopherschultz.net> wrote:
>
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA256
>>
>> Don,
>>
>> On 11/14/17 1:57 AM, Don Flinn wrote:
>> > I've done some reading on SSL and understand the protocol is as
>> > follows; Client/Browser sends ClientHello and server Tomcat replies
>> > with ServerHello. This establishes the protocol they
Re: Trying to understand How Tomcat uses Keystore for SSL
Chris

Thank you for your excellent reply and references.

I've been doing a lot of reading on SSL, certificates, keys, algorithms, etc. Woo! However I still don't have it correct.

I've retrieved certificates from letsencrypt and following your suggestions did the following.

Created a pkcs12 store using the following command line.

openssl pkcs12 -export -in "domain-chain.crt" -inkey "domain.key" -certfile "ICDTrustRoot.crt" -out "MM.p12" -name tomcat -passout "pass:changeit"

where the domain-chain.crt contains two certificates and ICDTrustRoot contains one as shown below -

PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer -in domaincert1.crt (the first cert in domain-chain.crt)
subject= /CN=info.finwoks.com
issuer= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3

PS C:\users\don\security\letsenc5> openssl x509 -noout -subject -issuer -in domaincert2.crt (the second cert in domain-chain.crt)
subject= /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

PS C:\users\don\security\letsenc4> openssl x509 -noout -subject -issuer -in ICDTrustRoot.crt
subject= /O=Digital Signature Trust Co./CN=DST Root CA X3
issuer= /O=Digital Signature Trust Co./CN=DST Root CA X3

so I have the three certificates and the private key which is shared with letsencrypt called domain.key

My server.xml contains:

However when I restart Tomcat I get the following error in the Tomcat error log and of course it fails in the handshake with the browser

org.apache.catalina.core.StandardService.initInternal Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:112)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:549)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:873)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:606)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:629)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:311)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:494)
Caused by: java.lang.UnsatisfiedLinkError: org.apache.tomcat.jni.Pool.create(J)J
    at org.apache.tomcat.jni.Pool.create(Native Method)
    at org.apache.tomcat.util.net.openssl.OpenSSLEngine.(OpenSSLEngine.java:75)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.getImplementedProtocols(OpenSSLUtil.java:61)
    at org.apache.tomcat.util.net.SSLUtilBase.(SSLUtilBase.java:46)
    at org.apache.tomcat.util.net.openssl.OpenSSLUtil.(OpenSSLUtil.java:41)
    at org.apache.tomcat.util.net.openssl.OpenSSLImplementation.getSSLUtil(OpenSSLImplementation.java:36)
    at org.apache.tomcat.util.net.AbstractJsseEndpoint.initialiseSsl(AbstractJsseEndpoint.java:82)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:261)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:798)
    at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:547)
    at org.apache.coyote.http11.AbstractHttp11Protocol.init(AbstractHttp11Protocol.java:66)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:1010)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:107)
    ... 12 more

I'm running Tomcat 9 in Amazon Web services using Windows Server. I don't know what I'm doing wrong. Further help will be appreciated. It appears I have the pkcs12 wrong.

Don

On Tue, Nov 14, 2017 at 4:33 PM, Christopher Schultz <ch...@christopherschultz.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA256
>
> Don,
>
> On 11/14/17 1:57 AM, Don Flinn wrote:
> > I've done some reading on SSL and understand the protocol is as
> > follows; Client/Browser sends ClientHello and server Tomcat replies
> > with ServerHello. This establishes the protocol they will use. The
> > server then sends the certificate and the public key - in the
> > clear The browser encrypts a message containing the servers domain,
> > all encrypted with the server's public key to the CA which the
> > browser trusts. The public key is in the certificate. The CA
> > de-crypts the message with the server's private key. So the
> > server's name/ domain must be not encrypted. If the server can
> > decrypt the message it knows the server and it then sends a ack
> > message back to the browser encrypted with the client's private
> > key.
>
> Most of that is correct (enough) except for the last part: the server
> never has the client's private key. The h
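An added example, not code from this thread and not part of Tomcat: a small Java check to run against MM.p12 before it goes into server.xml. It opens the file through the same java.security.KeyStore API that Tomcat's JSSE code uses, confirms that the alias given to openssl's -name ("tomcat" above) holds a private key, prints the chain stored with that key, verifies that each certificate is signed by the next one (leaf, then Let's Encrypt Authority X3, then DST Root CA X3, in the order listed above), checks the validity dates, and checks that the leaf names the host. File name, password, alias and host name are command-line arguments; nothing else is assumed. One caveat: the UnsatisfiedLinkError on org.apache.tomcat.jni.Pool.create in the log above is not a keystore problem. It is raised when the Tomcat Native (APR/OpenSSL) library that sslImplementationName="...OpenSSLImplementation" requires cannot be loaded, so this check addresses the chain question, not that error.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.List;

/**
 * Checks a PKCS12 keystore the way Tomcat's JSSE connector will consume it:
 * the alias must hold a private key, and the chain stored with it must run
 * leaf -> intermediate(s) -> root, each certificate signed by the next.
 * Usage: java KeystoreChainCheck MM.p12 changeit tomcat info.example.com
 * (arguments are examples; use your own file, password, alias and host)
 */
public class KeystoreChainCheck {

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreChainCheck <file.p12> <password> <alias> [hostname]");
            System.exit(2);
        }
        String hostname = args.length > 3 ? args[3] : null;
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        System.out.println("Aliases in store: " + Collections.list(ks.aliases()));

        List<String> problems = check(ks, args[1].toCharArray(), args[2], hostname);
        if (problems.isEmpty()) {
            System.out.println("OK: alias '" + args[2] + "' holds a private key with a consistent chain");
        } else {
            for (String p : problems) System.out.println("PROBLEM: " + p);
            System.exit(1);
        }
    }

    /** Returns findings; an empty list means the entry looks usable by Tomcat. */
    static List<String> check(KeyStore ks, char[] password, String alias, String hostname) throws Exception {
        List<String> problems = new ArrayList<>();
        if (!ks.isKeyEntry(alias)) {
            problems.add("alias '" + alias + "' is not a private-key entry (does -name match keyAlias?)");
            return problems;
        }
        if (ks.getKey(alias, password) == null) {
            problems.add("private key for alias '" + alias + "' could not be read with the given password");
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0) {
            problems.add("no certificate chain stored with alias '" + alias + "'");
            return problems;
        }
        Date now = new Date();
        for (int i = 0; i < chain.length; i++) {
            X509Certificate cert = (X509Certificate) chain[i];
            System.out.printf("[%d] subject=%s%n    issuer=%s%n", i,
                    cert.getSubjectX500Principal(), cert.getIssuerX500Principal());
            try {
                cert.checkValidity(now);
            } catch (Exception e) {
                problems.add("certificate " + i + " is not valid now: " + e.getMessage());
            }
            if (i + 1 < chain.length) {
                // Each certificate must verify under the public key of the next one in the chain.
                X509Certificate issuer = (X509Certificate) chain[i + 1];
                try {
                    cert.verify(issuer.getPublicKey());
                } catch (Exception e) {
                    problems.add("certificate " + i + " is not signed by certificate " + (i + 1)
                            + " (chain order wrong or wrong intermediate): " + e.getMessage());
                }
            }
        }
        // chain[0] is the leaf; it must name the host the browser will connect to.
        X509Certificate leaf = (X509Certificate) chain[0];
        if (hostname != null && !namesOf(leaf).contains(hostname.toLowerCase())) {
            problems.add("leaf certificate does not name host '" + hostname + "'; names: " + namesOf(leaf));
        }
        return problems;
    }

    /** DNS names from subjectAltName plus the subject CN, lower-cased. */
    static List<String> namesOf(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (Integer.valueOf(2).equals(san.get(0))) { // GeneralName type 2 = dNSName
                    names.add(String.valueOf(san.get(1)).toLowerCase());
                }
            }
        }
        for (String rdn : cert.getSubjectX500Principal().getName().split(",")) {
            if (rdn.startsWith("CN=")) names.add(rdn.substring(3).toLowerCase());
        }
        return names;
    }
}
```

Run it with the same keystoreFile and keystorePass values that server.xml will use; a keystore that passes here but still fails in Tomcat points at the connector configuration (the sslImplementationName and the native library it needs) rather than at the PKCS12 contents.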
Re: where to put jars used by several apps
One issue you might face in this configuration is if you have multiple versions of the same library existing on the same path, let's say com.example v1.0 and v2.0, and each is a dependency for one or more webapps. If a webapp depending on 2.0 requires class com.example.X which is available in both versions, and if the class loader looks in v1.0 jar file first, then you might see some CNF exceptions and such.

To workaround this ensure both statements below are true:

1. The class loader searches in WEB-INF jar files before common.loader (I think it should be the case)
2. Update your build process to include in WEB-INF only jar files that have an older version in common.loader path (just to not break any webapp especially the one being installed).

If you end up updating all webapps to use the latest version of the library com.example, you'll end up with all webapps having the latest version in WEB-INF and the unused older version in common.loader path. Then update the common.loader path by removing the old version and adding the new one, and remove it from WEB-INF directories.

This might incur more work on managing the webapps. But if you could have an automated build process that decides where to put dependency jar files and have it as a step for all webapps builds, then it could be a time/space saver later.

Regards,
Nasry Al-Haddad

Sent from BlueMail

On Nov 25, 2017, 16:35, at 16:35, rich...@xentu.com wrote:
>I've written a few jersey webapps, and each has about 20 jar files
>included as Maven dependencies.
>
>The inclusion of those jars increases the size of the resulting wars by
>a factor of over 100. Uploading a war via 'Tomcat Web Application
>Manager' takes several minutes, presumably due in part to the war size.
>
>Given that these webapps require the same set of jars in their
>WEB-INF/lib/, I thought I could place them in say
>
>C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jersey
>
>where all webapps could find them.
>
>In catalina.properties, I appended this new directory to the
>common.loader list of paths:
>
>common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/lib/jersey/*.jar
>
>Then, in each jersey webapp, I'd modify pom.xml to exclude those files
>from the war.
>
>    maven-war-plugin
>    3.2.0
>        WEB-INF/lib/*.jar
>
>This approach seems to work.
>
>So, the question I'm seeking advice on is this:
>
>If I have a collection of jars that I want to keep on Tomcat, for some
>but not all webapps, and those jars are not to be included in the wars,
>is this an acceptable technique? Or is it going to land me in trouble?
>Does the order of locations in common.loader matter?
>
>
>Thanks for any advice
>Richard
>
>---------------------------------------------------------------------
>To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>For additional commands, e-mail: users-h...@tomcat.apache.org
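An added example, not code from this thread or from Tomcat, that checks statement 1 and the shadowing risk above mechanically. Tomcat's webapp class loader, with its default delegate="false", looks in the webapp's own WEB-INF/classes and WEB-INF/lib before the common loader (Java SE classes are the exception: those always come from the JVM first). The scan below takes directories in that search order, lists every class that more than one jar provides, says which jar wins, and compares the class entries' CRCs so an identical copy of the same jar can be told apart from a genuinely different version, which is the case that produces the errors described. The directory names in the usage line are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import java.util.jar.JarEntry;
import java.util.jar.JarFile;

/**
 * Lists classes that more than one jar provides, across directories given in
 * the order the class loader will consult them. The first jar listed for a
 * class is the one that wins at runtime; the others are shadowed.
 * Usage: java JarShadowReport webapps/app/WEB-INF/lib lib/jersey lib
 * (directory names are hypothetical examples)
 */
public class JarShadowReport {

    /** One copy of a class: the jar it lives in and the entry CRC, to tell identical copies from different versions. */
    static final class Owner {
        final String jar;
        final long crc;
        Owner(String jar, long crc) { this.jar = jar; this.crc = crc; }
    }

    public static void main(String[] args) throws IOException {
        List<File> dirs = new ArrayList<>();
        for (String a : args) dirs.add(new File(a));
        Map<String, List<Owner>> shadowed = findShadowedClasses(dirs);
        if (shadowed.isEmpty()) {
            System.out.println("no class is provided by more than one jar");
            return;
        }
        for (Map.Entry<String, List<Owner>> e : shadowed.entrySet()) {
            List<Owner> owners = e.getValue();
            Owner winner = owners.get(0);
            System.out.println(e.getKey());
            System.out.println("    wins:   " + winner.jar);
            for (Owner loser : owners.subList(1, owners.size())) {
                String same = loser.crc == winner.crc ? "identical copy" : "DIFFERENT bytes";
                System.out.println("    hidden: " + loser.jar + " (" + same + ")");
            }
        }
    }

    /** Maps each class found in two or more jars to its owners, in search order. */
    static Map<String, List<Owner>> findShadowedClasses(List<File> dirsInSearchOrder) throws IOException {
        Map<String, List<Owner>> owners = new LinkedHashMap<>();
        for (File dir : dirsInSearchOrder) {
            File[] jars = dir.listFiles((d, name) -> name.endsWith(".jar"));
            if (jars == null) {
                System.err.println("skipping " + dir + ": not a readable directory");
                continue;
            }
            Arrays.sort(jars); // deterministic order within one directory
            for (File jar : jars) {
                try (JarFile jf = new JarFile(jar)) {
                    Enumeration<JarEntry> entries = jf.entries();
                    while (entries.hasMoreElements()) {
                        JarEntry entry = entries.nextElement();
                        String name = entry.getName();
                        // Only class files; skip multi-release and signature material under META-INF.
                        if (!name.endsWith(".class") || name.startsWith("META-INF/")) continue;
                        String className = name.substring(0, name.length() - ".class".length()).replace('/', '.');
                        owners.computeIfAbsent(className, k -> new ArrayList<>())
                              .add(new Owner(jar.getPath(), entry.getCrc()));
                    }
                }
            }
        }
        Map<String, List<Owner>> shadowed = new LinkedHashMap<>();
        for (Map.Entry<String, List<Owner>> e : owners.entrySet()) {
            if (e.getValue().size() > 1) shadowed.put(e.getKey(), e.getValue());
        }
        return shadowed;
    }
}
```

Run it once per webapp with that webapp's WEB-INF/lib first and the common.loader directories after it; a "DIFFERENT bytes" line for a class the webapp needs from the newer jar is exactly the situation in which the shared copy in common.loader would win for any webapp that does not ship its own.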
Re: where to put jars used by several apps
I see by your paths that you are an MS person. Your solution is clever but has the distribution problem that a war file may not be enough.

For Unix based folks (MAC, Linux), there is a much easier solution. Put your common jars in some directory that you like (for me /opt/web_jars/acquired). Then HARD link the jars to where you want them e.g.

ln /opt/web_jars/acquired/commons-logging-1.2.jar /opt/apache/webapps/application/WEB-INF/lib

This does not solve the problem for a target machine running multiple applications, but it sure does solve the problem for a development machine with multiple applications and target machines running any one of them. War files work fine.

Your solution does have one major advantage - war files are smaller. But if you change any of those jars, you need to distribute those changes and the war file does NOT do it!

On Saturday, November 25, 2017 9:35 AM, "rich...@xentu.com" wrote:

I've written a few jersey webapps, and each has about 20 jar files included as Maven dependencies.

The inclusion of those jars increases the size of the resulting wars by a factor of over 100. Uploading a war via 'Tomcat Web Application Manager' takes several minutes, presumably due in part to the war size.

Given that these webapps require the same set of jars in their WEB-INF/lib/, I thought I could place them in say

C:\Program Files\Apache Software Foundation\Tomcat 7.0\lib\jersey

where all webapps could find them.

In catalina.properties, I appended this new directory to the common.loader list of paths:

common.loader=${catalina.base}/lib,${catalina.base}/lib/*.jar,${catalina.home}/lib,${catalina.home}/lib/*.jar,${catalina.base}/lib/jersey/*.jar

Then, in each jersey webapp, I'd modify pom.xml to exclude those files from the war.

    maven-war-plugin
    3.2.0
        WEB-INF/lib/*.jar

This approach seems to work.

So, the question I'm seeking advice on is this:

If I have a collection of jars that I want to keep on Tomcat, for some but not all webapps, and those jars are not to be included in the wars, is this an acceptable technique? Or is it going to land me in trouble? Does the order of locations in common.loader matter?

Thanks for any advice
Richard