Re: Secure Tomcat With SSL
Chris,

Thank you for taking the time to help me in securing Tomcat. I called GoDaddy and they instructed me to download the Tomcat cert, which I did, and follow their provided instructions:
http://support.godaddy.com/help/article/5239/generating-a-csr-and-installing-an-ssl-certificate-in-tomcat-4x5x6x?locale=en

I skipped generating a keystore and CSR in Tomcat and went directly to installing SSL in Tomcat (generating a CSR and keystore: Tomcat already has a keystore, no? I have already generated the CSR with GoDaddy; that's how I got the cert, no?). So in installing SSL in Tomcat, I run the 1st command:

keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file /root/2b05f72c7ddd37/gd_bundle.crt

(this is the root cert according to the rep with GoDaddy) and get this:

Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias root already exists

Then:

./keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file /root/2b05f72c7ddd37/gd_intermediate.crt

and get this:

Enter keystore password:
Certificate already exists in keystore under alias root
Do you still want to add it? [no]: y
Certificate was added to keystore

Then:

./keytool -import -alias tomcat -keystore tomcat.keystore -trustcacerts -file /root/2b05f72c7ddd37//2b05f72c7ddd37.crt

and get this:

Enter keystore password:
keytool error: java.lang.Exception: Certificate not imported, alias tomcat already exists

Not sure where to go from here! Can anyone help? I just want to do something basic, and that is secure Tomcat with a GoDaddy SSL cert.

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Secure Tomcat With SSL
-----Original Message-----
From: Chris Arnold [mailto:carn...@electrichendrix.com]
Sent: Wednesday, October 30, 2013 9:43 AM
To: Tomcat Users List
Subject: Re: Secure Tomcat With SSL

> [...]

Chris,

First, go back and re-read the last wonderful response you received from Ognjen. He is right on the money for how you last had your server.xml configured. If you haven't made any changes, you need to do so.

Then, ignore the bad advice that GoDaddy is giving you, because they didn't understand that you are using OpenSSL, aka the Tomcat Native Libraries, aka APR, in your configuration. Go back to the GoDaddy site and re-issue the signed certificate and the bundled CA certs in Apache format and save them somewhere that Tomcat can see them. Add the 3 SSL lines to the 2nd connector in your server.xml as Ognjen suggested, and comment out the 4th connector to avoid conflicts (you didn't provide the port numbers for the connectors, so I can't be sure you won't have conflicts). That should do it. And have fun.

If you insist on using the Java keystore method that GoDaddy is assuming you use, you need to make a few more changes:

1) Comment out or remove this line in your server.xml:
   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
   This will prevent the APR library from loading for all connectors.
2) Comment out the 2nd Connector (first SSL connector) to avoid conflicts with your 4th Connector.
3) You must use the alias tomcat for the SSL certificate when you load it into your keystore.

I really suggest that you just use the APR/OpenSSL setup that you have half-configured. It is much easier to maintain and you can avoid all this messy mucking about with keytool.

Jeff
Re: Secure Tomcat With SSL
On 30.10.2013 18:41, Jeffrey Janner wrote:
>> Not sure where to go from here! Can anyone help? I just want to do something basic, and that is secure Tomcat with a GoDaddy SSL cert.
>
> First, go back and re-read the last wonderful response you received from Ognjen. He is right on the money for how you last had your server.xml configured. If you haven't made any changes, you need to do so.
>
> Then, ignore the bad advice that GoDaddy is giving you, because they didn't understand that you are using OpenSSL, aka the Tomcat Native Libraries, aka APR, in your configuration. Go back to the GoDaddy site and re-issue the signed certificate and the bundled CA certs in Apache format and save them somewhere that Tomcat can see them. Add the 3 SSL lines to the 2nd connector in your server.xml as Ognjen suggested, and comment out the 4th connector to avoid conflicts (you didn't provide the port numbers for the connectors, so I can't be sure you won't have conflicts). That should do it. And have fun.

There are actually so many questions for Chris. For starters:

1. Did someone configure this Tomcat instance before you?
2. Who added the 4th connector to server.xml?
3. If the 4th connector is working, and according to the log messages it does, then why did you add the 2nd connector?
4. If the 4th connector for some reason is not working correctly, maybe you should comment it out, as Jeffrey suggests, and then we could try to configure the 2nd connector together.

I will stop here. Before we sort out the basic stuff, I wouldn't be so sure what to advise you to do next.

-Ognjen
Re: Secure Tomcat With SSL
Ognjen,

On 10/26/13, 6:47 PM, Ognjen Blagojevic wrote:
> Chris,
>
> On 26.10.2013 23:39, Chris Arnold wrote:
>> Tomcat 7.0.42 on SLES11. I am following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to secure Tomcat. I have uncommented the SSL HTTP section. The configuration section of that doc, importing the certificate: I have a GoDaddy bundle in crt format. I can download the cert bundle from GoDaddy for Tomcat but it also is a crt file. Do I have to run this exact command:
>>
>> openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
>>     -out mycert.p12 -name tomcat -CAfile myCA.crt \
>>     -caname root -chain
>
> It looks ok to me. Does it work for you?
>
> It will create a PKCS#12 keystore file (mycert.p12), so you may:
>
> 1. add the parameter keystoreType="pkcs12" to your HTTPS connector, and use that file, or
> 2. convert the PKCS#12 keystore to Java Keystore format, and use the default keystore type (JKS).
>
> Both are possible only if you plan to use either the BIO or NIO HTTP connector. If you plan to use APR, connector configuration is completely different.

I've been having some trouble lately converting keys and certs from OpenSSL format into Java's JKS format. I follow all of the magical incantations I can find online to convert key+cert into a Java keystore but I get no love.

Is there a decent guide anywhere for how to do this?

-chris
RE: Secure Tomcat With SSL
-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Subject: Re: Secure Tomcat With SSL

> I've been having some trouble lately converting keys and certs from OpenSSL format into Java's JKS format. I follow all of the magical incantations I can find online to convert key+cert into a Java keystore but I get no love.
>
> Is there a decent guide anywhere for how to do this?
>
> -chris

From my book of spells. Used this to configure SSL in Apache httpd for Subversion Edge.

openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name svnedge -out C:/server.p12
keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12 -destkeystore C:/svnedge.jks

Leo
RE: Secure Tomcat With SSL
-----Original Message-----
From: Chris Arnold [mailto:carn...@electrichendrix.com]
Sent: Saturday, October 26, 2013 7:47 PM
To: Tomcat Users List
Subject: Re: Secure Tomcat With SSL

>> Chris,
>>
>> On 26.10.2013 23:39, Chris Arnold wrote:
>>> Tomcat 7.0.42 on SLES11. I am following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to secure Tomcat. I have uncommented the SSL HTTP section. The configuration section of that doc, importing the certificate: I have a GoDaddy bundle in crt format. I can download the cert bundle from GoDaddy for Tomcat but it also is a crt file. Do I have to run this exact command:
>>>
>>> openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
>>>     -out mycert.p12 -name tomcat -CAfile myCA.crt \
>>>     -caname root -chain
>>
>> It looks ok to me. Does it work for you?
>
> It doesn't look like it will work as I do not have a CA file.
>
>> It will create a PKCS#12 keystore file (mycert.p12), so you may:
>>
>> 1. add the parameter keystoreType="pkcs12" to your HTTPS connector, and use that file, or
>> 2. convert the PKCS#12 keystore to Java Keystore format, and use the default keystore type (JKS).
>>
>> Both are possible only if you plan to use either the BIO or NIO HTTP connector. If you plan to use APR, connector configuration is completely different.
>
> Not sure what either of these are. I just need secure Tomcat.

Chris,

If it turns out you are using APR, when you export your signed certificate and CA bundles, just specify that you want them for Apache, not Tomcat. Then you can reference the files directly in the server.xml. If you are using the Java-based connectors, you should ask for Tomcat signed certificates, and I think you have to somehow combine them for use in the keystore (it's been a long time since I did that, I'm APR only). In other words, when you request a cert signed for Tomcat at GoDaddy, it really means a Java keystore compatible certificate. When you select Apache it really means an OpenSSL compatible certificate.

Jeff
Re: Secure Tomcat With SSL
Chris, Leo,

On 28.10.2013 18:23, Leo Donahue - OETX wrote:
>> I've been having some trouble lately converting keys and certs from OpenSSL format into Java's JKS format. I follow all of the magical incantations I can find online to convert key+cert into a Java keystore but I get no love.
>>
>> Is there a decent guide anywhere for how to do this?
>
> From my book of spells. Used this to configure SSL in Apache httpd for Subversion Edge.
>
> openssl pkcs12 -export -in C:/server.crt -inkey C:/server.key -name svnedge -out C:/server.p12
> keytool -importkeystore -srckeystore C:/server.p12 -srcstoretype PKCS12 -destkeystore C:/svnedge.jks

During the TLS handshake, a server may respond with a complete certificate chain (server certificate with all intermediate certificates) or with an incomplete certificate chain (e.g. server certificate without any/some intermediate certificates). Most servers, around 88% of them, deliver the full certificate chain, according to research mentioned here [1].

A complete certificate chain is recognized as valid by every client that implements TLS (assuming that the root CA certificate is in the client keystore). An incomplete certificate chain may be recognized as valid by some TLS clients (e.g. Internet Explorer), using information from the X.509v3 extension called Authority Information Access (AIA), or using previously validated certificate chains. Some clients will not recognize an incomplete certificate chain as valid (e.g. openssl or Apache HTTPCommons Client). Even the same client may sometimes recognize incomplete certificate chains as valid and sometimes as invalid, thanks to caching of intermediate certificates.

Therefore, it is best practice always to deliver the complete certificate chain to the client. Having the root CA certificate in the chain is unnecessary, as it wastes your bandwidth during the TLS handshake (your client already has the root CA certificate in its own keystore).

Assuming that the intermediate certificates (intermediates.pem), server certificate (server.pem) and private key (server.key) are all in PEM format, you need to add the option -certfile to the command Leo provided:

openssl pkcs12 -export -out keystore.p12 -name myserver -in server.pem -inkey server.key -certfile intermediates.pem

Verify the contents of the p12 keystore with:

openssl pkcs12 -in keystore.p12 -nokeys

You should verify that the certificate chain is complete (up to, but without, the root CA certificate).

Now, you may use that keystore for BIO and NIO connectors:

keystoreFile="keystore.p12" keyAlias="myserver" keystoreType="pkcs12"

Or you may convert it to a JKS keystore as Leo suggests.

-Ognjen

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=399324#c72
Re: Secure Tomcat With SSL
This tool has saved me a few times over: http://sourceforge.net/projects/portecle/

On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:
> [...]
Re: Secure Tomcat With SSL
> Let us first determine which connector you have configured (BIO, NIO or APR), because HTTPS configuration depends on connector type. Could you send your server.xml with comments and sensitive information removed?

<?xml version='1.0' encoding='utf-8'?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Note:  A Server is not itself a Container, so you may not
     define subcomponents such as Valves at this level.
     Documentation at /docs/config/server.html
 -->
<Server port="8xxx" shutdown="SHUTDOWN">
  <!-- Security listener. Documentation at /docs/config/listeners.html
  <Listener className="org.apache.catalina.security.SecurityListener" />
  -->
  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <!--Initialize Jasper prior to webapps are loaded. Documentation at /docs/jasper-howto.html -->
  <Listener className="org.apache.catalina.core.JasperListener" />
  <!-- Prevent memory leaks due to use of particular java/javax APIs-->
  <!-- <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" /> -->
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <!-- <Listener className="org.apache.catalina.core.ThreadLocalLeakPreventionListener" /> -->

  <!-- Global JNDI resources
       Documentation at /docs/jndi-resources-howto.html
  -->
  <GlobalNamingResources>
    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users
    -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="removed" />
  </GlobalNamingResources>

  <!-- A Service is a collection of one or more Connectors that share
       a single Container
       Note:  A Service is not itself a Container, so you may not
       define subcomponents such as Valves at this level.
       Documentation at /docs/config/service.html
   -->
  <Service name="Catalina">

    <!--The connectors can use a shared executor, you can define one or more named thread pools-->
    <!--
    <Executor name="tomcatThreadPool" namePrefix="catalina-exec-"
        maxThreads="150" minSpareThreads="4"/>
    -->

    <!-- A Connector represents an endpoint by which requests are received
         and responses are returned. Documentation at :
         Java HTTP Connector: /docs/config/http.html (blocking & non-blocking)
         Java AJP  Connector: /docs/config/ajp.html
         APR (HTTP/AJP) Connector: /docs/apr.html
         Define a non-SSL HTTP/1.1 Connector on port 8080
    -->
    <Connector port="xx" URIEncoding="UTF-8" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="x"
               maxHttpHeaderSize="32768" />
    <!-- A Connector using the shared thread pool-->
    <!--
    <Connector executor="tomcatThreadPool"
               port="8080" URIEncoding="UTF-8" protocol="HTTP/1.1"
               connectionTimeout="2"
               redirectPort="x"
               maxHttpHeaderSize="32768" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="x" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               maxHttpHeaderSize="32768" />

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="x" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="x" />

    <Connector port="x" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol"
               SSLEnabled="true" maxThreads="150" scheme="https"
               keystoreFile="/opt/alfresco/alf_data/keystore/ssl.keystore"
               keystorePass="kT9X6oe68t" keystoreType="JCEKS"
               secure="true" connectionTimeout="24"
               truststoreFile="/opt/alfresco/alf_data/keystore/ssl.truststore"
               truststorePass="kT9X6oe68t" truststoreType="JCEKS"
               clientAuth="want" sslProtocol="TLS"
               allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" />

    <!-- An Engine
Re: Secure Tomcat With SSL
Chris,

On 28.10.2013 21:45, Chris Arnold wrote:
>> Let us first determine which connector you have configured (BIO, NIO or APR), because HTTPS configuration depends on connector type. Could you send your server.xml with comments and sensitive information removed?
>
> <?xml version='1.0' encoding='utf-8'?>
> <!--

Please, remove comments next time, it will make it easier for us to read.

> <Connector port="xx" URIEncoding="UTF-8" protocol="HTTP/1.1"
>            connectionTimeout="2" redirectPort="x" maxHttpHeaderSize="32768" />
> ...
> <Connector port="x" URIEncoding="UTF-8" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true" clientAuth="false"
>            sslProtocol="TLS" maxHttpHeaderSize="32768" />
> ...
> <Connector port="x" URIEncoding="UTF-8" protocol="AJP/1.3" redirectPort="x" />
>
> <Connector port="x" URIEncoding="UTF-8" protocol="org.apache.coyote.http11.Http11Protocol"
>            SSLEnabled="true" maxThreads="150" scheme="https"
>            keystoreFile="/opt/alfresco/alf_data/keystore/ssl.keystore"
>            keystorePass="kT9X6oe68t" keystoreType="JCEKS" secure="true"
>            connectionTimeout="24"
>            truststoreFile="/opt/alfresco/alf_data/keystore/ssl.truststore"
>            truststorePass="kT9X6oe68t" truststoreType="JCEKS"
>            clientAuth="want" sslProtocol="TLS"
>            allowUnsafeLegacyRenegotiation="true" maxHttpHeaderSize="32768" />

Ok, so you have four connectors configured. The first two of them have the attribute protocol="HTTP/1.1", which means that Tomcat will automatically select between the APR and BIO connector. APR will be selected if the appropriate library is found on the system. If not, the BIO connector will be selected.

Note that you disclosed your keystore passwords on a public mailing list, so you may consider changing them.

> Here it is but you will see both being initialized:
>
> Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler [http-apr-8080]

Ok, so the APR library is found, and the APR HTTP connector is initialized on port 8080. The second (HTTPS, APR auto-selected) connector probably fails to initialize since you didn't provide the necessary files containing the key and certificates.

> Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler [ajp-apr-8009]

This is the third connector in your configuration. It is used for communication between Apache httpd and Apache Tomcat. In case you don't use httpd, you may comment that one out.

> Oct 18, 2013 8:03:58 PM org.apache.coyote.AbstractProtocol init
> INFO: Initializing ProtocolHandler [http-bio-8443]

This is the fourth connector from your configuration, and it is the BIO connector, since the attribute protocol is set to org.apache.coyote.http11.Http11Protocol. It seems to be working fine.

Now you have two HTTPS connectors configured, APR (2nd in your configuration) and BIO (fourth in your configuration). APR fails to start. It is not clear from the information you provided so far whether you are trying to configure the APR connector, but I will assume you are, since the BIO connector looks configured already. You will have to make sure that the ports for the APR and BIO connectors differ.

Now, for the APR connector, you don't need a keystore, but separate files for the server key, server certificate, and intermediate certificates. Then add those attributes to the APR connector:

SSLCertificateFile="/home/tomcat/server.cert"
SSLCertificateKeyFile="/home/tomcat/server.key"
SSLCertificateChainFile="/home/tomcat/intermediates.pem"

When you get the APR HTTPS connector up and running, to remove weak ciphers from the OpenSSL default configuration, I strongly suggest that you also restrict the ciphers in use, by adding these two attributes to the connector configuration (*):

SSLHonorCipherOrder="true"
SSLCipherSuite="EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA+SHA384:EECDH+ECDSA+SHA256:EECDH+aRSA+SHA384:EECDH+aRSA+SHA256:EECDH+aRSA+RC4:EECDH:EDH+aRSA:RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS"

For more info on setting up the APR HTTPS connector, please read:
https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_APR/Native

-Ognjen

(*) As recommended by Ivan Ristic:
https://community.qualys.com/blogs/securitylabs/2013/08/05/configuring-apache-nginx-and-openssl-for-forward-secrecy#/?page=2
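An added example, not code from the thread, that exercises both Ognjen's earlier -certfile advice for the PKCS#12 keystore (BIO/NIO connectors) and the separate PEM files the APR connector attributes above point at. It builds a throwaway root -> intermediate -> server chain with openssl, exports the keystore with and without -certfile and counts what each really carries, then checks that the APR-style files verify as a chain and that the key file belongs to the certificate file. All file names, CNs, paths and the password are constructed for the demo; it assumes only that openssl (1.1.1 or newer) is on PATH.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a throwaway root -> intermediate -> server
# chain with openssl, then checks the two things the thread turns on:
#   1. a PKCS#12 keystore for a BIO/NIO connector only carries the intermediate when it
#      is exported with -certfile (Ognjen's addition to Leo's command);
#   2. the separate PEM files an APR connector points at must verify as a chain, and the
#      key file must belong to the certificate file.
# Assumes openssl (1.1.1 or newer) on PATH. Every file name, CN and password below is
# constructed for this demo.
set -eu

WORK="$(mktemp -d)"
PASS="pass:demo-keystore-password"   # constructed; keep real passwords out of scripts

# issue_cert NAME ISSUER EXTENSIONS  (ISSUER is "self" for the self-signed root)
issue_cert() {
    name="$1"; issuer="$2"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
    printf '%b\n' "$3" > "$WORK/$name.ext"          # %b turns \n into a line break
    if [ "$issuer" = self ]; then
        sign="-signkey $WORK/$name.key"
    else
        sign="-CA $WORK/$issuer.pem -CAkey $WORK/$issuer.key -CAcreateserial"
    fi
    # $sign is intentionally unquoted so it splits into separate arguments
    openssl x509 -req -in "$WORK/$name.csr" $sign -days 1 \
        -extfile "$WORK/$name.ext" -out "$WORK/$name.pem" 2>/dev/null
}

build_chain() {
    issue_cert root-ca self 'basicConstraints=critical,CA:TRUE'
    issue_cert intermediate-ca root-ca 'basicConstraints=critical,CA:TRUE,pathlen:0'
    issue_cert server intermediate-ca \
        'basicConstraints=CA:FALSE\nsubjectAltName=DNS:server.example.test'
    # What an APR connector's SSLCertificateChainFile should hold: intermediates only,
    # never the root (clients already trust the root from their own store).
    cp "$WORK/intermediate-ca.pem" "$WORK/intermediates.pem"
}

# export_p12 OUTFILE [CHAINFILE]  : Leo's command; CHAINFILE adds Ognjen's -certfile
export_p12() {
    openssl pkcs12 -export -out "$WORK/$1" -name myserver \
        -in "$WORK/server.pem" -inkey "$WORK/server.key" -passout "$PASS" \
        ${2:+-certfile "$2"}
}

# keystore_cert_count FILE  : how many certificates the keystore really carries
keystore_cert_count() {
    openssl pkcs12 -in "$WORK/$1" -nokeys -passin "$PASS" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# root_in_keystore FILE  : 1 if the root CA certificate was (needlessly) included
root_in_keystore() {
    openssl pkcs12 -in "$WORK/$1" -nokeys -passin "$PASS" 2>/dev/null \
        | grep '^subject=' | grep -c 'root-ca' || true
}

# apr_chain_ok  : server.pem verifies through intermediates.pem to the trust anchor
apr_chain_ok() {
    openssl verify -CAfile "$WORK/root-ca.pem" -untrusted "$WORK/intermediates.pem" \
        "$WORK/server.pem" >/dev/null 2>&1
}

# apr_key_matches_cert  : public key in the certificate equals the one in the key file
apr_key_matches_cert() {
    [ "$(openssl x509 -in "$WORK/server.pem" -noout -pubkey)" = \
      "$(openssl pkey -in "$WORK/server.key" -pubout 2>/dev/null)" ]
}

build_chain
export_p12 incomplete.p12                                   # Leo's command as posted
export_p12 keystore.p12 "$WORK/intermediates.pem"           # with -certfile
echo "certificates in incomplete.p12: $(keystore_cert_count incomplete.p12)"   # 1
echo "certificates in keystore.p12:   $(keystore_cert_count keystore.p12)"     # 2
openssl pkcs12 -in "$WORK/keystore.p12" -nokeys -passin "$PASS" 2>/dev/null \
    | grep -E '^(subject|issuer)='
apr_chain_ok && apr_key_matches_cert && echo "APR connector files are consistent"
```

The subject/issuer listing is the check Ognjen describes: the last issuer shown should be the root CA, but no subject should be.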
RE: Secure Tomcat With SSL
For over a year I've been looking for a tool to show the RFC 822 name and the PEM. Thanks Craig!

Martin

> Date: Mon, 28 Oct 2013 16:43:53 -0400
> Subject: Re: Secure Tomcat With SSL
> From: craig.tay...@drivedominion.com
> To: users@tomcat.apache.org
>
> This tool has saved me a few times over: http://sourceforge.net/projects/portecle/
>
> On Mon, Oct 28, 2013 at 4:41 PM, Ognjen Blagojevic ognjen.d.blagoje...@gmail.com wrote:
>> [...]
Re: Secure Tomcat With SSL
Chris,

On 27.10.2013 2:47, Chris Arnold wrote:
>> Both are possible only if you plan to use either the BIO or NIO HTTP connector. If you plan to use APR, connector configuration is completely different.
>
> Not sure what either of these are. I just need secure Tomcat.

Let us first determine which connector you have configured (BIO, NIO or APR), because HTTPS configuration depends on connector type. Could you send your server.xml with comments and sensitive information removed?

Also, could you send your Tomcat startup messages? Depending on your configuration you can find them at the console or in the file logs/catalina*.*. We only need to see the connector initialization log messages, like these:

??? 19, 2013 12:01:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [http-apr-8080]
??? 19, 2013 12:01:06 PM org.apache.coyote.AbstractProtocol init
INFO: Initializing ProtocolHandler [ajp-apr-8009]

In the above example, you can see that the APR connector is being initialized.

If you want to find out about the different connector types, you may find more information here:

1. http://people.apache.org/~markt/presentations/2009-04-01-TomcatTuning.pdf (slides 13-20)
2. http://tomcat.apache.org/tomcat-7.0-doc/config/http.html

-Ognjen
Secure Tomcat With SSL
Tomcat 7.0.42 on SLES11. I am following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to secure Tomcat. I have uncommented the SSL HTTP section. The configuration section of that doc, importing the certificate: I have a GoDaddy bundle in crt format. I can download the cert bundle from GoDaddy for Tomcat but it also is a crt file. Do I have to run this exact command:

openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
    -out mycert.p12 -name tomcat -CAfile myCA.crt \
    -caname root -chain
Re: Secure Tomcat With SSL
Chris,

On 26.10.2013 23:39, Chris Arnold wrote:
> Tomcat 7.0.42 on SLES11. I am following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to secure Tomcat. I have uncommented the SSL HTTP section. The configuration section of that doc, importing the certificate: I have a GoDaddy bundle in crt format. I can download the cert bundle from GoDaddy for Tomcat but it also is a crt file. Do I have to run this exact command:
>
> openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
>     -out mycert.p12 -name tomcat -CAfile myCA.crt \
>     -caname root -chain

It looks ok to me. Does it work for you?

It will create a PKCS#12 keystore file (mycert.p12), so you may:

1. add the parameter keystoreType="pkcs12" to your HTTPS connector, and use that file, or
2. convert the PKCS#12 keystore to Java Keystore format, and use the default keystore type (JKS).

Both are possible only if you plan to use either the BIO or NIO HTTP connector. If you plan to use APR, connector configuration is completely different.

-Ognjen
Re: Secure Tomcat With SSL
> Chris,
>
> On 26.10.2013 23:39, Chris Arnold wrote:
>> Tomcat 7.0.42 on SLES11. I am following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration to secure Tomcat. I have uncommented the SSL HTTP section. The configuration section of that doc, importing the certificate: I have a GoDaddy bundle in crt format. I can download the cert bundle from GoDaddy for Tomcat but it also is a crt file. Do I have to run this exact command:
>>
>> openssl pkcs12 -export -in mycert.crt -inkey mykey.key \
>>     -out mycert.p12 -name tomcat -CAfile myCA.crt \
>>     -caname root -chain
>
> It looks ok to me. Does it work for you?

It doesn't look like it will work as I do not have a CA file.

> It will create a PKCS#12 keystore file (mycert.p12), so you may:
>
> 1. add the parameter keystoreType="pkcs12" to your HTTPS connector, and use that file, or
> 2. convert the PKCS#12 keystore to Java Keystore format, and use the default keystore type (JKS).
>
> Both are possible only if you plan to use either the BIO or NIO HTTP connector. If you plan to use APR, connector configuration is completely different.

Not sure what either of these are. I just need secure Tomcat.