Re: A little trouble with SSL
Andrea,

On 9/20/12 12:53 PM, Andrea Freire wrote:
> Christopher Schultz chris at christopherschultz.net writes:
>> Andrea,
>>
>> On 8/29/2010 10:39 PM, Andrea Freire wrote:
>>> There are the configuration files.
>>
>> Your attachments were stripped by the list. Please paste them inline and try again.
>>
>> -chris
>
> I know the answer is too late, but I want to post what I did. The problem was that I hadn't installed the Tomcat native library. I just followed the steps in the following link to install the library: http://tomcat.apache.org/native-doc/ You have to install this if you want to configure SSL directly in Tomcat. :D

tcnative is not required in order to configure SSL in Tomcat. It is only required if you want to use OpenSSL with the APR connector to configure SSL in Tomcat.

-chris

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: A little trouble with SSL
Christopher Schultz chris at christopherschultz.net writes:
> Andrea,
>
> On 8/29/2010 10:39 PM, Andrea Freire wrote:
>> There are the configuration files.
>
> Your attachments were stripped by the list. Please paste them inline and try again.
>
> -chris

I know the answer is too late, but I want to post what I did. The problem was that I hadn't installed the Tomcat native library. I just followed the steps in the following link to install the library: http://tomcat.apache.org/native-doc/ You have to install this if you want to configure SSL directly in Tomcat. :D

Andrea
Re: A little trouble with SSL
Andrea,

On 8/29/2010 10:39 PM, Andrea Freire wrote:
> There are the configuration files.

Your attachments were stripped by the list. Please paste them inline and try again.

-chris
RE: A little trouble with SSL
There are the configuration files.

I can see the .jsp files through Apache, but only on port :80; when I use port :443 it only shows what is in Apache, not the .jsp or any servlet or application files. The .crt files for SSL work using this setup (Tomcat with mod_jk with Apache) to redirect, but after the authentication a message appears that the location is forbidden.

I tried to implement SSL just for Tomcat, but I have problems with the keytool. I have 2 locations that manage this command; with both of them I create the cert, but later they show me errors when I try to delete or remake the certs. The first time that I implemented it this way, the browser showed me this message: ssl_error_rx_record_too_long. Someone told me that it could be the proxy (Squid), but I put the port in the firewall to allow it to pass and stopped the proxy service, and the netstat -tln command showed me that the port of Tomcat with SSL was open.

Andrea

> Date: Thu, 26 Aug 2010 14:35:44 -0400
> From: ch...@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: A little trouble with SSL
>
> Andrea,
>
> On 8/26/2010 2:07 PM, Andrea Freire wrote:
>> I install tomcat 6 and all works without problem, but I had to install ssl then the problems started.
>
> Looking below, you are using Apache httpd along with Tomcat. Would you like httpd to terminate the SSL connection, or do you want to make SSL connections directly to Tomcat?
>
>> I tried to configure using the module that connect tomcat6 with apache mod_jk, but send me the request was apparently not the apache server just redirects me what is going to port 80, when I put on port 443 I get that not on the server
>
> I'm having a little trouble understanding.
>
> Please post your mod_jk configuration and the Connectors from Tomcat's server.xml. Let's just start there and see how far we can get.
>
> -chris
Re: A little trouble with SSL
Andrea,

Please keep discussions on the mailing list.

On 8/26/2010 5:19 PM, Andrea Freire wrote:
> I pass you my configuration, go ahead

It looks like you have not configured Apache httpd for SSL. Did you want to have SSL terminate at Apache httpd or at Tomcat?

> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
>   <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
>   <Parameter name="port" value="6443"/>
>   <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
>   <Parameter name="keystore" value="/root/.keystore" />
>   <Parameter name="keypass" value="my_key_forsecurityreasonsInotputit"/>
>   <Parameter name="clientAuth" value="false"/>
> </Connector>

That's a weird Connector configuration. Where did you get this example?

I note you're trying to use a keystore in /root/.keystore... it's generally not a good idea to run Tomcat as root, and it's generally not a good idea to allow /root to be world-readable. From the above configuration, I suspect you are running Tomcat as root: seriously consider running Tomcat as a non-privileged user.

There's a perfectly good SSL connector configuration listed already in server.xml (though it's commented-out):

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

You just need to uncomment this and add the following attributes:

keystoreFile (note that your attribute was keystore, not keystorefile)
keystorePass

Please see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for reference.

-chris
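The connector change described in the message above, together with the JSSE/APR distinction made in the later tcnative reply, as an added example that is not part of the original thread. The keystore path, the PEM file paths and the password are placeholders, and the explicit `Http11Protocol` class name is an addition that pins the connector to JSSE.

```xml
<!-- Added example, not from the thread. Every path and the password below
     are placeholders. -->

<!-- Option 1: JSSE connector (pure Java, tcnative NOT required).
     This is the stock Tomcat 6 entry, uncommented, plus keystoreFile and
     keystorePass. With protocol="HTTP/1.1" Tomcat 6 switches to the APR
     connector automatically when the native library is loaded, and then
     the keystore attributes are ignored. Naming the JSSE class explicitly
     avoids that. Keep the keystore outside /root and readable only by the
     unprivileged account that runs Tomcat. -->
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/path/to/tomcat.keystore"
           keystorePass="CHANGE_ME" />

<!-- Option 2: APR connector (the only case that needs tcnative).
     It takes OpenSSL-style PEM files instead of a Java keystore.
     Enable one option or the other for a given port, not both.
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true"
           SSLCertificateFile="/path/to/server.crt"
           SSLCertificateKeyFile="/path/to/server.key" />
-->
```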
A little trouble with SSL
I install tomcat 6 and all works without problem, but I had to install ssl then the problems started.

I tried to configure using the module that connect tomcat6 with apache mod_jk, but send me the request was apparently not the apache server just redirects me what is going to port 80, when I put on port 443 I get that not on the server once I came out about the certificate but I redirected I get forgiven.

Then try to implement it directly in tomcat using a certificate using openssl, then use the keytool tool to generate the first time you use it if I generate a certificate but I put it in jks but It put me in another that beginning with g, the second time I said that already exists error code or a malformed key:

keytool error: java.security.KeyStoreException: Alias [tomcat] already exists and DOES NOT IDENTIFY a Key Entry

I try with the jdk keytool to install but followed me out the same mistakes in some cases moved the keys to rebuilding the certificates and keys in the folder that I assign $ path $ / keys but I got the error malformed key.