RE: Configuring Tomcat 6.0.28 with SSL
Jorge,

I do get the INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path.

When I try and access my webapp via 443, I am getting a 404 error Not Found, even though I removed jakarta from IIS and commented out the AJP 1.3 connector. Seems as though isapi_redirect.dll is still being used, I cannot delete from my directory.

Any Help would be great.

To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
RE: Configuring Tomcat 6.0.28 with SSL
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL

> I do get the INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path.

So APR is not in use, meaning you should follow the SSL doc here:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

(Which you probably have been doing.)

> When I try and access my webapp via 443

Post your current server.xml, with comments removed and privileged information masked. Do a netstat -ano and find out what process is actually listening on 443.

 - Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Configuring Tomcat 6.0.28 with SSL
Chuck,

Well, IIS is listening on 443. Our users authenticate via PKI, through IIS (which is set-up for SSL/Single-Sign On). Ideally, I'd like this to be the same for the web app I'm trying to make available on the web server, however, the isapi_redirect loads the page very very very slow.

I know that I'd have to establish a different port (according to the SysAdmin) if I'd want to authenticate through Tomcat, can this be done on 8443?

Sorry for the questions, I'm a GIS guy learning Web.
RE: Configuring Tomcat 6.0.28 with SSL
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL

> Well, IIS is listening on 443.

Then Tomcat can't - unless you use different IP addresses for IIS and Tomcat.

> if I'd want to authenticate through Tomcat, can this be done on 8443?

Yes, just use that port in the URL. But be aware that many versions of we-don't-need-no-stinkin'-standards-IE get confused when SSL is used over something other than 443, so you'll need to verify that it works with all the browsers your users have.

 - Chuck
RE: Configuring Tomcat 6.0.28 with SSL
Chuck,

Do you know of any methods to speed up performance when configuring Tomcat-isapi_redirect-IIS? I've googled this for a few days and have found people experiencing the same issue, however, no solution has been discovered.
RE: Configuring Tomcat 6.0.28 with SSL
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL

> Do you know of any methods to speed up performance when configuring Tomcat-isapi_redirect-IIS?

Sorry, no. I try to avoid IIS if at all possible.

 - Chuck
RE: Configuring Tomcat 6.0.28 with SSL
> -----Original Message-----
> From: Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 [mailto:jason.t.hansel@navy.mil]
> Subject: RE: Configuring Tomcat 6.0.28 with SSL
>
> Well, IIS is listening on 443. Our users authenticate via PKI, through IIS (which is set-up for SSL/Single-Sign On). Ideally, I'd like this to be the same for the web app I'm trying to make available on the web server, however, the isapi_redirect loads the page very very very slow.
>
> I know that I'd have to establish a different port (according to the SysAdmin) if I'd want to authenticate through Tomcat, can this be done on 8443?
>
> Sorry for the questions, I'm a GIS guy learning Web.

Jason,

Sorry I'm late chiming in, but I had to go back and read the archives to see the history.

Are you trying to secure something ArcGIS Server related? (or, ArcIMS?)

I am able to avoid needing IIS/ISAPI for any of our GIS web apps, so far. Even when I had IIS/ISAPI configured, I didn't experience the same issues you have had with performance.

> can this be done on 8443?

That is how I have to develop and test our GIS web apps that use SSL.

Leo
RE: Configuring Tomcat 6.0.28 with SSL
Leo,

I'm actually configuring the Geoportal Extension. I've got everything working w/respect to LDAP and my database. My IIS is running as 32 bit, due to some applications that need 32as64.
Configuring Tomcat 6.0.28 with SSL
I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL into our web application due to the authentication process taking a while, causing the web app to run abnormally slow. I am wanting to use our server certificate (PKCS12) as the keystore. I've been doing a lot of research and it seems that I need to import the root certificates into the keystore using OpenSSL. What I am not too clear on is how to edit the server.xml file to accommodate these configurations. Here is what I have thus far, however, SSL does not seem to be working.

Copied from Notepad:

    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\con\geo.pfx"
               keystorePass="password" keystoreType="pkcs12"
               clientAuth="false" sslProtocol="TLS" />
Re: Configuring Tomcat 6.0.28 with SSL
There are two ways to add SSL support to Tomcat:

a) Pure Java support
b) Using OpenSSL through the APR library

For (b) you need to compile (or use a distribution with) the Tomcat Native Library. Configuring SSL using (a) is different than when using (b).

You may know if your server is running the APR by looking at the logs, at startup you may find a line similar to:

INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path:

After you have determined if you have the APR, look at how to configure SSL at http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

-Jorge
Re: Configuring Tomcat 6.0.28 with SSL
Jason,

On 8/10/2010 3:41 PM, Hansel, Jason T CTR SPAWARSYSCEN-ATLANTIC, 55E00 wrote:
> I am abandoning the IIS/isapi_redirect.dll method of authenticating via SSL into our web application due to the authentication process taking a while, causing the web app to run abnormally slow. I am wanting to use our server certificate (PKCS12) as the keystore. I've been doing a lot of research and it seems that I need to import the root certificates into the keystore using OpenSSL. What I am not too clear on is how to edit the server.xml file to accommodate these configurations. Here is what I have thus far, however, SSL does not seem to be working.
>
> Copied from Notepad:
>
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
>      This connector uses the JSSE configuration, when using APR, the
>      connector should be using the OpenSSL style configuration
>      described in the APR documentation -->
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>            maxThreads="150" scheme="https" secure="true"
>            keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\con\geo.pfx"
>            keystorePass="password" keystoreType="pkcs12"
>            clientAuth="false" sslProtocol="TLS" />

Wait, are you trying to do CLIENT-CERT authentication? If so, you'll want to do clientAuth="want" (if you want a cert, but don't want to fail otherwise, which I think is usually what one wants to do) and set the truststore* attributes on the Connector.

-chris
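
The connector change suggested in the reply above, written out as an added example that is not part of the original thread: the posted JSSE connector moved to port 8443 (IIS already holds 443 on this host) with clientAuth="want" and the truststore attributes set. The keystore values are the ones posted in the thread; the truststore path, password and JKS type are placeholders assumed for illustration.

```xml
<!-- Added example, not from the thread.
     JSSE (non-APR) connector for Tomcat 6, matching the startup log line
     that says the APR native library was not found.

     Server identity: the PKCS12 file posted in the thread (path kept
     exactly as posted).

     Client certificate validation: the truststore must hold the root and
     intermediate CA certificates that issue the users' PKI certificates.
     It can be built with the JDK keytool, one CA certificate at a time
     (alias and file names below are placeholders):

       keytool -import -trustcacerts -alias ROOT_CA_PLACEHOLDER
               -file root-ca.cer -keystore truststore.jks
-->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"

           keystoreFile="C:\Program Files\Apache Software Foundation\Tomcat 6.0\con\geo.pfx"
           keystorePass="password"
           keystoreType="pkcs12"

           truststoreFile="C:\PLACEHOLDER\truststore.jks"
           truststorePass="PLACEHOLDER"
           truststoreType="JKS"

           clientAuth="want"
           sslProtocol="TLS" />
```

With clientAuth="want" the TLS handshake still succeeds when no client certificate is presented, so the web application has to enforce access itself, for example with a CLIENT-CERT login-config and a security constraint in web.xml. Setting clientAuth="true" instead rejects certificate-less connections at the handshake.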