RE: SSL problem

2010-07-08 Thread Caldarale, Charles R
 From: Allen Razdow [mailto:araz...@truenum.com]
 Subject: SSL problem
 
 Using Tomcat 6.0.14 on an amazon EC2 server instance

Don't suppose you'd like to try this on a version that's a bit less than three 
years old?  Pretty pointless to debug on something that ancient.  Also, what 
JVM are you using with Tomcat?

 Running keytool -list on it reveals 3 entries:

Are you sure one of those is your Go Daddy certificate?  (Use the -v option 
with -list to display the details.)

 javax.net.ssl.SSLException: No available certificate or key 
 corresponds to the SSL cipher suites which are enabled.

What signature algorithms does -list -v show for the Go Daddy certificate?

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: SSL problem

2010-07-08 Thread Allen Razdow
:  82:BD:9A:0B:82:6A:0E:3E:91:AD:3E:27:04:2B:3F:45
 SHA1: DE:70:F4:E2:11:6F:7F:DC:E7:5F:9D:13:01:2B:7E:68:7A:3B:2C:62
 Signature algorithm name: SHA1withRSA
 Version: 3

Extensions:

#1: ObjectId: 2.5.29.15 Criticality=true
KeyUsage [
  Key_CertSign
  Crl_Sign
]

#2: ObjectId: 2.5.29.19 Criticality=true
BasicConstraints:[
  CA:true
  PathLen:2147483647
]

#3: ObjectId: 2.5.29.14 Criticality=false
SubjectKeyIdentifier [
KeyIdentifier [
: D2 C4 B0 D2 91 D4 4C 11   71 B3 61 CB 3D A1 FE DD  ..L.q.a.=...
0010: A8 6A D4 E3.j..
]
]

#4: ObjectId: 1.3.6.1.5.5.7.1.1 Criticality=false
AuthorityInfoAccess [
  [accessMethod: 1.3.6.1.5.5.7.48.1
   accessLocation: URIName: http://ocsp.godaddy.com]
]

#5: ObjectId: 2.5.29.31 Criticality=false
CRLDistributionPoints [
  [DistributionPoint:
 [URIName: http://certificates.godaddy.com/repository/root.crl]
]]

#6: ObjectId: 2.5.29.32 Criticality=false
CertificatePolicies [
  [CertificatePolicyId: [2.5.29.32.0]
[PolicyQualifierInfo: [
  qualifierID: 1.3.6.1.5.5.7.2.1
  qualifier: : 16 2A 68 74 74 70 3A 2F   2F 63 65 72 74 69 66 69
.*http://certifi
0010: 63 61 74 65 73 2E 67 6F   64 61 64 64 79 2E 63 6F  cates.godaddy.co
0020: 6D 2F 72 65 70 6F 73 69   74 6F 72 79  m/repository

]]  ]
]

#7: ObjectId: 2.5.29.35 Criticality=false
AuthorityKeyIdentifier [
[emailaddress=i...@valicert.com, CN=http://www.valicert.com/, OU=ValiCert
Class 2 Policy Validation Authority, O=ValiCert, Inc., L=ValiCert
Validation Network]
SerialNumber: [01]
]









RE: SSL problem

2010-07-08 Thread Caldarale, Charles R
 From: Allen Razdow [mailto:araz...@truenum.com]
 Subject: RE: SSL problem
 
 Maybe I'll just start from scratch with the latest.

Strongly recommended.

 The sigalg seems to be SHA1withRSA.  I gather there is 
 something like a cipher suite associated with JSEE...

It's JSSE, not JSEE.  Yes, the 1.5 and 1.6 JVMs come with basic cipher 
capabilities.  The certificates I'm using on stock 1.5 and 1.6 JVMs use 
SHA1withRSA without problem.

Hmmm...

Try running this program on your JVM to see all the JSSE stuff that's available.

import java.security.Provider;
import java.security.Security;
import java.util.Map;
import java.util.Set;

public class SecList {
  public static void main(String args[]) {
    // Every installed JCA/JSSE provider, in preference order
    Provider[] providers = Security.getProviders();

    for (Provider p : providers) {
      System.out.print(p.getName() + ", version " + p.getVersion());
      System.out.println(": " + p.getInfo());

      // Each service is one (type, algorithm) pair the provider implements,
      // e.g. "Signature: SHA1withRSA" or "SSLContext: TLS"
      Set<Provider.Service> services = p.getServices();
      for (Provider.Service s : services) {
        System.out.println("  service " + s.getType() + ": " + s.getAlgorithm()
                           + " (" + s.getClassName() + ")");
      }

      // Raw provider properties, including algorithm aliases
      Set<Map.Entry<Object, Object>> entries = p.entrySet();
      for (Map.Entry<Object, Object> e : entries) {
        System.out.println("  property " + e.toString());
      }
    }
  }
}

 - Chuck


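As an added companion to SecList (this is not Chuck's program and not Tomcat code), the following reads the keystore Tomcat was pointed at and says what each alias actually is. The exception quoted above is what JSSE raises when no private-key entry matches an enabled cipher suite, and "keytool -list" on a keystore that holds only trusted CA certificates looks superficially fine. Keystore path and password are command-line arguments; it assumes the key password equals the store password, which is Tomcat's default.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Added diagnostic (not from the thread, not Tomcat code): lists what each alias in a
 * keystore really is, because "keytool -list" shows trusted CA certificates and
 * private-key entries side by side and only the latter can back a TLS server socket.
 * Usage: java KeystoreCheck /path/to/keystore <password>
 */
public class KeystoreCheck {

    /** One line per alias, plus a summary line when nothing usable was found. */
    public static List<String> inspect(KeyStore ks, char[] keyPassword) throws Exception {
        List<String> findings = new ArrayList<>();
        int usableKeys = 0;

        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias)) {
                Certificate[] chain = ks.getCertificateChain(alias);
                if (chain == null) {                       // a SecretKeyEntry, irrelevant to TLS
                    findings.add(alias + ": secret-key entry, not usable as a server certificate");
                    continue;
                }
                String keyAlg = ks.getKey(alias, keyPassword).getAlgorithm();
                X509Certificate leaf = (X509Certificate) chain[0];
                findings.add(alias + ": PrivateKeyEntry, key=" + keyAlg
                        + ", sigalg=" + leaf.getSigAlgName()
                        + ", subject=" + leaf.getSubjectX500Principal().getName()
                        + ", chain length=" + chain.length
                        + ", expires=" + leaf.getNotAfter());
                // JSSE's RSA/DSA/EC cipher suites each need a key of that type; nothing
                // else in the store can satisfy the enabled suites.
                if (keyAlg.equals("RSA") || keyAlg.equals("DSA") || keyAlg.equals("EC")) {
                    usableKeys++;
                }
            } else if (ks.isCertificateEntry(alias)) {
                X509Certificate c = (X509Certificate) ks.getCertificate(alias);
                findings.add(alias + ": trustedCertEntry (no private key), isCA="
                        + (c.getBasicConstraints() >= 0)
                        + ", subject=" + c.getSubjectX500Principal().getName());
            }
        }
        if (usableKeys == 0) {
            findings.add("No usable private-key entry: JSSE has no server certificate to offer,"
                    + " which is what 'No available certificate or key corresponds to"
                    + " the SSL cipher suites which are enabled' reports.");
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> <password>");
            System.exit(2);
        }
        // Assumption: key password == store password (Tomcat's keyPass defaults to keystorePass)
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");   // Tomcat's default keystoreType
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        for (String line : inspect(ks, pw)) {
            System.out.println(line);
        }
    }
}
```

If the output shows only trustedCertEntry lines, the Go Daddy chain was imported but the server key pair never was, and the connector's keyAlias (if set) must also name the PrivateKeyEntry alias.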



RE: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Caldarale, Charles R
 From: Abdullah Teke [mailto:abdullaht...@gmail.com]
 Subject: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server
 
 When I type http://localhost:443 in the browser I can see the 
 pages and applications.

Which you shouldn't be able to - this is indicative of your server.xml being 
broken.

 But when I type https://localhost I can't reach any page or 
 applications.

Post your server.xml (preferably without all the comments, and obfuscate any 
passwords).

 - Chuck





Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Abdullah Teke
This is my server.xml.  I have a mirror Tomcat server installation
that works perfectly and has the same configuration and environment.
But this server didn't work, as I said before.

-- 
Abdullah Teke
=
Tel: 0 555 337 21 89
MSN  : abdullaht...@hotmail.com
ICQ   : 164500674
Web  : www.abdullahteke.com
<?xml version="1.0"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<!-- Example Server Configuration File -->
<!-- Note that component elements are nested corresponding to their
     parent-child relationships with each other -->

<!-- A "Server" is a singleton element that represents the entire JVM,
     which may contain one or more "Service" instances.  The Server
     listens for a shutdown command on the indicated port.

     Note:  A "Server" is not itself a "Container", so you may not
     define subcomponents such as "Valves" or "Loggers" at this level.
 -->

<Server port="8005" shutdown="SHUTDOWN">

  <!-- Comment these entries out to disable JMX MBeans support used for the
       administration web application -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>

  <!-- Global JNDI resources -->
  <GlobalNamingResources>

    <!-- Test entry for demonstration purposes -->
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

    <!-- Editable user database that can also be used by
         UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
       description="User database that can be updated and saved"
           factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
          pathname="conf/tomcat-users.xml" />

  </GlobalNamingResources>

  <!-- A "Service" is a collection of one or more "Connectors" that share
       a single "Container" (and therefore the web applications visible
       within that Container).  Normally, that Container is an "Engine",
       but this is not required.

       Note:  A "Service" is not itself a "Container", so you may not
       define subcomponents such as "Valves" or "Loggers" at this level.
   -->

  <!-- Define the Tomcat Stand-Alone Service -->
  <Service name="Catalina">

    <!-- A "Connector" represents an endpoint by which requests are received
         and responses are returned.  Each Connector passes requests on to the
         associated "Container" (normally an Engine) for processing.

         By default, a non-SSL HTTP/1.1 Connector is established on port 8080.
         You can also enable an SSL HTTP/1.1 Connector on port 8443 by
         following the instructions below and uncommenting the second Connector
         entry.  SSL support requires the following steps (see the SSL Config
         HOWTO in the Tomcat 5 documentation bundle for more detailed
         instructions):
         * If your JDK version 1.3 or prior, download and install JSSE 1.0.2 or
           later, and put the JAR files into "$JAVA_HOME/jre/lib/ext".
         * Execute:
             %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA (Windows)
             $JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA  (Unix)
           with a password value of "changeit" for both the certificate and
           the keystore itself.
 

Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Pid
On 27/04/2010 14:57, Abdullah Teke wrote:
 
 
 This is my server.xml.  I have a mirror Tomcat server installation
 that works perfectly and has the same configuration and environment.
 But this server didn't work, as I said before.

The list often strips attachments, it's better to post the contents of
the file, inline.  (Makes it easier to suggest edits, too).


p




Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Abdullah Teke
On Tue, Apr 27, 2010 at 5:03 PM, Pid p...@pidster.com wrote:
 The list often strips attachments, it's better to post the contents of
 the file, inline.  (Makes it easier to suggest edits, too).



ok then.


Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Christopher Schultz
Abdulla,

On 4/27/2010 10:09 AM, Abdullah Teke wrote:
 On Tue, Apr 27, 2010 at 5:03 PM, Pid p...@pidster.com wrote:
 The list often strips attachments, it's better to post the contents of
 the file, inline.  (Makes it easier to suggest edits, too).

FWIW, it looks like the attachment came through the first time.

   <Listener className="org.apache.catalina.core.AprLifecycleListener" />

Are you using APR for SSL? If so, the configuration for the Connector
is different.

 <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->

 <Connector port="443" maxHttpHeaderSize="8192"
            maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS" keystoreFile="C:\keystore"
            keystorePass="" />

The comment doesn't reflect the Connector definition, but that all
looks good to me. Are you sure Tomcat is using this server.xml? We've
heard reports that Eclipse, NetBeans, and other IDEs sometimes use a
different server.xml than you expect it to.

-chris



RE: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Caldarale, Charles R
 From: Abdullah Teke [mailto:abdullaht...@gmail.com]
 Subject: Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server
 
 This is my server.xml.

 <Connector port="8080"

If you're using port 443 for HTTPS traffic, why are you using 8080 for HTTP?

 redirectPort="8443"

This should be 443, not 8443.

You're either not actually using this server.xml, or something else is 
listening on 443, or your browser is ignoring the port number (which some 
versions of IE are known to do).

Do you have httpd or IIS in front of Tomcat?

 - Chuck





Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Abdullah Teke
On Tue, Apr 27, 2010 at 8:56 PM, Caldarale, Charles R
chuck.caldar...@unisys.com wrote:
 From: Abdullah Teke [mailto:abdullaht...@gmail.com]
 Subject: Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

 This is my server.xml.

  <Connector port="8080"

 If you're using port 443 for HTTPS traffic, why are you using 8080 for HTTP?

  redirectPort="8443"

 This should be 443, not 8443.

 You're either not actually using this server.xml, or something else is 
 listening on 443, or your browser is ignoring the port number (which some 
 versions of IE are known to do).

 Do you have httpd or IIS in front of Tomcat?


I think it uses this server.xml because after changing the configuration
and restarting the server, we can see the changes. We want to use both
http and https.




Re: SSL Problem with Tomcat 5.5.25 on Windows 2003 Server

2010-04-27 Thread Abdullah Teke
On Tue, Apr 27, 2010 at 8:49 PM, Christopher Schultz
ch...@christopherschultz.net wrote:
 Are you using APR for SSL? If so, the configuration for the Connector
 is different.

 The comment doesn't reflect the Connector definition, but that all
 looks good to me. Are you sure Tomcat is using this server.xml? We've
 heard reports that Eclipse, NetBeans, and other IDEs sometimes use a
 different server.xml than you expect it to.


Yes, I am sure the server uses this server.xml file. But I use the HP SM on
this. If I use APR for SSL, can you tell me how I should change the
configuration? Thanks.




RE: SSL problem

2009-12-15 Thread Caldarale, Charles R
 From: Carl [mailto:c...@etrak-plus.com]
 Subject: SSL problem
 
 Access to 8080 works fine but neither 8443 nor 443 work.

What does that mean?  Does Tomcat return a message saying not working?  (I 
doubt it.)

 I believe 443 and 8443 are up because a nmap gives:

Do a netstat -an while Tomcat is running and make sure it's actually listening 
on those ports.

 The relevant portions of server.xml are:
 <snip>

Did you perhaps snip out the comment marker that the default server.xml has 
around the SSL Connector?  Post all of your server.xml.

Are you using the APR library (probably named tcnative-1.so in Tomcat's bin 
directory)?  If so, the SSL configuration is quite different.

 - Chuck





Re: SSL problem

2009-12-15 Thread Mark Thomas
On 15/12/2009 18:18, Carl wrote:
 <Connector port="443" maxHttpHeaderSize="8192"
            maxThreads="600" minSpareThreads="25" maxSpareThreads="75"
            enableLookups="false" disableUploadTimeout="true"
            acceptCount="100" scheme="https" secure="true"
            clientAuth="false" sslProtocol="TLS"
            keystoreFile="/usr/local/certs/tomcat_keystore.ks"
            keystorePass="jellybean"/>

You are missing SSLEnabled=true to tell Tomcat to actually use SSL for
that connector.

Mark






Re: SSL problem

2009-12-15 Thread Carl
               ="false" sslProtocol="TLS" />
    -->

    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009"
               enableLookups="false" redirectPort="443" protocol="AJP/1.3" />


    <!-- An Engine represents the entry point (within Catalina) that processes
         every request.  The Engine implementation for Tomcat stand alone
         analyzes the HTTP headers included with the request, and passes them
         on to the appropriate Host (virtual host).
         Documentation at /docs/config/engine.html -->

    <!-- You should set jvmRoute to support load-balancing via AJP ie :
    <Engine name="Catalina" defaultHost="localhost" jvmRoute="jvm1">
    -->
    <Engine name="Catalina" defaultHost="localhost">

      <!--For clustering, please take a look at documentation at:
          /docs/cluster-howto.html  (simple how to)
          /docs/config/cluster.html (reference documentation) -->
      <!--
      <Cluster className="org.apache.catalina.ha.tcp.SimpleTcpCluster"/>
      -->

      <!-- The request dumper valve dumps useful debugging information about
           the request and response data received and sent by Tomcat.
           Documentation at: /docs/config/valve.html -->
      <!--
      <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
      -->

      <!-- This Realm uses the UserDatabase configured in the global JNDI
           resources under the key "UserDatabase".  Any edits
           that are performed against this UserDatabase are immediately
           available for use by the Realm.  -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <!-- Define the default virtual host
           Note: XML Schema validation will not work with Xerces 2.2.
       -->
      <Host name="localhost" appBase="webapps"
            unpackWARs="true" autoDeploy="true" deployOnStartup="true"
            xmlValidation="false" xmlNamespaceAware="false">

        <!-- SingleSignOn valve, share authentication between web applications
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.authenticator.SingleSignOn" />
        -->

        <!-- Access log processes all example.
             Documentation at: /docs/config/valve.html -->
        <!--
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="common" resolveHosts="false"/>
        -->

      </Host>
    </Engine>
  </Service>
</Server>


I don't think I am using APR.  Here is the startup from catalina.out:

Dec 15, 2009 2:43:02 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: /usr/lib64/java/lib/amd64/server:/usr/lib64/java/lib/amd64:/usr/lib64/java/../lib/amd64:/usr/java/packages/lib/amd64:/lib:/usr/lib
Dec 15, 2009 2:43:02 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Dec 15, 2009 2:43:02 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Dec 15, 2009 2:43:02 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Dec 15, 2009 2:43:02 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 550 ms
Dec 15, 2009 2:43:02 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Dec 15, 2009 2:43:02 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.20
RequestFilter initialized
RequestFilter initialized
RequestFilter initialized
Dec 15, 2009 2:43:04 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Dec 15, 2009 2:43:05 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Dec 15, 2009 2:43:05 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Dec 15, 2009 2:43:05 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Dec 15, 2009 2:43:05 PM org.apache.jk.server.JkMain start

Hope this helps solve the mystery.

TIA,

Carl






Re: SSL problem

2009-12-15 Thread Carl

Mark and Chuck,

I am so embarrassed, I should have caught that.  It works properly with that 
one little addition.


You guys (and others also) provide so much help.  All I can say is thanks.

Carl



Re: SSL problem

2009-12-15 Thread André Warnier

Carl wrote:
Fresh Tomcat 6.0.20 install on a new Slackware (version 13 - 64bit) Linux box.


Access to 8080 works fine but neither 8443 nor 443 work.

Can you define "does not work"?
What error are you seeing?
- is it a failure to even connect to that port on the server?
- or do you get a Tomcat error page as a response?

  I believe 443 and 8443 are up because a nmap gives:


Discovered open port 443/tcp on 127.0.0.1
Discovered open port 8080/tcp on 127.0.0.1
Discovered open port 8443/tcp on 127.0.0.1


Try on the server : netstat -pan
and verify that the process associated with each of the ports is really 
Tomcat, or something else.





The relevant portions of server.xml are:

snip

<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="600" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="/usr/local/certs/tomcat_keystore.ks"
   keystorePass="jellybean"/>

<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="600" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="/usr/local/certs/tomcat_keystore.ks"
   keystorePass="jellybean"/>

/snip



These look OK (to me), provided that they do not have <!-- ... --> tags 
around them. (Neither really your <snip>..</snip> tags above).

Come on, do check.  It is a frequent enough error.




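A check for the two mistakes raised in these two threads (an HTTPS connector left inside the default comment markers, and, on Tomcat 6, an HTTPS connector without SSLEnabled="true"), written as an added example that is not code from the thread or from Tomcat. The sample server.xml is constructed here from the connector Carl posted; the finding strings are this example's own.

```python
"""Audit a Tomcat server.xml for the SSL connector mistakes discussed above.

Added example, not code from the thread or from Tomcat.  The sample
server.xml is constructed: one HTTPS connector still sits inside the
comment markers the default server.xml ships with, and the live one on
port 443 lacks SSLEnabled="true", which Tomcat 6 requires.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample input (connector values taken from the thread).
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <Connector port="8443" maxHttpHeaderSize="8192"
               maxThreads="600" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" SSLEnabled="true"
               keystoreFile="/usr/local/certs/tomcat_keystore.ks"
               keystorePass="jellybean"/>
    -->
    <Connector port="443" maxHttpHeaderSize="8192"
               maxThreads="600" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="/usr/local/certs/tomcat_keystore.ks"
               keystorePass="jellybean"/>
  </Service>
</Server>
"""

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
CONNECTOR_RE = re.compile(r"<Connector\b([^>]*)/?>")
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


def is_https_connector(attrs):
    """A connector is meant to serve TLS if any of these attributes say so."""
    return (attrs.get("scheme") == "https"
            or attrs.get("secure") == "true"
            or "sslProtocol" in attrs
            or attrs.get("SSLEnabled") == "true")


def audit_server_xml(text):
    """Return a list of (port, finding) tuples for the SSL connectors in text."""
    findings = []

    # 1. ElementTree drops comments, so scan them by regex: a connector that
    #    is still inside <!-- --> never starts, whatever its attributes say.
    for comment in COMMENT_RE.findall(text):
        for match in CONNECTOR_RE.finditer(comment):
            attrs = dict(ATTR_RE.findall(match.group(1)))
            if is_https_connector(attrs):
                findings.append((attrs.get("port", "?"),
                                 "HTTPS connector is commented out"))

    # 2. Live connectors: check the attributes Tomcat needs to bring TLS up.
    root = ET.fromstring(text)
    for conn in root.iter("Connector"):
        attrs = conn.attrib
        if not is_https_connector(attrs):
            continue
        port = attrs.get("port", "?")
        if attrs.get("SSLEnabled") != "true":
            findings.append((port, 'missing SSLEnabled="true" (required from Tomcat 6)'))
        if "keystoreFile" not in attrs:
            # Without it Tomcat falls back to .keystore in the user's home directory.
            findings.append((port, "no keystoreFile attribute; default ~/.keystore will be used"))
        if attrs.get("scheme") != "https" or attrs.get("secure") != "true":
            findings.append((port, 'scheme="https" and secure="true" should both be set'))
    return findings


if __name__ == "__main__":
    for port, finding in audit_server_xml(SAMPLE_SERVER_XML):
        print(f"port {port}: {finding}")
```

Run it against a real $CATALINA_HOME/conf/server.xml by passing the file's contents to audit_server_xml.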



Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Martin Gainty
Hi Bob
There is a SSL checklist that starts with
1)installing and configuring JSSE (now comes with JDK.1.4 or 1.5)
2)a)create keystore
   b)import the certificate into just created keystore
3)uncomment the SSL Connector entry in $CATALINA_HOME/conf/server.xml  and
tweak keystoreFile to point to just created keystore
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

HTH/
Martin-
- Original Message -
From: Bob Grabbe [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Monday, November 26, 2007 1:04 PM
Subject: SSL problem with Tomcat 5.5


 Our web site has had an ssl certificate from Godaddy for the last two
years.
 I'm trying to update the certificate because it just expired. After the
 expiration, before updating I was able to get to the main page, with a
 certificate error. After the update of the certificate I'm not able to
get
 to the https page at all.

 Environment is Windows 2003 server, Tomcat 5.5.9, Server.xml is set to
 redirect http (port 80) to port 443, and did work before.

 What I've done so far:

 Downloaded the server certificate, Godaddy certificates and recreated the
 keystore. No errors along the way. Verified that server.xml has the
correct
 keystore file and password. Restarted Tomcat.

 Under webapps/root there is a redirector to send the browser to my other
 app's index.html.

 At this point I can open the http page, but if I try to open the https url
I
 don't get anything.

 I'm open and would be very grateful for any suggestions.

 Thanks



 Bob Grabbe

 Michigan Proteome Consortium

 University of Michigan

 [EMAIL PROTECTED]

 _

 If we knew what we were doing, it wouldn't be called research, would it ?

 --Albert Einstein











RE: SSL problem with Tomcat 5.5

2007-11-26 Thread Bob Grabbe
Did all that, to no avail. As I said, it was working until the certificate
expired, and the new certificate seems to have broken things, although I
can't see anything wrong with it. What it looks like, actually, is that the
server isn't processing the server.xml entries that redirect http to https.
I can't see why, though. 

Bob Grabbe
Umiversity of Michigan
[EMAIL PROTECTED]
_
Research is the process of going up alleys to see if they are blind. --
Marston Bates








Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Hassan Schroeder
On Nov 26, 2007 10:04 AM, Bob Grabbe [EMAIL PROTECTED] wrote:
 Our web site has had an ssl certificate from Godaddy for the last two years.
 I'm trying to update the certificate because it just expired. After the
 expiration, before updating I was able to get to the main page, with a
 certificate error. After the update of the certificate I'm not able to get
 to the https page at all.

 Downloaded the server certificate, Godaddy certificates and recreated the
 keystore.

? That sounds a little off -- the keystore should have been created as
a first step, followed by generating the certificate request to send off
to GoDaddy.

 At this point I can open the http page, but if I try to open the https url I
 don't get anything.

And the logs say ?

-- 
Hassan Schroeder  [EMAIL PROTECTED]




RE: SSL problem with Tomcat 5.5

2007-11-26 Thread Bob Grabbe
Not sure which logs would help, but I've attached a notepad file with
excerpts. 
I didn't generate a new csr, I figured renewing the cert shouldn't need
that. Do I need to go through that or should I be able to just renew it ? 
What I did after downloading the new certificates was 
1. Stop tomcat
2. rename the old keystore file
3. run the keytool to import the new certificates. 
If there's a different sequence I should have used, I'll appreciate the
input. 
Thanks

Bob Grabbe
Umiversity of Michigan
[EMAIL PROTECTED]
_
Research is the process of going up alleys to see if they are blind. --
Marston Bates



Catalina log
INFO: Reloading context []
Nov 26, 2007 3:50:30 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-80
Nov 26, 2007 3:50:30 PM org.apache.coyote.http11.Http11Protocol pause
INFO: Pausing Coyote HTTP/1.1 on http-443
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.StandardService stop
INFO: Stopping service Catalina
Nov 26, 2007 3:50:31 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-80
Nov 26, 2007 3:50:31 PM org.apache.coyote.http11.Http11Protocol destroy
INFO: Stopping Coyote HTTP/1.1 on http-443

localhost log
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', 
'[Ljava.lang.String;@6db33c')
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextDestroyed()
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextDestroyed()
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', 
'[Ljava.lang.String;@159e6e8')
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', 
'[Ljava.lang.String;@1469658')
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', 
'[Ljava.lang.String;@1389b3f')
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: SessionListener: contextDestroyed()
Nov 26, 2007 3:50:31 PM org.apache.catalina.core.ApplicationContext log
INFO: ContextListener: contextDestroyed()

localhost access log

192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET / HTTP/1.1 200 121
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/ HTTP/1.1 200 1876
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/topFrame.htm HTTP/1.1 
200 2420
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/leftUserInfoPage.htm 
HTTP/1.1 200 10850
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/images/NRPP.jpg 
HTTP/1.1 200 4814
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/JS/md5.js HTTP/1.1 
200 8827
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/images/New_icons.gif 
HTTP/1.1 200 165
192.168.0.1 - - [26/Nov/2007:15:50:09 -0500] GET /prime/images/groups_bar.gif 
HTTP/1.1 200 2273
192.168.0.1 - - [26/Nov/2007:15:50:24 -0500] GET /prime/ HTTP/1.1 302 -
192.168.0.1 - - [26/Nov/2007:15:50:24 -0500] GET /prime/ HTTP/1.1 200 1876
192.168.0.1 - - [26/Nov/2007:15:50:24 -0500] GET /prime/leftUserInfoPage.htm 
HTTP/1.1 200 10850



Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Hassan Schroeder
On Nov 26, 2007 12:58 PM, Bob Grabbe [EMAIL PROTECTED] wrote:
 Not sure which logs would help, but I've attached a notepad file with
 excerpts.

What would be best would be catalina.log at startup, showing
whether the SSL connector started cleanly.

And of course, any log entry relating specifically to an HTTPS
request.

 I didn't generate a new csr, I figured renewing the cert shouldn't need
 that. Do I need to go through that or should I be able to just renew it ?

Dunno about GoDaddy, but when I renew a Thawte cert for one of
my sites, I have to generate a new cert request. So I just create a new
keystore file, named something like keystore-example.com-2007, and
use that for the new cert.

HTH!
-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Christopher Schultz

Bob,

Bob Grabbe wrote:
 Bob Grabbe
 Umiversity of Michigan

Is that a typo or a joke?

- -chris




RE: SSL problem with Tomcat 5.5

2007-11-26 Thread Bob Grabbe
OK, I've attached a new file with the startup. Unfortunately I'm not seeing
anything in any logs that indicate any https requests. 
Just in case, what's the command to generate a new empty keystore file ?
I've seen the notes on the tomcat docs for creating the csr, but I didn't do
that this time. I might try it though, if I can get godaddy to go through
the process with me again, 

Thanks

Bob Grabbe
University of Michigan
[EMAIL PROTECTED]
_
Research is the process of going up alleys to see if they are blind. --
Marston Bates


INFO: Initializing Coyote HTTP/1.1 on http-80
Nov 26, 2007 4:11:02 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-443
Nov 26, 2007 4:11:02 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 1500 ms
Nov 26, 2007 4:11:02 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 26, 2007 4:11:02 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.9
Nov 26, 2007 4:11:02 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 26, 2007 4:11:03 PM org.apache.catalina.loader.WebappClassLoader 
validateJarFile
INFO: 
validateJarFile(D:\jakarta-tomcat-5.5.9\jakarta-tomcat-5.5.9\webapps\prime\WEB-INF\lib\servlet-api.jar)
 - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: 
javax/servlet/Servlet.class
Nov 26, 2007 4:11:03 PM org.apache.catalina.loader.WebappClassLoader 
validateJarFile
INFO: 
validateJarFile(D:\jakarta-tomcat-5.5.9\jakarta-tomcat-5.5.9\webapps\PRIMEInstallationSite\WEB-INF\lib\servlet-api.jar)
 - jar not loaded. See Servlet Spec 2.3, section 9.7.2. Offending class: 
javax/servlet/Servlet.class
Nov 26, 2007 4:11:04 PM org.apache.struts.tiles.TilesPlugin 
initDefinitionsFactory
INFO: Tiles definition factory loaded for module ''.
Nov 26, 2007 4:11:04 PM org.apache.struts.validator.ValidatorPlugIn 
initResources
INFO: Loading validation rules file from '/WEB-INF/validator-rules.xml'
Nov 26, 2007 4:11:04 PM org.apache.struts.validator.ValidatorPlugIn 
initResources
INFO: Loading validation rules file from '/WEB-INF/validation.xml'
Nov 26, 2007 4:11:05 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-80
Nov 26, 2007 4:11:05 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-443
Nov 26, 2007 4:11:05 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 26, 2007 4:11:05 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/16  config=null
Nov 26, 2007 4:11:05 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 26, 2007 4:11:05 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 3188 ms


Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Hassan Schroeder
On Nov 26, 2007 1:48 PM, Bob Grabbe [EMAIL PROTECTED] wrote:
 OK, I've attached a new file with the startup. Unfortunately I'm not seeing
 anything in any logs that indicate any https requests.

mmm. Are you sure nothing else changed, firewall-wise? You might
want to turn on the Request Dumper Valve to make sure requests
are actually reaching TC. :-)

 Just in case, what's the command to generate a new empty keystore file ?
 I've seen the notes on the tomcat docs for creating the csr, but I didn't do
 that this time.

It's all there in the SSL how-to. I'd just try it from scratch, maybe
first with a self-signed cert and then go back to your cert vendor.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Martin Gainty
Good Evening Bob
Implementing webapps is similar to setting up a scientific experiment: you
need to complete ALL the steps outlined, in order, or nothing works.

The SSL checklist that starts with
1)installing and configuring JSSE (now comes with JDK.1.4 or 1.5)
2)a)create keystore
Did you create the keystore as explained Yes or No?

   b)import the certificate into just created keystore
Did you import the certificate into the keystore Yes or No?

3)uncomment the SSL Connector entry in $CATALINA_HOME/conf/server.xml  and
edit keystoreFile to point to just created keystore
Did you edit the connector to make sure keyStoreFile points to the new
keystore Yes or No?

finally read this url and verify you understand everything you see in the
embodied page
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
Did you read all of this Yes or No?
Do you understand everything that is explained here?

If there is something in this process that is undocumented or poorly
documented PLEASE let us know.

HTH/
Martin-




Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Schadler Johann
To ensure you have a valid keystore with the private key included and a 
reference to the alias 'tomcat', I strongly recommend creating a new keystore as 
described in the reference (see links in other answer mails). At least you 
can create a self-signed certificate if you don't need one signed by a 
trusted CA.


To check if SSL is running you can test it from a Linux or Unix box with 
installed OpenSSL with the following command:


echo -e "GET /jsp-examples/index.jsp HTTP/1.0\r\n\r\n" | openssl s_client -connect localhost:8443 -ssl3 -debug -quiet


Replace the URI context and welcome file, replace hostname and port if 
necessary, and change the SSL mode to ssl2 or tls as needed.


Johann





Re: SSL problem with Tomcat 5.5

2007-11-26 Thread Dave
In my case, apache is in the front as a load balancer (JK module). I read an 
instruction that says SSL is only needed between client and Apache, but SSL is 
not configured between apache and tomcat. I am using JBOSS 4.2.2.
   
  In my environment, the security between apache and tomcat is a concern. How 
to configure SSL all the way between client -- Apache -- Tomcat?
   
  Thanks!
  dave
  




   

Re: SSL problem in Tomcat

2006-05-25 Thread Jfk

I know it's going to sound silly... but then, I found out the problem.

It's the -storepass and -keypass: they have to be the same. I thought they were
for different purposes...

Anyway, issue closed.



Re: SSL problem in Tomcat

2006-05-24 Thread Jfk

Hi Gavin,

I encountered the same problem as you, but I am unable to resolve it like
you did. The following is my config.

--Server.xml

<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS" />

--Server.xml

I have the following files in my Tomcat home directory (but I did not
specify any %TOMCAT_HOME% environment variable; it is not mentioned anywhere in
the doc...) -
client.cer
client.keystore
server.cer
server.keystore

I tried adding the line keystoreFile="c:\Program Files\Java\jdk1.5.0_06\ssl\server.keystore"
to the server.xml but it still doesn't work.

*Note: the c:\Program Files\Java\jdk1.5.0_06\ssl\ directory contains the
same 4 files listed above.

Any advice? Thanks.
jfk.








Re: SSL problem in Tomcat

2006-05-12 Thread Jack

I have a page that has some config info about SSL with Client
Authentication turned on. You could have a look there and see if you
find any of it useful.

http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Cheers
Jack...

On 11/05/06, Gavin Alexander [EMAIL PROTECTED] wrote:

Hi, I am having a problem getting Tomcat to work properly with SSL.

My server.xml file contains the lines shown below, which appear fine to me.

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on the port specified
during installation  -->
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
debug="0" connectionTimeout="2"
disableUploadTimeout="true" />

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />


Tomcat works fine with html pages, JSPs and servlets until such time
as they require SSL, and then I get the following message:

Unable to connect
Firefox can't establish a connection to the server at localhost:8443.
 *   The site could be temporarily unavailable or too busy. Try
again in a few moments.
 *   If you are unable to load any pages, check your computer's
network connection.
 *   If your computer or network is protected by a firewall or
proxy, make sure that Firefox is permitted to access the Web.

or, in IE:

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site
might be experiencing technical difficulties, or you may need to
adjust your browser settings.

Please try the following:
...


If I enter https://localhost:8443 into the address bar of my browser
(Firefox) I don't get the Tomcat splash page, as described in
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File.

If anyone can suggest any other configuration details, or tests that
I can use to figure out the problem, I would be grateful.

Thank you,

Gavin Alexander







--
Cheers
Jack...

The claim "natural" is not synonymous with "safe".




Re: SSL problem in Tomcat

2006-05-12 Thread Gavin Alexander

Thanks for that Jack.

Ironically, I just got things working again not 20 seconds before I 
got your email. For some reason the .keystore file had stopped 
working (maybe expired?) and I ended up creating a new one and adding 
a keystoreFile attribute with path to the new file in tomcat's server.xml.


As often happens, I am mystified as to how it broke, but happy it is fixed!

Cheers,

Gavin


At 09:27 12/05/2006, you wrote:

I have a page that has some config info about SSL with Client
Authentication turned on. You could have a look there and see if you
find any of it useful.

http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Cheers
Jack...

On 11/05/06, Gavin Alexander [EMAIL PROTECTED] wrote:

Hi, I am having a problem getting Tomcat to work properly with SSL.

My server.xml file contains the lines shown below, which appear fine to me.

<!-- Define a non-SSL Coyote HTTP/1.1 Connector on the port specified
during installation  -->
<Connector port="8080"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" redirectPort="8443" acceptCount="100"
debug="0" connectionTimeout="2"
disableUploadTimeout="true" />

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" />


Tomcat works fine with html pages, JSPs and servlets until such time
as they require SSL, and then I get the following message:

Unable to connect
Firefox can't establish a connection to the server at localhost:8443.
 *   The site could be temporarily unavailable or too busy. Try
again in a few moments.
 *   If you are unable to load any pages, check your computer's
network connection.
 *   If your computer or network is protected by a firewall or
proxy, make sure that Firefox is permitted to access the Web.

or, in IE:

The page cannot be displayed
The page you are looking for is currently unavailable. The Web site
might be experiencing technical difficulties, or you may need to
adjust your browser settings.

Please try the following:
...


If I enter https://localhost:8443 into the address bar of my browser
(Firefox) I don't get the Tomcat splash page, as described in
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html#Edit%20the%20Tomcat%20Configuration%20File.

If anyone can suggest any other configuration details, or tests that
I can use to figure out the problem, I would be grateful.

Thank you,

Gavin Alexander

--
Cheers
Jack...

The claim natural is not synonymous with safe.




-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
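Gavin asked for tests that would pinpoint why the 8443 connector refused connections, and his own fix turned out to be a missing keystoreFile attribute (Tomcat then silently falls back to ~/.keystore with the password "changeit"). The following script is an added example, not code from the thread or from the Tomcat project: it parses a server.xml, finds the SSL connectors, and reports the configuration gaps that make a connector fail to start (no keystore file on disk, missing scheme/secure/sslProtocol, a redirectPort pointing at a port no SSL connector listens on). The embedded server.xml is a constructed sample reproducing the post's two connectors; the connectionTimeout value and the /opt/tomcat paths are assumptions for illustration.

```python
import os
import xml.etree.ElementTree as ET

# Constructed sample: the two Connector elements from the post, wrapped in the
# minimal Server/Service structure. Note there is no keystoreFile attribute on
# the 8443 connector, which is exactly the gap the original poster fixed.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100"
               debug="0" connectionTimeout="20000"
               disableUploadTimeout="true" />
    <Connector port="8443"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
  </Service>
</Server>
"""


def is_ssl(conn):
    """A connector counts as SSL if it declares secure="true" or scheme="https"."""
    a = conn.attrib
    return a.get("secure", "false").lower() == "true" or a.get("scheme", "").lower() == "https"


def check_ssl_connector(conn, home=None, exists=os.path.isfile):
    """Return (severity, message) findings for one SSL connector.

    `home` overrides the user's home directory (where Tomcat looks for the
    default .keystore) and `exists` overrides the file-existence check so the
    logic can be exercised without touching the real filesystem.
    """
    a = conn.attrib
    port = a.get("port", "?")
    findings = []
    if a.get("scheme", "").lower() != "https":
        findings.append(("error", f'connector {port}: scheme="https" is missing'))
    if a.get("secure", "").lower() != "true":
        findings.append(("error", f'connector {port}: secure="true" is missing'))
    if "sslProtocol" not in a:
        findings.append(("warn", f"connector {port}: sslProtocol not set (expected TLS)"))

    keystore = a.get("keystoreFile")
    if keystore is None:
        home = home if home is not None else os.path.expanduser("~")
        keystore = os.path.join(home, ".keystore")
        findings.append(("info", f"connector {port}: no keystoreFile attribute, Tomcat falls back to {keystore}"))
    if not exists(keystore):
        findings.append(("error", f"connector {port}: keystore {keystore} is missing, the connector cannot start"))
    if "keystorePass" not in a:
        findings.append(("info", f'connector {port}: no keystorePass attribute, Tomcat falls back to "changeit"'))
    if a.get("clientAuth", "false").lower() == "true" and "truststoreFile" not in a:
        findings.append(("warn", f"connector {port}: clientAuth=true without truststoreFile, trust comes from the JVM cacerts"))
    return findings


def audit(xml_text, home=None, exists=os.path.isfile):
    """Audit every Connector in a server.xml string.

    Returns {"ssl_ports": [...], "findings": [(severity, message), ...]}.
    """
    root = ET.fromstring(xml_text)
    conns = list(root.iter("Connector"))
    ssl = [c for c in conns if is_ssl(c)]
    plain = [c for c in conns if not is_ssl(c)]
    ssl_ports = [c.get("port") for c in ssl]
    findings = []
    if not ssl:
        findings.append(("error", "no SSL connector (secure=\"true\" / scheme=\"https\") is defined"))
    for c in ssl:
        findings.extend(check_ssl_connector(c, home=home, exists=exists))
    # A plain connector's redirectPort must name a port an SSL connector serves,
    # otherwise confidential-transport redirects land on a closed port.
    for c in plain:
        rp = c.get("redirectPort")
        if rp is not None and rp not in ssl_ports:
            findings.append(("error", f"connector {c.get('port')} redirects to {rp}, but no SSL connector listens there"))
    return {"ssl_ports": ssl_ports, "findings": findings}


if __name__ == "__main__":
    # Run against the constructed sample; pass a real file's contents instead
    # (open("conf/server.xml").read()) to audit an actual installation.
    result = audit(SAMPLE_SERVER_XML)
    print("SSL connector ports:", result["ssl_ports"])
    for severity, message in result["findings"]:
        print(f"[{severity}] {message}")
```

The filesystem check is the one that would have caught Gavin's situation: with no keystoreFile attribute, the script names the ~/.keystore path Tomcat will actually open, and reports an error if that file is absent. Once the attribute is added and points at an existing store, the same connector audits clean.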