Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-02-02 Thread Samuli Seppänen
Just for future reference to others, the problem was this line in 
Funambol data synchronization server's start.sh script:


JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$FUNAMBOL_HOME/lib/security/cacerts"


Commenting this out fixed the problem. I still fail to see how this 
should affect the keystorePass parameter handling in Tomcat in any way. 
So why does changeit work but some other password doesn't?


Well, go figure.

Samuli


From: Samuli Seppänen [mailto:[EMAIL PROTECTED] Subject: 
Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]


I suppose this Tomcat home does not apply if I use absolute 
pathnames, like /root/newkeystore?


There's always a home directory for the process, usually based on the 
userid the process is running under.  If you've put the keystore file 
in any location other than the userid's home directory, you must 
specify the location with the keystoreFile attribute.


Just for reference, the problem was not Tomcat after all... it is 
somehow related to Funambol sync server.


Until this point I had started Tomcat only via the Funambol startup 
scripts. Then I tested Tomcat 5.5.25 standalone on my laptop and on the 
Funambol server (e.g. with startup.sh and shutdown.sh) and everything 
worked perfectly with JRE 1.5 and 1.6. I could select whatever password 
I want and the SSL listener would come up just fine. I have to dig into 
Funambol to see what is going on here, it's pretty weird.


Anyway, thanks for the tips!

Samuli




-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]








Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-02-01 Thread Samuli Seppänen
From: Samuli Seppänen [mailto:[EMAIL PROTECTED] 
Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
tampered with [SOLVED]


Tomcat SSL Connector entries accept the following parameters:
- keystorePass (password for the JKS (Java keystore))
- keypass (password for the key inside the JKS)
- keystoreFile (keystore location in filesystem)


The problem with your analysis is that the keypass attribute is not in the 
Tomcat doc, and you've misinterpreted the code.  As currently implemented, the 
keypass attribute is simply an internal alias for keystorePass, nothing else.


Yes, you're probably right, I didn't have time to really dig into the code.


Note the following from the SSL how-to:

Finally, you will be prompted for the key password, which is the password 
specifically for this Certificate (as opposed to any other Certificates stored in the 
same keystore file). You MUST use the same password here as was used for the keystore 
password itself.

Note: your private key password and keystore password should be the same.

If you want things to work differently, submit an enhancement request 
(preferably with a patch).


I've been aware of that, and I do understand the difference. My only 
problem has been the requirement to use the default password changeit. 
As a sysadmin I'm against using a widely known default password for 
anything, especially if it has anything to do with the Internet.


I have nothing against using the same password for the JKS _and_ for the 
certificate, as long as the password is not changeit. Anyways, please 
tell me if my concerns are unfounded from a security perspective.


At least on 5.5.20 the keystoreFile parameter has 
to be inserted straight into Connector, contrary to 
what the Howto says.

Where else does the doc say the keystoreFile attribute can be specified?  I 
can't find anything other than a comment about its default location, which 
seems to work fine.


Take a look at Troubleshooting section in 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


---

# When Tomcat starts up, I get an exception like 
java.io.FileNotFoundException: {some-directory}/{some-file} not found.


A likely explanation is that Tomcat cannot find the keystore file where 
it is looking. By default, Tomcat expects the keystore file to be named 
.keystore in the user home directory under which Tomcat is running 
(which may or may not be the same as yours :-). If the keystore file is 
anywhere else, you will need to add a keystoreFile attribute to the 
Factory element in the Tomcat configuration file.


---

I'll verify this thing one more time to be sure and then file a 
bug report and attach a patch.


Best regards,

Samuli






Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-02-01 Thread Samuli Seppänen

I had no problems running with a password other than changeit on any of 
5.5.23, 5.5.25, and various 6.0.x levels.  As long as the keystore is built with both 
passwords the same, everything functions as documented.
Take a look at Troubleshooting section in 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


I don't see any problems with that portion of the doc.  Remember that Tomcat's 
home directory may not be what you think it is.  Use JConsole or Lambda Probe 
to check the value of the user.home system property in a running Tomcat to find 
out what the default location is.


I suppose this Tomcat home does not apply if I use absolute pathnames, 
like /root/newkeystore?


Anyways thanks for the tip, I'll check JConsole and Lambda Probe out.

Samuli





RE: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-02-01 Thread Caldarale, Charles R
 From: Samuli Seppänen [mailto:[EMAIL PROTECTED] 
 Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
 tampered with [SOLVED]
 
 I suppose this Tomcat home does not apply if I use absolute 
 pathnames, like /root/newkeystore?

There's always a home directory for the process, usually based on the userid 
the process is running under.  If you've put the keystore file in any location 
other than the userid's home directory, you must specify the location with the 
keystoreFile attribute.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.




RE: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-02-01 Thread Caldarale, Charles R
 From: Samuli Seppänen [mailto:[EMAIL PROTECTED] 
 Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
 tampered with [SOLVED]
 
 My only problem has been the requirement to use the 
 default password changeit. 

I had no problems running with a password other than changeit on any of 
5.5.23, 5.5.25, and various 6.0.x levels.  As long as the keystore is built 
with both passwords the same, everything functions as documented.

 Take a look at Troubleshooting section in 
 http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I don't see any problems with that portion of the doc.  Remember that Tomcat's 
home directory may not be what you think it is.  Use JConsole or Lambda Probe 
to check the value of the user.home system property in a running Tomcat to find 
out what the default location is.

 - Chuck





Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-01-31 Thread Samuli Seppänen

Update on this Tomcat+SSL+keystore thing:

I dug into the Tomcat 5.5.25 source code to see what's really going on. 
Here's what I found - hopefully it's useful to someone.


Tomcat SSL Connector entries accept the following parameters:
- keystorePass (password for the JKS (Java keystore))
- keypass (password for the key inside the JKS)
- keystoreFile (keystore location in filesystem)

At least Tomcat 5.5.20 (older, yes) supports only the keystoreFile 
parameter. The keypass and keystorePass get messed up somehow, no 
matter how they're defined in the Connector part. The default password 
(changeit) is used instead.


In Tomcat 5.5.21 a Java property check was added to the code to allow a 
property (javax.net.keystorePassword or something) to define the 
keystore password.


In Tomcat 5.5.25 it seems to be possible to use a different keystore 
password and key password. One of them has to be the default 
(changeit), can't remember which. I didn't have time to check this 
properly.


There's also a bug in Tomcat SSL Howto - I'll file a bug report on it 
unless it has been done already. At least on 5.5.20 the keystoreFile 
parameter has to be inserted straight into Connector, contrary to 
what the Howto says. This is easily verifiable with strace.


Unless somebody proves me wrong, I would consider the parameters 
keypass and keystorePass useless with Tomcat 5.5.x versions. There 
is no practical way to change those without Java debugging and/or 
patching, which is beyond the skill of most system admins. If the 
parameters are indeed usable, please update the Tomcat 5.5 SSL 
documentation to reflect their correct usage. Alternatively tell me how 
to use them correctly and I'll file a patch to the SSL howto.


This configuration hell aside, Tomcat has been a real workhorse. Keep on 
the good work!


Best regards,

Samuli



Some additional info:

Debian Etch w/o system-wide Java installation

These are included in the Funambol sync server bundle (6.5.12):
 Java Runtime environment 1.5.0
 Tomcat 5.5.20

First of all, instead of recipes, I'd prefer to be pointed at 
information on how to debug this problem. I'm not a professional Java 
developer so all these Servlet/Java/log4j/properties/Connector/Factory 
things are a bit strange for me.


Anyways, here are the HTTPS/SSL connector settings that I've tried to no 
avail. Please tell me which one _should_  work, or if they are all 
faulty. The paths are correct.


<!-- This is based strictly on Tomcat 5.5 SSL Howto. Still -->
<!-- it does not work. The keystoreFile should be in -->
<!-- Connector part, not Factory part. Feel free to -->
<!-- verify with strace to see what I mean. -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150"
   minSpareThreads="25"
   maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystorePass="something"
   keyAlias="tomcat">
<Factory clientAuth="false" protocol="TLS"
 keystoreFile="/root/newkeystore"/>
</Connector>

<!-- Another variant with keystorePass in Connector -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25"
   maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystorePass="something"
   keyAlias="tomcat"
   keystoreFile="/root/newkeystore">
<Factory clientAuth="false" protocol="TLS"/>
</Connector>

<!-- Another variant with keystorePass inside Factory -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25"
   maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keyAlias="tomcat"
   keystoreFile="/root/newkeystore">
<Factory clientAuth="false" protocol="TLS"
   keystorePass="something"/>
</Connector>

<!-- Another variant without Factory part -->
<Connector port="443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25"
   maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystorePass="something"
   keyAlias="tomcat"
   keystoreFile="/root/newkeystore"/>

So none of these work. Any ideas?


Hi!

I migrated from Tomcat 5.0 to Tomcat 5.5. I had SSL working in Tomcat 
5.0 with both a self-created certificate and a signed (trusted) 
certificate, both inside a Java keystore (JKS).


Now, with Tomcat 5.5 the SSL connector refuses to start with the 
dreaded keystore was 

RE: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

2008-01-31 Thread Caldarale, Charles R
 From: Samuli Seppänen [mailto:[EMAIL PROTECTED] 
 Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
 tampered with [SOLVED]
 
 Tomcat SSL Connector entries accept the following parameters:
 - keystorePass (password for the JKS (Java keystore))
 - keypass (password for the key inside the JKS)
 - keystoreFile (keystore location in filesystem)

The problem with your analysis is that the keypass attribute is not in the 
Tomcat doc, and you've misinterpreted the code.  As currently implemented, the 
keypass attribute is simply an internal alias for keystorePass, nothing else.

Note the following from the SSL how-to:

Finally, you will be prompted for the key password, which is the password 
specifically for this Certificate (as opposed to any other Certificates stored 
in the same keystore file). You MUST use the same password here as was used for 
the keystore password itself.

Note: your private key password and keystore password should be the same.

If you want things to work differently, submit an enhancement request 
(preferably with a patch).

 At least on 5.5.20 the keystoreFile parameter has 
 to be inserted straight into Connector, contrary to 
 what the Howto says.

Where else does the doc say the keystoreFile attribute can be specified?  I 
can't find anything other than a comment about its default location, which 
seems to work fine.

 - Chuck


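As an added example (my own code, not anything from the thread or from Tomcat), a small Java program that exercises a JKS the way Tomcat 5.5 does: it opens the keystore with the keystorePass value, then reads the private key under keyAlias with that same password. The two failures that both leave the SSL connector down are told apart: a wrong store password (or a corrupt / non-JKS file) is reported by load() as the "Keystore was tampered with, or password was incorrect" IOException from the thread's subject line, while a key password that differs from the store password is reported by getKey() as UnrecoverableKeyException. The class name KeystoreCheck and the three command-line arguments are my own choices.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;

/**
 * Usage: java KeystoreCheck <keystoreFile> <keyAlias> <keystorePass>
 * Exit 0 if the key can be read with the store password, 1 otherwise.
 */
public class KeystoreCheck {

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreCheck <keystoreFile> <keyAlias> <keystorePass>");
            System.exit(2);
        }
        String file = args[0];
        String alias = args[1];
        char[] password = args[2].toCharArray();   // Tomcat 5.5 uses this for both

        KeyStore ks = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(file)) {
            // Wrong store password: IOException "Keystore was tampered with,
            // or password was incorrect". The same message appears for a
            // corrupt file or a file that is not a JKS at all.
            ks.load(in, password);
        } catch (IOException e) {
            System.out.println("store password rejected: " + e.getMessage());
            System.exit(1);
        }
        System.out.println("store password accepted");

        if (!ks.isKeyEntry(alias)) {
            System.out.println("no private key entry under alias '" + alias + "'");
            System.exit(1);
        }
        try {
            // Wrong key password: UnrecoverableKeyException. Tomcat 5.5 passes
            // keystorePass here too, so the key password must equal it.
            Key key = ks.getKey(alias, password);
            System.out.println("key password accepted (" + key.getAlgorithm() + " key)");
        } catch (UnrecoverableKeyException e) {
            System.out.println("key password differs from store password; "
                    + "Tomcat 5.5 requires them to be the same");
            System.exit(1);
        }
    }
}
```

Run it with the exact keystoreFile, keyAlias and keystorePass values from server.xml; if it exits 0 but the connector still fails, the problem is outside the keystore itself.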