AW: AW: Request for SSL Setup
Hello,

> -----Original Message-----
> From: Manibharathi R
> Sent: Tuesday, 28 June 2022 08:56
> To: Tomcat Users List
> Subject: Re: AW: Request for SSL Setup
>
> Thanks for your prompt response.
>
> Could you please send me the procedure for how we can generate
> certificate files?
>
> -----Original Message-----
> From: Thomas Hoffmann (Speed4Trade GmbH)
> Sent: Tuesday, June 28, 2022 12:13 PM
> To: Tomcat Users List
> Subject: AW: Request for SSL Setup
>
> This email came from an external source. Please do not click links or open
> attachments unless you recognize the sender.
>
> Hello,
>
> > -----Original Message-----
> > From: Manibharathi R
> > Sent: Tuesday, 28 June 2022 07:16
> > To: users@tomcat.apache.org
> > Subject: Request for SSL Setup
> >
> > Dear Team,
> >
> > Greetings,
> >
> > I have done the keystore generation, the key import and the changes
> > in server.xml. But still I am unable to access it through https.
> >
> > Kindly send me the causes of this issue.
> >
> > Regards,
> > R.Manibharathi,
> > AM, Android Mobile App Developer
>
> Could you please check all logfiles to see if there are any errors shown?
> Any stacktraces, warnings or errors visible?
> Is there a line like "org.apache.coyote.AbstractProtocol.start Starting
> ProtocolHandler ["https-openssl-nio-443"]"?
>
> Greetings, Thomas
>
> -
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
> Regards,
> R.Manibharathi,
> AM, Android Mobile App Developer

You can do it e.g. with keytool:
https://stackoverflow.com/questions/42541356/how-to-create-a-self-signed-ssl-certificate-for-use-with-tomcat
This generates a self-signed certificate, which is suitable for development and testing purposes.

Another method is using OpenSSL, but this involves multiple steps:
https://www.baeldung.com/openssl-self-signed-cert

If you need a publicly signed certificate, you can generate a CSR with OpenSSL and send it to a certificate authority to get it signed.

Background information:
For using SSL you always need a matching keypair, that is a public and a private key.
The private key is signed. The client needs to trust the signature (with the corresponding signature's public key).
A JKS file can store both keys. Alternatively you can use two separate files (e.g. in PEM format) and configure the Tomcat connector to use both files.

Greetings, Thomas
Re: AW: Request for SSL Setup
Thanks for your prompt response.

Could you please send me the procedure for how we can generate certificate files?

-----Original Message-----
From: Thomas Hoffmann (Speed4Trade GmbH)
Sent: Tuesday, June 28, 2022 12:13 PM
To: Tomcat Users List
Subject: AW: Request for SSL Setup

Hello,

> -----Original Message-----
> From: Manibharathi R
> Sent: Tuesday, 28 June 2022 07:16
> To: users@tomcat.apache.org
> Subject: Request for SSL Setup
>
> Dear Team,
>
> Greetings,
>
> I have done the keystore generation, the key import and the changes in
> server.xml. But still I am unable to access it through https.
>
> Kindly send me the causes of this issue.
>
> Regards,
> R.Manibharathi,
> AM, Android Mobile App Developer

Could you please check all logfiles to see if there are any errors shown? Any stacktraces, warnings or errors visible?
Is there a line like "org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-443"]"?

Greetings, Thomas

Regards,
R.Manibharathi,
AM, Android Mobile App Developer

This email and its attachments may contain confidential, proprietary or legally privileged information and is intended solely for the use of the individual or entity to whom it is addressed. If you have erroneously received this message, please delete it immediately and notify the sender. Any unauthorized review, use, disclosure, dissemination, forwarding, printing or copying of this email or any action taken in reliance on this e-mail is strictly prohibited and may be unlawful. E-mail transmission cannot be guaranteed to be secure or error-free as information could be intercepted, corrupted, lost, destroyed, incomplete or contain viruses and any views expressed in this message are those of the individual sender and no binding nature of the message shall be implied or assumed unless the sender does so expressly with due authority of Suguna Foods Private Limited, its associates/subsidiaries.
AW: Request for SSL Setup
Hello,

> -----Original Message-----
> From: Manibharathi R
> Sent: Tuesday, 28 June 2022 07:16
> To: users@tomcat.apache.org
> Subject: Request for SSL Setup
>
> Dear Team,
>
> Greetings,
>
> I have done the keystore generation, the key import and the changes in
> server.xml. But still I am unable to access it through https.
>
> Kindly send me the causes of this issue.
>
> Regards,
> R.Manibharathi,
> AM, Android Mobile App Developer

Could you please check all logfiles to see if there are any errors shown? Any stacktraces, warnings or errors visible?
Is there a line like "org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["https-openssl-nio-443"]"?

Greetings, Thomas
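Thomas's advice above, turned into a script: scan the catalina log for the "Starting ProtocolHandler" line of the https connector and, if it is missing, for the exception that explains why. This is an added example, not code from the thread or from the Tomcat project. The sample log it ships with is constructed here in catalina.out format (one of its lines carries the "Cannot store non-PrivateKeys" exception quoted in the 2017 thread further down this page), and the hint attached to each exception pattern is my own reading of that message, not Tomcat documentation.

```python
"""Triage a Tomcat catalina log for an HTTPS connector that never comes up.
Added example, not from the thread or the Tomcat project. On a live box:
    python3 tomcat_tls_triage.py /opt/tomcat/logs/catalina.out 8443
"""
import re
import sys

# The line Thomas asks for: AbstractProtocol logs it once the connector's
# ProtocolHandler is actually listening. Only https-* handlers are of interest.
STARTED = re.compile(r'Starting ProtocolHandler \["(?P<handler>https-[^"]+)"\]')

# Exception texts that explain a TLS connector that never starts. The hint
# beside each is my reading of the message, not Tomcat documentation. The
# last entry is Tomcat's generic wrapper (root_cause=False); its real cause
# is on the "Caused by:" line further down the stack trace.
FAILURES = [
    (re.compile(r"Cannot store non-PrivateKeys"),
     "the keystore alias holds only a certificate (trustedCertEntry), not the "
     "private key; import the signed cert onto the alias that owns the key", True),
    (re.compile(r"Keystore was tampered with, or password was incorrect"),
     "keystore password in server.xml does not match the keystore file", True),
    (re.compile(r"NoSuchFileException|FileNotFoundException"),
     "keystore/certificate path does not exist or is unreadable for the Tomcat user", True),
    (re.compile(r"Alias name \[[^\]]*\] does not identify a key entry"),
     "certificateKeyAlias/keyAlias names an entry without a private key", True),
    (re.compile(r"Address already in use"),
     "another process or a second connector already listens on that port", True),
    (re.compile(r"Failed to (start|initialize) component \[Connector\[[^\]]+\]\]"),
     "connector did not start; the root cause follows in the stack trace", False),
]


def triage(log_text):
    """Scan the log once; collect started https handlers, known failures, other errors."""
    result = {"started": [], "failures": [], "other": []}
    for lineno, line in enumerate(log_text.splitlines(), 1):
        started = STARTED.search(line)
        if started:
            result["started"].append(started.group("handler"))
            continue
        for pattern, hint, root_cause in FAILURES:
            if pattern.search(line):
                result["failures"].append({"line": lineno, "hint": hint,
                                           "root_cause": root_cause, "text": line.strip()})
                break
        else:
            # Anything else at SEVERE, or an exception name we have no hint for.
            if " SEVERE " in line or "Exception" in line:
                result["other"].append((lineno, line.strip()))
    return result


def verdict(result, https_port=None):
    """One-line answer to "why can't I reach https?", optionally for one port."""
    started = result["started"]
    if https_port is not None:
        started = [h for h in started if h.endswith(f"-{https_port}")]
    if started:
        return "started: " + ", ".join(started)
    root = [f for f in result["failures"] if f["root_cause"]] or result["failures"]
    if root:
        return f"line {root[0]['line']}: {root[0]['hint']}"
    if result["other"]:
        lineno, text = result["other"][0]
        return f"no https ProtocolHandler started; first error at line {lineno}: {text}"
    return ("no https ProtocolHandler start line and no error: the SSLEnabled connector "
            "is probably not in the server.xml this instance loads (check CATALINA_BASE/conf)")


# Constructed sample in catalina.out format, modelled on the symptoms reported in
# both threads on this page (8080 works, 8443 never starts); not a real log.
SAMPLE_LOG = """\
28-Jun-2022 08:40:12.514 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
    org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:1062)
    Caused by: java.security.KeyStoreException: Cannot store non-PrivateKeys
28-Jun-2022 08:40:12.700 INFO [main] org.apache.catalina.core.StandardService.startInternal Starting service [Catalina]
28-Jun-2022 08:40:13.105 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(verdict(triage(text), sys.argv[2] if len(sys.argv) > 2 else None))
```

The port argument matters: a start line for "https-jsse-nio-8443" does not help if the browser is pointed at 443. When the script reports neither a start line nor an error, the usual cause is that Tomcat loaded a different server.xml than the one that was edited (a second CATALINA_BASE, or a packaged copy of the file).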
Request for SSL Setup
Dear Team,

Greetings,

I have done the keystore generation, the key import and the changes in server.xml. But still I am unable to access it through https.

Kindly send me the causes of this issue.

Regards,
R.Manibharathi,
AM, Android Mobile App Developer
Re: Question about TLS/SSL setup and SSLHostConfig or not
On 02.03.21 23:50, Peter Kreuser wrote:
> Alex,
>
>> On 02.03.2021 at 23:19, Alex wrote:
>>
>> Hi.
>>
>>> On 02.03.21 23:14, John Larsen wrote:
>>> I usually let the apache webserver or nginx handle the SSL while proxying
>>> to the tomcat.
>
> Unless you need some really fancy rewriting or caching, Tomcat is absolutely capable to handle this. Even static files are OK nowadays.
>
>>> To use tomcat's built in server you'll need to import the
>>> SSL certificate into the keystore via your jdk.
>
> That's not the case anymore. Tomcat 8.5.x perfectly speaks PEM files and openssl config. (See below)
> Even dynamic reloading of SSL configs can be achieved with the jmxproxy.
>
>> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
>> the backend, in this case tomcat.
>>
>>> John Larsen
>>>
>>>> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
>>>> Hi.
>>>>
>>>> I try to make a "good" tomcat config and read the docs.
>>>>
>>>> Now in the Connector doc is the following statement.
>>>>
>>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>>>
>>>> Each secure connector must define at least one SSLHostConfig.
>>>>
>>>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>>>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>>>> with tomcat? I would prefer to put SSLHostConfig, but I'm not sure if
>>>> it's the way the developers intend TLS to be set up in tomcat.
>>>>
>>>> I use JSSE as implementation.
>>>>
>>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>>>
>>>> ```
>>>> <Connector
>>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>>            port="8443" maxThreads="200"
>>>>            scheme="https" secure="true" SSLEnabled="true"
>>>>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>>>            clientAuth="false" sslProtocol="TLS"/>
>>>> ```
>
> You should move this to SSLHostConfig.

Thank you for the clarification, I will do it.

> HTH
> Peter
>
>>>> What's your suggestion and opinion to configure the tomcat in a
>>>> proper way to use TLS also for the future versions?
>>>>
>>>> Regards
>>>> Alex
Re: Question about TLS/SSL setup and SSLHostConfig or not
Alex,

> On 02.03.2021 at 23:19, Alex wrote:
>
> Hi.
>
>> On 02.03.21 23:14, John Larsen wrote:
>> I usually let the apache webserver or nginx handle the SSL while proxying
>> to the tomcat.

Unless you need some really fancy rewriting or caching, Tomcat is absolutely capable to handle this. Even static files are OK nowadays.

>> To use tomcat's built in server you'll need to import the
>> SSL certificate into the keystore via your jdk.

That's not the case anymore. Tomcat 8.5.x perfectly speaks PEM files and openssl config. (See below)
Even dynamic reloading of SSL configs can be achieved with the jmxproxy.

> Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to
> the backend, in this case tomcat.
>
>> John Larsen
>>
>>> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
>>> Hi.
>>>
>>> I try to make a "good" tomcat config and read the docs.
>>>
>>> Now in the Connector doc is the following statement.
>>>
>>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>>
>>> Each secure connector must define at least one SSLHostConfig.
>>>
>>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>>> with tomcat? I would prefer to put SSLHostConfig, but I'm not sure if
>>> it's the way the developers intend TLS to be set up in tomcat.
>>>
>>> I use JSSE as implementation.
>>>
>>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>>
>>> ```
>>> <Connector
>>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>>            port="8443" maxThreads="200"
>>>            scheme="https" secure="true" SSLEnabled="true"
>>>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>>            clientAuth="false" sslProtocol="TLS"/>
>>> ```

You should move this to SSLHostConfig.

HTH
Peter

>>> What's your suggestion and opinion to configure the tomcat in a
>>> proper way to use TLS also for the future versions?
>>>
>>> Regards
>>> Alex
Re: Question about TLS/SSL setup and SSLHostConfig or not
Hi.

On 02.03.21 23:14, John Larsen wrote:
> I usually let the apache webserver or nginx handle the SSL while proxying
> to the tomcat. To use tomcat's built in server you'll need to import the
> SSL certificate into the keystore via your jdk.

Fully agree, but sometimes it is required that the HAProxy/nginx talk TLS to the backend, in this case tomcat.

> John Larsen
>
>> On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
>> Hi.
>>
>> I try to make a "good" tomcat config and read the docs.
>>
>> Now in the Connector doc is the following statement.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
>> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>>
>> Each secure connector must define at least one SSLHostConfig.
>>
>> But when I look into the SSL/TLS Configuration How-To, the snippet is
>> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
>> with tomcat? I would prefer to put SSLHostConfig, but I'm not sure if
>> it's the way the developers intend TLS to be set up in tomcat.
>>
>> I use JSSE as implementation.
>>
>> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
>> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>>
>> ```
>> <Connector
>>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>>            port="8443" maxThreads="200"
>>            scheme="https" secure="true" SSLEnabled="true"
>>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>>            clientAuth="false" sslProtocol="TLS"/>
>> ```
>>
>> What's your suggestion and opinion to configure the tomcat in a
>> proper way to use TLS also for the future versions?
>>
>> Regards
>> Alex
Re: Question about TLS/SSL setup and SSLHostConfig or not
I usually let the apache webserver or nginx handle the SSL while proxying to the tomcat. To use tomcat's built in server you'll need to import the SSL certificate into the keystore via your jdk.

John Larsen

On Tue, Mar 2, 2021 at 3:06 PM Alex wrote:
> Hi.
>
> I try to make a "good" tomcat config and read the docs.
>
> Now in the Connector doc is the following statement.
>
> http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
> http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support
>
> Each secure connector must define at least one SSLHostConfig.
>
> But when I look into the SSL/TLS Configuration How-To, the snippet is
> without SSLHostConfig. What's now the "best" way to set up TLS/SSL
> with tomcat? I would prefer to put SSLHostConfig, but I'm not sure if
> it's the way the developers intend TLS to be set up in tomcat.
>
> I use JSSE as implementation.
>
> http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
> http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html
>
> ```
> <Connector
>            protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="8443" maxThreads="200"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="${user.home}/.keystore" keystorePass="changeit"
>            clientAuth="false" sslProtocol="TLS"/>
> ```
>
> What's your suggestion and opinion to configure the tomcat in a
> proper way to use TLS also for the future versions?
>
> Regards
> Alex
Question about TLS/SSL setup and SSLHostConfig or not
Hi.

I try to make a "good" tomcat config and read the docs.

Now in the Connector doc is the following statement.

http://tomcat.apache.org/tomcat-9.0-doc/config/http.html#SSL_Support
http://tomcat.apache.org/tomcat-10.0-doc/config/http.html#SSL_Support

Each secure connector must define at least one SSLHostConfig.

But when I look into the SSL/TLS Configuration How-To, the snippet is without SSLHostConfig. What's now the "best" way to set up TLS/SSL with tomcat? I would prefer to put SSLHostConfig, but I'm not sure if it's the way the developers intend TLS to be set up in tomcat.

I use JSSE as implementation.

http://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-10.0-doc/ssl-howto.html

```
<Connector
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
```

What's your suggestion and opinion to configure the tomcat in a proper way to use TLS also for the future versions?

Regards
Alex
RE: tomcat ssl setup
John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: Peter Kreuser [mailto:l...@kreuser.name]
Sent: Wednesday, September 27, 2017 3:43 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

John,

> On 27.09.2017 at 18:08, John Ellis <john.el...@lsgsolutions.com> wrote:
>
> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: l...@kreuser.name [mailto:l...@kreuser.name]
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
>
> John,
>
>> On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
>>
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
>> what Jira and/or Confluence would use, so I did that and it worked fine on
>> http port 8080. I then edited the server.xml file again for the SSL port
>> and got the same result as before; it never gets to a webpage login using the
>> secure port of 8443, but I can still get the webpage on port 8080. When I
>> look at the Tomcat 8 Catalina log file I see several lines where it says
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
>> googling that error and found a couple of posts saying to change from JKS to
>> JCEKS, but when I ran the commands I didn't have JKS in the command; only RSA
>> for the algorithm. Can someone provide me with the proper keytool commands
>> that I need to use to create an SSL certificate for Tomcat?
>>
>> John Ellis
>> 405.285.2500 office
>
> We're talking about Tomcat 8.5; 8.0 is EOLed, so it may not make sense to ride
> a dead horse. Also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName="localhost">
>   <SSLHostConfig hostName="localhost"
>                  honorCipherOrder="true"
>                  certificateVerification="none"
>                  protocols="TLSv1.2"
>                  ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let's encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> # generate an encrypted 4096-bit RSA private key (genrsa takes no -subj; the subject goes on the CSR)
> openssl genrsa -aes256 -out server.key 4096
> # certificate signing request for that key
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that's not necessary to get it running
>
> # self-sign the CSR for one year
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> # bundle key and certificate into a PKCS#12 keystore under the alias "tomcat", then list it
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter
Re: tomcat ssl setup
John,

> On 27.09.2017 at 18:08, John Ellis <john.el...@lsgsolutions.com> wrote:
>
> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: l...@kreuser.name [mailto:l...@kreuser.name]
> Sent: Tuesday, September 26, 2017 3:26 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
>
> John,
>
>> On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
>>
>> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
>> what Jira and/or Confluence would use, so I did that and it worked fine on
>> http port 8080. I then edited the server.xml file again for the SSL port
>> and got the same result as before; it never gets to a webpage login using the
>> secure port of 8443, but I can still get the webpage on port 8080. When I
>> look at the Tomcat 8 Catalina log file I see several lines where it says
>> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
>> googling that error and found a couple of posts saying to change from JKS to
>> JCEKS, but when I ran the commands I didn't have JKS in the command; only RSA
>> for the algorithm. Can someone provide me with the proper keytool commands
>> that I need to use to create an SSL certificate for Tomcat?
>>
>> John Ellis
>> 405.285.2500 office
>
> We're talking about Tomcat 8.5; 8.0 is EOLed, so it may not make sense to ride
> a dead horse. Also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName="localhost">
>   <SSLHostConfig hostName="localhost"
>                  honorCipherOrder="true"
>                  certificateVerification="none"
>                  protocols="TLSv1.2"
>                  ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let's encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> # generate an encrypted 4096-bit RSA private key (genrsa takes no -subj; the subject goes on the CSR)
> openssl genrsa -aes256 -out server.key 4096
> # certificate signing request for that key
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that's not necessary to get it running
>
> # self-sign the CSR for one year
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> # bundle key and certificate into a PKCS#12 keystore under the alias "tomcat", then list it
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter
>
> Peter, I have never seen entries in the "<SSLHostConfig>" part of the
> server.xml file. Does that have to be in there for SSL to work in Tomcat?

That's the way you define one Connector on one port with different certificates in TC 8.5 and 9.0. I guess that's one of the important new features!
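Peter's answer here, and his "You should move this to SSLHostConfig" in the 2021 thread above, as a check that can be run against a server.xml before restarting Tomcat: it flags connector-level keystore attributes that belong in an SSLHostConfig/Certificate pair, a missing SSLHostConfig or Certificate, a protocols setting that still admits TLSv1/TLSv1.1 (the default "all" does), explicitly listed suites without forward secrecy, and the default keystore password from the how-to snippet. This is an added example, not code from the thread or from the Tomcat project. The two server.xml fragments embedded in it are constructed: OLD_STYLE is the pre-8.5 snippet Alex quoted from the ssl-howto; NEW_STYLE is the same connector in SSLHostConfig form, where the keystore path and the ${tomcat.keystore.pass} system property are placeholders of mine, not values from the thread.

```python
"""Lint the TLS connectors in a Tomcat server.xml before restarting.
Added example, not from the thread or the Tomcat project.
    python3 tomcat_tls_lint.py /opt/tomcat/conf/server.xml
"""
import sys
import xml.etree.ElementTree as ET

# Pre-8.5 style: TLS settings as attributes of <Connector>. Tomcat 8.5/9 fold them
# into an implicit default SSLHostConfig; http.html wants an explicit <SSLHostConfig>.
LEGACY_CONNECTOR_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias", "sslProtocol",
                          "sslEnabledProtocols", "ciphers", "clientAuth", "truststoreFile", "truststorePass"}
ALL_PROTOCOLS = {"SSLv2Hello", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"}  # what Tomcat's "all" expands to
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Suite-name prefixes whose key exchange gives forward secrecy (OpenSSL and JSSE spellings).
FS_PREFIXES = ("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_", "TLS_AES_", "TLS_CHACHA20_")


def enabled_protocols(spec):
    """Expand a 'protocols' value such as "all", "TLSv1.2,TLSv1.3" or "all,-TLSv1,-TLSv1.1"."""
    enabled = set()
    for token in (t.strip() for t in spec.split(",") if t.strip()):
        names = ALL_PROTOCOLS if token.lstrip("+-") == "all" else {token.lstrip("+-")}
        enabled = enabled - names if token.startswith("-") else enabled | names
    return enabled


def forward_secrecy_gaps(ciphers):
    """Explicitly named suites with static RSA/ECDH key exchange.
    OpenSSL macros such as HIGH, !aNULL or @STRENGTH are skipped, not expanded."""
    gaps = []
    for token in (t.strip() for t in ciphers.split(":")):
        if not token or token[0] in "!+-@" or not any(c in token for c in "-_"):
            continue
        if not token.startswith(FS_PREFIXES):
            gaps.append(token)
    return gaps


def lint_server_xml(xml_text):
    """Return one finding per problem, for every Connector with SSLEnabled="true"."""
    findings = []
    for conn in ET.fromstring(xml_text).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        legacy = sorted(a for a in conn.attrib if a in LEGACY_CONNECTOR_ATTRS)
        if legacy:
            findings.append(f"port {port}: TLS attributes {legacy} on <Connector>; move them into <SSLHostConfig>/<Certificate>")
        hosts = conn.findall("SSLHostConfig")
        if not hosts:
            findings.append(f"port {port}: no explicit <SSLHostConfig>")
        for host in hosts:
            name = host.get("hostName", "_default_")
            certs = host.findall("Certificate")
            if not certs:
                findings.append(f"port {port}/{name}: <SSLHostConfig> without <Certificate>")
            # The JVM's jdk.tls.disabledAlgorithms may veto TLSv1/1.1 anyway; pin it in server.xml regardless.
            weak = enabled_protocols(host.get("protocols", "all")) & LEGACY_PROTOCOLS
            if weak:
                findings.append(f'port {port}/{name}: protocols allow {sorted(weak)}; set protocols="TLSv1.2,TLSv1.3"')
            gaps = forward_secrecy_gaps(host.get("ciphers", ""))
            if gaps:
                findings.append(f"port {port}/{name}: suites without forward secrecy: {gaps}")
            for cert in certs:
                if cert.get("certificateKeystorePassword") == "changeit":
                    findings.append(f"port {port}/{name}: keystore uses the default password 'changeit'")
    return findings


# Constructed samples. OLD_STYLE is the ssl-howto snippet quoted in the 2021 thread; NEW_STYLE is the
# same connector in SSLHostConfig form (keystore path and ${tomcat.keystore.pass} are placeholders).
OLD_STYLE = """<Server><Service name="Catalina">
<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>
</Service></Server>"""

NEW_STYLE = """<Server><Service name="Catalina">
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
           defaultSSLHostConfigName="localhost">
  <SSLHostConfig hostName="localhost" protocols="TLSv1.2,TLSv1.3" honorCipherOrder="true"
                 ciphers="ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/tomcat.p12"
                 certificateKeystoreType="PKCS12"
                 certificateKeystorePassword="${tomcat.keystore.pass}"
                 certificateKeyAlias="tomcat" type="RSA"/>
  </SSLHostConfig>
</Connector>
</Service></Server>"""

if __name__ == "__main__":
    source = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else OLD_STYLE
    print("\n".join(lint_server_xml(source) or ["no findings"]))
```

Run against Peter's configuration above, the linter passes the SSLHostConfig structure and the TLSv1.2 pin but reports the trailing AES128-GCM-SHA256 ... AES256-SHA entries of his cipher list (static RSA key exchange) and the "changeit" keystore password; the ${tomcat.keystore.pass} form in NEW_STYLE relies on Tomcat's system-property substitution in server.xml, so the value is set in setenv.sh or CATALINA_OPTS rather than stored in the file.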
RE: tomcat ssl setup
John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name]
Sent: Tuesday, September 26, 2017 3:26 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

> John,
>
> > On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
> >
> > Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
> > what Jira and/or Confluence would use so I did that and it worked fine on
> > http port of 8080. I then edited the server.xml file again for the SSL port
> > and got the same result as before; never gets to a webpage login using the
> > secure port of 8443 but I can still get the webpage on port 8080. When I look
> > at the Tomcat 8 Catalina log file I see several lines where it says-
> > "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
> > googling that error and found a couple of posts saying to change from JKS to
> > JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
> > for the algorithm. Can someone provide me with the proper keytool commands
> > that I need to use to create an SSL certificate for Tomcat?
> >
> > John Ellis
> >
> > 405.285.2500 office
>
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName=“localhost”>
>   <SSLHostConfig hostName="localhost"
>                  honorCipherOrder="true"
>                  certificateVerification="none"
>                  protocols="TLSv1.2"
>                  ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let’s encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter

Peter I have never seen entries in the "<SSLHostConfig>" part of the server.xml file. Does that have to be in there for SSL to work in Tomcat?
Re: tomcat ssl setup
2017-09-27 2:52 GMT+03:00 John Ellis:
> Mark I don't see where you wrote anything in this reply?

The rules:
http://tomcat.apache.org/lists.html#tomcat-users
-> 6. Top-posting is bad.

Mark posted a link to a Webinar video on Youtube, from the 2016 webinar series, "TLS key/certificate generation".

Also available here:
http://tomcat.apache.org/presentations.html

> > https://youtu.be/I6TbMqH9WFg
> >
> > Mark

Best regards,
Konstantin Kolinko
RE: tomcat ssl setup
Mark I don't see where you wrote anything in this reply?

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Tuesday, September 26, 2017 5:49 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: RE: tomcat ssl setup

On 26 September 2017 20:26:58 BST, John Ellis <john.el...@lsgsolutions.com> wrote:
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought
> this is what Jira and/or Confluence would use so I did that and it
> worked fine on http port of 8080. I then edited the server.xml file
> again for the SSL port and got the same result as before; never gets to
> a webpage login using the secure port of 8443 but I can still get the
> webpage on port 8080. When I look at the Tomcat 8 Catalina log file I
> see several lines where it says- "java.security.KeyStoreException:
> Cannot store non-PrivateKeys". I have been googling that error and
> found a couple of posts saying to change from JKS to JCEKS but when I
> ran the commands I didn't have JKS in the command; only RSA for the
> algorithm. Can someone provide me with the proper keytool commands that
> I need to use to create an SSL certificate for Tomcat?
>
> John Ellis
>
> 405.285.2500 office
>
> http://biz-e.io
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, September 22, 2017 2:20 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
>
> On 22/09/17 16:44, John Ellis wrote:
> > I have installed Tomcat 9.0.0.M27 on this test server but I still get
> > the same result; when I try to connect to Tomcat on the secure port of
> > 8443 it just sits there and has a spinner up at the top of the browser
> > window but if I try to connect to it back on the non-secure port of
> > 8080 it works fine. Here is a Dropbox link to the server.xml file that
> > I edited-
> >
> > https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
> >
> > Here is a Dropbox link to the Catalina log file-
> >
> > https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
> >
> > Thanks,
> >
> > John Ellis
>
> How did you generate the key and certificate files?
>
> Mark

https://youtu.be/I6TbMqH9WFg

Mark
RE: tomcat ssl setup
On 26 September 2017 20:26:58 BST, John Ellis <john.el...@lsgsolutions.com> wrote:
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought
> this is what Jira and/or Confluence would use so I did that and it
> worked fine on http port of 8080. I then edited the server.xml file
> again for the SSL port and got the same result as before; never gets to
> a webpage login using the secure port of 8443 but I can still get the
> webpage on port 8080. When I look at the Tomcat 8 Catalina log file I
> see several lines where it says- "java.security.KeyStoreException:
> Cannot store non-PrivateKeys". I have been googling that error and
> found a couple of posts saying to change from JKS to JCEKS but when I
> ran the commands I didn't have JKS in the command; only RSA for the
> algorithm. Can someone provide me with the proper keytool commands that
> I need to use to create an SSL certificate for Tomcat?
>
> John Ellis
>
> 405.285.2500 office
>
> http://biz-e.io
>
> -Original Message-
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Friday, September 22, 2017 2:20 PM
> To: Tomcat Users List <users@tomcat.apache.org>
> Subject: Re: tomcat ssl setup
>
> On 22/09/17 16:44, John Ellis wrote:
> > I have installed Tomcat 9.0.0.M27 on this test server but I still get
> > the same result; when I try to connect to Tomcat on the secure port of
> > 8443 it just sits there and has a spinner up at the top of the browser
> > window but if I try to connect to it back on the non-secure port of
> > 8080 it works fine. Here is a Dropbox link to the server.xml file that
> > I edited-
> >
> > https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
> >
> > Here is a Dropbox link to the Catalina log file-
> >
> > https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
> >
> > Thanks,
> >
> > John Ellis
>
> How did you generate the key and certificate files?
>
> Mark

https://youtu.be/I6TbMqH9WFg

Mark
RE: tomcat ssl setup
Yes I have run into that. I'm using an xml editor to check my work.

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name]
Sent: Tuesday, September 26, 2017 3:32 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

G, I hate formatting in Mails... Beware of “ when copying source code!

> On 26.09.2017 at 22:25, l...@kreuser.name wrote:
>
> John,
>
> > On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
> >
> > Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
> > what Jira and/or Confluence would use so I did that and it worked fine on
> > http port of 8080. I then edited the server.xml file again for the SSL port
> > and got the same result as before; never gets to a webpage login using the
> > secure port of 8443 but I can still get the webpage on port 8080. When I
> > look at the Tomcat 8 Catalina log file I see several lines where it says-
> > "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
> > googling that error and found a couple of posts saying to change from JKS to
> > JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
> > for the algorithm. Can someone provide me with the proper keytool commands
> > that I need to use to create an SSL certificate for Tomcat?
> >
> > John Ellis
> >
> > 405.285.2500 office
>
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName=“localhost”>
>   <SSLHostConfig hostName="localhost"
>                  honorCipherOrder="true"
>                  certificateVerification="none"
>                  protocols="TLSv1.2"
>                  ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let’s encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter
Re: tomcat ssl setup
G, I hate formatting in Mails... Beware of “ when copying source code!

> On 26.09.2017 at 22:25, l...@kreuser.name wrote:
>
> John,
>
> > On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
> >
> > Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
> > what Jira and/or Confluence would use so I did that and it worked fine on
> > http port of 8080. I then edited the server.xml file again for the SSL port
> > and got the same result as before; never gets to a webpage login using the
> > secure port of 8443 but I can still get the webpage on port 8080. When I
> > look at the Tomcat 8 Catalina log file I see several lines where it says-
> > "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
> > googling that error and found a couple of posts saying to change from JKS to
> > JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
> > for the algorithm. Can someone provide me with the proper keytool commands
> > that I need to use to create an SSL certificate for Tomcat?
> >
> > John Ellis
> >
> > 405.285.2500 office
>
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride
> a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName=“localhost”>
>   <SSLHostConfig hostName="localhost"
>                  honorCipherOrder="true"
>                  certificateVerification="none"
>                  protocols="TLSv1.2"
>                  ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let’s encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter
RE: tomcat ssl setup
Yes version 8.5 is what I downloaded & tried but I had already tried both versions (M26 and M27) of 9.0.0. I think this is just something that I am overlooking here; I am not a programmer and have just had to learn all of this to work with Jira and Confluence, that we use here in our office. I will try this tomorrow. Thanks so much for the info!

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: l...@kreuser.name [mailto:l...@kreuser.name]
Sent: Tuesday, September 26, 2017 3:26 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

> John,
>
> > On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
> >
> > Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
> > what Jira and/or Confluence would use so I did that and it worked fine on
> > http port of 8080. I then edited the server.xml file again for the SSL port
> > and got the same result as before; never gets to a webpage login using the
> > secure port of 8443 but I can still get the webpage on port 8080. When I look
> > at the Tomcat 8 Catalina log file I see several lines where it says-
> > "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
> > googling that error and found a couple of posts saying to change from JKS to
> > JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
> > for the algorithm. Can someone provide me with the proper keytool commands
> > that I need to use to create an SSL certificate for Tomcat?
> >
> > John Ellis
> >
> > 405.285.2500 office
>
> We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.
>
> So my setup is as follows:
>
> server.xml:
>
> <Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
>            sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>            allowTrace="false"
>            maxThreads="150"
>            SSLEnabled="true"
>            compression="off"
>            scheme="https"
>            server="Apache Tomcat"
>            secure="true"
>            defaultSSLHostConfigName=“localhost”>
>   <SSLHostConfig hostName="localhost"
>                  honorCipherOrder="true"
>                  certificateVerification="none"
>                  protocols="TLSv1.2"
>                  ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
>     <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
>                  certificateKeystorePassword="changeit"
>                  certificateKeyAlias="tomcat"
>                  type="RSA" />
>   </SSLHostConfig>
> </Connector>
>
> https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl
>
> I use openssl to create the certs (as let’s encrypt for an official cert will
> generate the same structure) and then convert to JKS:
>
> openssl genrsa -aes256 -out server.key 4096
> openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
> # there is more to it to get SAN extensions, but that’s not necessary to get it running
>
> openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
> # you may need your own ca and a signing-process to make this work in all browsers
>
> # Verify Server Cert
> openssl x509 -in server.crt -text -noout
>
> openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
> keytool -list -v -keystore jssecacerts -storepass changeit
>
> Hope this helps for a start.
>
> Regards
>
> Peter
Re: tomcat ssl setup
John,

> On 26.09.2017 at 21:26, John Ellis <john.el...@lsgsolutions.com> wrote:
>
> Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is
> what Jira and/or Confluence would use so I did that and it worked fine on
> http port of 8080. I then edited the server.xml file again for the SSL port
> and got the same result as before; never gets to a webpage login using the
> secure port of 8443 but I can still get the webpage on port 8080. When I look
> at the Tomcat 8 Catalina log file I see several lines where it says-
> "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been
> googling that error and found a couple of posts saying to change from JKS to
> JCEKS but when I ran the commands I didn't have JKS in the command; only RSA
> for the algorithm. Can someone provide me with the proper keytool commands
> that I need to use to create an SSL certificate for Tomcat?
>
> John Ellis
>
> 405.285.2500 office

We’re talking about Tomcat 8.5, 8.0 is EOLed so it may not make sense to ride a dead horse, also SSL setup has changed quite a bit in 8.5/9.0.

So my setup is as follows:

server.xml:

<Connector protocol="org.apache.coyote.http11.Http11Nio2Protocol"
           sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           allowTrace="false"
           maxThreads="150"
           SSLEnabled="true"
           compression="off"
           scheme="https"
           server="Apache Tomcat"
           secure="true"
           defaultSSLHostConfigName=“localhost”>
  <SSLHostConfig hostName="localhost"
                 honorCipherOrder="true"
                 certificateVerification="none"
                 protocols="TLSv1.2"
                 ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate certificateKeystoreFile="${catalina.base}/conf/ssl/jssecacerts"
                 certificateKeystorePassword="changeit"
                 certificateKeyAlias="tomcat"
                 type="RSA" />
  </SSLHostConfig>
</Connector>

https://stackoverflow.com/questions/10175812/how-to-create-a-self-signed-certificate-with-openssl

I use openssl to create the certs (as let’s encrypt for an official cert will generate the same structure) and then convert to JKS:

openssl genrsa -aes256 -out server.key 4096
openssl req -new -key server.key -out server.csr -sha512 -subj "/C=XX/ST=XX/L=XX/O=XX/CN=localhost/emailAddress=x...@xx.com"
# there is more to it to get SAN extensions, but that’s not necessary to get it running

openssl x509 -req -sha256 -days 365 -in server.csr -signkey server.key -out server.crt
# you may need your own ca and a signing-process to make this work in all browsers

# Verify Server Cert
openssl x509 -in server.crt -text -noout

openssl pkcs12 -export -in server.crt -inkey server.key -out jssecacerts -name tomcat
keytool -list -v -keystore jssecacerts -storepass changeit

Hope this helps for a start.

Regards

Peter
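As an added example (not Peter's commands, not anything posted in this thread): the same key -> CSR -> self-signed certificate -> PKCS#12 route, with the subjectAltName his comment skips, and a check that the keystore alias really holds a private key, which is what the "Cannot store non-PrivateKeys" error earlier in the thread points at. File names, the output directory, the `tomcat` alias and the `changeit` password are assumptions taken over from the thread.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Builds a Tomcat
# keystore (key -> CSR -> self-signed cert -> PKCS#12) with a subjectAltName,
# then verifies key/cert match and that the alias is a PrivateKeyEntry.
# Paths, alias, password and key size below are assumptions.
set -eu

HOST="${HOST:-localhost}"
ALIAS="${ALIAS:-tomcat}"
STOREPASS="${STOREPASS:-changeit}"   # sample password, as used in the thread
OUT="${OUT:-./ssl}"                  # output directory (assumed)
BITS="${BITS:-4096}"

# Key, CSR and self-signed certificate. Browsers match the host name against
# subjectAltName, not CN, so the extension is written into the certificate.
make_self_signed() {
  mkdir -p "$OUT"
  openssl genrsa -out "$OUT/server.key" "$BITS" 2>/dev/null
  openssl req -new -key "$OUT/server.key" -out "$OUT/server.csr" -sha256 \
    -subj "/C=XX/ST=XX/L=XX/O=XX/CN=$HOST"
  printf 'subjectAltName=DNS:%s\nextendedKeyUsage=serverAuth\n' "$HOST" \
    > "$OUT/san.ext"
  openssl x509 -req -sha256 -days 365 -in "$OUT/server.csr" \
    -signkey "$OUT/server.key" -extfile "$OUT/san.ext" \
    -out "$OUT/server.crt" 2>/dev/null
}

# The private key and the certificate must belong together: compare the RSA
# modulus of both instead of trusting file names.
key_matches_cert() {
  k=$(openssl rsa -noout -modulus -in "$OUT/server.key" | openssl sha256)
  c=$(openssl x509 -noout -modulus -in "$OUT/server.crt" | openssl sha256)
  [ "$k" = "$c" ]
}

# True when the certificate carries DNS:<host> in its subjectAltName.
cert_has_san() {
  openssl x509 -in "$OUT/server.crt" -noout -text | grep -q "DNS:$HOST"
}

# Bundle key + cert under one alias. Reference the file from the Certificate
# element with certificateKeystoreType="PKCS12". The thread's file name
# "jssecacerts" is avoided here because that name is also what JSSE looks for
# as a trust-store override. On OpenSSL 3 with an old JDK, add -legacy.
build_keystore() {
  openssl pkcs12 -export -in "$OUT/server.crt" -inkey "$OUT/server.key" \
    -name "$ALIAS" -out "$OUT/keystore.p12" -passout "pass:$STOREPASS"
}

# Reads `keytool -list -v` output on stdin and succeeds only if alias $1 is a
# PrivateKeyEntry. A trustedCertEntry (what you get from importing only the
# .crt) is exactly the case behind "KeyStoreException: Cannot store
# non-PrivateKeys".
listing_has_private_key() {
  awk -v want="$1" '
    /^Alias name:/ { alias = $3 }
    /^Entry type:/ { if (alias == want && $3 == "PrivateKeyEntry") found = 1 }
    END { exit found ? 0 : 1 }'
}

# Runs keytool against the keystore just built (needs a JDK on PATH).
verify_keystore() {
  keytool -list -v -keystore "$OUT/keystore.p12" -storetype PKCS12 \
    -storepass "$STOREPASS" | listing_has_private_key "$ALIAS"
}

if [ "${1:-}" = "run" ]; then
  make_self_signed && key_matches_cert && cert_has_san && build_keystore \
    && verify_keystore \
    && echo "keystore $OUT/keystore.p12 ready for alias $ALIAS"
fi
```

Run it as `sh build-keystore.sh run`; the listing check can also be fed an existing keystore's `keytool -list -v` output to see whether the alias Tomcat is configured with is a key entry at all.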
RE: tomcat ssl setup
Yesterday my boss suggested setting up Tomcat vers. 8 as he thought this is what Jira and/or Confluence would use so I did that and it worked fine on http port of 8080. I then edited the server.xml file again for the SSL port and got the same result as before; never gets to a webpage login using the secure port of 8443 but I can still get the webpage on port 8080. When I look at the Tomcat 8 Catalina log file I see several lines where it says- "java.security.KeyStoreException: Cannot store non-PrivateKeys". I have been googling that error and found a couple of posts saying to change from JKS to JCEKS but when I ran the commands I didn't have JKS in the command; only RSA for the algorithm. Can someone provide me with the proper keytool commands that I need to use to create an SSL certificate for Tomcat?

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 2:20 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the
> same result; when I try to connect to Tomcat on the secure port of 8443 it
> just sits there and has a spinner up at the top of the browser window but if
> I try to connect to it back on the non-secure port of 8080 it works fine.
> Here is a Dropbox link to the server.xml file that I edited-
>
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>
> Here is a Dropbox link to the Catalina log file-
>
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>
> Thanks,
>
> John Ellis

How did you generate the key and certificate files?

Mark
RE: tomcat ssl setup
Ok please disregard my last question re using keytool. I DID use it on the server we are trying to get the ssl certificate to work on. It's just that it was awhile back and I wasn't seeing the commands when I went back through the command history. My Bad

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 2:20 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the
> same result; when I try to connect to Tomcat on the secure port of 8443 it
> just sits there and has a spinner up at the top of the browser window but if
> I try to connect to it back on the non-secure port of 8080 it works fine.
> Here is a Dropbox link to the server.xml file that I edited-
>
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>
> Here is a Dropbox link to the Catalina log file-
>
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>
> Thanks,
>
> John Ellis

How did you generate the key and certificate files?

Mark
RE: tomcat ssl setup
I have another question. In visiting with my boss just now he brought up this question. Do we have to run something like the keytool command and go through all of those steps to get a certificate just in order to try to connect to Tomcat on a secure port, like 8443? I thought we could try to connect to it 1st and THEN setup the certificate. Maybe I missed this. As I said in the past when I first started posting my questions for the SSL issue I am not a programmer; my background is in computer hardware. I have only learned what I know about Jira and Confluence from OJT here with this position, in the last few years.

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 2:20 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the
> same result; when I try to connect to Tomcat on the secure port of 8443 it
> just sits there and has a spinner up at the top of the browser window but if
> I try to connect to it back on the non-secure port of 8080 it works fine.
> Here is a Dropbox link to the server.xml file that I edited-
>
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>
> Here is a Dropbox link to the Catalina log file-
>
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>
> Thanks,
>
> John Ellis

How did you generate the key and certificate files?

Mark
RE: tomcat ssl setup
Mark although I am not finding it now I'm pretty sure that I sent out a reply to this last week saying I am getting the same exact result with ver. M27 as I was with M26; can't get a webpage login when I try the secure port of 8443. It just churns on the screen but never connects. However if I plug in the non-secure port of 8080 it goes to the 9.0.0.M27 webpage immediately.

Also my boss suggested that I try using "Let's Encrypt" so I tried that on Friday. It instructed me to run several updates first but when I tried to run the actual command of-

./certbot-auto --apache

I got the messages below-

/opt/eff.org/certbot/venv/lib/python2.6/site-packages/cryptography/__init__.py:26: DeprecationWarning: Python 2.6 is no longer supported by the Python core team, please upgrade your Python. A future version of cryptography will drop support for Python 2.6
  DeprecationWarning
Saving debug log to /var/log/letsencrypt/letsencrypt.log
Failed to find executable apache2ctl in PATH: /usr/lib64/qt-3.3/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/usr/bin:/usr/bin:/root/bin
The apache plugin is not working; there may be problems with your existing configuration.
The error was: NoInstallationError('Cannot find Apache control command apache2ctl',)

I went to the cert.bot website and it suggested running the command

./certbot-auto --apache certonly

but it gave the same error.

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the
> issue on that thread might be causing the SSL issue that I am having.
> On the server that I have been using for the testing of Tomcat 9
> version 8 was already installed on it. It's just that my boss said to
> download, install and work with version 9. I wonder if it might work with
> version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page and then up a directory to find it. (It has been released but CVE-2017-12617 happened and we decided not to announce it as the next 9.0.x release will be following shortly.)

Note there is still a regression in the keystore handling but it affects fewer configurations (just FIPS as far as I know).

Mark

> John Ellis
>
> 405.285.2500 office
>
> http://biz-e.io
>
> -Original Message-
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> Hi.
>
> I just downloaded tomcat 9 myself (the windows zip version, but it
> should be the same), to look at the standard server.xml.
>
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any
> obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to
> match the server.xml lines that you pasted here.
>
> Ooooh, wait.
> I know why it did not fit.
>
> After looking again, more carefully, at the logfile that you posted, I
> see what was confusing: that logfile shows several starts and stops of
> tomcat. It just accumulates. I was looking just at the beginning, the first
> error that I found.
>
> You have for example this:
>
> 08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
>
> Just before the error message that I was mentioning, which was:
>
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>
> But that was like 21 minutes later, after tomcat had been running for
> 21 minutes.
>
> Then after that there are a few more starts and stops, and at the
> latest attempt, the problem is different:
>
> 08-Sep-2017 15:24:35.920 INFO [main] org.apa
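The log-reading advice in this thread (Thomas's "is there a Starting ProtocolHandler line?", André's point that catalina.out accumulates several starts and only the latest one matters) as a small script. It is added here and is not from any of the posters; the log lines it runs on are constructed in the format of the ones quoted above, and the "Server version" banner used to split start attempts is an assumption about the Tomcat 8.5/9 log format.

```shell
#!/bin/sh
# Added example, not from the thread. Looks at the most recent start attempt
# in a Tomcat catalina log and reports whether the TLS connector came up,
# keyed on the log lines the thread quotes (ProtocolHandler start, Digester
# parse error, KeyStoreException). The sample log is constructed.
set -eu

# Tomcat 8.5/9 logs a "Server version:" banner at every start (assumed marker),
# so everything from the last banner on is the attempt that matters.
latest_attempt() {
  awk '/VersionLoggerListener.log Server version/ { buf = "" }
       { buf = buf $0 "\n" }
       END { printf "%s", buf }' "$1"
}

# 0 when an https ProtocolHandler was started in the latest attempt.
https_started() {
  latest_attempt "$1" | grep -qF 'AbstractProtocol.start Starting ProtocolHandler ["https-'
}

# Prints a one-line verdict. Exit code: 0 ok, 2 server.xml does not parse,
# 3 keystore alias has no private key, 1 no https connector at all.
diagnose() {
  log="$1"
  if https_started "$log"; then
    echo "ok: https connector started"; return 0
  fi
  line=$(latest_attempt "$log" \
         | sed -n 's/.*Parse Fatal Error at line \([0-9]*\).*/\1/p' | head -n 1)
  if [ -n "$line" ]; then
    echo "server.xml is not well-formed XML (line $line); Tomcat never got to the connectors"
    return 2
  fi
  if latest_attempt "$log" | grep -q 'Cannot store non-PrivateKeys'; then
    echo "keystore alias holds a certificate but no private key; regenerate the key pair"
    return 3
  fi
  echo "no https ProtocolHandler in the latest start; check SSLEnabled and the Certificate element"
  return 1
}

# Constructed sample: a clean http-only start followed by a restart whose
# server.xml is broken, shaped like the log André describes.
sample_log() {
  cat <<'EOF'
08-Sep-2017 11:10:30.001 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
08-Sep-2017 11:31:20.001 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
EOF
}

if [ -n "${1:-}" ]; then
  diagnose "$1"
else
  f=$(mktemp); sample_log > "$f"; diagnose "$f" || true; rm -f "$f"
fi
```

Pass a real log as the first argument (`sh tomcat-tls-check.sh /path/to/catalina.out`); without one it runs on the constructed sample.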
RE: tomcat ssl setup
I used the keytool command, then submitted the CSR to the cacert.org site, then put root and main certificates in place and referenced them in the server.xml file.

John Ellis
405.285.2500 office
http://biz-e.io

-Original Message-
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 2:20 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the
> same result; when I try to connect to Tomcat on the secure port of 8443 it
> just sits there and has a spinner up at the top of the browser window but if
> I try to connect to it back on the non-secure port of 8080 it works fine.
> Here is a Dropbox link to the server.xml file that I edited-
>
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>
> Here is a Dropbox link to the Catalina log file-
>
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>
> Thanks,
>
> John Ellis

How did you generate the key and certificate files?

Mark
Re: tomcat ssl setup
On 22/09/17 16:44, John Ellis wrote:
> I have installed Tomcat 9.0.0.M27 on this test server but I still get the same result; when I try to connect to Tomcat on the secure port of 8443 it just sits there and has a spinner up at the top of the browser window, but if I try to connect to it back on the non-secure port of 8080 it works fine.
>
> Here is a Dropbox link to the server.xml file that I edited-
>
> https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0
>
> Here is a Dropbox link to the Catalina log file-
>
> https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0
>
> Thanks,
>
> John Ellis

How did you generate the key and certificate files?

Mark
RE: tomcat ssl setup
I have installed Tomcat 9.0.0.M27 on this test server but I still get the same result; when I try to connect to Tomcat on the secure port of 8443 it just sits there and has a spinner up at the top of the browser window, but if I try to connect to it back on the non-secure port of 8080 it works fine.

Here is a Dropbox link to the server.xml file that I edited-

https://www.dropbox.com/s/rdjjjxn6lzrucs0/server.xml?dl=0

Here is a Dropbox link to the Catalina log file-

https://www.dropbox.com/s/c0x8svk4neqp5xo/catalina.2017-09-22.log?dl=0

Thanks,

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the issue on that thread might be causing the SSL issue that I am having. On the server that I have been using for the testing of Tomcat 9, version 8 was already installed. It's just that my boss said to download, install and work with version 9. I wonder if it might work with version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page and then up a directory to find it. (It has been released but CVE-2017-12617 happened and we decided not to announce it as the next 9.0.x release will be following shortly.)

Note there is still a regression in the keystore handling but it affects fewer configurations (just FIPS as far as I know).

Mark

> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> Hi.
>
> I just downloaded tomcat 9 myself (the windows zip version, but it should be the same), to look at the standard server.xml.
>
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to match the server.xml lines that you pasted here.
>
> Ooooh, wait.
> I know why it did not fit.
>
> After looking again, more carefully, at the logfile that you posted, I see what was confusing: that logfile shows several starts and stops of tomcat.
> It just accumulates. I was looking just at the beginning, the first error that I found.
> You have for example this:
>
> 08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
>
> Just before the error message that I was mentioning, which was:
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>
> But that was like 21 minutes later, after tomcat had been running for 21 minutes.
>
> Then after that there are a few more starts and stops, and at the latest attempt, the problem is different:
>
> 08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> ...
> Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
> So, here is what happened:
>
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 48
RE: tomcat ssl setup
OK I will try to find, download and try that version. Thanks!

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: Friday, September 22, 2017 9:17 AM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: tomcat ssl setup

On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the issue on that thread might be causing the SSL issue that I am having. On the server that I have been using for the testing of Tomcat 9, version 8 was already installed. It's just that my boss said to download, install and work with version 9. I wonder if it might work with version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page and then up a directory to find it. (It has been released but CVE-2017-12617 happened and we decided not to announce it as the next 9.0.x release will be following shortly.)

Note there is still a regression in the keystore handling but it affects fewer configurations (just FIPS as far as I know).

Mark

> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> Hi.
>
> I just downloaded tomcat 9 myself (the windows zip version, but it should be the same), to look at the standard server.xml.
>
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to match the server.xml lines that you pasted here.
>
> Ooooh, wait.
> I know why it did not fit.
>
> After looking again, more carefully, at the logfile that you posted, I see what was confusing: that logfile shows several starts and stops of tomcat.
> It just accumulates. I was looking just at the beginning, the first error that I found.
> You have for example this:
>
> 08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
>
> Just before the error message that I was mentioning, which was:
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>
> But that was like 21 minutes later, after tomcat had been running for 21 minutes.
>
> Then after that there are a few more starts and stops, and at the latest attempt, the problem is different:
>
> 08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> ...
> Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
> So, here is what happened:
>
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms
>
> but then, you did not have the connector for port 8443 enabled yet.
>
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
>
> - and then you had this:
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The co
Re: tomcat ssl setup
On 22/09/17 15:05, John Ellis wrote:
> Andre I saw where you asked Mark Thomas, on another thread, if the issue on that thread might be causing the SSL issue that I am having. On the server that I have been using for the testing of Tomcat 9, version 8 was already installed. It's just that my boss said to download, install and work with version 9. I wonder if it might work with version 8?

Try with 9.0.0.M27. You'll need to follow the browse link on the download page and then up a directory to find it. (It has been released but CVE-2017-12617 happened and we decided not to announce it as the next 9.0.x release will be following shortly.)

Note there is still a regression in the keystore handling but it affects fewer configurations (just FIPS as far as I know).

Mark

> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 4:40 PM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> Hi.
>
> I just downloaded tomcat 9 myself (the windows zip version, but it should be the same), to look at the standard server.xml.
>
> There is something which does not quite fit in all of this.
> I can also not see, in the snippets of server.xml that you pasted, any obvious XML errors or imbricated comments.
> Yet the logfile points to these lines..
> Somehow the logfile which you uploaded to drop-box, does not seem to match the server.xml lines that you pasted here.
>
> Ooooh, wait.
> I know why it did not fit.
>
> After looking again, more carefully, at the logfile that you posted, I see what was confusing: that logfile shows several starts and stops of tomcat.
> It just accumulates. I was looking just at the beginning, the first error that I found.
> You have for example this:
>
> 08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
> 08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
> 08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms
>
> Just before the error message that I was mentioning, which was:
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>
> But that was like 21 minutes later, after tomcat had been running for 21 minutes.
>
> Then after that there are a few more starts and stops, and at the latest attempt, the problem is different:
>
> 08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
> 08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
> org.apache.catalina.LifecycleException: Protocol handler initialization failed
> ...
> Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
> at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)
>
> So, here is what happened:
>
> - when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it started fine, ending in the line
> 08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms
>
> but then, you did not have the connector for port 8443 enabled yet.
>
> - then you stopped tomcat, and you started it again at
> 08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26
>
> - and then you had this:
> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
>
> so my guess is that you modified the server.xml, while tomcat was still running, and then you did a "shutdown.sh", to prepare to restart tomcat.
>
> - And then there was that parse error.
>
> And the reason is that the shutdown command, in fac
RE: tomcat ssl setup
Andre I saw where you asked Mark Thomas, on another thread, if the issue on that thread might be causing the SSL issue that I am having. On the server that I have been using for the testing of Tomcat 9, version 8 was already installed. It's just that my boss said to download, install and work with version 9. I wonder if it might work with version 8?

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 4:40 PM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

Hi.

I just downloaded tomcat 9 myself (the windows zip version, but it should be the same), to look at the standard server.xml.

There is something which does not quite fit in all of this.
I can also not see, in the snippets of server.xml that you pasted, any obvious XML errors or imbricated comments.
Yet the logfile points to these lines..
Somehow the logfile which you uploaded to drop-box, does not seem to match the server.xml lines that you pasted here.

Ooooh, wait.
I know why it did not fit.

After looking again, more carefully, at the logfile that you posted, I see what was confusing: that logfile shows several starts and stops of tomcat.
It just accumulates. I was looking just at the beginning, the first error that I found.
You have for example this:

08-Sep-2017 11:10:32.131 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["http-nio-8080"]
08-Sep-2017 11:10:32.136 INFO [main] org.apache.coyote.AbstractProtocol.start Starting ProtocolHandler ["ajp-nio-8009"]
08-Sep-2017 11:10:32.137 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 18916 ms

Just before the error message that I was mentioning, which was:
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.

But that was like 21 minutes later, after tomcat had been running for 21 minutes.

Then after that there are a few more starts and stops, and at the latest attempt, the problem is different:

08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.IllegalArgumentException: java.security.KeyStoreException: Cannot store non-PrivateKeys
at org.apache.tomcat.util.net.AbstractJsseEndpoint.createSSLContext(AbstractJsseEndpoint.java:113)

So, here is what happened:

- when you first started tomcat (timestamp 08-Sep-2017 10:05:02.807), it started fine, ending in the line
08-Sep-2017 10:05:03.371 INFO [main] org.apache.catalina.startup.Catalina.start Server startup in 482 ms

but then, you did not have the connector for port 8443 enabled yet.

- then you stopped tomcat, and you started it again at
08-Sep-2017 11:10:13.141 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26

- and then you had this:
08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.

so my guess is that you modified the server.xml, while tomcat was still running, and then you did a "shutdown.sh", to prepare to restart tomcat.

- And then there was that parse error.

And the reason is that the shutdown command, in fact starts another (small) instance of tomcat, to issue the shutdown command to the running instance. But that shutdown instance also reads server.xml, and at that time you /did/ have a syntax error in it. So that is where this syntax error came from.

Later you apparently corrected the syntax, and restarted tomcat:
08-Sep-2017 15:24:34.889 INFO [main] org.apache.catalina.startup.VersionLoggerListener.log Server version: Apache Tomcat/9.0.0.M26

and this time, there was no syntax error anymore in server.xml, but then there is this other problem:
08-Sep-2017 15:24:35.920 INFO [main] org.apache.coyote.AbstractProtocol.init Initializing ProtocolHandler ["https-jsse-nio-8443"]
08-Sep-2017 15:24:36.300 SEVERE [main] org.apache.catalina.util.LifecycleBase.handleSubClassException Failed to initialize component [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
...
Caused by: java.lang.Illegal
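The diagnosis in the message above comes down to three checks that can be run on a server.xml before Tomcat (or shutdown.sh, which parses the same file) is asked to read it: is the file well-formed XML; does any comment contain "--" or a second "<!--" (the usual result of uncommenting the example connector inside the default server.xml's comment block, and the reason behind "The string "--" is not permitted within comments"); and does the PEM file an SSLEnabled connector names as its private key actually contain a private key. The third matters because the JDK's JKS keystore implementation throws "Cannot store non-PrivateKeys" whenever it is handed something that is not a PrivateKey, so a key attribute that points at a certificate-only file such as a CA root is worth ruling out before digging deeper. The script below is an added example written for this page, not code from the thread or from Tomcat; the server.xml fragments and PEM stubs are constructed, the `files` mapping stands in for the disk so it runs offline, and the attribute names it looks at (`SSLCertificateKeyFile` on `<Connector>`, `certificateKeyFile` on `<Certificate>`) are the two Tomcat 9 spellings for a PEM key file.

```python
import re
import xml.etree.ElementTree as ET

# Where a Tomcat 9 connector can name a PEM private key: the OpenSSL-style
# attribute directly on <Connector>, or the newer <SSLHostConfig><Certificate/>.
CONNECTOR_KEY_ATTRS = ("SSLCertificateKeyFile",)
CERTIFICATE_KEY_ATTRS = ("certificateKeyFile",)

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.DOTALL)
PEM_BEGIN_RE = re.compile(r"^-----BEGIN ([A-Z0-9 ]+)-----$", re.MULTILINE)


def _line_col(text, index):
    """1-based line and column of a character offset (lines count as the Digester's do)."""
    line_start = text.rfind("\n", 0, index) + 1
    return text.count("\n", 0, index) + 1, index - line_start + 1


def check_well_formed(text):
    """None if the document parses, else (line, column, message) from the XML parser."""
    try:
        ET.fromstring(text)
    except ET.ParseError as err:
        line, col = err.position
        return line, col, str(err)
    return None


def find_comment_problems(text):
    """Comments holding '--' or a second '<!--': both are rejected by every XML parser,
    and both are what is left behind when part of a commented-out block is uncommented."""
    problems = []
    for match in COMMENT_RE.finditer(text):
        body = match.group(1)
        if "<!--" in body:
            where, kind = body.index("<!--"), "nested '<!--' inside a comment"
        elif "--" in body:
            where, kind = body.index("--"), "'--' is not permitted within comments"
        else:
            continue
        line, col = _line_col(text, match.start(1) + where)
        problems.append((line, col, kind))
    return problems


def pem_block_labels(pem_text):
    """Labels of the PEM blocks in a file, e.g. ['CERTIFICATE', 'PRIVATE KEY']."""
    return PEM_BEGIN_RE.findall(pem_text)


def key_file_problem(pem_text):
    """Why this file cannot be the connector's private key, or None if it can. The JDK's
    JKS store throws 'Cannot store non-PrivateKeys' when given anything but a PrivateKey,
    and a certificate-only file (a CA root, a server cert) is the easiest way to get there."""
    labels = pem_block_labels(pem_text)
    if not labels:
        return "contains no PEM blocks"
    if not any(label.endswith("PRIVATE KEY") for label in labels):
        return "holds only %s, no private key" % ", ".join(sorted(set(labels)))
    return None


def ssl_key_files(root):
    """(port, attribute, path) for every private-key reference on an SSLEnabled connector."""
    refs = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "").lower() != "true":
            continue
        port = conn.get("port", "?")
        refs += [(port, a, conn.get(a)) for a in CONNECTOR_KEY_ATTRS if conn.get(a)]
        for cert in conn.iter("Certificate"):
            refs += [(port, a, cert.get(a)) for a in CERTIFICATE_KEY_ATTRS if cert.get(a)]
    return refs


def check_server_xml(xml_text, files):
    """Run all three checks and return the findings as strings. `files` maps a path to
    that file's text; it stands in for the disk so the example runs offline."""
    findings = ["comment: line %d column %d: %s" % p for p in find_comment_problems(xml_text)]
    err = check_well_formed(xml_text)
    if err:
        findings.append("parse: line %d column %d: %s" % err)
        return findings  # Tomcat stops here too; nothing below can be trusted
    for port, attr, path in ssl_key_files(ET.fromstring(xml_text)):
        if path not in files:
            findings.append("connector %s: %s=%r not found" % (port, attr, path))
        elif key_file_problem(files[path]):
            findings.append("connector %s: %s=%r %s" % (port, attr, path, key_file_problem(files[path])))
    return findings


# Constructed sample inputs for this demonstration (not taken from the thread).
GOOD_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!-- PEM-backed TLS connector -->
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="conf/server.pem"
               SSLCertificateKeyFile="conf/server-key.pem"
               SSLCertificateChainFile="conf/root.pem" />
  </Service>
</Server>
"""
# A hurried uncomment that left "--" behind inside the comment.
DOUBLE_DASH_XML = GOOD_XML.replace("<!-- PEM-backed TLS connector -->",
                                   "<!-- PEM-backed TLS connector -- enabled -->")
# An "imbricated" comment: the inner "<!--" itself contains "--", so the parser rejects it too.
NESTED_XML = GOOD_XML.replace("<!-- PEM-backed TLS connector -->",
                              "<!-- disabled: <!-- old connector --> still text -->")
# Key attribute pointed at the CA file: parses fine, fails when the connector initialises.
WRONG_KEY_XML = GOOD_XML.replace('SSLCertificateKeyFile="conf/server-key.pem"',
                                 'SSLCertificateKeyFile="conf/root.pem"')
# PEM stubs: only the block labels matter to this check, so the bodies are placeholders.
FILES = {
    "conf/server.pem": "-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
    "conf/server-key.pem": "-----BEGIN PRIVATE KEY-----\nMIIE...\n-----END PRIVATE KEY-----\n",
    "conf/root.pem": "-----BEGIN CERTIFICATE-----\nMIID...\n-----END CERTIFICATE-----\n",
}

if __name__ == "__main__":
    for name, xml_text in [("good", GOOD_XML), ("double-dash", DOUBLE_DASH_XML),
                           ("nested", NESTED_XML), ("wrong-key", WRONG_KEY_XML)]:
        print(name, check_server_xml(xml_text, FILES) or ["ok"])
```

Against a real installation, build the mapping from the paths the attributes name (relative to CATALINA_BASE) with `open(path).read()`. The line numbers the comment scan reports correspond to the lineNumber in the Digester's SAXParseException, which is the quickest way to tell whether a parse error in catalina.out came from the file as it is now or from an edit that has since been corrected, the situation André untangled above. A JKS-based connector is outside what this script inspects; there the equivalent check is that `keytool -list` shows the configured alias as a PrivateKeyEntry rather than a trustedCertEntry.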
Re: tomcat ssl setup
haviour a bit questionable)(unless it is optional)

So anyway, your problem now is not the syntax of server.xml anymore, it is something to do with your SSL keystore. And for that I am not competent to help, and I'll have to ask someone else to follow-up.

And now I've been top-posting myself all of this, contrary to the rules. Apologies.
But John, for the rest, I suggest that before you restart tomcat, delete or rename that old logfile, so that when you restart it will be "fresh" and contain only the result of the last attempt. It will be clearer for everyone.

On 21.09.2017 21:47, John Ellis wrote:
> One more thing Andre. I don't know if it matters or not but when I try to access Tomcat 9 on the secure port of 8443 I see it saying down in the bottom left hand corner of my browser- "Performing a TLS handshake to 10.22.8.70..." but it never gives the webpage. However once I change the IP address to 10.22.8.70:8080 it immediately goes to the Tomcat 9 webpage.
>
> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 11:34 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> On 21.09.2017 17:17, John Ellis wrote:
>> OK. As I said there is nothing on line 87 but here is line 114-
>>
>> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"
>
> I think you need to provide a bit more context then.
> Can you paste here, say, that same line, but with 10 lines before and 10 lines after, and tell at which line number this starts in server.xml (so that we can compare with the log)?
> The error messages in the log were apparently about comments (between <!-- and -->), so if these lines are (or contain) comments, copy them anyway.
>
>> John Ellis
>> 405.285.2500 office
>> http://biz-e.io
>>
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Thursday, September 21, 2017 10:15 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 21.09.2017 16:43, John Ellis wrote:
>>> Thanks so much for the quick reply Andre. There doesn't appear to be anything on line 87 but there is on line 114. See the screenshot I took of the server.xml file below-
>>
>> Unfortunately, this list strips most attachments, and in fact asks for text-only messages.
>> (and to avoid top-posting)
>>
>> See: http://tomcat.apache.org/lists.html#tomcat-users --> Important
>>
>> Please paste the corresponding lines directly, as text, in your next message.
>>
>>> John Ellis
>>> 405.285.2500 office
>>> http://biz-e.io
>>>
>>> -----Original Message-----
>>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>>> Sent: Wednesday, September 20, 2017 10:41 AM
>>> To: users@tomcat.apache.org
>>> Subject: Re: tomcat ssl setup
>>>
>>> On 20.09.2017 17:07, John Ellis wrote:
>>>> All of what I have done so far has been in Tomcat version 9, which I downloaded from the Apache Tomcat website. The way I start tomcat is by running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin directory. I stop it by running the command ./shutdown.sh from the same directory.
>>>
>>> Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml file. And since this is a "standard tomcat", that server.xml must be in .. (let me look at the logfile again) ..
>>>
>>> 08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>>
>>> so here: /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>>
>>> and considering this:
>>>
>>> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
>>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>>>
>>> there is something on line 87, position 6, that he does not like.
>>>
>>> And further down also:
>>>
>>> 08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
>>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.
>>>
>>> but maybe this is not in the server.xml file itself, but in something else that the server.xml references there (like an external "XML entity" or something).
>>>
>>> Why don't you get those 2 lines from your server.xml and paste them here:
>>>
>>> ...
>>>
>>>> John Ellis
>>>> 405.285.2500 office
>>>> http://biz-e.io
>>>>
>>>> -----Original Message-----
RE: tomcat ssl setup
One more thing Andre. I don't know if it matters or not but when I try to access Tomcat 9 on the secure port of 8443 I see it saying down in the bottom left hand corner of my browser- "Performing a TLS handshake to 10.22.8.70..." but it never gives the webpage. However once I change the IP address to 10.22.8.70:8080 it immediately goes to the Tomcat 9 webpage.

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.
Can you paste here, say, that same line, but with 10 lines before and 10 lines after, and tell at which line number this starts in server.xml (so that we can compare with the log)?
The error messages in the log were apparently about comments (between <!-- and -->), so if these lines are (or contain) comments, copy them anyway.

> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 10:15 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> On 21.09.2017 16:43, John Ellis wrote:
>> Thanks so much for the quick reply Andre. There doesn't appear to be anything on line 87 but there is on line 114. See the screenshot I took of the server.xml file below-
>
> Unfortunately, this list strips most attachments, and in fact asks for text-only messages.
> (and to avoid top-posting)
>
> See: http://tomcat.apache.org/lists.html#tomcat-users --> Important
>
> Please paste the corresponding lines directly, as text, in your next message.
>
>> John Ellis
>> 405.285.2500 office
>> http://biz-e.io
>>
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Wednesday, September 20, 2017 10:41 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 20.09.2017 17:07, John Ellis wrote:
>>> All of what I have done so far has been in Tomcat version 9, which I downloaded from the Apache Tomcat website. The way I start tomcat is by running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin directory. I stop it by running the command ./shutdown.sh from the same directory.
>>
>> Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml file. And since this is a "standard tomcat", that server.xml must be in .. (let me look at the logfile again) ..
>>
>> 08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>
>> so here: /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>
>> and considering this:
>>
>> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>>
>> there is something on line 87, position 6, that he does not like.
>>
>> And further down also:
>>
>> 08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.
>>
>> but maybe this is not in the server.xml file itself, but in something else that the server.xml references there (like an external "XML entity" or something).
>>
>> Why don't you get those 2 lines from your serve
RE: tomcat ssl setup
Andre I just realized that I forgot to do the same thing with line 114; here are all the lines in the section that includes line 114- it starts at line 107 and ends at line 117.

Thanks again,

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.
Can you paste here, say, that same line, but with 10 lines before and 10 lines after, and tell at which line number this starts in server.xml (so that we can compare with the log)?
The error messages in the log were apparently about comments (between <!-- and -->), so if these lines are (or contain) comments, copy them anyway.

> John Ellis
> 405.285.2500 office
> http://biz-e.io
>
> -----Original Message-----
> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
> Sent: Thursday, September 21, 2017 10:15 AM
> To: users@tomcat.apache.org
> Subject: Re: tomcat ssl setup
>
> On 21.09.2017 16:43, John Ellis wrote:
>> Thanks so much for the quick reply Andre. There doesn't appear to be anything on line 87 but there is on line 114. See the screenshot I took of the server.xml file below-
>
> Unfortunately, this list strips most attachments, and in fact asks for text-only messages.
> (and to avoid top-posting)
>
> See: http://tomcat.apache.org/lists.html#tomcat-users --> Important
>
> Please paste the corresponding lines directly, as text, in your next message.
>
>> John Ellis
>> 405.285.2500 office
>> http://biz-e.io
>>
>> -----Original Message-----
>> From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
>> Sent: Wednesday, September 20, 2017 10:41 AM
>> To: users@tomcat.apache.org
>> Subject: Re: tomcat ssl setup
>>
>> On 20.09.2017 17:07, John Ellis wrote:
>>> All of what I have done so far has been in Tomcat version 9, which I downloaded from the Apache Tomcat website. The way I start tomcat is by running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin directory. I stop it by running the command ./shutdown.sh from the same directory.
>>
>> Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml file. And since this is a "standard tomcat", that server.xml must be in .. (let me look at the logfile again) ..
>>
>> 08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]
>>
>> so here: /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml
>>
>> and considering this:
>>
>> 08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.
>>
>> there is something on line 87, position 6, that he does not like.
>>
>> And further down also:
>>
>> 08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
>> org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.
>>
>> but maybe this is not in the server.xml file itself, but in something else that the server.xml references there (like an external "XML entity" or something).
>>
>> Why don't you get those 2 lines from your server.xml and paste them here:
>>
>> ...
>>
>>> John Ellis
>>>
>>> 405.285.2500 office
>>>
RE: tomcat ssl setup
Sure this is starting with line number 73 thru line 101 so I could get the entire sections-

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 11:34 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.
Can you paste here, say, that same line, but with 10 lines before and 10 lines after, and tell at which line number this starts in server.xml (so that we can compare with the log) ?
The error messages in the log were apparently about comments (between ), so if these lines are (or contain) comments, copy them anyway.
Re: tomcat ssl setup
On 21.09.2017 17:17, John Ellis wrote:
> OK. As I said there is nothing on line 87 but here is line 114-
>
> SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

I think you need to provide a bit more context then.
Can you paste here, say, that same line, but with 10 lines before and 10 lines after, and tell at which line number this starts in server.xml (so that we can compare with the log) ?
The error messages in the log were apparently about comments (between ), so if these lines are (or contain) comments, copy them anyway.

> John Ellis
> 405.285.2500 office
> http://biz-e.io
RE: tomcat ssl setup
OK. As I said there is nothing on line 87 but here is line 114-

SSLCertificateChainFile="/usr/java/jdk1.8.0_45/jre/bin/root.pem"

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Thursday, September 21, 2017 10:15 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 21.09.2017 16:43, John Ellis wrote:
> Thanks so much for the quick reply Andre. There doesn't appear to be
> anything on line 87 but there is on line 114. See the screenshot I
> took of the server.xml file below-
>

Unfortunately, this list strips most attachments, and in fact asks for text-only messages.
(and to avoid top-posting)

See : http://tomcat.apache.org/lists.html#tomcat-users --> Important

Please paste the corresponding lines directly, as text, in your next message.
Re: tomcat ssl setup
On 21.09.2017 16:43, John Ellis wrote:
> Thanks so much for the quick reply Andre. There doesn't appear to be
> anything on line 87 but there is on line 114. See the screenshot I
> took of the server.xml file below-
>

Unfortunately, this list strips most attachments, and in fact asks for text-only messages.
(and to avoid top-posting)

See : http://tomcat.apache.org/lists.html#tomcat-users --> Important

Please paste the corresponding lines directly, as text, in your next message.

> John Ellis
> 405.285.2500 office
> http://biz-e.io
RE: tomcat ssl setup
Thanks so much for the quick reply Andre. There doesn't appear to be anything on line 87 but there is on line 114. See the screenshot I took of the server.xml file below-

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, September 20, 2017 10:41 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 20.09.2017 17:07, John Ellis wrote:
> All of what I have done so far has been in Tomcat version 9, which I
> downloaded from the Apache Tomcat website. The way I start tomcat is
> by running the command ./startup.sh from within the
> apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
> command ./shutdown.sh from the same directory.
>

Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml file.
And since this is a "standard tomcat", that server.xml must be in .. let me look at the logfile again) ..

08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]

so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml

and considering this :

08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.

there is something on line 87, position 6, that he does not like.

And further down also :

08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.

but maybe this is not in the server.xml file itself, but in something else that the server.xml references there (like an external "XML entity" or something).

Why don't you get those 2 lines from your server.xml and paste them here :

...
Re: tomcat ssl setup
On 20.09.2017 17:07, John Ellis wrote:
> All of what I have done so far has been in Tomcat version 9, which I
> downloaded from the Apache Tomcat website. The way I start tomcat is
> by running the command ./startup.sh from within the
> apache-tomcat-9.0.0.M26/bin directory. I stop it by running the
> command ./shutdown.sh from the same directory.
>

Ok, perfect. So there is only one tomcat9 we can be talking about, and one server.xml file.
And since this is a "standard tomcat", that server.xml must be in .. let me look at the logfile again) ..

08-Sep-2017 10:05:02.911 INFO [main] org.apache.catalina.startup.HostConfig.deployDirectory Deploying web application directory [/home/tomcat9/apache-tomcat-9.0.0.M26/webapps/ROOT]

so here : /home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml

and considering this :

08-Sep-2017 11:31:21.952 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 87 column 6: The content of elements must consist of well-formed character data or markup.
org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 87; columnNumber: 6; The content of elements must consist of well-formed character data or markup.

there is something on line 87, position 6, that he does not like.

And further down also :

08-Sep-2017 13:17:36.947 SEVERE [main] org.apache.tomcat.util.digester.Digester.fatalError Parse Fatal Error at line 114 column 6: The string "--" is not permitted within comments.
org.xml.sax.SAXParseException; systemId: file:/home/tomcat9/apache-tomcat-9.0.0.M26/conf/server.xml; lineNumber: 114; columnNumber: 6; The string "--" is not permitted within comments.

but maybe this is not in the server.xml file itself, but in something else that the server.xml references there (like an external "XML entity" or something).

Why don't you get those 2 lines from your server.xml and paste them here :

...

> John Ellis
> 405.285.2500 office
> http://biz-e.io
RE: tomcat ssl setup
All of what I have done so far has been in Tomcat version 9, which I downloaded from the Apache Tomcat website. The way I start tomcat is by running the command ./startup.sh from within the apache-tomcat-9.0.0.M26/bin directory. I stop it by running the command ./shutdown.sh from the same directory.

John Ellis
405.285.2500 office
http://biz-e.io

-----Original Message-----
From: André Warnier (tomcat) [mailto:a...@ice-sa.com]
Sent: Wednesday, September 20, 2017 10:02 AM
To: users@tomcat.apache.org
Subject: Re: tomcat ssl setup

On 20.09.2017 15:20, John Ellis wrote:
> Andre can you tell me which log file you are saying tells where the
> problem is?

That's the one you uploaded to the dropbox :
>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

I have of course no idea at this point, which tomcat or which server.xml this was related to, but i suppose you do.

> I am not seeing it but I may not be even looking for the right thing. I
> did open the server.xml file up in an XML file editor program and it
> didn't give any errors.

Then it must be that this tomcat who wrote the logfile, is not looking at the same server.xml file as the one you're looking at.
(Or else your XML file editor is not really good)

How do you start this tomcat, on your server ?
And where did you get this tomcat from ? Is it the one from the tomcat website ?
Re: tomcat ssl setup
On 20.09.2017 15:20, John Ellis wrote:
> Andre can you tell me which log file you are saying tells where the problem is?

That's the one you uploaded to the dropbox :
>> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

I have of course no idea at this point which tomcat or which server.xml this was related to, but I suppose you do.

> I am not seeing it but I may not be even looking for the right thing. I did open the server.xml file up in an XML file editor program and it didn't give any errors.

Then it must be that the tomcat which wrote that logfile is not looking at the same server.xml file as the one you're looking at. (Or else your XML file editor is not really good.)

How do you start this tomcat, on your server ? And where did you get this tomcat from ? Is it the one from the tomcat website ?

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: tomcat ssl setup
Andre can you tell me which log file you are saying tells where the problem is? I am not seeing it but I may not be even looking for the right thing. I did open the server.xml file up in an XML file editor program and it didn't give any errors.

John Ellis
405.285.2500 office
http://biz-e.io
RE: tomcat ssl setup
The Dropbox link to the tomcat server.xml file is back in this email thread.

John Ellis
405.285.2500 office
http://biz-e.io
Re: tomcat ssl setup
On 19.09.2017 20:17, John Ellis wrote:
> Here are the tomcat 9 log file DropBox links-
> https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0

Well, there you go. It tells you explicitly where you made the mistakes, up to the file and line numbers.

I can't see your server.xml, but I would bet that you have modified it, by surrounding some XML comment sections by another comment pair. That crashes because XML does not allow that. You cannot have this kind of thing : -->

> https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.txt?dl=0
>
> Thanks,
>
> John Ellis
> 405.285.2500 office
> http://biz-e.io
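The failure André describes above (a comment pair wrapped inside another comment, which a lenient GUI editor accepts but the strict XML parser Tomcat runs over server.xml at startup rejects, so the HTTPS connector is never started) can be caught before restarting Tomcat. The script below is an added example, not code from the thread or from the Tomcat project; it uses only the Python standard library, and the two server.xml fragments in it are constructed for illustration. Run it with the path of a real conf/server.xml to check that file instead.

```python
"""Check a Tomcat server.xml the way Tomcat's own parser will, before restarting.

Added example (not from the mailing-list thread or the Tomcat project).
BROKEN and FIXED are constructed samples; pass a real conf/server.xml path
on the command line to check that instead.
"""
import sys
import xml.etree.ElementTree as ET
from xml.parsers import expat


def find_xml_error(text):
    """Return (line, column, message) for the first well-formedness error, else None."""
    parser = expat.ParserCreate()
    try:
        parser.Parse(text, True)
    except expat.ExpatError as e:
        return (e.lineno, e.offset + 1, expat.ErrorString(e.code))
    return None


def tls_connectors(text):
    """List the Connector elements with SSLEnabled="true" (text must be well-formed)."""
    root = ET.fromstring(text)
    found = []
    for c in root.iter("Connector"):
        if c.get("SSLEnabled", "false").lower() != "true":
            continue
        # Tomcat 8.5/9 style keeps certificate settings in SSLHostConfig/Certificate;
        # the older style puts keystoreFile directly on the Connector.
        keystore = c.get("keystoreFile")
        if keystore is None:
            cert = c.find("./SSLHostConfig/Certificate")
            keystore = cert.get("certificateKeystoreFile") if cert is not None else None
        found.append({"port": c.get("port"), "protocol": c.get("protocol"), "keystore": keystore})
    return found


def check_server_xml(text):
    """Report well-formedness plus the TLS connectors Tomcat would try to start."""
    err = find_xml_error(text)
    if err is not None:
        return {"well_formed": False, "error": err, "tls_connectors": []}
    return {"well_formed": True, "error": None, "tls_connectors": tls_connectors(text)}


# Constructed sample 1: the default commented-out HTTPS connector was "enabled"
# by wrapping it in a second comment pair. "--" inside a comment is illegal in
# XML, so the parser stops on line 6 and Tomcat never reaches the connector.
BROKEN = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <!--
    <!--
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               SSLEnabled="true" />
    -->
    -->
  </Service>
</Server>
"""

# Constructed sample 2: the outer comment removed and a Tomcat 9 style
# SSLHostConfig block; the keystore path is an assumption.
FIXED = """<?xml version="1.0" encoding="UTF-8"?>
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
               maxThreads="150" SSLEnabled="true">
      <SSLHostConfig>
        <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                     certificateKeystorePassword="changeit" type="RSA" />
      </SSLHostConfig>
    </Connector>
  </Service>
</Server>
"""

if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else BROKEN
    print(check_server_xml(text))
```

The error tuple carries the line and column exactly like the stack trace in catalina.log does, which is the number to look at when an editor claims the file is fine: if the script and the log disagree about the file's state, Tomcat is almost certainly reading a different server.xml than the one being edited.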
Re: tomcat ssl setup
On 19.09.2017 20:19, John Ellis wrote:
> Andre at this point Alan, my boss, only has had me setup Tomcat 9 on this server; not jira or confluence. He thought it might be easier to get the SSL port working just on Tomcat first and then work with Jira and Confluence on this server.

Yes, and he is right. And at least this way, we have a reasonable picture of what files and configuration to expect, to start with. That is, provided we can figure out where the (RedHat ?) package-management of your platform puts the files which normally constitute tomcat.

I have a suggestion for you (and I know that you have already posted your current tomcat config files for people to look at, but do this in parallel).
If you really want to understand how tomcat works in its basic form, then do this :
- go to the "official tomcat website" tomcat.apache.org, and download an "official tomcat 9" from that website.
- unpack it and install it, to some directory of your choice like "/opt/tomcat9" or "/srv/tomcat9" (pick somewhere where there are not already a lot of things).

The difference with a packaged version, is mainly this :
- the whole tomcat software and standard configuration files will be installed under a single directory of your choice (e.g. /opt/tomcat9), and will be in a simple layout, like

  /opt/tomcat9
    bin      (the basic startup scripts, and the initial tomcat "bootstrap.jar" which loads tomcat and starts it)
    conf     (the configuration files)
    lib      (the java libraries of tomcat and used by tomcat)
    logs     (the logfiles that tomcat writes)
    temp     (a writeable work directory for temporary files)
    webapps  (top of all the application directories)
      ROOT   (the "default" application - basically a basic "Hello" page)
    work     (where tomcat expands some files when it starts)

(It will not put things anywhere else, nor interfere with any other software that is already there, and it will be easy to delete when you do not want it anymore.)

This tomcat, you will not really run it at first. But it will give you an overview of the pieces, and how they relate to one another, in a simple layout. It will also make it a lot easier for you to get help here, and to find your way in the on-line tomcat documentation, which often refers to such a standard layout.
(And you may even try to run it, following the detailed instructions that you will find in the top directory, in the file "RUNNING.txt". It is really quite simple.)

The issue with per-platform packaged versions, is that they do re-arrange all these pieces and files into other locations, to better fit the logic of other packages on that platform. And then they put a series of links between these directories, files etc., to make that packaged tomcat find these different pieces when it runs. That is perfectly ok, and it makes it easier later, to run tomcat automatically as a daemon, update it, manage its logfiles etc. But it makes it quite difficult to find things initially, unless you have that standard layout to guide you. (Because then at least you know what you are looking for.)
RE: tomcat ssl setup
Andre at this point Alan, my boss, only has had me setup Tomcat 9 on this server; not jira or confluence. He thought it might be easier to get the SSL port working just on Tomcat first and then work with Jira and Confluence on this server.

John Ellis
405.285.2500 office
http://biz-e.io
RE: tomcat ssl setup
Here are the tomcat 9 log file DropBox links-
https://www.dropbox.com/s/hlcg3cycddteyaz/catalina.2017-09-08.log?dl=0
https://www.dropbox.com/s/yj93ub9woxdoie0/localhost_access_log.2017-09-19.txt?dl=0

Thanks,

John Ellis
405.285.2500 office
http://biz-e.io
RE: tomcat ssl setup
Yes I will put the log files on DropBox as well when I get back from lunch.

Thanks,

John Ellis
405.285.2500 office
http://biz-e.io
Re: tomcat ssl setup
Do you see what's in the log files? They can tell you what the problem is. Maybe you can share those files too.

I also saw on line 117 this "-->". Looks like there's a left over.

On 09/19/2017 09:31 AM, John Ellis wrote:
> I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL (version 6.4) server for testing purposes. [...]
> I am providing a copy of the Tomcat9 server.xml file here on a DropBox link-
> https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0

--
Alejandro Vargas Mayorga
Development Manager, C.A. & C.
Tel. 506-7232-3366
Email: alejandro.var...@kymsolutions.com
www.kymsolutions.com
Visit our virtual classroom!
Re: tomcat ssl setup
On 19.09.2017 17:31, John Ellis wrote:
> I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL (version 6.4) server for testing purposes. I downloaded & installed Tomcat9 fine and I get a proper webpage on port 8080 but when I used the keytool commands and created a certificate from cacert.org and then edited the server.xml file to setup the ssl configuration to run on port 8443 I cannot get a webpage on that port; it defaults back to port 8080. [...]
> I am providing a copy of the Tomcat9 server.xml file here on a DropBox link-
> https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0

Hi.
No problem, and no need to apologise, we try to help everyone here. (Any tomcat user, at least).

No matter what tomcat you are running or where you installed it, it should be writing logfiles somewhere, in which it should tell you at start, what may be wrong. Have you found and looked at these files yet ?

Maybe something else : I am no expert, but I believe that by default, each of Confluence and Jira sets up its own "private" tomcat server. Are you sure that you are looking at the right one ?
tomcat ssl setup
I have been trying to setup SSL for tomcat 9.00.M26 on a RHEL (version 6.4) server for testing purposes. I downloaded & installed Tomcat9 fine and I get a proper webpage on port 8080, but when I used the keytool commands and created a certificate from cacert.org and then edited the server.xml file to setup the ssl configuration to run on port 8443 I cannot get a webpage on that port; it defaults back to port 8080.

If I am not providing all the needed info or asking a wrong question please forgive me. I am not a programmer. My background is in computer hardware. I have just been forced to learn this to support two products that we use here in our office: Jira and Confluence. I have actually been working on setting them up for an SSL connection on a different server. I got Confluence working on a secure port but not Jira, so my boss suggested troubleshooting the issue by trying to first get SSL setup for Tomcat on this other server.

I am providing a copy of the Tomcat9 server.xml file here on a DropBox link-
https://www.dropbox.com/s/k3l07w9p4n81fas/server.xml?dl=0

Thanks in advance!

John Ellis
405.285.2500 office
http://biz-e.io
Re: SSL setup - Apache Tomcat service won't start
Khisanth,

On 9/26/16 7:45 AM, TJ wrote:
> I have Apache Tomcat/9.0.0.M10 on Windows 10 64bit and want to setup SSL. Am following https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and gone through the steps of creating the keystore with a single self signed cert using:
>
> "%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA
>
> That's fine and confirmed the certificate is in there.
>
> Next I alter the server.xml file as follows and go to restart the Tomcat service:
>
> protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" keystoreFile="c:\users\khisanth\.keystore" keystorePass="changeit" />
> certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />
>
> Problem is the service will not restart. If I remove the added comments it will restart fine. I am logged in as administrator.

What do the logs say?

%CATALINA_BASE%\logs\catalina.log

or, if running as a Windows Service:

%CATALINA_BASE%\logs\stdout-*.log

While debugging startup errors, it's usually helpful to run Tomcat interactively from the command prompt, like this:

C:\> %CATALINA_HOME%\bin\startup.bat

Then you get the stdout log right there in the terminal, including any errors with the connector configurations.

> The apache server status page does mention HTTPS.

Apache httpd or Apache Tomcat?

-chris
SSL setup - Apache Tomcat service won't start
Hi all

I have Apache Tomcat/9.0.0.M10 on Windows 10 64bit and want to setup SSL. Am following https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html and gone through the steps of creating the keystore with a single self signed cert using:

"%JAVA_HOME%\bin\keytool" -genkey -alias tomcat -keyalg RSA

That's fine and confirmed the certificate is in there.

Next I alter the server.xml file as follows and go to restart the Tomcat service:

protocol="org.apache.coyote.http11.Http11NioProtocol" maxThreads="150" SSLEnabled="true" keystoreFile="c:\users\khisanth\.keystore" keystorePass="changeit" />
certificateKeystoreFile="conf/localhost-rsa.jks" type="RSA" />

Problem is the service will not restart. If I remove the added comments it will restart fine. I am logged in as administrator. The apache server status page does mention HTTPS.

Any ideas?

thanks
khisanth
Need help with Tomcat SSL setup
Hi,

I am new to tomcat. I have installed tomcat binaries and created one stand alone instance. Tomcat is working fine with http port, I get the message "It works". But when I try to access with https port I am getting "page cannot be found". Below is what I did:

./keytool -genkey -alias tomcat -keyalg RSA -keystore /apps/tomcat.jks

Added in server.xml:

<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/apps/tomcat.jks" keystoreType="JKS"
           keystorePass="changeit" keyPass="changeit" />

Please let me know what is wrong.

Thanks
Satish
Re: Need help with Tomcat SSL setup
2014-11-11 20:10 GMT+03:00 Gadhiraju, Satish satish.gadhir...@ally.com:
> Hi, I am new to tomcat. I have installed tomcat binaries and created one stand alone instance. Tomcat is working fine with http port, I get the message "It works". But when I try to access with https port I am getting "page cannot be found". [...]
> please let me know what is wrong.

1. Did you restart Tomcat after editing its configuration file?
2. What is in Tomcat logs?
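The two questions above are the right ones because a browser's "page cannot be found" (and the ERR_CONNECTION_REFUSED of the next thread) collapses several different failures into one message: nothing listening on the port at all (the connector never started, or Tomcat was not restarted after the edit), a listener that speaks plain HTTP where TLS was expected, or a listener that does TLS but with a certificate the client rejects. The probe below tells these apart from the client side. It is an added example, not code from the thread or from Tomcat, using only the Python standard library; the host and port are assumptions, and the plaintext listener it starts is a test helper standing in for a misconfigured connector. It skips certificate validation on purpose because it is a diagnostic, not a client; do not copy that setting into application code.

```python
"""Classify what is (or is not) answering on Tomcat's HTTPS port.

Added example (not from the thread or the Tomcat project); standard library only.
Host/port are assumptions; serve_plain_http_once() is a throwaway test helper.
"""
import socket
import ssl
import sys
import threading


def probe_https(host, port, timeout=3.0):
    """Return {"state": ..., "detail": ...}; state is refused, timeout, not_tls, tls_error or tls_ok."""
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return {"state": "refused", "detail": "nothing is listening on %s:%d" % (host, port)}
    except (socket.timeout, TimeoutError):
        return {"state": "timeout", "detail": "no TCP answer at all (firewall, wrong host?)"}
    except OSError as e:
        return {"state": "refused", "detail": str(e)}

    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # diagnostic only: we want to see the handshake,
    ctx.verify_mode = ssl.CERT_NONE  # even with a self-signed or untrusted certificate
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert(binary_form=True) or b""
            return {"state": "tls_ok",
                    "detail": "%s with %s, certificate %d bytes DER"
                              % (tls.version(), tls.cipher()[0], len(cert))}
    except ssl.SSLError as e:
        # A plain-HTTP listener answers the ClientHello with an HTTP error page;
        # OpenSSL then complains about the record version, not the handshake.
        msg = str(e).lower()
        if "wrong version number" in msg or "unknown protocol" in msg:
            return {"state": "not_tls", "detail": "port answers, but with plain HTTP, not TLS"}
        return {"state": "tls_error", "detail": str(e)}
    except OSError as e:
        return {"state": "tls_error", "detail": "connection dropped during handshake: %s" % e}


def serve_plain_http_once(port=0):
    """Test helper: a plaintext listener that answers one connection with HTTP 400, like a non-TLS connector."""
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", port))
    srv.listen(1)

    def handle():
        conn, _ = srv.accept()
        try:
            conn.recv(4096)  # the ClientHello, which a plain HTTP server cannot parse
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\nConnection: close\r\n\r\n")
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=handle, daemon=True).start()
    return srv.getsockname()[1]


def free_port():
    """Test helper: reserve and release a loopback port so that connecting to it is refused."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"   # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 8443     # assumption
    print(probe_https(host, port))
```

"refused" means the connector is not up and the answer is in catalina.out (or the Tomcat was never restarted); "not_tls" means something is listening but SSLEnabled was not applied to that port; "tls_error" with a certificate complaint is the keystore side of the problem, which is where `openssl s_client -connect host:port -showcerts` takes over.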
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Mavenpol,

On 16.9.2013 22:47, Mavenpol Saulon wrote:
> This server where I imported the certificates and has been encountering errors is just one of the servers that are configured to run SSL. All of the other servers have the same setup except for the keytool -delete.. that I used in this particular erring server. Other servers are OK in SSL. I'm worried that the keytool delete might have caused the problem?

(On this list it is standard to put your text below the quote.)

What is the content of your Java keystore now? You should have PrivateKeyEntry with valid certificate chain. Check it using

  keytool -list -v

You may also check if the certificate chain is served properly to the client using openssl:

  openssl s_client -connect server.example.com:443 -showcerts

Other than that, you may try to turn on TLS/SSL Java debugging using VM option:

  -Djavax.net.debug=all

These commands/option will give you some insight what is wrong with keystore and TLS/SSL handshake.

-Ognjen
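What to look for in that `keytool -list -v` output, as an added example that is not code from the thread or from Tomcat or the JDK: the entry the connector uses must be a PrivateKeyEntry whose chain links up issuer to subject. A trustedCertEntry under the server's alias is the usual leftover of a `keytool -delete` of the key pair followed by importing only the signed certificate; the certificate is there, the private key is gone, and no handshake is possible. The script parses the listing format keytool prints and runs those checks; the two listings in it are constructed samples, and the alias "tomcat" and the keystore path in the main block are assumptions (use the alias your connector's keyAlias names, or keytool's default "mykey").

```python
"""Check `keytool -list -v` output for an entry that can actually serve TLS.

Added example (not from the thread, Tomcat or the JDK); standard library only.
HEALTHY_LISTING and AFTER_DELETE_LISTING are constructed samples in the
format keytool prints; the alias "tomcat" is an assumption.
"""
import re
import subprocess
import sys


def parse_keytool_listing(text):
    """Turn `keytool -list -v` output into {alias: {"type", "chain_length", "certs"}}."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", text)[1:]:
        alias, _, body = block.partition("\n")
        m_type = re.search(r"(?m)^Entry type: (\S+)", body)
        m_len = re.search(r"(?m)^Certificate chain length: (\d+)", body)
        # Each certificate is printed as an Owner line followed by an Issuer line,
        # so pairing them in order recovers the chain as keytool sees it.
        owners = re.findall(r"(?m)^Owner: (.+?)\s*$", body)
        issuers = re.findall(r"(?m)^Issuer: (.+?)\s*$", body)
        entries[alias.strip()] = {
            "type": m_type.group(1) if m_type else None,
            "chain_length": int(m_len.group(1)) if m_len else 0,
            "certs": list(zip(owners, issuers)),
        }
    return entries


def check_server_entry(entries, alias="tomcat"):
    """Return a list of problems with the connector's entry; an empty list means it looks usable."""
    e = entries.get(alias)
    if e is None:
        return ["no entry with alias %r; the connector's keyAlias must match an existing alias" % alias]
    if e["type"] != "PrivateKeyEntry":
        # Deleting the key pair and importing the signed cert on its own leaves exactly this.
        return ["alias %r is a %s, not a PrivateKeyEntry: the private key is missing" % (alias, e["type"])]
    problems = []
    certs = e["certs"]
    if e["chain_length"] != len(certs):
        problems.append("chain length says %d but %d certificates are listed" % (e["chain_length"], len(certs)))
    # certificate[i] must have been issued by certificate[i+1] for the chain to be valid.
    for i in range(len(certs) - 1):
        if certs[i][1] != certs[i + 1][0]:
            problems.append("certificate %d issuer %r does not match certificate %d owner %r"
                            % (i + 1, certs[i][1], i + 2, certs[i + 1][0]))
    if len(certs) == 1 and certs[0][0] != certs[0][1]:
        problems.append("CA-issued leaf without its intermediate chain; clients may fail to build a path")
    return problems


def list_keystore(path, storepass):
    """Run keytool itself (needs a JDK on PATH). -storepass is visible in the process list."""
    res = subprocess.run(["keytool", "-list", "-v", "-keystore", path, "-storepass", storepass],
                         capture_output=True, text=True, check=True)
    return res.stdout


HEALTHY_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Sep 16, 2013
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=server.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c4d
Valid from: Mon Sep 16 00:00:00 UTC 2013 until: Tue Sep 16 00:00:00 UTC 2014
Certificate[2]:
Owner: CN=Example Issuing CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 0102
Valid from: Fri Jan 01 00:00:00 UTC 2010 until: Tue Jan 01 00:00:00 UTC 2030


*******************************************
*******************************************


Alias name: exampleroot
Creation date: Sep 16, 2013
Entry type: trustedCertEntry

Owner: CN=Example Root CA, O=Example Corp, C=US
Issuer: CN=Example Root CA, O=Example Corp, C=US
Serial number: 01
"""

AFTER_DELETE_LISTING = """Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

Alias name: tomcat
Creation date: Sep 16, 2013
Entry type: trustedCertEntry

Owner: CN=server.example.com, O=Example Corp, C=US
Issuer: CN=Example Issuing CA, O=Example Corp, C=US
Serial number: 1a2b3c4d
"""

if __name__ == "__main__":
    # Usage: script.py /path/to/keystore.jks storepass   (path is an assumption)
    listing = list_keystore(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else AFTER_DELETE_LISTING
    for line in check_server_entry(parse_keytool_listing(listing)) or ["keystore entry looks usable"]:
        print(line)
```

If the check reports a missing private key, the fix is not another import: the key pair has to be regenerated (keytool -genkeypair), a new CSR issued from it, and the CA reply imported under the same alias so that keytool attaches it to the private key.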
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Ognjen,

On 9/17/13 4:37 AM, Ognjen Blagojevic wrote:
> [Ognjen's reply to Mavenpol, quoted in full above; omitted here]

It also would be helpful for the OP to:

a) Specify the version of Tomcat you are using
b) Provide the <Connector> configuration from your conf/server.xml
   (without any sensitive material such as passwords)

-chris
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Maybe it'd be helpful not to use the Java key store (JKS). Personally, on
Linux Tomcat installations without native APR I use .p12 files with this
config:

  <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
             maxThreads="150" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystoreFile="${catalina.home}/ssl/serverkey.p12"
             keystorePass="**PASS**" keystoreType="pkcs12" />

Jan

> Good Day!
>
> Everything was followed perfectly from this URL:
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html. I've done this
> setup a lot of times already and mostly I have been successful. Until our
> security team noticed that the installed root CA is incorrect. Instead of
> just importing the correct root CA, I deleted all the imported
> certificates (originally 2 certificates) using
>
>   keytool -delete -alias <certificate nicknames> -keystore .keystore
>
> Afterwards, I imported the 2 certificates again. Now when I access
> https://mydomain:8443, it gives me a "webpage not found" with
> ERR_CONNECTION_REFUSED error in Chrome and ssl_error_no_cypher_overlap in
> Firefox. Could anyone please let me know what I must have done wrong?
>
> Thank you in advance.
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Thank you all for your help. It just came to a point where I just had to
delete the old keystore and create a new one, and request new certificates.
Now everything's working.

On Tue, Sep 17, 2013 at 9:58 AM, Jan Vávra va...@602.cz wrote:
> [Jan's .p12 suggestion and the original question, both quoted in full above; omitted here]
Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Good Day!

Everything was followed perfectly from this URL:
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html. I've done this
setup a lot of times already and mostly I have been successful. Until our
security team noticed that the installed root CA is incorrect. Instead of
just importing the correct root CA, I deleted all the imported certificates
(originally 2 certificates) using

  keytool -delete -alias <certificate nicknames> -keystore .keystore

Afterwards, I imported the 2 certificates again. Now when I access
https://mydomain:8443, it gives me a "webpage not found" with
ERR_CONNECTION_REFUSED error in Chrome and ssl_error_no_cypher_overlap in
Firefox. Could anyone please let me know what I must have done wrong?

Thank you in advance.
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Hello,

On http://support.mozilla.org/cs/questions/952242 there is something
described about the SSL protocol settings for Firefox. It seems like you
have configured in server.xml e.g. only the SSLv2 protocol, which is
disabled in the client browser:

  http://tomcat.apache.org/tomcat-7.0-doc/config/http.html (sslProtocol)
  http://docs.oracle.com/javase/7/docs/technotes/guides/security/StandardNames.html#SSLContext

Jan

> [original question quoted in full above; omitted here]
Re: Tomcat 7 SSL Setup: ERR_CONNECTION_REFUSED
Thanks Jan for replying. Unfortunately, I'm not inclined to go in the
direction that it's a browser problem. This server where I imported the
certificates and has been encountering errors is just one of the servers
that are configured to run SSL. All of the other servers have the same
setup except for the keytool -delete.. that I used in this particular
erring server. Other servers are OK in SSL. I'm worried that the keytool
delete might have caused the problem?

On Mon, Sep 16, 2013 at 3:36 PM, Jan Vávra va...@602.cz wrote:
> [Jan's message about the Firefox SSL protocol settings and the original question, both quoted in full above; omitted here]
Re: Tomcat 6.0.24 SSL Setup issue
On Wed, 2012-10-24 at 11:38 +0100, KumareshGopalsamy wrote:
>   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystorePass="changeit" keystoreFile=
>              "C:\apache-tomcat-6.0.24-windows-x64\key \.keystore"/>

The only thing that looks weird is that space after '\key'. And perhaps the
newline after 'keystoreFile='? But maybe I'm reading this too literally.

Also, it looks like something is already bound to a port you want to use.

--tim

> I have got the below error message when I restart the Tomcat server.
> Could you please help me on this?
>
> 22-Oct-2012 11:21:43 org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.19.
> 22-Oct-2012 11:21:43 org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
> 22-Oct-2012 11:21:43 org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'clientAuth' to 'false' did not find a matching property.
> 22-Oct-2012 11:21:43 org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystorePass' to 'changeit' did not find a matching property.
> 22-Oct-2012 11:21:43 org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'keystoreFile' to 'C:\.keystore' did not find a matching property.
> 22-Oct-2012 11:21:44 org.apache.coyote.http11.Http11AprProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> 22-Oct-2012 11:21:44 org.apache.coyote.http11.Http11AprProtocol init
> SEVERE: Error initializing endpoint
> java.lang.Exception: No Certificate file specified or invalid file format
>         at org.apache.tomcat.jni.SSLContext.setCertificate(Native Method)
>         at org.apache.tomcat.util.net.AprEndpoint.init(AprEndpoint.java:720)
>         at org.apache.coyote.http11.Http11AprProtocol.init(Http11AprProtocol.java:107)
>         at org.apache.catalina.connector.Connector.initialize(Connector.java:1007)
>         at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:540)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> 22-Oct-2012 11:21:44 org.apache.catalina.startup.Catalina load
> SEVERE: Catalina.start
> LifecycleException: Protocol handler initialization failed: java.lang.Exception: No Certificate file specified or invalid file format
>         at org.apache.catalina.connector.Connector.initialize(Connector.java:1009)
>         at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
>         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:540)
>         at org.apache.catalina.startup.Catalina.load(Catalina.java:560)
>         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>         at java.lang.reflect.Method.invoke(Method.java:597)
>         at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
>         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
> 22-Oct-2012 11:21:44 org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 1836 ms
> 22-Oct-2012 11:21:44 org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> 22-Oct-2012 11:21:44 org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
> 22-Oct-2012 11:21:44 org.apache.catalina.startup.HostConfig deployDescriptor
> INFO: Deploying configuration descriptor host-manager.xml
> 22-Oct-2012 11:21:44 org.apache.catalina.startup.HostConfig deployDescriptor
> INFO: Deploying configuration descriptor manager.xml
> 22-Oct-2012 11:21:44
Re: Tomcat 6.0.24 SSL Setup issue
On 24/10/2012 11:38, KumareshGopalsamy wrote:
> Hi
>
> I have followed below steps to setup SSL

You are trying to use a BIO/NIO (100% Java) SSL configuration for the APR
(native) connector. That won't work. Fix your configuration or disable APR.

See the SSL How-to, particularly the section on configuration. [1]

Mark

[1] http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Edit_the_Tomcat_Configuration_File
Re: Tomcat 6.0.24 SSL Setup issue
Kumaresh,

On 10/24/12 6:38 AM, KumareshGopalsamy wrote:
> I have followed below steps to setup SSL
>
> Details
> Tomcat 6.0.24
> Windows server 2008 R2 Datacenter

Since you are using SSL, I suspect you are interested in protecting your
data. You should seriously upgrade to the latest Tomcat 6.0.36, as there
are known vulnerabilities with your version:
http://tomcat.apache.org/security-6.html

>   <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>              maxThreads="150" scheme="https" secure="true"
>              clientAuth="false" sslProtocol="TLS"
>              keystorePass="changeit" keystoreFile=
>              "C:\apache-tomcat-6.0.24-windows-x64\key \.keystore"/>

This is a JSSE keystore-based certificate configuration.

> 22-Oct-2012 11:21:43 org.apache.catalina.core.AprLifecycleListener init
> INFO: Loaded APR based Apache Tomcat Native library 1.1.19.
> 22-Oct-2012 11:21:43 org.apache.catalina.core.AprLifecycleListener init
> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].

You are using APR (tcnative).

> INFO: Initializing Coyote HTTP/1.1 on http-8080
> 22-Oct-2012 11:21:44 org.apache.coyote.http11.Http11AprProtocol init

Your Connector is auto-choosing the APR-based HTTP/1.1 protocol.

> SEVERE: Error initializing endpoint
> java.lang.Exception: No Certificate file specified or invalid file format

APR uses a different file format and configuration from the BIO and NIO
HTTP/1.1 connectors. So, either you need to re-do your certificates so that
you have separate PEM-encoded files on the disk like httpd does, and
configure them appropriately
(http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS), or you need to
change your Connector to use a non-APR connector, like this for BIO:

  <Connector protocol="org.apache.coyote.http11.Http11Protocol"

Or like this for NIO:

  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"

Or you can disable APR by commenting-out the <Listener> in server.xml, or
you can just remove the tcnative* binaries from your Tomcat installation.

Hope that helps,
-chris
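The mismatch Chris explains here (JSSE keystore attributes on a connector that Tomcat silently runs on APR), and the connector Satish posted in the 2014 thread at the top of this page, can both be checked mechanically before Tomcat is started. What follows is an added example, not code from this thread or from the Tomcat project. It uses only the Python standard library, reads a server.xml (the one embedded below is constructed to mirror Kumaresh's configuration), works out which connector implementation Tomcat 6/7 would pick for protocol="HTTP/1.1", and flags TLS attributes that belong to the other implementation, a keystoreFile path with whitespace next to a path separator (the '\key \.keystore' Tim pointed at), a legacy sslProtocol value, and the JDK default keystore password. The `native_available` flag stands in for whether tcnative actually loads, which cannot be read from the XML alone; the function and constant names are choices made for this example.

```python
"""Lint the HTTPS <Connector> in a Tomcat 6/7 server.xml for the mismatches
discussed in this thread: JSSE keystore attributes on a connector that will
run on APR (the 'No Certificate file specified' failure), APR attributes on
a Java connector ('did not find a matching property'), stray whitespace in
keystoreFile, a legacy sslProtocol, and the JDK default keystore password.

Added example, not code from the thread or from Tomcat. SERVER_XML below is
constructed to mirror the configuration posted in the thread.
"""
import re
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
JAVA_PROTOCOLS = {
    "org.apache.coyote.http11.Http11Protocol",     # BIO
    "org.apache.coyote.http11.Http11NioProtocol",  # NIO
}
# Keystore-based attributes understood by the Java (JSSE) connectors ...
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
              "keyPass", "truststoreFile", "truststorePass", "clientAuth",
              "sslProtocol"}
# ... versus the PEM-file attributes the APR connector expects (as httpd does).
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile",
             "SSLCertificateChainFile", "SSLCACertificateFile",
             "SSLPassword", "SSLProtocol", "SSLVerifyClient"}

# Constructed server.xml: APR listener present, JSSE-style HTTPS connector.
SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="8443" />
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystorePass="changeit"
               keystoreFile="C:\apache-tomcat-6.0.24-windows-x64\key \.keystore" />
  </Service>
</Server>
"""


def resolve_implementation(protocol, apr_listener, native_available):
    """Return 'APR' or 'JSSE' for the connector Tomcat 6/7 would create.

    protocol="HTTP/1.1" (or none) is auto-selected: APR when the
    AprLifecycleListener is configured and tcnative loads, BIO otherwise.
    """
    if protocol == APR_PROTOCOL:
        return "APR"
    if protocol in JAVA_PROTOCOLS:
        return "JSSE"
    if protocol in (None, "", "HTTP/1.1"):
        return "APR" if (apr_listener and native_available) else "JSSE"
    return "JSSE"  # any other explicit class name is treated as a Java connector


def lint_server_xml(xml_text, native_available=True):
    """Return a list of findings for every SSLEnabled connector."""
    root = ET.fromstring(xml_text)
    apr_listener = any(lst.get("className") == APR_LISTENER
                       for lst in root.iter("Listener"))
    findings = []
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        if conn.get("SSLEnabled", "false").lower() != "true":
            if conn.get("scheme") == "https":
                findings.append(f"port {port}: scheme=\"https\" without "
                                "SSLEnabled=\"true\"; this connector speaks plain HTTP")
            continue
        impl = resolve_implementation(conn.get("protocol"), apr_listener,
                                      native_available)
        attrs = set(conn.keys())
        if impl == "APR" and attrs & JSSE_ATTRS:
            findings.append(
                f"port {port}: APR connector with JSSE attributes "
                f"{sorted(attrs & JSSE_ATTRS)}; APR ignores them and fails with "
                "'No Certificate file specified'. Use SSLCertificateFile/"
                "SSLCertificateKeyFile (PEM), or set protocol to a Java "
                "connector, or drop the AprLifecycleListener / tcnative")
        if impl == "JSSE" and attrs & APR_ATTRS:
            findings.append(
                f"port {port}: Java connector with APR attributes "
                f"{sorted(attrs & APR_ATTRS)}; they are logged as 'did not find "
                "a matching property' and ignored")
        ks = conn.get("keystoreFile")
        if ks and re.search(r"^\s|\s$|\s[\\/]|[\\/]\s", ks):
            findings.append(f"port {port}: keystoreFile {ks!r} has whitespace "
                            "next to a path separator; the file will not be found")
        proto = conn.get("sslProtocol", "")
        if proto.upper().startswith("SSL"):
            findings.append(f"port {port}: sslProtocol=\"{proto}\" asks for a "
                            "legacy SSL context; use \"TLS\"")
        if conn.get("keystorePass") == "changeit":
            findings.append(f"port {port}: keystorePass is the JDK default 'changeit'")
    return findings


if __name__ == "__main__":
    for native in (True, False):
        print(f"--- tcnative loads: {native}")
        for finding in lint_server_xml(SERVER_XML, native_available=native):
            print(" *", finding)
```

Run against the constructed file with `native_available=True` it reports the APR/JSSE mismatch, the whitespace in keystoreFile and the default password; with `native_available=False`, which is the state Kumaresh reached by removing tcnative-1.dll, the APR finding disappears and only the two keystore findings remain. Point `lint_server_xml` at `open("conf/server.xml").read()` to check a real installation.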
RE: Tomcat 6.0.24 SSL Setup issue
Hi Tim,

Thank you for your reply. I have attached Server.xml of my Tomcat. This
machine is a dedicated Tomcat server, as no other application runs on it;
if any other is using it, please let me know how to delete/remove it.

Thank you

Regards
Kumaresh Gopalsamy

-----Original Message-----
From: Tim Watts [mailto:t...@cliftonfarm.org]
Sent: 24 October 2012 14:17
To: Tomcat Users List
Subject: Re: Tomcat 6.0.24 SSL Setup issue

> [Tim's reply, with the configuration and startup log it quotes, appears in full above; omitted here]
RE: Tomcat 6.0.24 SSL Setup issue
Hi Chris,

We are planning to set up a JSSE keystore-based certificate configuration,
so I have removed the tcnative-1.dll file in the
C:\apache-tomcat-6.0.24-windows-x64\apache-tomcat-6.0.24\bin path. Still no
success; below are the error messages. I have attached server.xml in this.

Error Message

24-Oct-2012 14:52:36 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.6.0_30\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jdk1.6.0_30\bin;.
24-Oct-2012 14:52:36 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
24-Oct-2012 14:52:38 org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
24-Oct-2012 14:52:38 org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 2702 ms
24-Oct-2012 14:52:38 org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
24-Oct-2012 14:52:38 org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
24-Oct-2012 14:52:38 org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor host-manager.xml
24-Oct-2012 14:52:38 org.apache.catalina.startup.HostConfig deployDescriptor
INFO: Deploying configuration descriptor manager.xml
24-Oct-2012 14:52:39 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory docs
24-Oct-2012 14:52:39 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory examples
24-Oct-2012 14:52:39 org.apache.catalina.startup.HostConfig deployDirectory
INFO: Deploying web application directory ROOT
24-Oct-2012 14:52:40 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
24-Oct-2012 14:52:40 org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
24-Oct-2012 14:52:40 org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
24-Oct-2012 14:52:40 org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/32 config=null
24-Oct-2012 14:52:40 org.apache.catalina.startup.Catalina start
INFO: Server startup in 1986 ms

Thank you

Regards
Kumaresh Gopalsamy

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: 24 October 2012 14:42
To: Tomcat Users List
Subject: Re: Tomcat 6.0.24 SSL Setup issue

> [Christopher Schultz's reply, quoted in full above; omitted here]
Re: Tomcat 6.0.24 SSL Setup issue
On 24/10/2012 15:00, KumareshGopalsamy wrote:
> Hi Chris
>
> We are planning to setup JSSE keystore-based certificate configuration
> so I have removed tcnative-1.dll file in
> C:\apache-tomcat-6.0.24-windows-x64\apache-tomcat-6.0.24\bin path.
> Still no success, below are the error message

There are no error messages in the logs quoted below.

Mark

> I have attached server.xml in this.
>
> Error Message
>
> [the 24-Oct-2012 14:52 startup log and Christopher Schultz's reply, both quoted in full above; omitted here]
RE: Tomcat 6.0.24 SSL Setup issue
Hi Mark

Thank you. You are right. It was my mistake as page takes more time to load.

But when I shutdown Tomcat from command prompt (C:\apache-tomcat-6.0.24-windows-x64\apache-tomcat-6.0.24\bin\shutdown) I could see Apache Tomcat homepage in http://localhost:8080/ but not in https://localhost:8443/

Will I continue to see homepage in http://localhost:8080/ after tomcat shutdown?

Regards
Kumaresh Gopalsamy

-----Original Message-----
From: Mark Thomas [mailto:ma...@apache.org]
Sent: 24 October 2012 15:27
To: Tomcat Users List
Subject: Re: Tomcat 6.0.24 SSL Setup issue

On 24/10/2012 15:00, KumareshGopalsamy wrote:
> Hi Chris
>
> We are planning to setup JSSE keystore-based certificate configuration so I have removed tcnative-1.dll file in C:\apache-tomcat-6.0.24-windows-x64\apache-tomcat-6.0.24\bin path. Still no success, below are the error message

There are no error messages in the logs quoted below.

Mark

> I have attached server.xml in this.
>
> Error Message
> 24-Oct-2012 14:52:36 org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.6.0_30\bin;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Program Files\Java\jdk1.6.0_30\bin;.
> 24-Oct-2012 14:52:36 org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> 24-Oct-2012 14:52:38 org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> 24-Oct-2012 14:52:38 org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 2702 ms
> 24-Oct-2012 14:52:38 org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> 24-Oct-2012 14:52:38 org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/6.0.24
> 24-Oct-2012 14:52:38 org.apache.catalina.startup.HostConfig deployDescriptor
> INFO: Deploying configuration descriptor host-manager.xml
> 24-Oct-2012 14:52:38 org.apache.catalina.startup.HostConfig deployDescriptor
> INFO: Deploying configuration descriptor manager.xml
> 24-Oct-2012 14:52:39 org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory docs
> 24-Oct-2012 14:52:39 org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory examples
> 24-Oct-2012 14:52:39 org.apache.catalina.startup.HostConfig deployDirectory
> INFO: Deploying web application directory ROOT
> 24-Oct-2012 14:52:40 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-8080
> 24-Oct-2012 14:52:40 org.apache.coyote.http11.Http11Protocol start
> INFO: Starting Coyote HTTP/1.1 on http-8443
> 24-Oct-2012 14:52:40 org.apache.jk.common.ChannelSocket init
> INFO: JK: ajp13 listening on /0.0.0.0:8009
> 24-Oct-2012 14:52:40 org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=0/32 config=null
> 24-Oct-2012 14:52:40 org.apache.catalina.startup.Catalina start
> INFO: Server startup in 1986 ms
>
> Thank you
>
> Regards
> Kumaresh Gopalsamy
>
> -----Original Message-----
> From: Christopher Schultz [mailto:ch...@christopherschultz.net]
> Sent: 24 October 2012 14:42
> To: Tomcat Users List
> Subject: Re: Tomcat 6.0.24 SSL Setup issue
>
> Kumaresh,
>
> On 10/24/12 6:38 AM, KumareshGopalsamy wrote:
> > I have followed below steps to setup SSL
> > Details
> > Tomcat 6.0.24
> > Windows server 2008 R2 Datacenter
>
> Since you are using SSL, I suspect you are interested in protecting your data. You should seriously upgrade to the latest Tomcat 6.0.36, as there are known vulnerabilities with your version: http://tomcat.apache.org/security-6.html
>
> > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keystorePass="changeit" keystoreFile="C:\apache-tomcat-6.0.24-windows-x64\key\.keystore"/>
>
> This is a JSSE keystore-based certificate configuration.
>
> > 22-Oct-2012 11:21:43 org.apache.catalina.core.AprLifecycleListener init
> > INFO: Loaded APR based Apache Tomcat Native library 1.1.19.
> > 22-Oct-2012 11:21:43 org.apache.catalina.core.AprLifecycleListener init
> > INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>
> You are using APR (tcnative).
>
> > INFO: Initializing Coyote HTTP/1.1 on http-8080
> > 22-Oct-2012 11:21:44 org.apache.coyote.http11.Http11AprProtocol init
>
> Your Connector is auto-choosing APR-based HTTP/1.1 protocol.
>
> > SEVERE: Error initializing endpoint
> > java.lang.Exception: No Certificate file specified or invalid file format
>
> APR uses a different file format and configuration from the BIO and NIO HTTP/1.1 connectors. So, either you need to re-do your certificates so that you have
RE: Tomcat 6.0.24 SSL Setup issue
Mark is correct: there are NO Tomcat errors in the attached log, but your JSSE is complaining about a missing cert, or you are implementing a certificate from a non-CA authority. You cannot build your KeyMaterial without knowing the full path of the CA-authority issued cert and the keyFile location and the jksPassword and the keyPass:

    public KeyMaterial(File certsFile, File keyFile, char[] jksPass, char[] keyPass) throws GeneralSecurityException, IOException

http://juliusdavies.ca/commons-ssl/javadocs/org/apache/commons/ssl/KeyMaterial.html#KeyMaterial%28java.io.File,%20java.io.File,%20char[],%20char[]%29

Martin
__
Please do not alter or disrupt this email communication

> Subject: RE: Tomcat 6.0.24 SSL Setup issue
> Date: Wed, 24 Oct 2012 15:39:01 +0100
> From: kumareshgopals...@phs.co.uk
> To: users@tomcat.apache.org
> CC: ma...@apache.org
Re: Tomcat 6.0.24 SSL Setup issue
Kumaresh,

On 10/24/12 10:39 AM, KumareshGopalsamy wrote:
> But when I shutdown Tomcat from command prompt C:\apache-tomcat-6.0.24-windows-x64\apache-tomcat-6.0.24\bin\shutdown I could see Apache Tomcat homepage in http://localhost:8080/ but not in https://localhost:8443/
>
> Will I continue to see homepage in http://localhost:8080/ after tomcat shutdown?

That depends: do you have more than one server process running? Try using netstat to see what process is listening on port 8080.

If you have been changing your configuration around and starting and stopping Tomcat, you might have forgotten to stop it one time and then fixed the config so you did this:

1. Start Tomcat A
   a. HTTP connector comes up on port 8080
   b. HTTPS connector fails to initialize (bad cert config)
2. Start Tomcat B
   a. HTTP connector fails to bind to port 8080 (Tomcat A is bound)
   b. HTTPS connector comes up on port 8443
3. Stop Tomcat
   a. Tomcat B stops
   b. Tomcat A remains running

In this situation, Tomcat A is still running on port 8080. Make sure that everything has stopped and repeat your tests -- with a clean logs/ directory.

-chris
Tomcat 7.0.5 SSL setup issue
I'm unable to setup SSL with Tomcat 7 on a Linux VM .. The error is as below - Please advise

*** CertificateRequest
Cert Types: RSA, DSS
Cert Authorities:
CN=Credit Suisse Internal CA, CN=AIA, CN=Public Key Services, CN=Services, CN=Configuration, DC=auredi, DC=net
*** ServerHelloDone
http-8443-exec-1, WRITE: SSLv3 Handshake, length = 3428
http-8443-exec-1, received EOFException: error
http-8443-exec-1, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-8443-exec-1, SEND SSLv3 ALERT: fatal, description = handshake_failure
http-8443-exec-1, WRITE: SSLv3 Alert, length = 2
http-8443-exec-1, called closeSocket()
http-8443-exec-1, IOException in getSession(): javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
http-8443-exec-1, called close()
http-8443-exec-1, called closeInternal(true)

catalina.out

Thanks
Nibu
Re: Tomcat 7.0.5 SSL setup issue
Thomas, Nibu wrote:
> I'm unable to setup SSL with Tomcat 7 on a Linux VM .. The error is as below - Please advise
> [...]

I think you really need to consult the following:

1) http://www.lmgtfy.com/?q=setup+SSL+with+Tomcat+7
2) http://catb.org/~esr/faqs/smart-questions.html
Re: Tomcat 7.0.5 SSL setup issue
Nibu,

On 12/19/11 3:46 AM, Thomas, Nibu wrote:
> I'm unable to setup SSL with Tomcat 7 on a Linux VM ..

If you're really running 7.0.5, then nobody is going to help you. That was a beta version of Tomcat released over 2 years ago.

-chris
FW: SSL setup for tomcat 7.0.10 using a CA cert
I have been trying to install a certificate on a Tomcat 7.0.10 on a Windows 64 bit 2008 server and getting this error.

Error Message
DerInputStream.getLength(): lengthTag=109, too big.

2011-05-07 21:19:08 Commons Daemon procrun stderr initialized
May 7, 2011 9:19:09 PM org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: D:\Tomcat 7.0\bin;.;C:\Windows\Sun\Java\bin;C:\Windows\system32;C:\Windows;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;D:\apache-ant-1.8.2\bin\;C:\Program Files\Java\jdk1.6.0_25\bin\;C:\OpenSSL-Win32\bin\
May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule begin
WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.
May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'liveDeploy' to 'false' did not find a matching property.
May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'debug' to '1' did not find a matching property.
May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [http-bio-8443]
May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.
        at sun.security.util.DerInputStream.getLength(Unknown Source)
        at sun.security.util.DerValue.init(Unknown Source)
        at sun.security.util.DerValue.init(Unknown Source)
        at com.sun.net.ssl.internal.pkcs12.PKCS12KeyStore.engineLoad(Unknown Source)
        at java.security.KeyStore.load(Unknown Source)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:409)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:308)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:561)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:507)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:451)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:159)
        at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:365)
        at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
        at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
        at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
        at java.lang.reflect.Method.invoke(Unknown Source)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
May 7, 2011 9:19:10 PM org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
        at org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
        at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
        at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
        at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
        at
RE: SSL setup for tomcat 7.0.10 using a CA cert
Chip-

take all the 32bit folders off the PATH
best to SET CLASSPATH=
download the 64bit windoze version of Tomcat7 from http://tomcat.apache.org/download-70.cgi
reconfigure and let us know if there are any further issues

Martin Gainty
__

> From: chipper7...@hotmail.com
> To: users@tomcat.apache.org
> Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert
> Date: Sun, 8 May 2011 08:09:12 -0400
RE: SSL setup for tomcat 7.0.10 using a CA cert
> From: Martin Gainty [mailto:mgai...@hotmail.com]
> Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert
>
> take all the 32bit folders off the PATH
> best to SET CLASSPATH=
> download the 64bit windoze version of Tomcat7 from http://tomcat.apache.org/download-70.cgi

All of the above is completely irrelevant, as usual.

- Chuck
RE: SSL setup for tomcat 7.0.10 using a CA cert
> From: chip chipper [mailto:chipper7...@hotmail.com]
> Subject: FW: SSL setup for tomcat 7.0.10 using a CA cert
>
> May 7, 2011 9:19:09 PM org.apache.catalina.startup.SetAllPropertiesRule begin
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'maxSpareThreads' to '75' did not find a matching property.

Read the Tomcat 7 doc - there is no maxSpareThreads attribute for a Connector.

> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host} Setting property 'liveDeploy' to 'false' did not find a matching property.

Ditto for liveDeploy on a Host.

> May 7, 2011 9:19:09 PM org.apache.tomcat.util.digester.SetPropertiesRule begin
> WARNING: [SetPropertiesRule]{Server/Service/Engine/Host/Context} Setting property 'debug' to '1' did not find a matching property.

Ditto for debug on a Context. Looks like you have grabbed an ancient server.xml and tried to use it with Tomcat 7 - you simply can't do that. Read the Tomcat 7 configuration guide and set what you need properly.

> May 7, 2011 9:19:10 PM org.apache.coyote.AbstractProtocolHandler init
> SEVERE: Failed to initialize end point associated with ProtocolHandler [http-bio-8443]
> java.io.IOException: DerInputStream.getLength(): lengthTag=109, too big.

My understanding of this is that there is an ASN.1 encoding error. The length is bigger than expected. Can you examine the certificates using keytool and see what it thinks of them?

> keytool ... -keystore mykeystore
> openssl ... -out keystore.tomcat
> keytool ... -keystore tomcat.keystore

I count three different keystore names here; which are we to believe?

> <Connector protocol="org.apache.coyote.http11.Http11Protocol" port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" keystoreFile="C:/cert/my.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>

And a fourth keystore name here.

Also, what you have above does not correspond with the maxSpareThreads error message displayed in the log. Either you're confusing everyone by reporting one set of log entries along with an unrelated config, or you're not running the config you think you are. It would be useful if you posted your entire server.xml file, with comments removed.

> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

You can't run APR with JSSE handling the SSL negotiation, so turning SSLEngine off is not useful. Besides, you don't appear to have the tcnative-1.dll installed, and you've forced use of the BIO connector, so changing the AprLifeCycleListener is ineffective.

- Chuck
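An added example, not code from anyone in this thread: a small Python check that tells you what a keystoreFile actually contains before pointing a connector at it, which covers both Chuck's "which of these four keystores are we to believe?" and Chris's point in the Tomcat 6 thread that APR wants PEM files while the BIO/NIO connectors want a JKS or PKCS12 keystore. The DER length decoding follows the long-form rule that Java's DerInputStream enforces (a length byte with the high bit set announces N more length bytes, N > 4 is rejected), so a file whose second byte is 0xED reproduces the "lengthTag=109, too big." seen in Chip's log; the sample byte strings are constructed, not taken from any file in the thread.

```python
"""Identify what a Tomcat keystoreFile really is before the connector loads it.

Added diagnostic example; the sample byte strings below are constructed, not
taken from any file posted in this thread.
"""
import sys
from typing import Dict, Iterable, Tuple

JKS_MAGIC = b"\xfe\xed\xfe\xed"   # first four bytes of every JKS keystore
PEM_HEADER = b"-----BEGIN"        # PEM is text: what the APR connector wants, not JSSE
DER_SEQUENCE = 0x30               # a PKCS#12 (PFX) file starts with a DER SEQUENCE tag


def der_length(data: bytes, pos: int) -> Tuple[int, int]:
    """Decode the DER length field at data[pos].

    Returns (content_length, index_of_first_content_byte). The long-form rule is
    the one behind Java's "DerInputStream.getLength(): lengthTag=N, too big.":
    a length byte with the high bit set announces N more length bytes, and
    N > 4 (more than 4 GiB of content) is rejected as nonsense.
    """
    first = data[pos]
    if first & 0x80 == 0:                      # short form: the byte is the length itself
        return first, pos + 1
    n = first & 0x7F                           # long form: how many length bytes follow
    if n == 0:
        raise ValueError("indefinite length is not valid DER")
    if n > 4:
        raise ValueError(f"DerInputStream.getLength(): lengthTag={n}, too big.")
    if pos + 1 + n > len(data):
        raise ValueError("truncated length field")
    return int.from_bytes(data[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def identify_keystore(data: bytes) -> str:
    """Classify a candidate keystore file by its leading bytes."""
    if data.startswith(JKS_MAGIC):
        return "JKS"
    if data.lstrip().startswith(PEM_HEADER):
        return "PEM"                           # usable by APR, never by keystoreFile
    if len(data) < 2:
        return "too short to be a keystore"
    try:                                       # byte 0 is the tag; the length starts at byte 1
        length, start = der_length(data, 1)
    except ValueError as exc:
        return f"not DER: {exc}"
    if data[0] != DER_SEQUENCE:
        return f"DER but tag 0x{data[0]:02x} is not SEQUENCE"
    if start + length != len(data):
        return "DER SEQUENCE but declared length does not match file size"
    return "PKCS12"


def check_files(paths: Iterable[str]) -> Dict[str, str]:
    """Map each path to its classification: the quick answer to 'which keystore is real?'."""
    results = {}
    for path in paths:
        with open(path, "rb") as fh:
            results[path] = identify_keystore(fh.read())   # keystores are small; read whole
    return results


# Constructed samples: not real keystores, just enough leading bytes to classify.
SAMPLE_JKS = JKS_MAGIC + b"\x00\x00\x00\x02" + b"\x00\x00\x00\x00"
SAMPLE_PEM = b"-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n"
SAMPLE_P12 = bytes([0x30, 0x82, 0x00, 0x05]) + b"\x02\x01\x03\x05\x00"   # SEQUENCE, long-form length 5
SAMPLE_WRONG_FILE = b"\x30\xed" + b"\x00" * 6   # second byte 0xED -> lengthTag 0x6D = 109

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, kind in check_files(sys.argv[1:]).items():
            print(f"{path}: {kind}")
    else:
        for name, blob in [("jks", SAMPLE_JKS), ("pem", SAMPLE_PEM),
                           ("p12", SAMPLE_P12), ("wrong", SAMPLE_WRONG_FILE)]:
            print(f"{name}: {identify_keystore(blob)}")
```

Run it with the candidate keystore paths as arguments (mykeystore, keystore.tomcat, tomcat.keystore, my.keystore in Chip's case); anything not reported as JKS or PKCS12 is not something a JSSE keystoreFile can load.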
RE: SSL setup for tomcat 7.0.10 using a CA cert
Chuck

The tomcat keystore was the wrong file. Thanks for the hint. I had a tomcat.keystore and a keystore.tomcat. Better naming would have avoided the embarrassment of using a user-group.

Thanks for the assistance and your time
Chip

> From: chuck.caldar...@unisys.com
> To: users@tomcat.apache.org
> Date: Sun, 8 May 2011 10:08:23 -0500
> Subject: RE: SSL setup for tomcat 7.0.10 using a CA cert
ssl setup in tomcat
Hi,

I am planning to setup secure connection in our environment which consists of apache webserver, tomcat (two instances running on the same machine) which talks to a third party application maintained by third party vendor.

I have ssl.crt and ssl.key files in apache; in tomcat I have ca trust store and jks file. Please let me know what Tomcat certificates should be shared to apache and what needs to be shared with third party application. If it is public key please let me know the keytool command to pull the public key.

thanks in advance
Hemanth
Re: ssl setup in tomcat
On 20/10/2010 12:44, Hemanth Gundlapudi wrote:
> Hi,
>
> I am planning to setup secure connection in our environment which consists of apache webserver, tomcat (two instances running on the same machine) which talks to a third party application maintained by third party vendor.

What are your exact HTTPD, Tomcat versions?

How are you planning to configure the connection between HTTPD and Tomcat?

> I have ssl.crt and ssl.key files in apache; in tomcat I have ca trust store and jks file. Please let me know what Tomcat certificates should be shared to apache and what needs to be shared with third party application. If it is public key please let me know the keytool command to pull the public key.

Your question is unclear, can you please rephrase it?

p

> thanks in advance
> Hemanth
Re: Two-way SSL setup as Tomcat as a client
Steve,

On 8/7/2010 6:24 PM, Steve Johnson wrote:
> I can confirm that the Apache HTTPClient module is a good way to go. In fact, it works with zero configuration. You simply give it a normal 'https' URL, and it does the right thing automagically.

I'm sure YF will need /some/ configuration: it looks like he's trying to use client SSL certificates, which definitely need to be configured before the SSL connection is established.

-chris
RE: Two-way SSL setup as Tomcat as a client
Hi P,

Thanks for response. I am referring to two-way SSL, not just one way. In two-way SSL, tomcat not only needs to trust server's root CA, it also needs to pass its signed certificate to the server so server can recognize it.

My experience for setting up WebSphere as 2-way SSL client: it did take some configuration on the WebSphere side.

Does anyone have similar experience?

Thanks,
YF.

> From: p...@pidster.com
> Date: Fri, 6 Aug 2010 14:24:32 +0100
> Subject: Re: Two-way SSL setup as Tomcat as a client
> To: users@tomcat.apache.org
>
> On 6 Aug 2010, at 13:12, yifeng wu <yifen...@hotmail.com> wrote:
> > Hi,
> >
> > I am trying to make a call from Tomcat to another application server (WebSphere) and the communication channel is secured with two-way SSL. I have been searching on the net for hours and cannot find the information about how to setup tomcat as a SSL client (there're plenty for setting up tomcat as a server for two-way SSL).
>
> Tomcat doesn't need configuring as an SSL client, your application does. That would be why there's nothing online about it.
>
> p
>
> > Can anyone share the information if you happen to know how?
> >
> > Thanks,
> > YF
RE: Two-way SSL setup as Tomcat as a client
From: yifeng wu [mailto:yifen...@hotmail.com]
Subject: RE: Two-way SSL setup as Tomcat as a client

> I am referring to two-way SSL, not just one-way.

Irrelevant; Pid's statement still stands: it's your webapp, not Tomcat, that is trying to communicate with an external server. Tomcat plays no role in such a connection, it's entirely up to your webapp. There is nothing in Tomcat to configure for this, since Tomcat is not involved. You'll need to use the secure connection capabilities of the JRE or a 3rd-party library of your choice to do the negotiation.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
RE: Two-way SSL setup as Tomcat as a client
I see. I guess I will look into using Apache HttpClient or some other library (any recommendation?). WebSphere actually takes care of the outbound SSL connection by configuration (no extra coding), that's why I got confused. Thanks for the input, Chuck.

YF

From: chuck.caldar...@unisys.com
To: users@tomcat.apache.org
Date: Sat, 7 Aug 2010 11:22:41 -0500
Subject: RE: Two-way SSL setup as Tomcat as a client

> Irrelevant; Pid's statement still stands: it's your webapp, not Tomcat, that is trying to communicate with an external server. Tomcat plays no role in such a connection, it's entirely up to your webapp. There is nothing in Tomcat to configure for this, since Tomcat is not involved. You'll need to use the secure connection capabilities of the JRE or a 3rd-party library of your choice to do the negotiation.
>
> - Chuck
Re: Two-way SSL setup as Tomcat as a client
I can confirm that the Apache HTTPClient module is a good way to go. In fact, it works with zero configuration. You simply give it a normal 'https' URL, and it does the right thing automagically.

It may be that you have to do some configuration of your JDK and environment to have SSL capabilities available to HTTPClient, but I don't think so. I don't remember ever doing that on my dev box, and I know for a fact that my use of HTTPClient allows HTTPS URLs with no additional fuss.

HTTPClient is an excellent library in general, as is most of the apache stuff.

Have fun!
S

On 8/7/2010 3:13 PM, yifeng wu wrote:
> I see. I guess I will look into using Apache HttpClient or some other library (any recommendation?). WebSphere actually takes care of the outbound SSL connection by configuration (no extra coding), that's why I got confused. Thanks for the input, Chuck.
>
> YF
Two-way SSL setup as Tomcat as a client
Hi,

I am trying to make a call from Tomcat to another application server (WebSphere) and the communication channel is secured with two-way SSL. I have been searching on the net for hours and cannot find the information about how to set up Tomcat as an SSL client (there're plenty for setting up Tomcat as a server for two-way SSL). Can anyone share the information if you happen to know how?

Thanks,
YF
Re: Two-way SSL setup as Tomcat as a client
On 6 Aug 2010, at 13:12, yifeng wu yifen...@hotmail.com wrote:
> Hi, I am trying to make a call from Tomcat to another application server (WebSphere) and the communication channel is secured with two-way SSL. I have been searching on the net for hours and cannot find the information about how to set up Tomcat as an SSL client (there're plenty for setting up Tomcat as a server for two-way SSL).

Tomcat doesn't need configuring as an SSL client, your application does. That would be why there's nothing online about it.

p

> Can anyone share the information if you happen to know how?
>
> Thanks,
> YF
SSL setup question
I'm having a problem setting up SSL with Tomcat. The situation is this: I have a system running IBM's Netcool/Portal software. We added SSL to the Portal a while back. I created a certificate for the machine. However, Netcool/Portal does not create a keystore file - you simply copy the certificate as a text file into a specific directory and it works from there. Netcool/Portal has its own version of the JDK.

Now, on the same machine, I have installed a current JDK (v1.6) and my own installation of Tomcat (v6.0.16). Runs just fine on port 8080. I want to add SSL capability to the Tomcat setup so I can talk to it using https. I created a keystore file using the certificate we generated for Netcool, as follows:

keytool -importcert -v -trustcacerts -alias tomcat -keystore path_to_keystore/keystore.kdb -file /opt/netcool/portal/path_to_cert/server.crt

Then,

keytool -list -keystore ./keystore.kdb
Enter keystore password:

Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 20, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 11:87:A8:7C:BB:55:AC:68:46:34:4F:45:7D:62:9C:AF

So I have a keystore.

I set up the tomcat server.xml file:

<Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" clientAuth="false" keystoreFile="/usr/path_to_keystore/keystore.kdb" keystorePass="password" sslProtocol="TLS" />

And when I start Tomcat, I get an infinite loop in the log file that looks like:

Nov 20, 2008 1:40:17 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 20, 2008 1:40:17 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-7443
Nov 20, 2008 1:40:17 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 886 ms
Nov 20, 2008 1:40:17 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 20, 2008 1:40:17 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/6.0.16
Nov 20, 2008 1:40:18 PM com.sun.faces.config.ConfigureListener contextInitialized
INFO: Initializing Sun's JavaServer Faces implementation (1.2_04-b20-p03) for context '/NCAdmin'
Nov 20, 2008 1:40:20 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener listeners.ContextListener is already configured for this context. The duplicate definition has been ignored.
Nov 20, 2008 1:40:20 PM org.apache.catalina.core.StandardContext addApplicationListener
INFO: The listener listeners.SessionListener is already configured for this context. The duplicate definition has been ignored.
Nov 20, 2008 1:40:20 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 20, 2008 1:40:20 PM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-7443
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:619)
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:619)
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
        at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
        at java.lang.Thread.run(Thread.java:619)
Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
SEVERE: Socket accept failed

I'm not an SSL expert, so I'm not sure where to look. Am I missing an intermediate certificate somewhere? Or have I configured the keystore incorrectly? I'd appreciate any pointers or suggestions for getting this running.

Thanks very much,
nbc

NAME: Neil B. Cohen (Verisign Inc.)
PHONE: 703-948-4471
DOMAIN: [EMAIL PROTECTED]
Re: SSL setup question
The infinite loop is fixed in 6.0.18. The system will still not start, since the JVM you're running with doesn't support the type of cipher that your keystore is trying to use. Search http://tomcat.markmail.org for the same error, it's been answered before.

Filip

Neil B. Cohen wrote:
> I created a keystore file using the certificate we generated for Netcool, as follows:
>
> keytool -importcert -v -trustcacerts -alias tomcat -keystore path_to_keystore/keystore.kdb -file /opt/netcool/portal/path_to_cert/server.crt
>
> tomcat, Nov 20, 2008, trustedCertEntry,
>
> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
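What the keytool listing in this thread actually shows, as an added check that is not from either poster: the only entry is a trustedCertEntry, which stores a certificate but no private key, and a server-side TLS connector can only serve from a PrivateKeyEntry. "No available certificate or key corresponds to the SSL cipher suites which are enabled" is the message JSSE produces when the key manager has no private key to offer for any enabled suite. keytool -importcert into an empty keystore can only create trusted-certificate entries; a key entry comes from keytool -genkeypair followed by a CSR and an import of the CA reply under the same alias, or from importing a PKCS#12 bundle that already carries the key. The Java program below inspects any keystore from the connector's point of view; its path, type and passwords are command-line arguments, and none of the paths or passwords in the thread are assumed.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;

/**
 * Reports what a keystore holds, as a TLS server connector would see it.
 * Only aliases printed as PrivateKeyEntry can be used by keystoreFile/keyAlias.
 * Usage: java KeystoreCheck <keystore-file> <JKS|PKCS12> <store-password> [key-password]
 */
public class KeystoreCheck {

    public static KeyStore load(String path, String type, char[] storePass) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, storePass);
        }
        return ks;
    }

    /** Aliases a server connector could actually present: a private key with a certificate chain. */
    public static List<String> privateKeyAliases(KeyStore ks) throws Exception {
        List<String> usable = new ArrayList<>();
        for (String alias : Collections.list(ks.aliases())) {
            if (ks.isKeyEntry(alias) && ks.getCertificateChain(alias) != null) {
                usable.add(alias);
            }
        }
        return usable;
    }

    /** Tomcat unlocks the private key with keyPass; a key that does not open with it is as bad as no key. */
    public static boolean keyOpensWith(KeyStore ks, String alias, char[] keyPass) throws Exception {
        try {
            Key key = ks.getKey(alias, keyPass);
            return key != null;
        } catch (UnrecoverableKeyException e) {
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreCheck <keystore-file> <JKS|PKCS12> <store-password> [key-password]");
            return;
        }
        char[] storePass = args[2].toCharArray();
        // Connector default: key password same as keystore password unless keyPass is set.
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;
        KeyStore ks = load(args[0], args[1], storePass);

        for (String alias : Collections.list(ks.aliases())) {
            String kind = ks.isKeyEntry(alias) ? "PrivateKeyEntry" : "trustedCertEntry";
            Certificate c = ks.getCertificate(alias);
            String subject = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getSubjectX500Principal().getName() : "?";
            String expiry = (c instanceof X509Certificate)
                    ? ((X509Certificate) c).getNotAfter().toString() : "?";
            System.out.printf("%-16s %-16s %s (expires %s)%n", alias, kind, subject, expiry);
            if (ks.isKeyEntry(alias)) {
                System.out.printf("%-16s key opens with keyPass: %s%n", "", keyOpensWith(ks, alias, keyPass));
            }
        }

        if (privateKeyAliases(ks).isEmpty()) {
            System.out.println("No PrivateKeyEntry: a server connector cannot use this keystore. "
                    + "Generate a key pair (keytool -genkeypair) or import a PKCS#12 that contains the key.");
        }
    }
}
```

Run it against the file named by keystoreFile with the password from keystorePass; a keystore that lists nothing but trustedCertEntry lines, as in the thread, will fail the handshake regardless of which cipher suites the JVM supports. When the private key for an existing certificate lives elsewhere (here, wherever Netcool keeps it), bundle key and certificate with openssl pkcs12 -export and point keystoreType="PKCS12" at that file instead of importing the certificate alone.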
Re: SSL setup help
The entry

keystoreFile="${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore"

is almost certainly wrong. For this to work, you would have to start Tomcat with the weird entry -D/usr/local/jre1.6.0_06/bin/keystore.key=/path/to/my/keystore/keys. Tomcat does variable substitution when parsing the various config xml files based on System properties when it sees something like ${variable}. (This is a Tomcat-specific feature, so you can't count on porting it to another container).

Michael A. Tucker [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> I'm trying to setup SSL on a web app that I have running on a server. I created my keystore.key file and then uncommented this section in my server.xml file: [...]
> Now when I go to https://localhost:8443/ I get a failed-to-connect page load error. I think I'm not doing something wrong in the server.xml file, but I'm not sure what.
SSL setup help
I'm trying to setup SSL on a web app that I have running on a server. I created my keystore.key file and then uncommented this section in my server.xml file:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true" keystoreFile="${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore" keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

Now when I go to https://localhost:8443/ I get a failed-to-connect page load error. I think I'm not doing something wrong in the server.xml file, but I'm not sure what. I already have another program running on 443, so could that interfere? I also don't know what APR means in the SSL doc.
Re: SSL setup help
Hi,

To configure Tomcat using SSL on Windows I use:

multi-host tomcat ssl on windows

download and install java 1.5 jdk
set JAVA_HOME to the root of the JDK directory
add JAVA_HOME\bin to the path
install Visual C++ 2008 redistributable
download and install openssl: http://www.openssl.org -- related -- binaries (at the top)
place the files in c:\program files\openssl
set OPENSSL_HOME to c:\program files\openssl
add OPENSSL_HOME\bin to the path
search for an openssl.cnf on google
download and install tomcat
download tomcat and extract to c:\program files\apache software foundation\tomcat
set CATALINA_HOME to c:\program files\apache software foundation\tomcat
download tomcat native and extract to CATALINA_HOME\bin
add CATALINA_HOME\bin to the path
set CLASSPATH to .;%CATALINA_HOME%\lib\servlet-api.jar;%CATALINA_HOME%\lib\jsp-api.jar

cd %CATALINA_HOME%\conf
mkdir ssl
cd ssl
genrsa -aes256 -out key.pem 8192
Enter pass phrase for key.pem: proactix
req -new -key key.pem -sha1 -x509 -out cert.pem

<Connector protocol="org.apache.coyote.http11.Http11AprProtocol" port="443" enableLookups="true" disableUploadTimeout="true" acceptCount="100" maxThreads="200" scheme="https" secure="true" SSLEnabled="true" SSLCertificateFile="${catalina.home}/conf/ssl/cert.pem" SSLCertificateKeyFile="${catalina.home}/conf/ssl/key.pem" SSLPassword="proactix" sslProtocol="TLSv1"/>

The same should be similar on Linux.

Regards,
Serge Fonville

On Wed, Nov 5, 2008 at 4:29 PM, Michael A. Tucker [EMAIL PROTECTED] wrote:
> I'm trying to setup SSL on a web app that I have running on a server. I created my keystore.key file and then uncommented this section in my server.xml file: [...]
> I already have another program running on 443, so could that interfere? I also don't know what APR means in the SSL doc.
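The ${...} mistake in this thread, shown as an added pair of server.xml fragments that are not from either poster: Tomcat replaces ${name} with the Java system property of that name when it parses server.xml, so ${/usr/local/jre1.6.0_06/bin/keystore.key} asks for a property that nobody defined, the reference cannot be resolved, and keystoreFile names a file that does not exist. The properties Tomcat itself defines, ${catalina.base} and ${catalina.home}, are the ones worth using, which also keeps the keystore under the Tomcat instance rather than in the JRE's bin directory. Port 8443 is a different socket from the other program's 443, so that does not interfere. The fixed fragment assumes a hypothetical keystore at conf/keystore.jks under the instance directory and keeps the placeholder password changeit.

```xml
<!-- Broken: ${...} is a system-property reference, not a path. No property of that
     name exists, so keystoreFile does not point at the keystore and the connector
     has no key to serve; browsers see a refused or dropped connection on 8443. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${/usr/local/jre1.6.0_06/bin/keystore.key}/.keystore"
           keystorePass="changeit" clientAuth="false" sslProtocol="TLS" />

<!-- Fixed: the keystore lives in the instance's conf/ directory and is addressed
     through ${catalina.base}, which Tomcat sets itself. keyAlias pins the entry
     to present, so an extra key added later cannot silently change the identity. -->
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
           maxThreads="150" scheme="https" secure="true"
           keystoreFile="${catalina.base}/conf/keystore.jks"
           keystorePass="changeit" keyAlias="tomcat"
           clientAuth="false" sslProtocol="TLS" />
```

After the change, confirm in catalina.out that the 8443 protocol handler reports a clean start, and restrict read access to server.xml to the Tomcat service account: keystorePass sits in it in clear text, and that password is all that protects the private key.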
Re: tomcat 5.0.28 and SSL setup
If you are still looking for a solution: there is a mismatch in your information: you wrote that the keystore file would be located in your home directory, but in the connector properties the keystore is referenced as located at /user/machine/.keystore. Are you aware of this difference?

Johann

- Original Message -
From: Tami Corn [EMAIL PROTECTED]
To: users@tomcat.apache.org
Sent: Saturday, January 05, 2008 3:10 PM
Subject: tomcat 5.0.28 and SSL setup

> My problem: Port 8443 won't open. But I can see port 8080. Running Tomcat 5.0.28 on Mac OS 10.4.11 (no firewall yet). [...]
> (My keystore is located in my user's home directory along with a folder that has the certs in it.)
> [...] keyAlias="tomcat" keystoreFile="/Users/machine/.keystore" keystorePass="..."
tomcat 5.0.28 and SSL setup
My problem: Port 8443 won't open. But I can see port 8080. Running Tomcat 5.0.28 on Mac OS 10.4.11 (no firewall yet). I'm not using a self-signed cert. I created a CSR request, got my certs and have imported my certs in the following order using Terminal. Everything I have researched says they have to be installed in a particular order or they will not work:

root - AddTrustExternalCARoot.crt
inter - UTNAddTrustServer_CA.crt
chain - NetworkSolutions_CA.crt
tomcat - mydomain.com.crt

(My keystore is located in my user's home directory along with a folder that has the certs in it.) If I run printcert on them in Terminal, they look good to me compared to documentation and examples online. (However, I'm a newbie.) I have uncommented the connector port in the server.xml config.

<Connector port="8443" maxThreads="100" minSpareThreads="5" maxSpareThreads="25" enableLookups="false" disableUploadTimeout="true" acceptCount="100" debug="0" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" keyAlias="tomcat" keystoreFile="/Users/machine/.keystore" keystorePass="..." />

Tomcat Log shows:

2008-01-05 07:25:56 StandardContext[/servlets-examples]ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', '[Ljava.lang.String;@8e7b84')
2008-01-05 07:25:56 StandardContext[/servlets-examples]ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', '[Ljava.lang.String;@4f53eb')
2008-01-05 07:25:56 StandardContext[/servlets-examples]ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', '[Ljava.lang.String;@e6b82')
2008-01-05 07:25:56 StandardContext[/servlets-examples]SessionListener: contextDestroyed()
2008-01-05 07:25:56 StandardContext[/servlets-examples]ContextListener: contextDestroyed()
2008-01-05 07:25:56 StandardContext[/jsp-examples]ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', '[Ljava.lang.String;@8e45a8')
2008-01-05 07:25:56 StandardContext[/jsp-examples]ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', '[Ljava.lang.String;@7f3202')
2008-01-05 07:25:56 StandardContext[/jsp-examples]ContextListener: attributeReplaced('org.apache.catalina.WELCOME_FILES', '[Ljava.lang.String;@ac5c8b')
2008-01-05 07:25:56 StandardContext[/jsp-examples]SessionListener: contextDestroyed()
2008-01-05 07:25:56 StandardContext[/jsp-examples]ContextListener: contextDestroyed()
2008-01-05 07:29:44 StandardContext[/balancer]Exception starting filter BalancerFilter
java.lang.NoClassDefFoundError: org/apache/commons/digester/Digester
        at org.apache.webapp.balancer.RulesParser.createDigester(RulesParser.java:65)
        at org.apache.webapp.balancer.RulesParser.init(RulesParser.java:43)
        at org.apache.webapp.balancer.BalancerFilter.init(BalancerFilter.java:79)
        at org.apache.catalina.core.ApplicationFilterConfig.getFilter(ApplicationFilterConfig.java:225)
        at org.apache.catalina.core.ApplicationFilterConfig.setFilterDef(ApplicationFilterConfig.java:308)
        at org.apache.catalina.core.ApplicationFilterConfig.init(ApplicationFilterConfig.java:79)
        at org.apache.catalina.core.StandardContext.filterStart(StandardContext.java:3698)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4349)
        at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:823)
        at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:807)
        at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:595)
        at org.apache.catalina.core.StandardHostDeployer.install(StandardHostDeployer.java:277)
        at org.apache.catalina.core.StandardHost.install(StandardHost.java:832)
        at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:701)
        at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:432)
        at org.apache.catalina.startup.HostConfig.start(HostConfig.java:983)
        at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:349)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1091)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:789)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1083)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:478)
        at org.apache.catalina.core.StandardService.start(StandardService.java:480)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:2313)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:556)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at
Re: Tomcat 5.0.28 - SSL Setup
Lyallex,

That worked! Thank you! I had copied and pasted from the TomCat SSL HowTo, but that didn't work... I appreciate your time! Now, on to other TomCat problems; this server failure is killing me!

-jeff

Lyallex wrote:
> The first thing that strikes me is that you have not defined a connector for port 8443, here's one of mine (Tomcat 5.5.23) [...]
> I think you probably need this because (at the very least) you have 'redirectPort=8443' in your non ssl Connector config
>
> Rgds
> Duncan
Re: Tomcat 5.0.28 - SSL Setup
The first thing that strikes me is that you have not defined a connector for port 8443, here's one of mine (Tomcat 5.5.23)

<Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" keystoreFile="..." sslProtocol="TLS" />

I think you probably need this because (at the very least) you have 'redirectPort=8443' in your non-SSL Connector config

Rgds
Duncan

On 7/26/07, Jeffrey C. Baldwin [EMAIL PROTECTED] wrote:
> Hello All,
>
> I'm in a bit of a pinch here. Just had an old Solaris server fail that housed our Tomcat environment and now I'm trying to put the pieces back together on a new server. I have a few of the applications up and running, but now I've run into an app that wants to run over SSL and I'm having a hard time getting it to work.
>
> Environment: Tomcat 5.0.28 running on CentOS 5
>
> I am including my server.xml below. I have already generated my certificate after reading this document and put the cert into /usr/local/tomcat: http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html
>
> Can someone please advise me on how to get SSL up and running on port 8443?
>
> [...]
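Added check, not code from this thread: a small Python script that parses a server.xml in the shape Jeff posted and reports the mismatch Duncan points out, a redirectPort with no https connector listening on it, plus an https connector missing keystoreFile or sslProtocol. The sample XML is constructed and the keystore path is a placeholder.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of the server.xml posted in the thread:
# both connectors redirect to 8443, but nothing listens there for https.
BROKEN_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8080" redirectPort="8443" maxThreads="150"/>
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
  </Service>
</Server>"""

# The same file with an https connector of the kind Duncan posted added;
# the keystoreFile path is a placeholder, not a value from the thread.
FIXED_XML = BROKEN_XML.replace(
    "  </Service>",
    '    <Connector port="8443" scheme="https" secure="true" clientAuth="false"\n'
    '               keystoreFile="/path/to/keystore" sslProtocol="TLS"/>\n'
    "  </Service>",
)


def check_connectors(xml_text):
    """Return a list of problems found in the <Connector> elements of a server.xml."""
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    problems = []
    # Ports on which an https connector is actually defined.
    https_ports = {
        c.get("port") for c in connectors
        if c.get("scheme") == "https" and c.get("secure") == "true"
    }

    for c in connectors:
        port, target = c.get("port"), c.get("redirectPort")
        # redirectPort only works if an https connector listens on that port.
        if target and target not in https_ports:
            problems.append(f"connector on port {port} redirects to {target}, "
                            f"but no https connector is defined on {target}")
        if port in https_ports:
            # Tomcat 5 falls back to ~/.keystore when keystoreFile is absent.
            if not c.get("keystoreFile"):
                problems.append(f"https connector on port {port} has no keystoreFile")
            if not c.get("sslProtocol"):
                problems.append(f"https connector on port {port} has no sslProtocol")
    return problems


if __name__ == "__main__":
    for label, text in (("as posted", BROKEN_XML), ("with 8443 connector", FIXED_XML)):
        print(label + ":", check_connectors(text) or ["ok"])
```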
Tomcat 5.0.28 - SSL Setup
Hello All,

I'm in a bit of a pinch here. Just had an old Solaris server fail that housed our Tomcat environment and now I'm trying to put the pieces back together on a new server. I have a few of the applications up and running, but now I've run into an app that wants to run over SSL and I'm having a hard time getting it to work.

Environment: Tomcat 5.0.28 running on CentOS 5

I am including my server.xml below. I have already generated my certificate after reading this document and put the cert into /usr/local/tomcat: http://tomcat.apache.org/tomcat-5.0-doc/ssl-howto.html

Can someone please advise me on how to get SSL up and running on port 8443?

<?xml version='1.0' encoding='utf-8'?>
<Server>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <GlobalNamingResources>
    <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
    <Resource auth="Container" description="User database that can be updated and saved"
              name="UserDatabase" type="org.apache.catalina.UserDatabase"/>
    <ResourceParams name="UserDatabase">
      <parameter>
        <name>factory</name>
        <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
      </parameter>
      <parameter>
        <name>pathname</name>
        <value>conf/tomcat-users.xml</value>
      </parameter>
    </ResourceParams>
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector acceptCount="100" connectionTimeout="2" disableUploadTimeout="true"
               port="8080" redirectPort="8443" maxSpareThreads="75" maxThreads="150"
               minSpareThreads="25">
    </Connector>
    <Connector port="8009" protocol="AJP/1.3"
               protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"
               redirectPort="8443">
    </Connector>
    <Engine defaultHost="localhost" name="Catalina">
      <Host name="localhost" debug="0" appBase="webapps" unpackWARs="true"
            autoDeploy="true" xmlValidation="false" xmlNamespaceAware="false">
        <Valve className="org.apache.catalina.valves.AccessLogValve" directory="logs"
               prefix="localhost_access_log." suffix=".txt" pattern="common"
               resolveHosts="false"/>
        <Logger className="org.apache.catalina.logger.FileLogger" directory="logs"
                prefix="localhost_log." suffix=".txt" timestamp="true"/>
      </Host>
      <Logger className="org.apache.catalina.logger.FileLogger" prefix="catalina_log."
              suffix=".txt" timestamp="true"/>
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
    </Engine>
  </Service>
</Server>
SSL Setup From Site
After creating a new Host, I now want to set up SSL on it. Following the docs I did the following:

1) create keystore

E:\Tomcat\bin\DEVKEY>keytool -genkey -alias tomcat -keyalg RSA -keystore E:/Tomcat/bin/DEVKEY/devKeystore

answered questions.

2) made sure passwords were the same. (changeit)

3) uncommented the Connector

<Connector port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           keystoreFile="E:/Tomcat/bin/DEVKEY/devKeystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

// added above keystore location.

4) restarted Tomcat, but I do not get SSL?

http://devsite (still happy)
https://devsite (cannot connect)

I am running all local here, no external hassles.

Now, while reading the docs for the nth time, I am wondering if I need to create a certificate or not? It is hard to tell as they roll into discussing OpenSSL or VeriSign/Thawte.

Anyway, if I am missing a step here, please let me know.

Sincerely