Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
Well, using a keystore created on my WinDoze box, and FTP'd to the 400 definitely works: Port 8443 came right up.

But that still leaves open the question of why on earth keytool fails to create valid keystores on the 400, whether run from QShell or QP2Term. Inquiring minds want to know.

BTW: Like any other developer distributing Java products, we have a keystore with the CA-signed certificate we use to sign JARs. Would that KS and certificate also work for SSL support on Tomcat? Or is it limited to JAR-signing? (Not that we would ever want to let that keystore, and its passwords, out of our hands!)

--
JHHL
Re: Tomcat 7 SSL activation on AS/400?
Tim,

On 1/9/12 6:32 PM, Tim Watts wrote:
> Can you successfully run this command:
>
> keytool -list -keystore {path/to/your/keystore/file} -storepass {passwd-in-server.xml}

Good idea.

> If so, perhaps it's a character encoding issue? Don't remember if
> AS/400 uses EBCDIC as its default character set.

Er, I'm pretty sure the keystore is a well-defined binary format that shouldn't be affected by character encoding issues. I'm no expert, though.

Seems weird to hear that an FTP'd file works... that would imply that keytool on your AS/400 box is somehow broken -- but only for writes. Weird.

-chris
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
On Tue, 2012-01-10 at 09:35 -0800, James Lampert wrote:
> Tim Watts wrote:
> > That's a possibility if it's padding the passwords as well. I'm not an
> > AS/400 expert by any means. Is /foo a preallocated file and if so could
> > the problem be with the way it was allocated?
>
> The Java-400 list over at Midrange.com is also in on this (albeit not
> this specific message).
>
> I tried putting the password, and some of the values, in single quotes,
> and others in double quotes. No change in behavior: the confirmation
> message fields were padded, and the quote marks were shown in them.
>
> Hmm. THIS is INTERESTING!
>
> If I FTP a keystore created on my WinDoze box onto the 400, then KEYTOOL
> there can read it. FASCINATING.

Ha! Presumably you FTP-ed in binary mode? Maybe that solves your original problem too.

I know the big mainframe OSes can run Unix VMs which is what the bank where I used to work ran all their Java servers in. Perhaps AS/400 has something similar and would make your app easier to manage.

Hope there's an AS/400 expert lurking on the list; I don't think I can offer much further help. If you do work it out on midrange.com maybe you could post your solution here too for others to learn from.

Good Luck.

> --
> JHHL
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
Tim Watts wrote:
> That's a possibility if it's padding the passwords as well. I'm not an
> AS/400 expert by any means. Is /foo a preallocated file and if so could
> the problem be with the way it was allocated?

The Java-400 list over at Midrange.com is also in on this (albeit not this specific message).

I tried putting the password, and some of the values, in single quotes, and others in double quotes. No change in behavior: the confirmation message fields were padded, and the quote marks were shown in them.

Hmm. THIS is INTERESTING!

If I FTP a keystore created on my WinDoze box onto the 400, then KEYTOOL there can read it. FASCINATING.

--
JHHL
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
On Mon, 2012-01-09 at 15:55 -0800, James Lampert wrote:
> Tim Watts (from the Tomcat Users List) wrote:
> > Can you successfully run this command:
> >
> > keytool -list -keystore {path/to/your/keystore/file} -storepass {passwd-in-server.xml}
>
> It gives the same error message. And yes, EBCDIC is the default encoding
> for AS/400s. The attributes on /foo show that it has a CCSID of 819,
> though, which (if my memory and the IBM docs are correct) is ASCII.
>
> Here's a QShell transcript from a test I ran specifically so that I
> could post everything without betraying any passwords:
>
> >> keytool -genkey -alias foo -keyalg RSA -keystore /foo
> > Enter keystore password:
> >> bar
> > What is your first and last name?
> > [Unknown]:
> >> James Lampert
> > What is the name of your organizational unit?
> > [Unknown]:
> >> Development Lab
> > What is the name of your organization?
> > [Unknown]:
> >> Touchtone Corporation
> > What is the name of your City or Locality?
> > [Unknown]:
> >> Costa Mesa
> > What is the name of your State or Province?
> > [Unknown]:
> >> California
> > What is the two-letter country code for this unit?
> > [Unknown]:
> >> US
> > Is CN="James Lampert
> >
> >
> >
> > ", OU="Development Lab
> >
> >
> >
> > ", O="Touchtone Corporation
> > ", L="Costa Mesa
> >
> >
> >
> >", ST="California
> >
> >
> >
> >", C="US
> >
> >
> >
> > " correct? (type "yes" or "no")
> > [no]:
> >> yes
> >
> > Enter key password for :
> > (RETURN if same as keystore password):
> >> bar
> > $
> >
> >> keytool -list -keystore /foo -storepass bar
> >>
> > keytool error (likely untranslated): java.io.IOException: Keystore was
> > tampered with, or password was incorrect
> > $
> >
>
> Another thought occurred to me: Could the trailing blanks shown in the
> confirmation message have anything to do with the problem?

That's a possibility if it's padding the passwords as well. I'm not an AS/400 expert by any means. Is /foo a preallocated file and if so could the problem be with the way it was allocated?

Perhaps what's encrypted in the file was ASCII but the keystrokes in your shell (and chars in server.xml file) are EBCDIC?

> --
> JHHL
Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)
Tim Watts (from the Tomcat Users List) wrote:
> Can you successfully run this command:
>
> keytool -list -keystore {path/to/your/keystore/file} -storepass {passwd-in-server.xml}

It gives the same error message. And yes, EBCDIC is the default encoding for AS/400s. The attributes on /foo show that it has a CCSID of 819, though, which (if my memory and the IBM docs are correct) is ASCII.

Here's a QShell transcript from a test I ran specifically so that I could post everything without betraying any passwords:

>> keytool -genkey -alias foo -keyalg RSA -keystore /foo
> Enter keystore password:
>> bar
> What is your first and last name?
> [Unknown]:
>> James Lampert
> What is the name of your organizational unit?
> [Unknown]:
>> Development Lab
> What is the name of your organization?
> [Unknown]:
>> Touchtone Corporation
> What is the name of your City or Locality?
> [Unknown]:
>> Costa Mesa
> What is the name of your State or Province?
> [Unknown]:
>> California
> What is the two-letter country code for this unit?
> [Unknown]:
>> US
> Is CN="James Lampert ", OU="Development Lab ", O="Touchtone Corporation ", L="Costa Mesa ", ST="California ", C="US " correct? (type "yes" or "no")
> [no]:
>> yes
> Enter key password for :
> (RETURN if same as keystore password):
>> bar
> $
>> keytool -list -keystore /foo -storepass bar
> keytool error (likely untranslated): java.io.IOException: Keystore was tampered with, or password was incorrect
> $

Another thought occurred to me: Could the trailing blanks shown in the confirmation message have anything to do with the problem?

--
JHHL
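
The thread raises two hypotheses for the "Keystore was tampered with, or password was incorrect" error: blank-padded password input and an EBCDIC/ASCII mismatch. The following Python example is added here and is not code from any poster or from Tomcat; it reproduces the integrity check of the standard JKS format (SHA-1 over the UTF-16BE password, the constant "Mighty Aphrodite", and the keystore bytes) and tries both variants against a constructed empty keystore. That the IBM provider on the AS/400 uses this same check, the pad widths tried, and the cp037 code page are all assumptions.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
WHITENER = b"Mighty Aphrodite"  # constant mixed into the JKS integrity digest


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over the password as UTF-16BE, the whitener, then the body."""
    return hashlib.sha1(password.encode("utf-16-be") + WHITENER + body).digest()


def build_empty_jks(password: str) -> bytes:
    """Constructed sample input: a zero-entry JKS sealed with `password`."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version, entry count
    return body + jks_digest(password, body)


def password_matches(store: bytes, password: str) -> bool:
    """True when `password` reproduces the 20-byte trailer of `store`."""
    if len(store) < 32 or struct.unpack(">I", store[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return hmac.compare_digest(jks_digest(password, store[:-20]), store[-20:])


def diagnose(store: bytes, typed: str, max_pad: int = 256) -> str:
    """Report which variant of the typed password the keystore was sealed with."""
    if password_matches(store, typed):
        return "as typed"
    # Hypothesis 1: the input field was blank-padded (max_pad is an assumption).
    for width in range(len(typed) + 1, max_pad + 1):
        if password_matches(store, typed.ljust(width)):
            return f"blank-padded to {width} chars"
    # Hypothesis 2: EBCDIC bytes were taken as chars (cp037 is an assumption).
    if password_matches(store, typed.encode("cp037").decode("latin-1")):
        return "EBCDIC bytes taken as chars"
    return "no match"


if __name__ == "__main__":
    padded_store = build_empty_jks("bar".ljust(80))  # constructed; 80 is arbitrary
    print(diagnose(padded_store, "bar"))
```

To run it against a real file, read the keystore in binary mode and pass the bytes to `diagnose` together with the password as it was typed.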
Re: Tomcat 7 SSL activation on AS/400?
Can you successfully run this command:

keytool -list -keystore {path/to/your/keystore/file} -storepass {passwd-in-server.xml}

If so, perhaps it's a character encoding issue? Don't remember if AS/400 uses EBCDIC as its default character set.

On Mon, 2012-01-09 at 14:42 -0800, James Lampert wrote:
> I'm attempting to bring up SSL support in Tomcat 7, on an AS/400 (V6R1).
>
> Tomcat itself runs nicely, but following the instructions on
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
> I am consistently getting:
>
> SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> > Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
> >   at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >   at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >   at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
> >   at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
> >   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> >   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
> >   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
> >   at java.lang.reflect.Method.invoke(Method.java:611)
> >   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
> >   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
> > Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
> >   at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
> >   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
> >   ... 12 more
> > Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
> >   at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
> >   at java.security.KeyStore.load(KeyStore.java:414)
> >   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
> >   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
> >   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
> >   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
> >   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
> >   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
> >   at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
> >   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
> >   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
> >   at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
> >   at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
> >   ... 13 more
> > Caused by: java.security.UnrecoverableKeyException: Password verification failed
> >   ... 26 more
>
> I've tried it with the default keystore name, location, and passwords;
> I've tried it with an explicit name, location,
Re: Tomcat 7 SSL activation on AS/400?
>> Caused by: java.io.IOException: Keystore was tampered with, or password
>> was incorrect

Well, I don't know what is the problem. I followed these steps and it worked: http://blog.frankel.ch/ssl-your-tomcat-7

Other option is HTTP Connector in your server.xml is incorrectly configured
Tomcat 7 SSL activation on AS/400?
I'm attempting to bring up SSL support in Tomcat 7, on an AS/400 (V6R1).

Tomcat itself runs nicely, but following the instructions on http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html I am consistently getting:

SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
> Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
>   at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>   at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
>   at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
>   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
>   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
>   at java.lang.reflect.Method.invoke(Method.java:611)
>   at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
>   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
> Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
>   at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
>   ... 12 more
> Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
>   at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
>   at java.security.KeyStore.load(KeyStore.java:414)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
>   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
>   at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
>   at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
>   at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
>   at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
>   at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
>   ... 13 more
> Caused by: java.security.UnrecoverableKeyException: Password verification failed
>   ... 26 more

I've tried it with the default keystore name, location, and passwords; I've tried it with an explicit name, location, and both key and keystore passwords. The above exceptions are thrown consistently, except for one occasion when the keystore simply didn't exist where expected.

--
James H. H. Lampert