tomcat6 and https
Hi there, I'm trying to use tomcat with URL https. My application is running well and I can use it via http. Now I'm trying to configure tomcat to use https. I'm running 6.0.20 (debian package revision -dfsg1-1). In the server.xml I have the following connectors.

My first connector (http):

    <Connector port="8080" maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" redirectPort="8443" acceptCount="100" URIEncoding="UTF-8" />

My second connector (https):

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" keystoreFile="conf/keystore" keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

About tomcat I'm really a newbie, so I read several documents from the tomcat website. I understood that tomcat can be connected to apache. My Debian host looks to use Coyote and not apache. My host already uses a self-signed certificate with apache. So I used this certificate, named myserver.pem, in the command:

    $ keytool -import -noprompt -v -storepass changeit -keystore $CATALINA_BASE/conf/keystore -alias tomcat -file myserver.pem

But when I restart tomcat, I get the following message in the tomcat logs:

    09-Feb-2010 11:00:03 org.apache.coyote.http11.Http11Protocol start
    SEVERE: Error starting endpoint
    java.io.IOException: jsse.invalid_ssl_conf
    ...
    Caused by: javax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

I don't understand what I did wrong.

-- 
*Fabien COMBERNOUS*
/unix system engineer/
www.kezia.com http://www.kezia.com/
*Tel: +33 (0) 467 992 986*
Kezia Group

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: tomcat6 and https
2010/2/9 Fabien COMBERNOUS fcombern...@kezia.com:
> My second connector (https):
>
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
>                scheme="https" secure="true" keystoreFile="conf/keystore" keystorePass="changeit"
>                clientAuth="false" sslProtocol="TLS" />

Try to specify

    keystoreFile="${catalina.base}/conf/keystore" keyAlias="tomcat"

Note that the SSL Howto document has a Troubleshooting section:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Troubleshooting

HTTP Connector configuration reference:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Best regards,
Konstantin Kolinko
Re: tomcat6 and https
Konstantin Kolinko wrote:
> 2010/2/9 Fabien COMBERNOUS fcombern...@kezia.com:
>> My second connector (https):
>>
>>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
>>                scheme="https" secure="true" keystoreFile="conf/keystore" keystorePass="changeit"
>>                clientAuth="false" sslProtocol="TLS" />
>
> Try to specify
>
>     keystoreFile="${catalina.base}/conf/keystore" keyAlias="tomcat"

I already tried to specify an absolute path. But nothing is different.

I didn't use keyAlias. With this keyAlias added, now I get the following message:

    java.io.IOException: Alias name tomcat does not identify a key entry

But keytool can list tomcat:

    keytool -list -keystore /etc/tomcat6/keystore
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    tomcat, 09-Feb-2010, trustedCertEntry,
    Certificate fingerprint (MD5): 25:4D:A9:FB:10:99:19:8F:71:0C:27:42:A4:6C:F2:76

> Note that the SSL Howto document has a Troubleshooting section:
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html#Troubleshooting

Yes, and at the end of this part it says: "If you are still having problems, a good source of information is the TOMCAT-USER mailing list." That is why I'm writing here :)

Thank you for your help.
Re: tomcat6 and https
On 09/02/2010 14:06, Fabien COMBERNOUS wrote:
>     keytool -list -keystore /etc/tomcat6/keystore
>     Enter keystore password:
>
>     Keystore type: JKS
>     Keystore provider: SUN
>
>     Your keystore contains 1 entry
>
>     tomcat, 09-Feb-2010, trustedCertEntry,
>     Certificate fingerprint (MD5): 25:4D:A9:FB:10:99:19:8F:71:0C:27:42:A4:6C:F2:76

You imported the certificate but not the key. You can't import the key via the command line. You need to use something like this:
http://www.agentbob.info/agentbob/79-AB.html?branch=1language=1

Mark
Re: tomcat6 and https
Mark Thomas wrote:
> You imported the certificate but not the key. You can't import the key via the command line. You need to use something like this:
> http://www.agentbob.info/agentbob/79-AB.html?branch=1language=1

Hum ... I can export my cert and key to pkcs12. The tomcat documents say it is possible to use pkcs12. pkcs12 stores private keys with accompanying public key certificates. So I don't have to use external tools like you suggest. Isn't it?
Re: tomcat6 and https
On 09/02/2010 15:31, Fabien COMBERNOUS wrote:
> Mark Thomas wrote:
>> You imported the certificate but not the key. You can't import the key via the command line. You need to use something like this:
>> http://www.agentbob.info/agentbob/79-AB.html?branch=1language=1
>
> Hum ... I can export my cert and key to pkcs12. The tomcat documents say it is possible to use pkcs12. pkcs12 stores private keys with accompanying public key certificates.

All correct.

> So I don't have to use external tools like you suggest. Isn't it?

Yes you do. Keytool doesn't support importing private keys.

Mark
Re: tomcat6 and https [solved]
Fabien COMBERNOUS wrote:
> Mark Thomas wrote:
>> You imported the certificate but not the key. You can't import the key via the command line. You need to use something like this:
>> http://www.agentbob.info/agentbob/79-AB.html?branch=1language=1
>
> Hum ... I can export my cert and key to pkcs12. The tomcat documents say it is possible to use pkcs12. pkcs12 stores private keys with accompanying public key certificates. So I don't have to use external tools like you suggest. Isn't it?

I did this, and with pkcs12 all is running well. Don't forget to set keystoreType="PKCS12"; the default is JKS.

Thank you for your help.
Re: tomcat6 and https [solved]
On 09/02/2010 16:01, Fabien COMBERNOUS wrote:
> Fabien COMBERNOUS wrote:
>> Mark Thomas wrote:
>>> You imported the certificate but not the key. You can't import the key via the command line. You need to use something like this:
>>> http://www.agentbob.info/agentbob/79-AB.html?branch=1language=1
>>
>> Hum ... I can export my cert and key to pkcs12. The tomcat documents say it is possible to use pkcs12. pkcs12 stores private keys with accompanying public key certificates. So I don't have to use external tools like you suggest. Isn't it?
>
> I did this, and with pkcs12 all is running well. Don't forget to set keystoreType="PKCS12"; the default is JKS.
>
> Thank you for your help.

Great. Looks like keytool has been updated. That is good news.

Mark
Re: tomcat6 and https [solved]
Mark Thomas wrote:
> On 09/02/2010 16:01, Fabien COMBERNOUS wrote:
>> Fabien COMBERNOUS wrote:
>>> Mark Thomas wrote:
>>>> You imported the certificate but not the key. You can't import the key via the command line. You need to use something like this:
>>>> http://www.agentbob.info/agentbob/79-AB.html?branch=1language=1
>>>
>>> Hum ... I can export my cert and key to pkcs12. The tomcat documents say it is possible to use pkcs12. pkcs12 stores private keys with accompanying public key certificates. So I don't have to use external tools like you suggest. Isn't it?
>>
>> I did this, and with pkcs12 all is running well. Don't forget to set keystoreType="PKCS12"; the default is JKS.
>>
>> Thank you for your help.
>
> Great. Looks like keytool has been updated. That is good news.

I didn't use keytool but only openssl. I converted the certificate used by apache and the private key into pkcs12. Then tomcat can directly use pkcs12 if you set the keystoreType value to PKCS12.
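The procedure this thread converges on (openssl bundles the Apache PEM private key and certificate into PKCS12, and Tomcat loads the bundle with keystoreType="PKCS12") together with the diagnosis Mark gave earlier (a keytool listing that shows only a trustedCertEntry holds no private key, so the connector cannot start), as an added worked example. This is not code from the thread or from the Tomcat project. The file names server.key, server.crt and tomcat.p12, the alias tomcat and the password changeit are placeholders, and the two keytool listings the check runs over are constructed samples modelled on the one posted above.

```shell
#!/bin/sh
# Added example, not code from the thread or the Tomcat project. It reproduces the fix
# the thread ends with: package a PEM certificate and private key into a PKCS12 bundle
# with openssl, point the Tomcat connector at it with keystoreType="PKCS12", and check
# beforehand that the keystore actually holds a private key, not only a trusted cert.
# Assumed placeholders: server.key, server.crt, tomcat.p12, alias "tomcat", password changeit.

# A keystore can terminate TLS only if it holds a PrivateKeyEntry. The listing in the
# thread shows a trustedCertEntry, which carries the public certificate but no key; that
# is why Tomcat reported that no certificate or key matched the enabled cipher suites.
keystore_has_key_entry() {
    # $1: text of a "keytool -list" run
    printf '%s\n' "$1" | grep -q 'PrivateKeyEntry'
}

# Constructed sample listings; the first mirrors the one posted in the thread.
SAMPLE_TRUST_ONLY='Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, 09-Feb-2010, trustedCertEntry,
Certificate fingerprint (MD5): 25:4D:A9:FB:10:99:19:8F:71:0C:27:42:A4:6C:F2:76'

SAMPLE_WITH_KEY='Keystore type: PKCS12
Keystore provider: SunJSSE

Your keystore contains 1 entry

tomcat, 09-Feb-2010, PrivateKeyEntry,
Certificate fingerprint (SHA1): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11:22:33'

# Bundle a PEM private key and certificate into PKCS12, the openssl step from the thread.
# $1 key, $2 certificate, $3 output file, $4 export password, $5 alias
# (the alias becomes the PKCS12 friendlyName, which is what Tomcat's keyAlias names).
build_pkcs12_bundle() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -out "$3" -name "$5" -passout "pass:$4"
}

# Count the private keys in a PKCS12 bundle; a usable Tomcat keystore holds exactly one.
# $1 bundle, $2 password
pkcs12_private_key_count() {
    openssl pkcs12 -in "$1" -nocerts -nodes -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN .*PRIVATE KEY'
}

# Print the HTTPS connector matching the bundle. keystoreType defaults to JKS, so it
# has to be set explicitly, as the thread's solved message notes.
print_https_connector() {
    # $1 keystore path, $2 keystore password, $3 alias
    cat <<EOF
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
           keystoreFile="$1" keystoreType="PKCS12" keystorePass="$2" keyAlias="$3" />
EOF
}

# End-to-end round trip on a throwaway self-signed key pair generated here (no real
# server key is touched): build the bundle and report how many private keys it holds.
demo_pkcs12_roundtrip() {
    tmp=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$tmp/server.key" \
        -out "$tmp/server.crt" -subj '/CN=localhost' -days 1 >/dev/null 2>&1 || return 1
    build_pkcs12_bundle "$tmp/server.key" "$tmp/server.crt" "$tmp/tomcat.p12" changeit tomcat || return 1
    pkcs12_private_key_count "$tmp/tomcat.p12" changeit
    rm -rf "$tmp"
}

if keystore_has_key_entry "$SAMPLE_TRUST_ONLY"; then
    echo "sample listing: has a private key entry"
else
    echo "sample listing: trusted certificate only, Tomcat cannot serve TLS from it"
fi
if command -v openssl >/dev/null 2>&1; then
    echo "private keys in generated bundle: $(demo_pkcs12_roundtrip)"
    print_https_connector '${catalina.base}/conf/tomcat.p12' changeit tomcat
fi
```

Run it with sh. On a real host, replace the generated pair with the key and certificate Apache already uses, keep the -name given to openssl equal to the connector's keyAlias, and make sure server.xml (which now carries keystorePass in clear) is readable only by the user Tomcat runs as. The listing check is the quick way to confirm a keystore before restarting Tomcat: if keytool -list shows trustedCertEntry and no PrivateKeyEntry, the connector will fail exactly as it did in this thread.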