Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Charles Van Damme
OK Christopher:

1) Output tabs of NetBeans IDE
1.1) Tomcat 7.0 :
Using CATALINA_BASE:   C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11
Using CATALINA_HOME:   C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11
Using CATALINA_TMPDIR: C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11\temp
Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_22
Using CLASSPATH:   C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11\bin\bootstrap.jar;C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11\bin\tomcat-juli.jar
10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path: C:\Program
Files\Java\jdk1.6.0_22\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\System32\Wbem;C:\Program
Files\Java\jdk1.6.0_22\bin;C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11
10-jun-2011 15:14:11 org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [http-nio-443]
10-jun-2011 15:14:12 org.apache.coyote.AbstractProtocolHandler init
SEVERE: Failed to initialize end point associated with ProtocolHandler
[http-nio-443]
java.security.NoSuchAlgorithmException: RSA SSLContext not available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:478)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
at
org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
10-jun-2011 15:14:12 org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector
[Connector[org.apache.coyote.http11.Http11NioProtocol-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Caused by: java.security.NoSuchAlgorithmException: RSA SSLContext not
available
at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:478)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
at
org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at

Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Pid
On 10/06/2011 14:25, Charles Van Damme wrote:
> java.security.NoSuchAlgorithmException: RSA SSLContext not available

It seems pretty clear that RSA isn't accepted by Java as a valid
algorithm.


p






Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Charles Van Damme
Dear Pid,

Yes, RSA fails, and I'm wondering why.
Meanwhile, in 'server.xml' (see my previous e-mail), I changed RSA to
TLS. Only that.

Output tabs :
1.1) Tomcat 7.0 :
Using CATALINA_BASE:   C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11
Using CATALINA_HOME:   C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11
Using CATALINA_TMPDIR: C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11\temp
Using JRE_HOME:C:\Program Files\Java\jdk1.6.0_22
Using CLASSPATH:   C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11\bin\bootstrap.jar;C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11\bin\tomcat-juli.jar
10-jun-2011 17:13:56 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal
performance in production environments was not found on the
java.library.path: C:\Program
Files\Java\jdk1.6.0_22\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\System32\Wbem;C:\Program
Files\Java\jdk1.6.0_22\bin;C:\Program Files\ApacheSoftwFound\Apache Tomcat
7.0.11
10-jun-2011 17:13:57 org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [http-nio-443]
10-jun-2011 17:13:57 org.apache.coyote.AbstractProtocolHandler init
SEVERE: Failed to initialize end point associated with ProtocolHandler
[http-nio-443]
java.security.UnrecoverableKeyException: Cannot recover key
at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
at
sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
at
sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
at java.security.KeyStore.getKey(KeyStore.java:763)
at
com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.init(SunX509KeyManagerImpl.java:113)
at
com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:568)
at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:507)
at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:479)
at
org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
at
org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
at
org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
10-jun-2011 17:13:57 org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector
[Connector[org.apache.coyote.http11.Http11NioProtocol-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization
failed
at
org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at
org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
at 

Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Sriram Narayanan
Charles, you are facing multiple problems here. One is with the RSA,
and the other is with starting Tomcat instances.

On Fri, Jun 10, 2011 at 8:48 PM, Charles Van Damme chava...@gmail.com wrote:

<snip/>

> At which moment does NetBeans start the Tomcat server ?
> If I operate a shutdown.bat and a startup.bat from start  Cmd , how does it
> interfere with the Tomcat server thread started up by NetBeans ?

Regardless of how you start Tomcat (batch file or within NetBeans), if
you start Tomcat with the default config and get it to bind to port
443, then the operating system will give it port 443.

If you now start another Tomcat instance, and get that too to bind to
port 443, then the OS will tell this second Tomcat that the port is
already in use.

This is why you see "Starting of Tomcat failed, the server port 443 is
already in use."

You need to run exactly one Tomcat instance on port 443 for now. As
you get more familiar with Tomcat, you'll be able to do interesting
things like work with SSL on ports other than 443 (and thereby run
multiple Tomcat instances serving SSL, etc).


> Thanks.
> Chavadam



-- Sriram

-- 
==
Belenix: www.belenix.org

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Christopher Schultz

Charles,

On 6/10/2011 9:25 AM, Charles Van Damme wrote:
> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: [...]

FWIW, that's just an INFO message, but if you are going to be using SSL,
you might want to go ahead and install the APR library: your performance
will improve measurably. Note that Connector configuration for an APR
connector using SSL is completely different if you choose to go this route.

If you are not going to be using APR, you can disable the APR lifecycle
listener because you aren't using it.

> java.security.NoSuchAlgorithmException: RSA SSLContext not available

As Pid points out, it's pretty obvious that RSA is not a valid
algorithm in this situation:

> at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
> at
> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)

So, it's an SSL configuration problem. Let's look at your SSL Connector:

> <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port
> 443 -->
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="443"
>            maxThreads="150" scheme="https" secure="true"
>            SSLEnabled="true"
>            keystoreFile="C:/Documents and Settings/Papa/.keystore"
>            keystorePass="changeit"
>            clientAuth="false" sslProtocol="RSA" />

So, you have sslProtocol="RSA"... seems like a good place to look. If
you check the Connector documentation, you can see that there are only
a few recognized protocols you can choose.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Note that protocol refers to the protocol used for SSL, not for any
specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat
documentation does not list all the available protocols, nor should it:
the protocols available to you are determined by JVM support.

The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to
documentation for standard names (which takes you through several hops
to) here:
http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext

Those are the valid ssl protocol names you can choose.

If you want to use only ciphers that use the RSA algorithm (which is really
limiting, IMO), you can look up their names here (after scrolling a bit
downward):

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames

Just look for stuff like SSL_DH_DSS_blah_blah_blah.

Of course, support for a certain algorithm might not be available in
your environment. It's best to find out what your JVM supports and use that.

I wrote a short bit of code a while back to determine the supported
algorithms and the default cipher suite for an SSLSocketFactory. I'll
try to dig it up and post it.

> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If you aren't using AJP, then disable the extra connector.

> Hoping you are not overwhelmed. Anything else ?

You had other errors in the log file. After you get SSL working
properly, stop Tomcat, delete all your logs and re-launch it. Anything
that looks like an error should be investigated and fixed.

Feel free to come back to the list for help on those additional issues:
just remember to start a new thread if you do.

- -chris

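A pre-flight check for the Connector settings discussed above, as an added example (not code from this thread or from Tomcat). It repeats the two JSSE calls Tomcat's JSSESocketFactory makes when the connector starts, SSLContext.getInstance(sslProtocol) and KeyStore.getKey(alias, keyPass), so that an sslProtocol value the JVM does not know (such as "RSA"), a misspelled cipher suite name, or a private key whose password differs from the keystore password is reported before Tomcat is restarted. It assumes Tomcat 7's JSSE connector falls back to keystorePass for the key password when keyPass is not set, and it should be run with the same JVM that runs Tomcat; the class name and the sample cipher list are made up for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/** Added example: checks JSSE Connector attributes against the running JVM. Not Tomcat code. */
public class ConnectorSslPreflight {

    /** Mirrors sslProtocol="...": true if this JVM has an SSLContext of that name. */
    public static boolean sslProtocolSupported(String sslProtocol) {
        try {
            SSLContext.getInstance(sslProtocol);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;   // this is the "RSA SSLContext not available" case
        }
    }

    /** Mirrors ciphers="...": returns the requested suite names this JVM does not support. */
    public static List<String> unsupportedCiphers(String[] requested) {
        SSLServerSocketFactory ssf = (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        Set<String> supported = new HashSet<String>(Arrays.asList(ssf.getSupportedCipherSuites()));
        List<String> missing = new ArrayList<String>();
        for (String c : requested) {
            if (!supported.contains(c)) missing.add(c);
        }
        return missing;
    }

    /**
     * Mirrors keystoreFile / keystorePass / keyPass: opens the store with storePass and
     * recovers every key entry with keyPass. Assumption: Tomcat uses keystorePass as the
     * key password when keyPass is not set, so a key created by keytool with its own
     * password fails exactly like the "Cannot recover key" trace earlier in this thread.
     */
    public static String checkKeystore(String path, char[] storePass, char[] keyPass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType()); // "jks" on JDK 6
        InputStream in = new FileInputStream(path);
        try {
            ks.load(in, storePass); // a wrong storePass surfaces here as an IOException
        } finally {
            in.close();
        }
        StringBuilder report = new StringBuilder();
        boolean foundKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements(); ) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) continue;   // trusted-cert entries have no key to recover
            foundKey = true;
            try {
                ks.getKey(alias, keyPass);
                report.append("OK   key entry '").append(alias).append("' recoverable with keyPass\n");
            } catch (UnrecoverableKeyException ex) {
                report.append("FAIL key entry '").append(alias).append("': ").append(ex.getMessage())
                      .append(" (set keyPass=\"...\" on the Connector to the key's own password)\n");
            }
        }
        if (!foundKey) report.append("FAIL no key entry found in ").append(path).append('\n');
        return report.toString();
    }

    public static void main(String[] args) throws Exception {
        // The two sslProtocol values from the thread: "RSA" is not an SSLContext name, "TLS" is.
        for (String p : new String[] { "RSA", "TLS" }) {
            System.out.println("sslProtocol=\"" + p + "\": " + (sslProtocolSupported(p) ? "OK" : "NOT SUPPORTED"));
        }
        // Constructed sample cipher list: one real RSA suite and one made-up name.
        String[] ciphers = { "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_NOSUCH_CIPHER" };
        System.out.println("unsupported ciphers: " + unsupportedCiphers(ciphers));
        // Optional: java ConnectorSslPreflight <keystoreFile> <keystorePass> [keyPass]
        if (args.length >= 2) {
            char[] storePass = args[1].toCharArray();
            char[] keyPass = args.length > 2 ? args[2].toCharArray() : storePass;
            System.out.print(checkKeystore(args[0], storePass, keyPass));
        }
    }
}
```

Run it with no arguments to see which protocol and cipher names the JVM accepts, or with the keystore path and passwords from the Connector to confirm the key can actually be recovered with them.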



Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Christopher Schultz

All,

On 6/10/2011 3:59 PM, Christopher Schultz wrote:
> It's best to find out what your JVM supports and use that.
> 
> I wrote a short bit of code a while back to determine the supported
> algorithms and the default cipher suite for an SSLSocketFactory.

As promised, see below. No warranty. Free license. Attributions appreciated.

- -chris

package com.chadis.tools.security;

import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Map;
import java.util.TreeMap;

import javax.net.ssl.SSLServerSocketFactory;

public class SSLInfo
{
    public static void main(String[] args)
        throws Exception
    {
        // With arguments, look only at the named providers (e.g. "SunJSSE");
        // without, walk every provider registered in this JVM.
        boolean enumeratedProviders = (null != args && 0 < args.length);

        // Get SSL protocol info
        Provider providers[];
        if(enumeratedProviders)
        {
            providers = new Provider[args.length];
            for(int i = 0; i < args.length; i++)
                providers[i] = Security.getProvider(args[i]);
        } else {
            providers = Security.getProviders();
        }

        System.out.println("Supported SSL Protocols:");
        boolean foundProtocol = false;

        for(int i = 0; i < providers.length; i++)
        {
            Provider p = providers[i];

            // Skip any providers that don't actually exist
            // (Security.getProvider returns null for an unknown name)
            if(null == p) continue;

            // Provider properties are keyed "<Service>.<Algorithm>"; the
            // SSLContext.* keys are the names sslProtocol="..." will accept.
            List<String> keys = new ArrayList<String>();
            for(Object key : p.keySet())
                keys.add(String.valueOf(key));
            Collections.sort(keys);

            for(String key : keys)
            {
                if(key.startsWith("SSLContext.")
                   && !"SSLContext.Default".equals(key))
                {
                    foundProtocol = true;
                    System.out.print("  ");
                    System.out.print(key.substring("SSLContext.".length()));
                    System.out.print(" (");
                    System.out.print(p.getName());
                    System.out.println(")");
                }
            }
        }

        if(!foundProtocol)
        {
            if(enumeratedProviders)
                System.out.println(" ! No SSL protocols supported by any requested provider");
            else
                System.out.println(" ! No SSL protocols supported by any provider");
        }

        // Get cipher suite info: every suite the default factory supports,
        // marked with '*' where the suite is also enabled by default.
        SSLServerSocketFactory ssf =
            (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();

        String[] defaultCiphers = ssf.getDefaultCipherSuites();
        String[] availableCiphers = ssf.getSupportedCipherSuites();

        TreeMap<String,Boolean> ciphers = new TreeMap<String,Boolean>();

        for(int i = 0; i < availableCiphers.length; ++i)
            ciphers.put(availableCiphers[i], Boolean.FALSE);

        for(int i = 0; i < defaultCiphers.length; ++i)
            ciphers.put(defaultCiphers[i], Boolean.TRUE);

        System.out.println("Default\tCipher Name");

        for(Map.Entry<String,Boolean> cipher : ciphers.entrySet()) {
            if(Boolean.TRUE.equals(cipher.getValue()))
                System.out.print('*');
            else
                System.out.print(' ');

            System.out.print('\t');
            System.out.println(cipher.getKey());
        }
    }
}




Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Patrick Flaherty

Hi,

Is the APR/native Connector dramatically faster than the Java NIO Blocking
Connector, or is it marginal?


I'd love faster SSL but all my keys and certs are Java-based
(keytool). Will APR ever support Java SSL?


I find Java keytool to be reasonably easy to use. Is OpenSSL as easy
to use?


Thanks for any input.

Pat

Patrick Flaherty

Rampage Systems Inc.
411 Waverley Oaks Rd.   
Suite 138
Waltham, MA. 02452-8405
781-891-9400 x239

Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Pid
On 10/06/2011 21:29, Patrick Flaherty wrote:
> Hi,
> 
> Is APR/native Connector dramatically faster then Java Nio Blocking
> Connector or is it marginal ?

APR+SSL is a little faster, if I remember correctly, Chris?

> I'd love faster SSL but all my keys and certs are java based (keytool).
> Will APR ever support Java SSL ?

No.

> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to
> use ?

Yes.


p


Re: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Christopher Schultz

Pid,

On 6/10/2011 4:37 PM, Pid wrote:
> On 10/06/2011 21:29, Patrick Flaherty wrote:
>> Hi,
>>
>> Is APR/native Connector dramatically faster then Java Nio Blocking
>> Connector or is it marginal ?
> 
> APR+SSL is a little faster, if I remember correctly, Chris?

I haven't benchmarked SSL configurations, only cleartext HTTP. Both the
APR and NIO connectors were /way/ faster than the BIO connector with
serving static content.

>> I'd love faster SSL but all my keys and certs are java based (keytool).
>> Will APR ever support Java SSL ?
> 
> No.

Converting certs between formats is pretty trivial.

>> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to
>> use ?
> 
> Yes.

You don't even have to use OpenSSL for anything directly. I like the
APR/SSL configuration better because you don't have to muck-around with
keytool, certificate stores, etc... you just have plain-old PEM files,
just like Apache httpd uses (APR is httpd code, so there you go).

- -chris

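Following on from the remark above that converting between formats is trivial and that the APR connector wants plain PEM files, an added example (not code from this thread or from Tomcat) that exports one private-key entry of a keytool-made JKS keystore as the PEM files the APR connector reads through its SSLCertificateKeyFile, SSLCertificateFile and SSLCertificateChainFile attributes. It assumes Java 8 or later (for java.util.Base64), that the alias holds a private key entry with its certificate chain, and that the key password is the keystore password unless a fourth argument is given; the output file names are chosen here.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Base64;

/** Added example: JKS private-key entry to PEM files for the APR/OpenSSL connector. Not Tomcat code. */
public class JksToPem {

    private static final String EOL = "\n";

    /** Wraps DER bytes in a PEM block with 64-column Base64 lines, as OpenSSL writes them. */
    public static String toPem(String type, byte[] der) {
        String b64 = Base64.getMimeEncoder(64, EOL.getBytes(StandardCharsets.US_ASCII)).encodeToString(der);
        return "-----BEGIN " + type + "-----" + EOL + b64 + EOL + "-----END " + type + "-----" + EOL;
    }

    /** Java exports private keys as unencrypted PKCS#8, which OpenSSL reads as a "PRIVATE KEY" block. */
    public static String privateKeyPem(PrivateKey key) {
        if (!"PKCS#8".equals(key.getFormat())) {
            throw new IllegalArgumentException("unexpected key encoding: " + key.getFormat());
        }
        return toPem("PRIVATE KEY", key.getEncoded());
    }

    /** One "CERTIFICATE" block per certificate, in the order given. */
    public static String certificatesPem(Certificate[] chain) throws Exception {
        StringBuilder sb = new StringBuilder();
        for (Certificate c : chain) sb.append(toPem("CERTIFICATE", c.getEncoded()));
        return sb.toString();
    }

    private static void write(String name, String pem) throws IOException {
        try (OutputStream out = new FileOutputStream(name)) {
            out.write(pem.getBytes(StandardCharsets.US_ASCII));
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: JksToPem <keystoreFile> <alias> <storePass> [keyPass]");
            System.exit(2);
        }
        String alias = args[1];
        char[] storePass = args[2].toCharArray();
        char[] keyPass = args.length > 3 ? args[3].toCharArray() : storePass;

        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, storePass);
        }
        Key key = ks.getKey(alias, keyPass);   // wrong keyPass -> UnrecoverableKeyException
        if (!(key instanceof PrivateKey)) {
            throw new IllegalStateException(alias + " is not a private key entry");
        }
        Certificate[] chain = ks.getCertificateChain(alias);   // leaf first, then issuers

        // The key file is unencrypted: restrict its permissions to the Tomcat user,
        // exactly as you would for an httpd SSLCertificateKeyFile.
        write("server.key", privateKeyPem((PrivateKey) key));          // SSLCertificateKeyFile
        write("server.crt", toPem("CERTIFICATE", chain[0].getEncoded())); // SSLCertificateFile
        if (chain.length > 1) {                                          // SSLCertificateChainFile
            write("chain.crt", certificatesPem(Arrays.copyOfRange(chain, 1, chain.length)));
        }
    }
}
```

The three files map straight onto the APR Connector attributes named in the comments; because the exported key carries no passphrase, the SSLPassword attribute is not needed, and file-system permissions are the only thing protecting the key.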



RE: My web application to use SSL (JSSE - RSA)

2011-06-10 Thread Adamus, Steven J.
We switched from JSSE to the APR and OpenSSL about 6 months ago.  We
converted all existing keys and certs to the format required by OpenSSL.
It was not hard.  Some people say it can't be done, but they're wrong.
After 6 months with OpenSSL, I say it's easier to use than JSSE.  We use
not only server-side certs, we also require client certificate
authentication and perform certificate revocation checking.

-Original Message-
From: users-return-225336-STEVEN.J.ADAMUS=saic@tomcat.apache.org
[mailto:users-return-225336-STEVEN.J.ADAMUS=saic@tomcat.apache.org]
On Behalf Of Pid
Sent: Friday, June 10, 2011 1:37 PM
To: Tomcat Users List
Subject: Re: My web application to use SSL (JSSE - RSA)

On 10/06/2011 21:29, Patrick Flaherty wrote:
 Hi,
 
 Is APR/native Connector dramatically faster then Java Nio Blocking 
 Connector or is it marginal ?

APR+SSL is a little faster, if I remember correctly, Chris?

 I'd love faster SSL but all my keys and certs are java based
(keytool).
 Will APR ever support Java SSL ?

No.

 I find Java keytool to be reasonably easy to use. Is OpenSSL as easy 
 to use ?

Yes.


p

 Thanks for any input.
 
 Pat
 
 On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:
 
 Charles,
 
 On 6/10/2011 9:25 AM, Charles Van Damme wrote:
 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener 
 init
 INFO: The APR based Apache Tomcat Native library which allows 
 optimal performance in production environments was not found on the
 java.library.path: [...]
 
 FWIW, that's just an INFO message, but if you are going to be using 
 SSL, you might want to go ahead and install the APR library: your 
 performance will improve measurably. Note that Connector 
 configuration for an APR connector using SSL is completely different 
 if you choose to go this route.
 
 If you are not going to be using APR, you can disable the APR 
 lifecycle listener because you aren't using it.
 
 java.security.NoSuchAlgorithmException: RSA SSLContext not 
 available
 
 As Pid points out, it's pretty obvious that RSA is not a valid 
 algorithm in this situation:
 
 at
sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
 at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
 at
 org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(
 JSSESocketFactory.java:490)

 
 So, it's an SSL configuration problem. Let's look at your SSL
 Connector:
 
 !-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector 
 on port
 443 --
 Connector
protocol=org.apache.coyote.http11.Http11NioProtocol
 port=443
maxThreads=150 scheme=https secure=true
 SSLEnabled=true
keystoreFile=C:/Documents and
Settings/Papa/.keystore
 keystorePass=changeit
clientAuth=false sslProtocol=RSA /
 
 SO, you have sslProtocol=RSA... seems like a good place to look. If 
 you check the Connector documentation, you can see that there are 
 only a few recognized protocols you can choose.
 
 http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
 
 Note that protocol refers to the protocol used for SSL, not for any 
 specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat 
 documentation does not list all the available protocols, nor should it: 
 the protocols available to you are determined by JVM support.
 
 The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to 
 documentation for standard names (which takes you through several hops 
 to) here:
 http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext
 
 
 Those are the valid ssl protocol names you can choose.
 
 If you want use only ciphers that use the RSA algorithm (which is 
 really limiting, IMO), you can look up their names here (after 
 scrolling a bit downward):
 
 http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames
 
 
 Just look for stuff like SSL_DH_DSS_blah_blah_blah.
 
 Of course, support for a certain algorithm might not be available in 
 your environment. It's best to find out what your JVM supports and use 
 that.
 
 I wrote a short bit of code a while back to determine the supported 
 algorithms and the default cipher suite for an SSLSocketFactory. I'll 
 try to dig it up and post it.
 
 <!-- Define an AJP 1.3 Connector on port 8009 -->
 <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
 
 If you aren't using AJP, then disable the extra connector.
 
 Hoping you are not overwhelmed. Anything else ?
 
 You had other errors in the log file. After you get SSL working 
 properly, stop Tomcat, delete all your logs and re-launch it. Anything 
 that looks like an error should be investigated and fixed.
 
 Feel free to come back to the list for help on those additional issues: 
 just remember to start a new thread if you do.
 
 -chris

-
To unsubscribe, e-mail: users-unsubscr
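Chris's reply above makes two points that are easy to check against the JVM itself: the only values sslProtocol accepts are the SSLContext algorithm names the installed providers register (so "RSA" fails with exactly the NoSuchAlgorithmException in Charles's log), and the cipher suites that use RSA key exchange can be picked out of the JSSE standard names. The program below is an added example written for this page; it is not the code Chris says he will dig up, nor anything from Tomcat. It assumes only the standard JSSE API of the JDK 6 era used in the thread (Security.getProviders, SSLContext.getInstance, SSLSocketFactory.getDefaultCipherSuites/getSupportedCipherSuites); the class and method names are the example's own.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Added example (not Tomcat code): reports what the running JVM actually
 * offers to a JSSE connector - the SSLContext algorithm names that are
 * valid values for sslProtocol, and the cipher suites of the default
 * SSLSocketFactory.
 */
public class JsseCapabilities {

    /** SSLContext algorithm names registered by the installed security providers. */
    public static Set<String> sslContextNames() {
        Set<String> names = new TreeSet<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return names;
    }

    /**
     * The same lookup Tomcat's JSSESocketFactory performs with the
     * sslProtocol value; false means NoSuchAlgorithmException.
     */
    public static boolean isUsableSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /**
     * Keeps only suites whose key exchange is plain RSA. In the JSSE
     * standard names the key-exchange algorithm follows the TLS_/SSL_
     * prefix, so RSA key exchange appears as TLS_RSA_WITH_... or
     * SSL_RSA_WITH_... (TLS_DHE_RSA_... and similar use RSA only for
     * authentication, not for key exchange, and are excluded here).
     */
    public static List<String> rsaKeyExchangeSuites(String[] suites) {
        List<String> out = new ArrayList<String>();
        for (String s : suites) {
            if (s.startsWith("TLS_RSA_WITH_") || s.startsWith("SSL_RSA_WITH_")) {
                out.add(s);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SSLContext names usable as sslProtocol: " + sslContextNames());

        // "RSA" is a key/cipher algorithm, not a protocol, so it fails here
        // just as it did in the Tomcat log; "TLS" is the usual choice.
        for (String candidate : new String[] { "RSA", "TLS", "SSL", "TLSv1" }) {
            System.out.println("sslProtocol=\"" + candidate + "\" usable: "
                    + isUsableSslProtocol(candidate));
        }

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        System.out.println("Default cipher suites:");
        for (String s : factory.getDefaultCipherSuites()) {
            System.out.println("  " + s);
        }
        System.out.println("Supported suites with RSA key exchange:");
        for (String s : rsaKeyExchangeSuites(factory.getSupportedCipherSuites())) {
            System.out.println("  " + s);
        }
    }
}
```

Compile and run it with the same JDK that Tomcat uses (here `javac JsseCapabilities.java && java JsseCapabilities` under C:\Program Files\Java\jdk1.6.0_22), since a different JVM can register different providers. The names printed on the first line are the complete set of legal sslProtocol values; a suite list printed by the last loop is what you would put in the Connector's ciphers attribute (documented on the http.html page Chris links) if you really do want to restrict the connector to RSA key exchange.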

Re: My web application to use SSL (JSSE - RSA)

2011-06-09 Thread Christopher Schultz
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1

Charles,

On 6/8/2011 3:03 PM, Charles Van Damme wrote:
 1) I'm trying first with JSSE. Please see <!-- Connectors ... in my
 server.xml file.

Attachments stripped again. Please copy/paste into the message.

 2) How can I prevent my NetBeans IDE to start a Tomcat server ?
 To run and stop Tomcat separately, I figure that you mean start Cmd 
 C:\Program Files\apache-tomcat-7.0.11\bin\startup.bat and shutdown.bat

That is generally the proper way to start and stop Tomcat.

 3) What do I have to do to avoid that it grumbles when I try to use RSA ?

Can you post your log files from after an unsuccessful startup? Remember
that attaching them might not work well (though plain-text does tend to
get through).

There are many things that can go wrong when configuring SSL. We will
need to see your configuration and the actual error you get in order to
help diagnose.

- -chris
-BEGIN PGP SIGNATURE-
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk3w9GsACgkQ9CaO5/Lv0PBv8gCfVWGz7PygOoAsqzQt/PLBvHIj
5iwAn1S1+V6q02LmPskk8VCyg0ZSxkbJ
=sJdR
-END PGP SIGNATURE-




RE: My web application to use SSL (JSSE - RSA)

2011-06-08 Thread Caldarale, Charles R
 From: Charles Van Damme [mailto:chava...@gmail.com] 
 Subject: My web application to use SSL (JSSE - RSA)

 I'm trying to get my first applic using SSL started. I read 
 therefore SSL Configuration HOW-TO n times.

Including the part about there being *two* SSL mechanisms?  Which one are you 
actually using, APR or pure Java?

 When I compile and run my 'Test1' applic inside the IDE

When diagnosing problems, simplify the environment as much as possible: get the 
IDE out of the picture.  Go ahead and build your webapp with the IDE, but run 
Tomcat separately.  IDEs have a nasty habit of using their own configurations 
for servers, ignoring what you think you've got set.

 Pls, see a copy of my 'Tomcat 7.0' output window in the attached 
 WordPad file (8-jun-2011 18:05:11 Tomcat issue.rtf).

Stripped, thankfully.  (See below about viruses.)

 Why doesn't Apache Tomcat use a usual forum application on a 
 website for all his support questions ?

Because forums are crap.

 My mailbox is getting quickly much too full ...

Learn where the delete key is.

 No provision for Quote nor Code inserts ...

Or viruses.  Messages are all in plain text.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY 
MATERIAL and is thus for use only by the intended recipient. If you received 
this in error, please contact the sender and delete the e-mail and its 
attachments from all computers.





Re: My web application to use SSL (JSSE - RSA)

2011-06-08 Thread Charles Van Damme
Dear,

1) I'm trying first with JSSE. Please see <!-- Connectors ... in my
server.xml file.

2) How can I prevent my NetBeans IDE to start a Tomcat server ?
To run and stop Tomcat separately, I figure that you mean start Cmd 
C:\Program Files\apache-tomcat-7.0.11\bin\startup.bat and shutdown.bat

3) What do I have to do to avoid that it grumbles when I try to use RSA ?

Thanks
Ch


On Wed, Jun 8, 2011 at 7:05 PM, Caldarale, Charles R 
chuck.caldar...@unisys.com wrote:

  From: Charles Van Damme [mailto:chava...@gmail.com]
  Subject: My web application to use SSL (JSSE - RSA)

  I'm trying to get my first applic using SSL started. I read
  therefore SSL Configuration HOW-TO n times.

 Including the part about there being *two* SSL mechanisms?  Which one are
 you actually using, APR or pure Java?

  When I compile and run my 'Test1' applic inside the IDE

 When diagnosing problems, simplify the environment as much as possible: get
 the IDE out of the picture.  Go ahead and build your webapp with the IDE,
 but run Tomcat separately.  IDEs have a nasty habit of using their own
 configurations for servers, ignoring what you think you've got set.

  Pls, see a copy of my 'Tomcat 7.0' output window in the attached
  WordPad file (8-jun-2011 18:05:11 Tomcat issue.rtf).

 Stripped, thankfully.  (See below about viruses.)

  Why doesn't Apache Tomcat use a usual forum application on a
  website for all his support questions ?

 Because forums are crap.

  My mailbox is getting quickly much too full ...

 Learn where the delete key is.

  No provision for Quote nor Code inserts ...

 Or viruses.  Messages are all in plain text.

  - Chuck

