Re: My web application to use SSL (JSSE - RSA)
OK Christopher:

1) Output tabs of NetBeans IDE

1.1) Tomcat 7.0 :

Using CATALINA_BASE:   C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11
Using CATALINA_HOME:   C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11
Using CATALINA_TMPDIR: C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11\temp
Using JRE_HOME:        C:\Program Files\Java\jdk1.6.0_22
Using CLASSPATH:       C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11\bin\bootstrap.jar;C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11\bin\tomcat-juli.jar
10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.6.0_22\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\System32\Wbem;C:\Program Files\Java\jdk1.6.0_22\bin;C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11
10-jun-2011 15:14:11 org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [http-nio-443]
10-jun-2011 15:14:12 org.apache.coyote.AbstractProtocolHandler init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-nio-443]
java.security.NoSuchAlgorithmException: RSA SSLContext not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:478)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
    at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
10-jun-2011 15:14:12 org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[org.apache.coyote.http11.Http11NioProtocol-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Caused by: java.security.NoSuchAlgorithmException: RSA SSLContext not available
    at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
    at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:478)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
    at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at
Re: My web application to use SSL (JSSE - RSA)
On 10/06/2011 14:25, Charles Van Damme wrote:
> java.security.NoSuchAlgorithmException: RSA SSLContext not available

It seems pretty clear that RSA isn't accepted by Java as a valid algorithm.


p
Re: My web application to use SSL (JSSE - RSA)
Dear Pid,

Yes, RSA fails, and I'm wondering why. Meantime, in 'server.xml' (see my previous email), I changed RSA to TLS. Only that.

Output tabs :

1.1) Tomcat 7.0 :

Using CATALINA_BASE:   C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11
Using CATALINA_HOME:   C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11
Using CATALINA_TMPDIR: C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11\temp
Using JRE_HOME:        C:\Program Files\Java\jdk1.6.0_22
Using CLASSPATH:       C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11\bin\bootstrap.jar;C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11\bin\tomcat-juli.jar
10-jun-2011 17:13:56 org.apache.catalina.core.AprLifecycleListener init
INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: C:\Program Files\Java\jdk1.6.0_22\bin;.;C:\WINDOWS\Sun\Java\bin;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS;C:\WINDOWS\system32;C:\WINDOWS\System32\Wbem;C:\Program Files\Java\jdk1.6.0_22\bin;C:\Program Files\ApacheSoftwFound\Apache Tomcat 7.0.11
10-jun-2011 17:13:57 org.apache.coyote.AbstractProtocolHandler init
INFO: Initializing ProtocolHandler [http-nio-443]
10-jun-2011 17:13:57 org.apache.coyote.AbstractProtocolHandler init
SEVERE: Failed to initialize end point associated with ProtocolHandler [http-nio-443]
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(KeyProtector.java:311)
    at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:121)
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(JavaKeyStore.java:38)
    at java.security.KeyStore.getKey(KeyStore.java:763)
    at com.sun.net.ssl.internal.ssl.SunX509KeyManagerImpl.<init>(SunX509KeyManagerImpl.java:113)
    at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl$SunX509.engineInit(KeyManagerFactoryImpl.java:48)
    at javax.net.ssl.KeyManagerFactory.init(KeyManagerFactory.java:239)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:568)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:507)
    at org.apache.tomcat.util.net.NioEndpoint.bind(NioEndpoint.java:479)
    at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:483)
    at org.apache.coyote.AbstractProtocolHandler.init(AbstractProtocolHandler.java:345)
    at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:910)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
10-jun-2011 17:13:57 org.apache.catalina.core.StandardService initInternal
SEVERE: Failed to initialize connector [Connector[org.apache.coyote.http11.Http11NioProtocol-443]]
org.apache.catalina.LifecycleException: Protocol handler initialization failed
    at org.apache.catalina.connector.Connector.initInternal(Connector.java:912)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
    at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:101)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:572)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:595)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:262)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:430)
Caused by: java.security.UnrecoverableKeyException: Cannot recover key
    at
Re: My web application to use SSL (JSSE - RSA)
Charles, you are facing multiple problems here. One is with the RSA, and the other is with starting Tomcat instances.

On Fri, Jun 10, 2011 at 8:48 PM, Charles Van Damme <chava...@gmail.com> wrote:
<snip/>
> At which moment does NetBeans start the Tomcat server ? If I operate a
> shutdown.bat and a startup.bat from "start Cmd", how does it interfere
> with the Tomcat server thread started up by NetBeans ?

Regardless of how you start Tomcat (batch file or within Netbeans), if you start Tomcat with the default config and get it to bind to port 443, then the operating system will give it port 443. If you now start another Tomcat instance, and get that too to bind to port 443, then the OS will tell this second Tomcat that the port is already in use. This is why you see "Starting of Tomcat failed, the server port 443 is already in use."

You need to run exactly one Tomcat instance on port 443 for now. As you get more familiar with Tomcat, you'll be able to do interesting things like work with SSL on ports other than 443 (and thereby run multiple Tomcat instances serving SSL, etc).

> Thanks.
> Chavadam

-- 
Sriram
== Belenix: www.belenix.org
Re: My web application to use SSL (JSSE - RSA)
Charles,

On 6/10/2011 9:25 AM, Charles Van Damme wrote:
> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal
> performance in production environments was not found on the
> java.library.path: [...]

FWIW, that's just an INFO message, but if you are going to be using SSL, you might want to go ahead and install the APR library: your performance will improve measurably. Note that Connector configuration for an APR connector using SSL is completely different if you choose to go this route.

If you are not going to be using APR, you can disable the APR lifecycle listener because you aren't using it.

> java.security.NoSuchAlgorithmException: RSA SSLContext not available

As Pid points out, it's pretty obvious that RSA is not a valid algorithm in this situation:

> at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)

So, it's an SSL configuration problem. Let's look at your SSL Connector:

> <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="443" maxThreads="150"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="C:/Documents and Settings/Papa/.keystore"
>            keystorePass="changeit"
>            clientAuth="false" sslProtocol="RSA" />

SO, you have sslProtocol="RSA"... seems like a good place to look. If you check the Connector documentation, you can see that there are only a few recognized protocols you can choose.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Note that "protocol" refers to the protocol used for SSL, not for any specific cipher, key exchange strategy, etc.

Unfortunately, the Tomcat documentation does not list all the available protocols, nor should it: the protocols available to you are determined by JVM support. The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to documentation for standard names (which takes you through several hops to) here:

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext

Those are the valid ssl protocol names you can choose. If you want to use only ciphers that use the RSA algorithm (which is really limiting, IMO), you can look up their names here (after scrolling a bit downward):

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames

Just look for stuff like SSL_DH_DSS_blah_blah_blah. Of course, support for a certain algorithm might not be available in your environment. It's best to find out what your JVM supports and use that. I wrote a short bit of code a while back to determine the supported algorithms and the default cipher suite for an SSLSocketFactory. I'll try to dig it up and post it.

> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If you aren't using AJP, then disable the extra connector.

> Hoping you are not overwhelmed. Anything else ?

You had other errors in the log file. After you get SSL working properly, stop Tomcat, delete all your logs and re-launch it. Anything that looks like an error should be investigated and fixed. Feel free to come back to the list for help on those additional issues: just remember to start a new thread if you do.

-chris
Re: My web application to use SSL (JSSE - RSA)
All,

On 6/10/2011 3:59 PM, Christopher Schultz wrote:
> It's best to find out what your JVM supports and use that. I wrote a
> short bit of code a while back to determine the supported algorithms
> and the default cipher suite for an SSLSocketFactory.

As promised, see below. No warranty. Free license. Attributions appreciated.

-chris

package com.chadis.tools.security;

import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.TreeMap;
import java.security.Provider;
import java.security.Security;
import javax.net.ssl.SSLServerSocketFactory;

public class SSLInfo
{
    public static void main(String[] args)
        throws Exception
    {
        // With arguments, only the named providers are inspected.
        boolean enumeratedProviders = (null != args && 0 < args.length);

        // Get SSL protocol info
        Provider providers[];

        if(enumeratedProviders)
        {
            providers = new Provider[args.length];

            for(int i = 0; i < args.length; i++)
                providers[i] = Security.getProvider(args[i]);
        }
        else
        {
            providers = Security.getProviders();
        }

        System.out.println("Supported SSL Protocols:");

        boolean foundProtocol = false;

        for(int i = 0; i < providers.length; i++)
        {
            Provider p = providers[i];

            // Skip any providers that don't actually exist
            if(null == p)
                continue;

            // Provider property keys look like "SSLContext.TLS"; the part
            // after the dot is the name accepted by SSLContext.getInstance
            ArrayList keys = new ArrayList(p.keySet());
            Collections.sort(keys);

            for(Iterator j = keys.iterator(); j.hasNext(); )
            {
                String key = (String)j.next();

                if(key.startsWith("SSLContext.") && !"SSLContext.Default".equals(key))
                {
                    foundProtocol |= true;

                    System.out.print("  ");
                    System.out.print(key.substring("SSLContext.".length()));
                    System.out.print(" (");
                    System.out.print(p.getName());
                    System.out.println(")");
                }
            }
        }

        if(!foundProtocol)
            if(enumeratedProviders)
                System.out.println("  ! No SSL protocols supported by any requested provider");
            else
                System.out.println("  ! No SSL protocols supported by any provider");

        // Get cipher suite info
        SSLServerSocketFactory ssf = (SSLServerSocketFactory)SSLServerSocketFactory.getDefault();
        String[] defaultCiphers = ssf.getDefaultCipherSuites();
        String[] availableCiphers = ssf.getSupportedCipherSuites();

        // Sorted map of every supported suite, flagged TRUE when it is enabled by default
        TreeMap ciphers = new TreeMap();

        for(int i=0; i<availableCiphers.length; ++i )
            ciphers.put(availableCiphers[i], Boolean.FALSE);

        for(int i=0; i<defaultCiphers.length; ++i )
            ciphers.put(defaultCiphers[i], Boolean.TRUE);

        System.out.println("Default\tCipher Name");

        for(Iterator i = ciphers.entrySet().iterator(); i.hasNext(); )
        {
            Map.Entry cipher=(Map.Entry)i.next();

            if(Boolean.TRUE.equals(cipher.getValue()))
                System.out.print('*');
            else
                System.out.print(' ');

            System.out.print('\t');
            System.out.println(cipher.getKey());
        }
    }
}
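Chris's SSLInfo lists what the JVM offers. The complementary pre-flight check below is an added example (not Chris's code and not part of Tomcat): it resolves a Connector's sslProtocol value the same way the stack trace shows JSSESocketFactory.createSSLContext doing it, through SSLContext.getInstance, so a value such as "RSA" fails before Tomcat is started, and it shows where an "RSA only" requirement actually belongs, namely in the Connector's ciphers attribute restricted to the TLS_RSA_WITH_AES_* suites the running JVM supports. Class and method names are hypothetical.

```java
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocketFactory;

/**
 * Pre-flight for a Tomcat JSSE Connector (added example; class and method
 * names are hypothetical). Step 1 resolves sslProtocol the way
 * JSSESocketFactory.createSSLContext does, through SSLContext.getInstance,
 * so a bad value fails here instead of at Tomcat start-up. Step 2 shows
 * where an "RSA only" requirement belongs: in the ciphers attribute.
 */
public class ConnectorSslCheck {

    /**
     * Resolves an sslProtocol value. "RSA" throws the same
     * NoSuchAlgorithmException Tomcat logged ("RSA SSLContext not available");
     * a StandardNames algorithm such as "TLS" returns the protocol versions
     * the resulting context can negotiate.
     */
    public static String[] resolveSslProtocol(String sslProtocol)
            throws NoSuchAlgorithmException, KeyManagementException {
        SSLContext ctx = SSLContext.getInstance(sslProtocol);
        ctx.init(null, null, null);   // default key/trust managers suffice for a query
        return ctx.getSupportedSSLParameters().getProtocols();
    }

    /**
     * JSSE suite names read PROTO_KEYEXCHANGE_WITH_CIPHER_MAC, e.g.
     * TLS_RSA_WITH_AES_128_CBC_SHA: "RSA" is a key-exchange token inside a
     * suite name, never a protocol. Keep the suites with plain RSA key
     * exchange and an AES cipher; this drops DH/DHE/ECDHE, NULL, RC4 and 3DES.
     */
    public static List<String> rsaAesSuites(String[] supported) {
        List<String> chosen = new ArrayList<String>();
        for (String suite : supported) {
            if (suite.startsWith("TLS_RSA_WITH_AES_")) {
                chosen.add(suite);
            }
        }
        return chosen;
    }

    /** Renders the two attributes as they would appear on the Connector element. */
    public static String connectorAttributes(String sslProtocol, List<String> ciphers) {
        StringBuilder sb = new StringBuilder();
        sb.append("sslProtocol=\"").append(sslProtocol).append("\"\n");
        sb.append("ciphers=\"");
        for (int i = 0; i < ciphers.size(); i++) {
            if (i > 0) {
                sb.append(',');
            }
            sb.append(ciphers.get(i));
        }
        return sb.append('"').toString();
    }

    public static void main(String[] args) throws Exception {
        // The value from server.xml; the default reproduces the thread's failure.
        String sslProtocol = args.length > 0 ? args[0] : "RSA";
        String[] versions;
        try {
            versions = resolveSslProtocol(sslProtocol);
        } catch (NoSuchAlgorithmException e) {
            System.out.println("sslProtocol=\"" + sslProtocol + "\" rejected: " + e.getMessage());
            sslProtocol = "TLS";
            versions = resolveSslProtocol(sslProtocol);
        }
        System.out.println("Versions negotiable with sslProtocol=\"" + sslProtocol + "\":");
        for (String v : versions) {
            System.out.println("  " + v);
        }

        SSLServerSocketFactory ssf =
                (SSLServerSocketFactory) SSLServerSocketFactory.getDefault();
        List<String> ciphers = rsaAesSuites(ssf.getSupportedCipherSuites());
        if (ciphers.isEmpty()) {
            System.out.println("This JVM offers no TLS_RSA_WITH_AES_* suites");
            return;
        }
        System.out.println(connectorAttributes(sslProtocol, ciphers));
    }
}
```

Run it once with the value from server.xml and once with no argument to see the rejection message alongside the attributes Tomcat would accept.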
Re: My web application to use SSL (JSSE - RSA)
Hi,

Is APR/native Connector dramatically faster than Java Nio Blocking Connector or is it marginal ? I'd love faster SSL but all my keys and certs are java based (keytool). Will APR ever support Java SSL ?

I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use ?

Thanks for any input.

Pat
Re: My web application to use SSL (JSSE - RSA)
On 10/06/2011 21:29, Patrick Flaherty wrote:
> Hi,
>
> Is APR/native Connector dramatically faster than Java Nio Blocking
> Connector or is it marginal ?

APR+SSL is a little faster, if I remember correctly, Chris?

> I'd love faster SSL but all my keys and certs are java based (keytool).
> Will APR ever support Java SSL ?

No.

> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use ?

Yes.


p
Re: My web application to use SSL (JSSE - RSA)
Pid,

On 6/10/2011 4:37 PM, Pid wrote:
> On 10/06/2011 21:29, Patrick Flaherty wrote:
>> Hi,
>>
>> Is APR/native Connector dramatically faster than Java Nio Blocking
>> Connector or is it marginal ?
>
> APR+SSL is a little faster, if I remember correctly, Chris?

I haven't benchmarked SSL configurations, only cleartext HTTP. Both the APR and NIO connectors were /way/ faster than the BIO connector with serving static content.

>> I'd love faster SSL but all my keys and certs are java based (keytool).
>> Will APR ever support Java SSL ?
>
> No.

Converting certs between formats is pretty trivial.

>> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use ?
>
> Yes.

You don't even have to use OpenSSL for anything directly. I like the APR/SSL configuration better because you don't have to muck around with keytool, certificate stores, etc... you just have plain-old PEM files, just like Apache httpd uses (APR is httpd code, so there you go).

-chris
RE: My web application to use SSL (JSSE - RSA)
We switched from JSSE to APR and OpenSSL about 6 months ago. We converted all existing keys and certs to the format required by OpenSSL. It was not hard. Some people say it can't be done, but they're wrong. After 6 months with OpenSSL, I say it's easier to use than JSSE. We use not only server-side certs, we also require client certificate authentication and perform certificate revocation checking.

-----Original Message-----
From: users-return-225336-STEVEN.J.ADAMUS=saic@tomcat.apache.org [mailto:users-return-225336-STEVEN.J.ADAMUS=saic@tomcat.apache.org] On Behalf Of Pid
Sent: Friday, June 10, 2011 1:37 PM
To: Tomcat Users List
Subject: Re: My web application to use SSL (JSSE - RSA)

On 10/06/2011 21:29, Patrick Flaherty wrote:
> Hi,
> Is APR/native Connector dramatically faster than Java Nio Blocking Connector or is it marginal?

APR+SSL is a little faster, if I remember correctly, Chris?

> I'd love faster SSL but all my keys and certs are java based (keytool). Will APR ever support Java SSL?

No.

> I find Java keytool to be reasonably easy to use. Is OpenSSL as easy to use?

Yes.

p

> Thanks for any input.
> Pat

On Jun 10, 2011, at 3:59 PM, Christopher Schultz wrote:

Charles,

On 6/10/2011 9:25 AM, Charles Van Damme wrote:
> 10-jun-2011 15:14:11 org.apache.catalina.core.AprLifecycleListener init
> INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path: [...]

FWIW, that's just an INFO message, but if you are going to be using SSL, you might want to go ahead and install the APR library: your performance will improve measurably. Note that Connector configuration for an APR connector using SSL is completely different if you choose to go this route. If you are not going to be using APR, you can disable the APR lifecycle listener because you aren't using it.

> java.security.NoSuchAlgorithmException: RSA SSLContext not available

As Pid points out, it's pretty obvious that RSA is not a valid algorithm in this situation:

> at sun.security.jca.GetInstance.getInstance(GetInstance.java:142)
> at javax.net.ssl.SSLContext.getInstance(SSLContext.java:125)
> at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSSLContext(JSSESocketFactory.java:490)

So, it's an SSL configuration problem. Let's look at your SSL Connector:

> <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 443 -->
> <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
>            port="443" maxThreads="150"
>            scheme="https" secure="true" SSLEnabled="true"
>            keystoreFile="C:/Documents and Settings/Papa/.keystore"
>            keystorePass="changeit"
>            clientAuth="false" sslProtocol="RSA" />

So, you have sslProtocol="RSA"... seems like a good place to look. If you check the Connector documentation, you can see that there are only a few recognized protocols you can choose.

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Note that "protocol" refers to the protocol used for SSL, not for any specific cipher, key exchange strategy, etc. Unfortunately, the Tomcat documentation does not list all the available protocols, nor should it: the protocols available to you are determined by JVM support. The Javadoc for javax.net.ssl.SSLContext.getInstance has a pointer to documentation for standard names (which takes you through several hops to) here:

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#SSLContext

Those are the valid SSL protocol names you can choose. If you want to use only ciphers that use the RSA algorithm (which is really limiting, IMO), you can look up their names here (after scrolling a bit downward):

http://download.oracle.com/javase/6/docs/technotes/guides/security/StandardNames.html#jssenames

Just look for stuff like SSL_DH_DSS_blah_blah_blah. Of course, support for a certain algorithm might not be available in your environment. It's best to find out what your JVM supports and use that. I wrote a short bit of code a while back to determine the supported algorithms and the default cipher suite for an SSLSocketFactory. I'll try to dig it up and post it.

> <!-- Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

If you aren't using AJP, then disable the extra connector.

> Hoping you are not overwhelmed. Anything else?

You had other errors in the log file. After you get SSL working properly, stop Tomcat, delete all your logs and re-launch it. Anything that looks like an error should be investigated and fixed. Feel free to come back to the list for help on those additional issues: just remember to start a new thread if you do.

-chris

- To unsubscribe, e-mail: users-unsubscr
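Chris refers above to a snippet he wrote to list what the JVM supports but does not post it. The following is an added example (editor's code, not Chris's and not part of Tomcat) that does the same job with only standard JSSE APIs: it enumerates the SSLContext protocol names registered by the installed providers (the only legal values for the Connector's sslProtocol attribute), checks candidate names the way Tomcat's JSSESocketFactory does, so "RSA" reproduces the NoSuchAlgorithmException from the log, and prints the default and RSA-based cipher suites, which are the values that belong in the separate ciphers attribute. The class name and the candidate list are this example's own choices.

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.Security;
import java.util.ArrayList;
import java.util.List;
import java.util.TreeSet;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;

/**
 * Prints what the running JVM supports for JSSE so that server.xml can be
 * written against reality instead of guessed names. Added example; the
 * class name and candidate protocol list are assumptions of this example.
 */
public class JsseSupportCheck {

    /** SSLContext protocol names registered as services by any installed provider. */
    public static TreeSet<String> supportedSslContextNames() {
        TreeSet<String> names = new TreeSet<String>();
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SSLContext".equals(s.getType())) {
                    names.add(s.getAlgorithm());
                }
            }
        }
        return names;
    }

    /**
     * Mirrors what Tomcat does with the sslProtocol attribute: it is passed
     * straight to SSLContext.getInstance(). A name such as "RSA" is a key
     * algorithm, not a protocol, so it fails with NoSuchAlgorithmException.
     */
    public static boolean isValidSslProtocol(String name) {
        try {
            SSLContext.getInstance(name);
            return true;
        } catch (NoSuchAlgorithmException e) {
            return false;
        }
    }

    /** Supported cipher suites whose name marks RSA key exchange/authentication. */
    public static List<String> rsaCipherSuites(SSLSocketFactory factory) {
        List<String> out = new ArrayList<String>();
        for (String suite : factory.getSupportedCipherSuites()) {
            if (suite.contains("_RSA_")) {
                out.add(suite);
            }
        }
        return out;
    }

    public static void main(String[] args) throws Exception {
        System.out.println("SSLContext protocol names supported by this JVM:");
        for (String n : supportedSslContextNames()) {
            System.out.println("  " + n);
        }

        // "RSA" is the value from the failing server.xml; the others are
        // typical sslProtocol values. Pass your own names as arguments.
        String[] candidates = args.length > 0
                ? args : new String[] { "RSA", "TLS", "TLSv1", "SSLv3" };
        System.out.println("\nsslProtocol candidates:");
        for (String c : candidates) {
            System.out.println("  " + c + " -> "
                    + (isValidSslProtocol(c) ? "OK" : "NoSuchAlgorithmException"));
        }

        // Cipher suites are configured separately (Connector 'ciphers' attribute).
        SSLContext ctx = SSLContext.getDefault();
        SSLSocketFactory factory = ctx.getSocketFactory();
        System.out.println("\nDefault SSLContext protocol: " + ctx.getProtocol());
        System.out.println("Default cipher suites:");
        for (String s : factory.getDefaultCipherSuites()) {
            System.out.println("  " + s);
        }
        System.out.println("Supported cipher suites using RSA:");
        for (String s : rsaCipherSuites(factory)) {
            System.out.println("  " + s);
        }
    }
}
```

Compile and run it with the same JDK that starts Tomcat (the JRE_HOME shown in the log), since a different JVM may register different providers. Whatever it prints under the first heading is what sslProtocol may be set to; restricting the handshake to RSA suites, if that is really wanted, is done with the ciphers attribute using names from the last list, not with sslProtocol.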
Re: My web application to use SSL (JSSE - RSA)
Charles,

On 6/8/2011 3:03 PM, Charles Van Damme wrote:
> 1) I'm trying first with JSSE. Please see <!-- Connectors ... in my server.xml file.

Attachments stripped again. Please copy/paste into the message.

> 2) How can I prevent my NetBeans IDE from starting a Tomcat server? To run and stop Tomcat separately, I figure that you mean start Cmd C:\Program Files\apache-tomcat-7.0.11\bin\startup.bat and shutdown.bat

That is generally the proper way to start and stop Tomcat.

> 3) What do I have to do to avoid that it grumbles when I try to use RSA?

Can you post your log files from after an unsuccessful startup? Remember that attaching them might not work well (though plain text does tend to get through).

There are many things that can go wrong when configuring SSL. We will need to see your configuration and the actual error you get in order to help diagnose.

-chris
RE: My web application to use SSL (JSSE - RSA)
> From: Charles Van Damme [mailto:chava...@gmail.com]
> Subject: My web application to use SSL (JSSE - RSA)
>
> I'm trying to get my first application using SSL started. I have therefore read the SSL Configuration HOW-TO n times.

Including the part about there being *two* SSL mechanisms? Which one are you actually using, APR or pure Java?

> When I compile and run my 'Test1' application inside the IDE

When diagnosing problems, simplify the environment as much as possible: get the IDE out of the picture. Go ahead and build your webapp with the IDE, but run Tomcat separately. IDEs have a nasty habit of using their own configurations for servers, ignoring what you think you've got set.

> Please see a copy of my 'Tomcat 7.0' output window in the attached WordPad file (8-jun-2011 18:05:11 Tomcat issue.rtf).

Stripped, thankfully. (See below about viruses.)

> Why doesn't Apache Tomcat use a usual forum application on a website for all its support questions?

Because forums are crap.

> My mailbox is getting quickly much too full ...

Learn where the delete key is.

> No provision for Quote nor Code inserts ...

Or viruses. Messages are all in plain text.

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: My web application to use SSL (JSSE - RSA)
Dear,

1) I'm trying first with JSSE. Please see <!-- Connectors ... in my server.xml file.

2) How can I prevent my NetBeans IDE from starting a Tomcat server? To run and stop Tomcat separately, I figure that you mean start Cmd C:\Program Files\apache-tomcat-7.0.11\bin\startup.bat and shutdown.bat

3) What do I have to do to avoid that it grumbles when I try to use RSA?

Thanks
Ch

On Wed, Jun 8, 2011 at 7:05 PM, Caldarale, Charles R chuck.caldar...@unisys.com wrote:
> > From: Charles Van Damme [mailto:chava...@gmail.com]
> > Subject: My web application to use SSL (JSSE - RSA)
> >
> > I'm trying to get my first application using SSL started. I have therefore read the SSL Configuration HOW-TO n times.
>
> Including the part about there being *two* SSL mechanisms? Which one are you actually using, APR or pure Java?
>
> > When I compile and run my 'Test1' application inside the IDE
>
> When diagnosing problems, simplify the environment as much as possible: get the IDE out of the picture. Go ahead and build your webapp with the IDE, but run Tomcat separately. IDEs have a nasty habit of using their own configurations for servers, ignoring what you think you've got set.
>
> > Please see a copy of my 'Tomcat 7.0' output window in the attached WordPad file (8-jun-2011 18:05:11 Tomcat issue.rtf).
>
> Stripped, thankfully. (See below about viruses.)
>
> > Why doesn't Apache Tomcat use a usual forum application on a website for all its support questions?
>
> Because forums are crap.
>
> > My mailbox is getting quickly much too full ...
>
> Learn where the delete key is.
>
> > No provision for Quote nor Code inserts ...
>
> Or viruses. Messages are all in plain text.
>
> - Chuck