Have you tried the tc4 "org.apache.catalina.net.SSLServerSocketFactory"?
<Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
     address="${jboss.bind.address}" port = "8753" scheme = "https"
     secure = "true" enableLookups= "true">
        
     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
        keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
        keystorePass="secret"
        clientAuth="false"
        protocol = "TLS"/>
</Connector>
 

The other thing, what does the keystore look like:
keytool -list -v -keystore hostname.keystore

I am not 100% sure if tomcat requires the cert to be inside of an alias
of 'tomcat', but that is how the tutorials do it, and how I've implemented ours.

It's not difficult to copy to another alias:
keytool -keyclone -alias <current alias> -dest tomcat
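
As an added illustration of the `keytool -list -v` check suggested above (example code, not from either poster), the script below parses a saved listing and reports the conditions that make a JSSE server fail with "No available certificate corresponds to the SSL cipher suites which are enabled": no private-key entry in the keystore at all, nothing under the 'tomcat' alias, a key pair whose certificate is still self-signed, or a CA-signed server certificate that was imported as a trusted entry instead of into the key pair. The listing it runs on is constructed here; the alias 'mykey' is keytool's default when -alias is omitted from an import, and the two entry-type spellings cover J2SE 1.4 ("keyEntry") and later JDKs ("PrivateKeyEntry").

```python
"""Report why a JKS keystore cannot serve TLS, from `keytool -list -v` text.

Added example, not code from the thread. Usage:
    keytool -list -v -keystore hostname.keystore | python check_keystore.py
With no piped input it runs on the constructed SAMPLE_LISTING below.
"""
import sys
from typing import Dict, List, Optional

# Entry-type spellings differ by JDK release; compare case-insensitively.
KEY_ENTRY_TYPES = {"keyentry", "privatekeyentry"}
TRUSTED_ENTRY_TYPES = {"trustedcertentry"}

# Constructed listing (not the poster's real keystore). Alias "tomcat" still
# holds the self-signed key pair; the CA-signed cert was imported without
# -alias, so it landed under keytool's default alias "mykey" as a trusted
# cert rather than replacing the certificate on the key pair.
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: tomcat
Creation date: Apr 12, 2004
Entry type: keyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
Issuer: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
Serial number: 4079ba1c
Valid from: Mon Apr 12 18:00:00 PDT 2004 until: Sun Jul 11 18:00:00 PDT 2004


*******************************************
*******************************************


Alias name: mykey
Creation date: Apr 12, 2004
Entry type: trustedCertEntry

Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
Serial number: 63ba7416f9d061ad65db8b61554bd8c3
Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
"""


def parse_keytool_listing(text: str) -> List[Dict[str, Optional[str]]]:
    """One dict per alias: alias, entry type, and the first cert's Owner/Issuer."""
    entries: List[Dict[str, Optional[str]]] = []
    current: Optional[Dict[str, Optional[str]]] = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Alias name:"):
            current = {"alias": line.split(":", 1)[1].strip(),
                       "entry_type": None, "owner": None, "issuer": None}
            entries.append(current)
        elif current is None:
            continue  # header lines before the first alias
        elif line.startswith("Entry type:"):
            current["entry_type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Owner:") and current["owner"] is None:
            current["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("Issuer:") and current["issuer"] is None:
            current["issuer"] = line.split(":", 1)[1].strip()
    return entries


def check_tls_keystore(text: str, expected_alias: str = "tomcat") -> List[str]:
    """Return findings; an empty list means a CA-signed key pair sits under expected_alias."""
    entries = parse_keytool_listing(text)
    by_alias = {str(e["alias"]).lower(): e for e in entries}
    findings: List[str] = []

    def kind(e: Dict[str, Optional[str]]) -> str:
        return (e["entry_type"] or "").lower()

    if not any(kind(e) in KEY_ENTRY_TYPES for e in entries):
        findings.append("no private-key entry at all: trusted-cert entries alone cannot "
                        "complete a server-side TLS handshake")
    target = by_alias.get(expected_alias.lower())
    if target is None:
        findings.append(f"no entry under alias '{expected_alias}' (the alias the Tomcat SSL how-to uses)")
    elif kind(target) not in KEY_ENTRY_TYPES:
        findings.append(f"alias '{expected_alias}' is a {target['entry_type']}, not a key entry")
    elif target["owner"] == target["issuer"]:
        findings.append(f"alias '{expected_alias}' is still self-signed: the CA reply has not "
                        "been imported into this alias")
    for e in entries:
        # A non-self-signed cert stored as a trusted entry is usually the CA reply
        # imported under the wrong alias (it belongs on the key pair that made the CSR).
        if e is not target and kind(e) in TRUSTED_ENTRY_TYPES and e["owner"] != e["issuer"]:
            findings.append(f"alias '{e['alias']}' holds a CA-signed end-entity cert as a trusted "
                            f"entry; import that reply into the '{expected_alias}' key pair instead")
    return findings


if __name__ == "__main__":
    listing = SAMPLE_LISTING if sys.stdin.isatty() else sys.stdin.read()
    problems = check_tls_keystore(listing)
    print("keystore looks usable for TLS" if not problems else "\n".join(problems))
```

The owner-equals-issuer test is a cheap proxy for "self-signed" that works on keytool's DN strings; it does not validate the chain, so a clean result here still leaves the CA root (or intermediate) trust question to the client side.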

-----Original Message-----
From: Robert Hall [mailto:[EMAIL PROTECTED] 
Sent: Monday, April 12, 2004 8:32 PM
To: Tomcat Users List
Subject: Re: help needed - keytool import of CA certs

JBoss has Tomcat embedded and it uses jboss-service.xml instead of 
Tomcat's server.xml.
The <Connector> element:

<Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
     address="${jboss.bind.address}" port = "8753" scheme = "https"
     secure = "true" enableLookups= "true">
     <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
           keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
           keystorePass="secret"
           clientAuth="false"
           protocol = "TLS"/>
</Connector>

Thanks,
Robert

D'Alessandro, Arthur wrote:

>I'm not too familiar with JBoss, is it within tomcat?  If so, what does
>your server.xml connector snippet look like? 
>
>-----Original Message-----
>From: Robert Hall [mailto:[EMAIL PROTECTED] 
>Sent: Monday, April 12, 2004 8:06 PM
>To: Tomcat Users List
>Subject: Re: help needed - keytool import of CA certs
>
>Arthur,
>
>Thanks for the reply.  Yes, the hostname.crt file is a signed
>certificate.
>I've tried importing both with and without the -trustcacerts parameter,
>the imports are successful, but I get the following exception in
>JBoss-3.2.3/Tomcat-4.1.29:
>
>16:23:59,561 ERROR [PoolTcpEndpoint] Endpoint [SSL: 
>ServerSocket[addr=/0.0.0.0,port=0,localport=8753]] ignored exception: 
>java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
>No available certificate corresponds to the SSL cipher suites which are enabled.
>java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
>No available certificate corresponds to the SSL cipher suites which are enabled.
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
>        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
>        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:569)
>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
>        at java.lang.Thread.run(Thread.java:536)
>
>Thanks,
>Robert
>
>D'Alessandro, Arthur wrote:
>
>
>>Robert,
>>First thing, tomcat looks for .keystore in the home folder of the user
>>who is running tomcat; if this is not available, or you wish to move the
>>keystore, you can state so in the Connector within server.xml
>>
>>Another thing, the password defaults to 'changeit'; if you wish to have
>>an alternative password, you will need to specify it again within the
>>connector element.
>>
>>Third, you appear to be using -trustcacerts; is the cert you specify
>>in hostname.crt the CA root cert (local CA) or the signed certificate?
>>From your description, I assume it is the signed valid cert from
>>Verisign.
>>
>>Off the top of my head, I don't remember the need for the
>>'-trustcacerts'
>>
>>This is a good site that may help as well:
>>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
>>
>>
>>-----Original Message-----
>>From: Robert Hall [mailto:[EMAIL PROTECTED] 
>>Sent: Monday, April 12, 2004 6:56 PM
>>To: Tomcat Users List
>>Subject: help needed - keytool import of CA certs
>>
>>I've been floundering for too many hours/days having ventured into the
>>java/keytool/keystore/CAcert realm for the first time to produce a
>>CA signed certificate for JBoss/Tomcat.
>>
>>We have a Verisign/RSA cert, hostname.crt that produces the following
>>when
>>imported using 'keytool':
>>
>>$ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
>>Enter keystore password:  secret
>>Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
>>Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
>>Serial number: 63ba7416f9d061ad65db8b61554bd8c3
>>Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
>>Certificate fingerprints:
>>        MD5:  05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
>>        SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
>>Trust this certificate? [no]:  yes
>>Certificate was added to keystore
>>
>>And if you're still reading, some questions:
>>
>>1. Should the "Trust this certificate?" prompt appear if a corresponding
>>   CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts ?
>>
>>2. Is it necessary to go through the CSR (Certificate Signing Request)
>>   process when you already have a server cert file?
>>
>>3. What else is needed in addition to an existing server cert file if
>>   you don't have to go through the CSR process?
>>
>>Thanks,
>>Robert
>>
>>
>>---------------------------------------------------------------------
>>To unsubscribe, e-mail: [EMAIL PROTECTED]
>>For additional commands, e-mail: [EMAIL PROTECTED]

