On Mon, 21 Oct 2002, Dave Patton wrote:

> Ok that sounds good then.  My understanding is that it uses the keystore
> set in the server.xml file.
  Where in server.xml is that set? I couldn't find any mention of a keystore.

>  Are you sending the request to the right
> port?
  Yes, the URL is set in one of the <init-parameter> tags in web.xml.


>  I didn't see anything in your code below specifying which port to
> hit.  I also found this reference online and it may be something to try.
> 
> Export the certificate into a .cer file. (With internet explorer, goto
> tools->internet options->content->certificates, and you can export
> them). Once you have the .cer file, you need to place it in a store that
> java can use...
I don't have IE on my redhat 7 server, so I tried this
 keytool -export -alias tomcat -file /var/tomcat4/webapps/docutrak/.cer
this created a .cer file in the main directory of my application.


> In my case, the only certificate I wanted trusted was the one I provided
> in the .cer file, so using keytool (provided with java), I imported the
> certificate to a new store:
> 
> keytool -import -alias <insert alias here> -file <insert .cer filename>
> -keystore <storename here>

Here is the output when I did this:
----
[root@rho docutrak]# keytool -import -alias tomcat -file .cer -keystore tomcat
Enter keystore password:  changeit
Owner: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesa, ST=AZ, C=US
Issuer: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesa, ST=AZ, C=US
Serial number: 3d9c7da3
Valid from: Thu Oct 03 10:25:55 MST 2002 until: Wed Jan 01 10:25:55 MST 2003
Certificate fingerprints:
         MD5:  D5:1B:9C:F0:04:0C:60:20:6B:7C:77:CE:62:CA:E8:ED
         SHA1: 75:C2:10:66:A3:65:3B:97:5E:7E:EE:4F:E5:67:AE:EC:DD:71:87:07
Trust this certificate? [no]:  y
Certificate was added to keystore
---
which seemed to be just as it should.  After I did this, there was a 
file named tomcat in my main directory.


> 
> 
> If you are using a new store name, it should create a file in the
> current directory with the <storename> you entered. Now, to make the
> trustManager look in this store during initialization with your
> application, you need to set the javax.net.ssl.trustStore and
> javax.net.ssl.trustStorePassword properties (either during runtime, or
> at the command prompt)
> 
> At the command prompt, it'd look like this:
> 
> java -Djavax.net.ssl.trustStore=<storename>
> -Djavax.net.ssl.trustStorePassword=<password>
Since this was a servlet, I wasn't sure how to pass in command line
parameters, so I added this code to my servlet just before trying to 
make the connection:

  System.setProperty("javax.net.ssl.trustStore", "/var/tomcat4/webapps/docutrak/tomcat");
  System.setProperty("javax.net.ssl.trustStorePassword", "changeit");

does that have the same effect as the -D command line parameter?

After doing all this, I executed my servlet from the browser with 
the same result:
 javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown



> 
> Hope that helps.  Please let me know if it does.
> 
> 
> Dave Patton
> 
> On Mon, 2002-10-21 at 11:30, [EMAIL PROTECTED] wrote:
> > I generated a .keystore file for tomcat using
> > keytool -genkey -alias tomcat -keyalg RSA
> > 
> > this file was placed in /root/.keystore, the user home directory.
> > I have used this .keystore to sign JAR files successfully.  Also, I
> > have successfully made an SSL connection TO tomcat from a web browser,
> > I just can't seem to connect from tomcat.
> > 
> > When Tomcat or JSSE tries to make a SSL connection, where does it 
> > look for the certificates? do I need to make another keystore file and
> > place it somewhere else?
> > 
> > 
> > --Monte Glenn Gardner
> > 
> > 
> > On Mon, 21 Oct 2002, Dave Patton wrote:
> > 
> > > Have you generated all your certificates for an ssl connection?  If not
> > > that will be the problem.  If you have, make sure that Tomcat can find
> > > the certificates in question.  The Tomcat docs have a good piece on
> > > hooking up SSL I followed it without a hitch.
> > > 
> > > Dave Patton
> > > 
> > > On Mon, 2002-10-21 at 10:34, [EMAIL PROTECTED] wrote:
> > > > I have a Java Servlet running on Tomcat 4.1.12.
> > > > At some point, this Servlet needs to send data to another Servlet which is 
> > > > right now on the same web-server, but in the future, it will be on a different 
> > > > web-server, also running Tomcat.  I have installed the JSSE jar files in the 
> > > > JAVA_HOME/jre/ext/lib directory, and I can download web pages from Tomcat
> > > > using https URLs.
> > > >  
> > > > So, I open a URLConnection:
> > > >     try
> > > >     {
> > > >       URL servletURL = new URL(getServletConfig().getInitParameter("printServletURL"));
> > > > 
> > > >       URLConnection con = servletURL.openConnection();
> > > > 
> > > >       con.setUseCaches(false);
> > > >       // header name must be "Content-Type"; "CONTENT_TYPE" is sent as an unknown header
> > > >       con.setRequestProperty("Content-Type", "application/octet-stream");
> > > >       con.setDoInput(true);
> > > >       con.setDoOutput(true);
> > > > .........
> > > > 
> > > > 
> > > > When I run the servlet, I get the following Exception
> > > > SEVERE: Handshake failed
> > > > javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > >         at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > > 
> > > > 
> > > > So, how does one get a Java Servlet on Tomcat to act as an SSL client, and
> > > > connect to another SSL server?
> > > > 
> > > > 
> > > > --Monte Glenn Gardner
> > > > 
> > > > 
> > > > 
> > > > --
> > > > To unsubscribe, e-mail:   <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
> > > > For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
> > > 
> > > 
> > > ___________________________
> > > David H. Patton
> > > C.O.S.
> > > [EMAIL PROTECTED]
> > > x4727 - desk
> > > (202) 276-8998 - pcs
> > > 
> > > 
> > > 
> > > 
> > > 
> > > 
> > 
> > 
> 
> 


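The javax.net.ssl.trustStore properties are read only once, when the JVM's default SSLContext is first initialized, so setting them from inside a servlet after some other code in the same Tomcat JVM has already opened an HTTPS connection has no effect. A way around that, as an added example (not code from the thread), is to load the trust store explicitly and hand a purpose-built SSLSocketFactory to the one connection that needs it. It assumes the javax.net.ssl API of J2SE 1.4 or later, the trust store path and password from the thread, and a placeholder target URL.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustedServletClient {

    /** Builds an SSLContext that trusts only the certificates in the given JKS trust store. */
    public static SSLContext contextFor(String trustStorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            ts.load(in, password);   // password only checks store integrity; no private key is needed
        } finally {
            in.close();
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);   // no client certificate, default RNG
        return ctx;
    }

    /** Opens the connection with the explicit trust store instead of the JVM-wide default. */
    public static HttpsURLConnection open(URL url, SSLContext ctx) throws Exception {
        // Hostname verification still applies: the URL host must equal the certificate's
        // CN (rho.abstrax.nan in the thread), not localhost or an IP address.
        HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
        con.setSSLSocketFactory(ctx.getSocketFactory());   // scoped to this connection only
        con.setUseCaches(false);
        con.setDoInput(true);
        con.setDoOutput(true);
        con.setRequestProperty("Content-Type", "application/octet-stream");
        return con;
    }

    public static void main(String[] args) throws Exception {
        // Trust store created by "keytool -import ... -keystore tomcat" in the thread.
        SSLContext ctx = contextFor("/var/tomcat4/webapps/docutrak/tomcat", "changeit".toCharArray());
        // Placeholder URL (assumption): use the value of the printServletURL init-parameter.
        HttpsURLConnection con = open(new URL("https://rho.abstrax.nan:8443/docutrak/print"), ctx);
        System.out.println("HTTP " + con.getResponseCode());
    }
}
```

Because the trust store holds only the self-signed Tomcat certificate, any other server certificate is rejected, which is the intended outcome for a fixed servlet-to-servlet link.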
