Justin L. Spies wrote:

Ken,
Thanks for the hints.  Since they (Apache/Tomcat) are running on the
same system at this point, that won't be an issue.  Could you point me
in the direction of some documentation that would help me get this set up?
I've set up mod_jk with standard Apache before and it has been
straightforward.  I am assuming that Apache handles the encryption/decryption
and passes the requests off to Tomcat via the connector AFTER it
decrypts the request--is this correct?

That is correct.

I have only set up ssl with mod_webapp, and it's just a matter of adding duplicate WebAppDeploy statements to the ssl <Virtualhost xx.xx.xx.xx:443> section in httpd.conf

I'd assume it's the same with mod_jk, since the autogenerated mod_jk.conf contains the non-ssl virtualhost section, you'd just need to mirror that with an ssl virtualhost section in the file by adding a duplicate <Host hostname:443> Section to server.xml for the ssl virtualhost. There may be gotchas to this that I'm not aware of with jk, since I have not used it with apache & ssl before.

You'd also probably want to disable the coyote connector on port 8080 in server.xml too.

Ken


Sincerely,
Pantek Incorporated
Justin L. Spies

URI: http://www.pantek.com
Ph 440.519.1802
Fax 440.248.5274
Cell 440.336.3317


-----Original Message-----
From: Ken Anderson [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 18, 2002 4:51 PM
To: Tomcat Users List
Subject: Re: Tomcat SSL Setup


Have you considered the advantages of using one of the apache connectors instead of tomcat standalone for SSL support?

I fought with Tomcat ssl support a couple years ago, and was unable to get it to work. I'm sure the support is there now, but ssl support is transparent if you use mod_jk or mod_webapp with Apache, and it's easier, since you already have all the certificates in place.

The downside is that the connection between apache and tomcat is NOT encrypted, so if you are running TC and Apache on different servers, this might be an issue.

Ken A.


Justin L. Spies wrote:

One piece of information I forgot to mention:
O/S: Red Hat Linux 7.2
Apache: Custom Compiled 1.3.26
Tomcat: 4.0.4 RPM installation
JSDK: j2sdk1.4.0_01

Thanks again.

Justin L. Spies


-----Original Message-----
From: Justin L. Spies [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 18, 2002 2:43 PM
To: [EMAIL PROTECTED]
Subject: Tomcat SSL Setup


Hello all,
I've been working on getting SSL configured for Tomcat and seem to be having a small problem. I must be mistyping something because the only thing I get back from Netscape 7.0 is:
"Netscape 7.0 and www.mydomain.com cannot communicate securely because they have no common encryption algorithms."

Here is what I have done so far:

1. I changed /etc/tomcat4/server.xml and uncommented the following:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
port="8443" minProcessors="5" maxProcessors="75"
enableLookups="true"
acceptCount="10" debug="0" scheme="https"
secure="true">

<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
clientAuth="false" keystoreFile="keystores/mydomain.keystore" keystorePass="xxxxxxxx" protocol="TLS"/>
</Connector>

2. I ran the following commands to import the Verisign key:
/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias root \
-keystore /var/tomcat4/keystores/mydomain.keystore \
-trustcacerts -file /etc/verisign.key

3. I ran the following commands to import a previously created SSL
certificate
/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias tomcat \
-keystore /var/tomcat4/keystores/mydomain.keystore \
-trustcacerts -file /home/httpd/ssl/www.mydomain.com.cer

4. In /etc/tomcat4/server.xml, I noticed the following:
* Download and install JSSE 1.0.2 or later, and put the JAR files
into "$JAVA_HOME/jre/lib/ext".

I found jsse.jar in $JAVA_HOME/jre/lib so I ran the following:
ln -s $JAVA_HOME/jre/lib/jsse.jar \
$JAVA_HOME/jre/lib/ext/jsse.jar

5. I then restarted Tomcat and tried the following URL:
http://www.mydomain.com:8080/examples/servlets/index.hml

This was a test simply to make sure Tomcat started properly. In this it worked fine.

6. I then restarted Tomcat and tried the following URL:
https://www.mydomain.com:8443/examples/servlets/index.html

This test failed with the above error message.


Does anyone have any ideas? Oh, and BTW, I can visit https://www.mydomain.com/index.html and the home page for the site comes up in SSL mode without a problem, so I know that the SSL certificate, under Apache, is working fine.

Thanks,
Justin L. Spies
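
Added example, not part of the original thread: steps 2 and 3 above run `keytool -import` on certificate files, which creates trusted-certificate entries unless the alias already holds a key pair. A JSSE SSL connector also needs a private-key entry, and a keystore without one is a common cause of the "no common encryption algorithms" error. The sketch below classifies `keytool -list` output; both listings are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: classify entries in `keytool -list` output.
# Function names and both listings are constructed for illustration.

# Print "alias:type" for every entry line read from stdin.
list_entries() {
    awk '/(trustedCertEntry|keyEntry|PrivateKeyEntry),[ \t]*$/ {
        alias = $0; sub(/,.*/, "", alias)          # text before first comma
        type = $0;  sub(/,[ \t]*$/, "", type)      # drop trailing comma
        sub(/.*,[ \t]*/, "", type)                 # keep last field
        print alias ":" type
    }'
}

# Succeed only if ALIAS ($1) holds a private key (old or new keytool wording).
alias_has_private_key() {
    list_entries | grep -Fxq -e "$1:keyEntry" -e "$1:PrivateKeyEntry"
}

# Constructed listing: what two certificate-only imports leave behind.
sample_cert_only() {
    cat <<'EOF'
Keystore type: jks
Your keystore contains 2 entries

root, Dec 18, 2002, trustedCertEntry,
tomcat, Dec 18, 2002, trustedCertEntry,
EOF
}

# Constructed listing: the alias holds a key pair plus its certificate.
sample_with_key() {
    cat <<'EOF'
Keystore type: jks
Your keystore contains 2 entries

root, Dec 18, 2002, trustedCertEntry,
tomcat, Dec 18, 2002, keyEntry,
EOF
}

for sample in sample_cert_only sample_with_key; do
    if $sample | alias_has_private_key tomcat; then
        echo "$sample: 'tomcat' has a private key; the connector can present it"
    else
        echo "$sample: no private key under 'tomcat'; expect a handshake failure"
    fi
done
# Real use: keytool -list -keystore /var/tomcat4/keystores/mydomain.keystore | alias_has_private_key tomcat
```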



--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>


