Hi, List!
I have set up an SSL connection from my Tomcat 5.5.17 to a database, also
using SSL.
In my CATALINA_OPTS, there are some parameters to define where the store files
are. It is like this:
-Djavax.net.ssl.keyStore=<the keystore file>
-Djavax.net.ssl.keyStorePassword=<the password>
The JDBC driver works fine with the database in SSL.
Also I have set up a one-way https. So I have another keystore file in
/tomcat/conf/server-keystore2.jks
In my server.xml I set it up like this:
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystoreFile="d:\tomcat\conf\server-keystore2.jks"
keystorePass="changeit"
URIEncoding="utf-8" />
It worked when I hit https://breakevilaxis.org
Then I finished all the steps given by marc in the following link without any
error message,
http://marc.theaimsgroup.com/?l=tomcat-user&m=106293430225790&w=2
Now the server.xml is like this.
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="true" sslProtocol="TLS"
truststoreFile="d:\tomcat\conf\truststore-itcilo.jks"
truststorePass="changeit"
keystoreFile="d:\tomcat\conf\server-keystore2.jks"
keystorePass="changeit"
URIEncoding="utf-8" />
Also I made an entry in the tomcat-user.xml
<user username="Frank Peng" password="tomcat" roles="tomcat"/>
This is the Common Name I used when I created the client's certificate with openssl.
When I import the santiago.p12 file into both IE and Netscape, both say it was
imported successfully.
But in IE, the Certificate Information says, "The integrity of this
certificate cannot be guaranteed. The certificate may be corrupted or may have
been altered."
I also followed step 4 and deleted the TRUSTED word, saved ca.pem as
ca.crt and imported it into the browser's root certificate authorities. There is
nothing wrong with this.
Now, when I hit https://breakevilaxis.org, it shows the usual blank page:
"The page cannot be displayed"
On netscape, it says the connection was refused.
When I was creating the santiago.p12 file, I was asked to type an export
password. I used this password when I imported the p12 file into Netscape. But
I was not asked for this password when I imported this p12 into IE. Both IE and
Netscape cannot reach the web site.
Locally, when I created the Tomcat server keystore, I used 192.168.0.90, which
is the server I am running, as the CN and OU. Then on another computer I
typed https://192.168.0.90, and it did not work. It works with http://192.168.0.90.
Somebody said, the CN and OU must match the domain name you type after the
https. But still it did not work.
Please help to figure out what is wrong.
Frank Peng.
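A check that helps narrow down a clientAuth="true" failure like the one above: load the Tomcat truststore and the client .p12 with the same KeyStore API Tomcat uses, and confirm that a CA in the truststore actually verifies the client certificate. This is an added diagnostic written for this thread, not code from the original post or from Tomcat; the file paths are taken from the server.xml shown above and the class name and command-line handling are my own choices.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Usage: java ClientCertCheck <truststore.jks> <truststore pass> <client.p12> <p12 export pass>
public class ClientCertCheck {
    public static void main(String[] args) throws Exception {
        // Defaults mirror the server.xml in the thread; the p12 password must be supplied.
        String trustPath = args.length > 0 ? args[0] : "d:/tomcat/conf/truststore-itcilo.jks";
        char[] trustPass = (args.length > 1 ? args[1] : "changeit").toCharArray();
        String p12Path   = args.length > 2 ? args[2] : "santiago.p12";
        char[] p12Pass   = (args.length > 3 ? args[3] : "").toCharArray();

        KeyStore trust = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(trustPath)) { trust.load(in, trustPass); }

        KeyStore client = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(p12Path)) { client.load(in, p12Pass); }

        // The client's own certificate is the entry that also holds a private key.
        X509Certificate clientCert = null;
        for (Enumeration<String> e = client.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (client.isKeyEntry(alias)) clientCert = (X509Certificate) client.getCertificate(alias);
        }
        if (clientCert == null) throw new IllegalStateException("no private-key entry in " + p12Path);

        // The subject DN is what Tomcat's realm compares against tomcat-users.xml for CLIENT-CERT.
        System.out.println("Client subject: " + clientCert.getSubjectX500Principal());
        System.out.println("Issuer        : " + clientCert.getIssuerX500Principal());

        // Tomcat accepts the client only if a CA cert in the truststore verifies its signature.
        boolean trusted = false;
        for (Enumeration<String> e = trust.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            Certificate ca = trust.getCertificate(alias);
            if (!(ca instanceof X509Certificate)) continue;
            X509Certificate caCert = (X509Certificate) ca;
            if (!caCert.getSubjectX500Principal().equals(clientCert.getIssuerX500Principal())) continue;
            try {
                clientCert.verify(caCert.getPublicKey()); // signature made by this CA's key?
                clientCert.checkValidity();               // not expired / not yet valid?
                trusted = true;
                System.out.println("Verified by truststore alias: " + alias);
            } catch (Exception ex) {
                System.out.println("Issuer matched alias " + alias + " but verification failed: " + ex);
            }
        }
        System.out.println(trusted ? "OK: this client cert chains to the truststore"
                                   : "FAIL: no CA in the truststore verifies this client cert");
    }
}
```

A "FAIL" here means the handshake will be rejected by the connector before any page is served, regardless of what the browser reports about the import; a wrong truststore password or p12 export password surfaces as an IOException from load().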