Hello,
I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on
a Sun Solaris 10 (Sparc) but it turns out that this appears not to
be an easy task.
Hopefully you guys can shed some light on this. Basically I do have
a Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with
the SSL ciphers or certificate itself. Hopefully somebody knows what
to do; this has been giving me a headache for many hours now.
Here is what I did (steps taken from
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing
the Certificate"), please
note that I removed IPs, hostnames etc. to protect the innocent:
1) Import of the Verisign root cert into my keystore:
$ keytool -import -alias root -keystore wstest -trustcacerts -file
verisign.crt
Enter keystore password: XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3,
OU="VeriSign, Inc.", O=VeriSign Trust Network
[ ... ]
Certificate was added to keystore
2) Import of my Verisign-signed SSL certificate:
$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file
mysystem.crt
Enter keystore password: XXX
[ ... ]
Certificate was added to keystore
3) Change of my Tomcat configuration in server.xml to use the new
keystore and SSL cert:
<Connector port="8443" maxHttpHeaderSize="16384"
address="myhostname" enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
maxKeepAliveRequests="100"
scheme="https" secure="true" clientAuth="false"
compression="8192"
compressableMimeType="text/javascript,text/css"
keystoreFile="/usr/local/tomcat/conf/wstest"
keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>
4) Restart of Tomcat and review of Tomcat log file:
# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out
[...]
INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
at org.apache.catalina.connector.Connector.start(Connector.java:1089)
at org.apache.catalina.core.StandardService.start(StandardService.java:459)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
However my keystore DOES contain my two keys (Verisign's key as well
as my SSL cert):
# keytool -list --keystore wstest -v
Enter keystore password: XXX
Keystore type: jks
Keystore provider: SUN
Your keystore contains 2 entries
Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97
VeriSign, OU=VeriSign International Server CA - Class 3,
OU="VeriSign, Inc.", O=VeriSign Trust Network
[...]
*******************************************
*******************************************
Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry
Owner: CN=myhostname, ...
[...]
*******************************************
*******************************************
Here is the first problem: Why does my alias "tomcat" not identify a
key entry in the keystore? It does exist, doesn't it?
5) Now to get around this problem, I removed the "keyAlias"
directive from the Tomcat config, which now looks like this:
<Connector port="8443" maxHttpHeaderSize="16384"
address="myhostname" enableLookups="false"
disableUploadTimeout="true" acceptCount="100"
maxKeepAliveRequests="100"
scheme="https" secure="true" clientAuth="false"
compression="8192"
compressableMimeType="text/javascript,text/css"
keystoreFile="/usr/local/tomcat/conf/wstest"
keystorePass="XXX" sslProtocol="TLS"
/>
6) Then I restarted Tomcat and here is what I get in the logs:
# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out
[...]
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
at java.lang.Thread.run(Thread.java:595)
Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint
acceptSocket
WARNING: Reinitializing ServerSocket
Another problem. Any ideas?
7) Then I tried to change the sslProtocol to SSL (rather than TLS)
but that didn't change anything. The file permissions of the certs
are okay,
they are all world-readable.
So guys any ideas on how to solve this? Has anyone ever encountered
this problem? I searched on Google but I really was unable to
find a proper solution.
Any input is greatly appreciated. Thank you very much.
Best regards,
Werner.
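An added example, not from the post or the Tomcat documentation: a small pure-Python reader of the JKS entry table that reports, per alias, whether an entry is a key entry (private key plus certificate chain) or a trusted certificate. That distinction is exactly what the "does not identify a key entry" check in Tomcat's JSSE socket factory is about, and the entry layout of a JKS file is not encrypted, so no password is needed to read it. The sample keystores at the bottom are constructed placeholders (fake DER bytes, zeroed integrity digest), not real certificates.

```python
import struct

JKS_MAGIC, KEY_TAG, CERT_TAG = 0xFEEDFEED, 1, 2  # JKS magic and on-disk entry tags

def _utf(buf, pos):  # Java writeUTF: 2-byte big-endian length, then the bytes
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n
def _skip_blob(buf, pos):  # 4-byte length, then opaque bytes (DER cert or encrypted key)
    return pos + 4 + struct.unpack_from(">I", buf, pos)[0]

def jks_entry_types(data):
    """Map alias -> entry type; JKS only encrypts private keys, the entry table is plain."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a JKS v2 keystore")
    pos, entries = 12, {}
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _utf(data, pos + 4)
        pos += 8  # creation timestamp (int64 ms), the "Creation date" keytool prints
        if tag == KEY_TAG:  # keytool lists this as keyEntry / PrivateKeyEntry
            pos = _skip_blob(data, pos)  # encrypted PKCS#8 private key
            (chain,) = struct.unpack_from(">I", data, pos)
            pos += 4
            for _ in range(chain):  # certificate chain: type string + DER blob each
                pos = _skip_blob(data, _utf(data, pos)[1])
            entries[alias] = "PrivateKeyEntry"
        elif tag == CERT_TAG:  # keytool lists this as trustedCertEntry
            pos = _skip_blob(data, _utf(data, pos)[1])
            entries[alias] = "trustedCertEntry"
        else:
            raise ValueError("unsupported entry tag %d" % tag)
    return entries

def key_alias_usable(data, alias):
    """What a JSSE key manager needs from keyAlias: a key entry, not a trusted cert."""
    return jks_entry_types(data).get(alias) == "PrivateKeyEntry"

# Constructed sample keystores (placeholder DER bytes, no real keys, digest left zeroed).
def _utf_enc(s):
    return struct.pack(">H", len(s)) + s.encode()
FAKE_CERT = _utf_enc("X.509") + struct.pack(">I", 3) + b"\x30\x01\x00"
def _cert_entry(alias):
    return struct.pack(">I", CERT_TAG) + _utf_enc(alias) + bytes(8) + FAKE_CERT
def _key_entry(alias):  # encrypted key blob followed by a 2-certificate chain
    return (struct.pack(">I", KEY_TAG) + _utf_enc(alias) + bytes(8)
            + struct.pack(">I", 4) + b"\x30\x02\x00\x00" + struct.pack(">I", 2) + 2 * FAKE_CERT)
def _jks(*entries):
    return struct.pack(">III", JKS_MAGIC, 2, len(entries)) + b"".join(entries) + bytes(20)

IMPORT_ONLY = _jks(_cert_entry("root"), _cert_entry("tomcat"))  # two -import runs, no key pair
WITH_KEY = _jks(_cert_entry("root"), _key_entry("tomcat"))      # "tomcat" created with -genkey
```

Run it against a real keystore with `key_alias_usable(open("wstest", "rb").read(), "tomcat")`; a keystore populated only by `keytool -import` yields trustedCertEntry for every alias, which is the state the first stack trace reports.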