Hello Filip,

thanks a lot for all your support. No, that's something I already tried. When importing the Verisign root cert in my cacerts file and then importing the signed cert in my keystore, it seems to be able to build a certificate chain because I am no longer being asked whether I would like to trust the certificate. However, when using that keystore then in Tomcat (which only contains my signed cert), I am getting the second error ("No available certificate or key corresponds to the SSL cipher suites which are enabled.").

Any more ideas?

Bye,
Seb

----- Original Message ----- From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias="root" is not taking effect, as the container complains about not finding one named "tomcat"

could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the "tomcat" alias, leave the "root" alias in there.

Filip

Werner Schalk wrote:
Hello,

setting keyAlias="root" did not change anything. Then I downloaded the latest version of Tomcat, added the Verisign cert to my cacerts file and imported my Verisign-signed SSL certificate into a new keystore. Unfortunately that does not change my situation: Either Tomcat is unable to find my alias in the keystore file (if I specify a keyAlias) or there appears to be a problem with the SSL ciphers or certificate itself (if I don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are (see further below):

1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)

2/without keyAlias directive:
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

Any more ideas? Is the problem maybe caused because I am creating a new keystore and the key of the Verisign-signed certificate is in a separate file (my colleague deleted the original keystore file)? Are we screwed now?

Thank you. Any input is greatly appreciated.

Bye,
Werner.

----- Original Message ----- From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


did you set
keyAlias="root" in server.xml

Werner Schalk wrote:
Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on Sun Solaris 10 (Sparc), but it turns out that this appears not to be an easy task. Hopefully you guys can shed some light on this. Basically I have a Verisign-signed SSL certificate which I would like to add to my existing Tomcat config. Now, after spending hours tweaking the config, I face two problems: either Tomcat is unable to find my alias in the keystore file, or there appears to be a problem with the SSL ciphers or the certificate itself. Hopefully somebody knows what to do; this has been giving me a headache for many hours now.

Here is what I did (steps taken from http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the Certificate"); please note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt
Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file mysystem.crt
Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new keystore and SSL cert:

<Connector port="8443" maxHttpHeaderSize="16384"
           address="myhostname" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" maxKeepAliveRequests="100"
           scheme="https" secure="true" clientAuth="false"
           compression="8192"
           compressableMimeType="text/javascript,text/css"
           keystoreFile="/usr/local/tomcat/conf/wstest"
           keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
        at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
        at org.apache.catalina.connector.Connector.start(Connector.java:1089)
        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However my keystore DOES contain my two keys (Verisign's key as well as my SSL cert):

# keytool -list --keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[...]

*******************************************
*******************************************

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

*******************************************
*******************************************

Here is the first problem: Why does my alias "tomcat" not identify a key entry in the keystore? It does exist, doesn't it?

5) Now, to get around this problem, I removed the "keyAlias" directive from the Tomcat config, which now looks like this:

<Connector port="8443" maxHttpHeaderSize="16384"
           address="myhostname" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" maxKeepAliveRequests="100"
           scheme="https" secure="true" clientAuth="false"
           compression="8192"
           compressableMimeType="text/javascript,text/css"
           keystoreFile="/usr/local/tomcat/conf/wstest"
           keystorePass="XXX" sslProtocol="TLS"
/>

6) Then I restarted Tomcat and here is what I get in the logs:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.

        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
WARNING: Reinitializing ServerSocket

Another problem. Any ideas?

7) Then I tried to change the sslProtocol to SSL (rather than TLS), but that didn't change anything. The file permissions of the certs are okay; they are all world-readable.

So guys, any ideas on how to solve this? Has anyone ever encountered this problem? I searched on Google but I really was unable to find a proper solution.

Any input is greatly appreciated. Thank you very much.

Best regards,
Werner.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
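The keytool listing in Werner's first message already shows the root cause: both "root" and "tomcat" are reported as "Entry type: trustedCertEntry". A "keytool -import" into an alias that holds no private key stores the certificate as a trusted-certificate entry, and Tomcat 5.5's JSSE14SocketFactory raises "Alias name tomcat does not identify a key entry" whenever KeyStore.isKeyEntry(keyAlias) is false. The private key belongs to the original keystore created with "keytool -genkey"; the CA reply has to be imported into that same keystore under that same alias, so that the key entry gains the certificate chain. The following script, an added example and not code from the thread or from Tomcat, parses a version-2 JKS container directly (the "Keystore type: jks" format listed above) and applies Tomcat's two checks to it. The function and constant names are the example's own, the sample keystores are constructed inline from placeholder DER bytes rather than real certificates, and the parser deliberately never decrypts or decodes anything.

```python
import hashlib
import hmac
import struct
import time

# JKS container constants (the "Keystore type: jks" format that keytool listed in the thread)
JKS_MAGIC = 0xFEEDFEED
PRIVATE_KEY_ENTRY = 1      # created by "keytool -genkey"; carries the private key plus chain
TRUSTED_CERT_ENTRY = 2     # created by "keytool -import" into a fresh alias; certificate only
ENTRY_NAMES = {PRIVATE_KEY_ENTRY: "PrivateKeyEntry", TRUSTED_CERT_ENTRY: "trustedCertEntry"}

def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b

def _read_utf(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n].decode("utf-8"), pos + 2 + n

def _read_blob(buf, pos):
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def _keyed_hash(password, body):
    # JKS integrity digest: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()

def build_jks(entries, password):
    """Serialise a version-2 JKS. entries: (alias, tag, key_blob_or_None, [cert_der, ...])."""
    out = struct.pack(">III", JKS_MAGIC, 2, len(entries))
    for alias, tag, key_blob, certs in entries:
        out += struct.pack(">I", tag) + _utf(alias) + struct.pack(">Q", int(time.time() * 1000))
        if tag == PRIVATE_KEY_ENTRY:
            out += struct.pack(">I", len(key_blob)) + key_blob   # password-protected PKCS#8 blob
            out += struct.pack(">I", len(certs))                 # chain length
        for der in certs:
            out += _utf("X.509") + struct.pack(">I", len(der)) + der
    return out + _keyed_hash(password, out)

def parse_jks(data):
    """Return ([(alias, entry_type, cert_count)], digest_offset) without touching any key."""
    magic, version, count = struct.unpack_from(">III", data, 0)
    if magic != JKS_MAGIC or version != 2:
        raise ValueError("not a version-2 JKS keystore (PKCS12 stores use a different format)")
    pos, entries = 12, []
    for _ in range(count):
        (tag,) = struct.unpack_from(">I", data, pos)
        alias, pos = _read_utf(data, pos + 4)
        pos += 8                                  # creation timestamp, milliseconds
        ncerts = 1
        if tag == PRIVATE_KEY_ENTRY:
            _, pos = _read_blob(data, pos)        # encrypted private key, skipped unread
            (ncerts,) = struct.unpack_from(">I", data, pos)
            pos += 4
        for _ in range(ncerts):
            _, pos = _read_utf(data, pos)         # certificate type, "X.509"
            _, pos = _read_blob(data, pos)        # DER certificate, not decoded here
        entries.append((alias, ENTRY_NAMES.get(tag, str(tag)), ncerts))
    return entries, pos

def verify_integrity(data, password):
    """True if the trailing SHA-1 matches the store password (the check keytool makes on open)."""
    _, pos = parse_jks(data)
    return hmac.compare_digest(_keyed_hash(password, data[:pos]), data[pos:pos + 20])

def tomcat_key_check(data, key_alias=None):
    """Reproduce the two startup failures from the thread: keyAlias set, and keyAlias absent."""
    kinds = {alias: kind for alias, kind, _ in parse_jks(data)[0]}
    if key_alias is not None:
        # Tomcat 5.5 tests KeyStore.isKeyEntry(keyAlias); a trustedCertEntry fails that test
        if kinds.get(key_alias) != "PrivateKeyEntry":
            return "Alias name %s does not identify a key entry" % key_alias
        return "OK: %s is a PrivateKeyEntry" % key_alias
    keys = [a for a, k in kinds.items() if k == "PrivateKeyEntry"]
    if not keys:
        # With no private key anywhere, JSSE cannot pick a certificate for any cipher suite
        return "No available certificate or key corresponds to the SSL cipher suites which are enabled."
    return "OK: key entries " + ", ".join(keys)

# Constructed sample data (not real certificates): short DER placeholders stand in for the
# CA cert, the server cert and the encrypted key; the parser never decodes them.
FAKE_CA_DER = b"\x30\x03\x02\x01\x01"
FAKE_LEAF_DER = b"\x30\x03\x02\x01\x02"
FAKE_KEY_BLOB = b"\x30\x05\x02\x01\x00\x05\x00"
PASSWORD = "changeit"

# The store from the thread: both aliases were created with "keytool -import"
WERNER_KEYSTORE = build_jks([
    ("root", TRUSTED_CERT_ENTRY, None, [FAKE_CA_DER]),
    ("tomcat", TRUSTED_CERT_ENTRY, None, [FAKE_LEAF_DER]),
], PASSWORD)

# A usable store: "tomcat" holds the private key, with the CA reply imported under that alias
FIXED_KEYSTORE = build_jks([
    ("root", TRUSTED_CERT_ENTRY, None, [FAKE_CA_DER]),
    ("tomcat", PRIVATE_KEY_ENTRY, FAKE_KEY_BLOB, [FAKE_LEAF_DER, FAKE_CA_DER]),
], PASSWORD)

if __name__ == "__main__":
    for name, ks in (("thread", WERNER_KEYSTORE), ("fixed", FIXED_KEYSTORE)):
        print(name, parse_jks(ks)[0])
        print("  keyAlias=tomcat:", tomcat_key_check(ks, "tomcat"))
        print("  no keyAlias:    ", tomcat_key_check(ks))
        print("  password ok:    ", verify_integrity(ks, PASSWORD))
```

To run it against a real store, pass the file contents: tomcat_key_check(open("/usr/local/tomcat/conf/wstest", "rb").read(), "tomcat"). The parser only understands the FEEDFEED JKS container; keytool from Java 9 onwards writes PKCS12 by default, and those files are rejected with a ValueError rather than misread. The practical consequence for the thread is that no keystore built solely with "keytool -import" can ever serve TLS: the working sequence is "keytool -genkey -alias tomcat -keystore ks" (creates the PrivateKeyEntry), "keytool -certreq -alias tomcat -keystore ks" (CSR for the CA), then "keytool -import -trustcacerts -alias tomcat -keystore ks -file reply.crt" into the same keystore and alias. If the keystore that held the private key has been deleted and there is no backup, the signed certificate cannot be used and must be reissued for a freshly generated key pair.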