Torleif wrote:
By "default place" I mean /home/user/.keystore
/home/user/.keystore? That's strange. Is it maybe
/home/tomcat/.keystore? Or you have a user "user" on your system? Under
what user did you create .keystore file?
If I choose a different password and modify "server.xml" accordingly it does
not work.
Did you choose the same password for bot keystore AND certificate, as
pointed in the Tomcat docs?
maybe I shuld use this command instead? ( "keytool -genkey -alias tomcat
-keyalg RSA -keystore /home/user/.keystore
-storepass mypassword" ) ??
No, that is not the source of the problem.
I am ok with using "changeit" as password if this is no security risk. No one
has access to my computer, but can they get access through https if they know
the "changeit" password?
Well, anyone could access to you webapps (not to the entire file system)
regardless of the keystore password.
I also have a mailserver on the same ip "citadel" witch uses "webcit" for
webmail.
The ports on my mailserver and Tomcat are different.
Then you can use different certificates.
Regards,
Ognjen
Thanks again for all help!!
Torleif
Wed Nov 04 2009 10:28:22 CET from "Ognjen Blagojevic"
<ogn...@etf.bg.ac.rs> Subject: Re: tomcat https
Torleif wrote:
I am trying to set up tomcat to use https.
I used "keytool -genkey -alias tomcat -keyalg RSA"
If I use "changeit" as password for keystore everything works ok.
If I use a different password it does not work.
I have modified "server.xml" with keystorePass="newpassword"
My .keystore is located in default place.
It could help if you tell us what Tomcat version, OS and version are you
using and what is "default place".
.keystore file should be on the home directory of the user running
Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and
Settings\ognjen\" on Windows XP.
Also note: "Finally, you will be prompted for the key password, which is
the password specifically for this Certificate (as opposed to any other
Certificates stored in the same keystore file). You MUST use the same
password here as was used for the keystore password itself. (Currently,
the keytool prompt will tell you that pressing the ENTER key does this
for you automatically.)" (tomcat SSL docs)
If I use "changeit" as password, will this be a security risk since this
is a widely known password?
The way I see it, the security risk is not too big. .keystore file will
most probably have the same access rights as your server.xml where the
keystore password is stored in cleartext. So, if the unauthorized user
is able to access .keystore file it will also be able to access the
server.xml, and read the keystore password.
However, if your configuration, backup strategy, or anything else
introduces the possibility for unauthorized person to access only the
.keystore file (and not server.xml) - or you are simply paranoid - you
should change the default password.
Also I run a mailserver with https web interface.
Can I use a different https certificate in tomcat or must it be the same
as my mailserver?
It really depends of your configuration.
Are both webmail and Tomcat on the same port? Do you run webmail
application under Tomcat or not? Do you use httpd or not? Do you have
more than one IP address available for the server?
If you use two servers, two different IP addresses OR two different
ports on the same IP address, you can have different certificates. In
other cases, you can't.
Regards,
Ognjen
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
