geronimo-user mailing list archives

From "Christian Svensson" <b...@cmd.nu>
Subject Re: Geronimo, keystores and SSL
Date Fri, 05 Dec 2008 13:59:48 GMT
Hello.

It's a correct assumption that I am using Jetty; I'm using the Geronimo 2.1.3 w/
Jetty package from the website (running with Sun Java 1.6).
I think it's the 3rd step that I'm falling behind on.

This is how I created my setup:

1. Create a new keystore 'plasma-ssl'
2. Create a new private key 'wildcard'
3. Now the text on "Available" says "trust only" or something like that, I
lock it and then unlock it in order for it to change to "1 key ready"
4. Then I configure my HTTPS connector to use the new keystore
5. Since the web server does not seem to do anything when I press "Shutdown"
in the console, I use Ctrl+C to kill it.
6. Start the server again
7. Message appears.

1 to 4 are applied using the web console.

Have I done the step "Unlock keystore 'mykeystore' and private-key 'mykey'
for availability." correctly?

Greetings,

On Fri, Dec 5, 2008 at 9:28 AM, Vamsavardhana Reddy <c1vamsi1c@gmail.com> wrote:

> Hi Christian,
>
> Once you create a new keystore, the keystore is not unlocked for
> availability automatically.  After creating the keystore and private key,
> you need to unlock the keystore for availability.  The unlocked state for
> "availability" of the keystore is persistent. I assume that you are using
> Geronimo Jetty Server.  Here are the steps I tried with Geronimo Jetty 2.1.3
> and had no problem restarting the server.
> 1. Created a new keystore 'mykeystore'.
> 2. Created a private-key 'mykey'.
> 3. Unlock keystore 'mykeystore' and private-key 'mykey' for availability.
> 4. Edit HTTPS web connector to use 'mykeystore'.
> 5. Restart the server.
>
> 6. Unlock 'mykeystore' for editing.
> 7. Change password for 'mykey'.
> 8. Restart the server.
>
> The Geronimo Tomcat server does not use the keystore GBean for HTTPS and
> directly accesses the keystore files.  Also, "the keystore password and
> key password must be the same" is applicable to the G Tomcat server.
>
> Can you tell me the exact version of Geronimo server and the steps you are
> following that are resulting in the problem?
>
>
>
> On Tue, Dec 2, 2008 at 5:48 AM, Christian Svensson <blue@cmd.nu> wrote:
>
>> Hello!
>>
>> I've been trying for the better part of today getting keystores to
>> automatically unlock on startup - with very limited success.
>> Is there something that I should know about keystore password / key
>> password? Digging around some old mailing list threads said something about
>> key password must be equal to keystore password - any more of those gotchas?
>>
>> The problem is that I create (or change password on geronimo-default for
>> that matter) a new keystore, assign SSL to use the certificate and restart
>> the server:
>> org.apache.geronimo.management.geronimo.KeystoreIsLocked: Keystore
>> 'plasma-ssl' is locked; please use the keystore page in the admin console to
>> unlock it
>>         at org.apache.geronimo.security.keystore.FileKeystoreManager.createSSLContext(FileKeystoreManager.java:343)
>>         at org.apache.geronimo.jetty6.connector.GeronimoSelectChannelSSLListener.createSSLContext(GeronimoSelectChannelSSLListener.java:54)
>>
>>
>> Resetting the SSL connector to using geronimo-default / geronimo with
>> secret / secret as passwords makes it work again - but why on earth doesn't
>> Geronimo unlock my keystores on startup? I mean, it saves the password (or
>> something like it) in config.xml.
>>
>> Greetings,
>> --
>> Christian Svensson
>> Command Systems
>>
>
>
>
> --
> Vamsi
>



-- 
Christian Svensson
Command Systems