tomcat-users mailing list archives

From "QUERTEMONT Christophe" <cquertem...@offshoretek.com>
Subject RE: Tomcat + SSL + IO Taglib
Date Wed, 21 Aug 2002 11:29:02 GMT
Great, thanks a lot for your help !!!

-----Original Message-----
From: Andreas Mohrig [mailto:andreas.mohrig@cadooz.de] 
Sent: mercredi 21 août 2002 12:28
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


First of all, since you are trying to get a resource from the server
itself, it might be completely sufficient to use http instead of https,
i.e. the url

http://localhost:8080//Cache?newsServer=moreover_news&newsFeedName

should work (assuming standard configuration). You won't have to bother
with ssl then, which should be acceptable, because the data in question
will be sent over the server's loopback interface only (and therefore
should not be in danger of being monitored, as long as your server
hasn't been hacked).

If you still want to use ssl, though, there is quite a long way to go:

It seems you have tomcat configured to accept ssl at port 8443, and now
you want to get something from it from within a jsp page with this url:

https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName

In order for this to succeed, the code executing your jsp will act quite
similar to a normal webbrowser and attempt to connect to the server
given in the url (which could as well be any other server reachable over
your network). What follows is an ssl-handshake: The server presents its
certificate and a key to encrypt the data transfer is exchanged. This key
is normally signed by some CA (certificate authority, like Thawte or
VeriSign) so that the client can trust that no one just pretends to be
who he says he is (e.g. a bank or something like this) and can decide
based on that whether he wants to transfer confidential information (like a
credit card number for example) to this server. 

I'm sure you have seen warnings from your browser when these
certificates are not perfectly ok, when they have expired or are not
issued for the right server(-name). Your browser will ask if you wish to
accept this and continue to connect nevertheless. (What do you see if
you enter the above URL into your browser, with "localhost" replaced by
whatever address your server is reachable at?)

This is what happens to your jsp-code too, because your self-generated
server-key (which you created with "keytool -genkey -alias tomcat
-keyalg RSA", -genkey creates a key, not a keystore) is not signed by
anyone trusted by normal java distributions. But instead of giving the
opportunity to accept this nevertheless, the process fails, because
there is no one there to interactively give his ok.

This is all the background I can give you in relatively short time,
since the process to sign such a key and to import the certificate is
quite complex (if you do not want to spend money for someone officially
signing your key). And I'm afraid I don't know how to accept such
certificates nevertheless.

If you need advice on how to become your own CA, how to sign your key
and import the CA's key into your keystore, I could provide you with
some notes, but don't expect this will be easy.

greetings

Andreas Mohrig
-----Original Message-----
From: QUERTEMONT Christophe [mailto:cquertemont@offshoretek.com]
Sent: Wednesday, August 21, 2002 12:02 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


Thanks for your quick answer !

But I have never worked with SSL before, so I am getting a little
confused. 
How can I get a certificate for my server ? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Everything works fine except for the taglibs?

-----Original Message-----
From: Andreas Mohrig [mailto:andreas.mohrig@cadooz.de] 
Sent: mercredi 21 août 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server-name instead of "localhost",
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: This has nothing to do with client authentication, since
your server does seem to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-----Original Message-----
From: Andreas Mohrig [mailto:andreas.mohrig@cadooz.de]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name ("localhost"). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig
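The handshake and trust failure Andreas describes above, and the keystore import he recommends, shown in code. This is an added example, not code from the thread or from the Jakarta IO taglib: a small Java client that fetches the same kind of URL through an explicit truststore, which is what the taglib's underlying HttpsURLConnection does implicitly with the JVM's default truststore. The host name news.example.com, the truststore path, the alias tomcat and the password changeit are assumptions for illustration.

```java
// Added example (not from the thread): fetch a URL from a Tomcat instance that
// uses a self-signed certificate, trusting it through an explicit truststore
// instead of the JVM's default cacerts. Host name, paths, alias and password
// below are assumptions for illustration.
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.io.Reader;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

public class TrustedFetch {

    /**
     * Builds an SSLContext whose trust anchors are exactly the certificates in
     * the given JKS truststore. Nothing else (not even the default cacerts) is
     * trusted, so the server must present a chain ending in one of them.
     */
    static SSLContext contextTrusting(String truststorePath, char[] password) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            trustStore.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // No KeyManager: the client presents no certificate, matching clientAuth="false".
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    /**
     * Fetches the body of an https URL. Throws SSLHandshakeException when the
     * server certificate does not chain to a trusted anchor, which is the
     * same failure the taglib reports as "Couldn't find trusted certificate".
     */
    static String fetch(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // The default HostnameVerifier is deliberately kept: the host in the URL
        // must match the certificate's subject (CN or SAN). That is why
        // "localhost" fails against a certificate issued to the server's real
        // name, and why replacing the verifier with one that returns true is
        // the wrong fix: it would accept any server that has any certificate.
        try (Reader r = new InputStreamReader(conn.getInputStream(), "UTF-8")) {
            StringBuilder sb = new StringBuilder();
            char[] buf = new char[4096];
            int n;
            while ((n = r.read(buf)) != -1) {
                sb.append(buf, 0, n);
            }
            return sb.toString();
        }
    }

    public static void main(String[] args) throws Exception {
        // Assumed host name: the one in the certificate's subject, not "localhost".
        String url = "https://news.example.com:8443/Cache?newsServer=moreover_news&newsFeedName";
        SSLContext ctx = contextTrusting("/opt/tomcat/conf/truststore.jks",
                                         "changeit".toCharArray());
        try {
            System.out.println(fetch(url, ctx));
        } catch (SSLHandshakeException e) {
            System.err.println("TLS trust failure: " + e.getMessage());
        }
    }
}
```

The truststore is produced with the procedure Andreas outlines: export the self-signed certificate from the server keystore (`keytool -export -alias tomcat -keystore ~/.keystore -file tomcat.cer`) and import it into a truststore (`keytool -import -alias tomcat -file tomcat.cer -keystore /opt/tomcat/conf/truststore.jks`). Because the taglib cannot be handed an SSLContext, the equivalent for the JSP case is to make that truststore the JVM default, either by importing tomcat.cer into the JRE's cacerts file or by starting Tomcat with `-Djavax.net.ssl.trustStore=/opt/tomcat/conf/truststore.jks`; JSSE reads that property when no explicit TrustManager is configured. The request must then use the host name in the certificate, exactly as Andreas says.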

-----Original Message-----
From: QUERTEMONT Christophe [mailto:cquertemont@offshoretek.com]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'm connecting to Tomcat using SSL, but without client authentication
(clientAuth="false" in server.xml). 
When I try to use io taglib, here is a JSP example: 

...
<% String url =
   "https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName"; %>
<io:request url="<%=url%>"/>
...

I always get this message: javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO Taglib with a secure website without client
authentication?

Thanks.


--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>


