tomcat-users mailing list archives

From Andreas Mohrig <andreas.moh...@cadooz.de>
Subject RE: Tomcat + SSL + IO Taglib
Date Wed, 21 Aug 2002 10:28:14 GMT
First of all, since you are trying to get a resource from the server itself,
it might be completely sufficient to use http instead of https, i.e. the url

http://localhost:8080//Cache?newsServer=moreover_news&newsFeedName

should work (assuming standard configuration). You won't have to bother with
ssl then, which should be acceptable, because the data in question will be
sent over the server's loopback interface only (and therefore should not be
in danger of being monitored, as long as your server hasn't been hacked).

If you still want to use ssl, though, there is quite a long way to go:

It seems you have tomcat configured to accept ssl at port 8443, and now you
want to get something from it from within a jsp page with this url:

https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName

In order for this to succeed, the code executing your jsp will act quite
similar to a normal web browser and attempt to connect to the server given
in the url (which could as well be any other server reachable over your
network). What follows is an ssl-handshake: The server presents its
certificate and a key to encrypt the data transfer is exchanged. This key is
normally signed by some CA (certificate authority, like Thawte or Verisign)
so that the client can trust that no one just pretends to be who he says he
is (e.g. a bank or something like this) and can decide upon that if he wants
to transfer confidential information (like a credit card number for example)
to this server.

I'm sure you have seen warnings from your browser when these certificates
are not perfectly ok, when they have expired or are not issued for the right
server(-name). Your browser will ask if you wish to accept this and continue
to connect nevertheless. (What do you see if you enter the above URL into
your browser, with "localhost" replaced by whatever address your server is
reachable at).

This is what happens to your jsp-code too, because your self-generated
server-key (which you created with "keytool -genkey -alias tomcat -keyalg
RSA", -genkey creates a key, not a keystore) is not signed by anyone trusted
by normal java distributions. But instead of giving the opportunity to
accept this nevertheless, the process fails, because there is no one there to
interactively give his ok.

This is all the background I can give you in relatively short time, since
the process to sign such a key and to import the certificate is quite
complex (if you do not want to spend money for someone officially signing
your key). And I'm afraid I don't know how to accept such certificates
nevertheless.

If you need advice on how to become your own CA, how to sign your key and
import the CA's key into your keystore, I could provide you with some notes,
but don't expect this will be easy.

greetings

Andreas Mohrig
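As an added illustration that is not part of the thread: the Java code below does what Andreas describes, exporting the self-signed Tomcat certificate into a separate truststore and having the client trust that store, so the handshake succeeds without turning verification off. The file names, the password and the host name are assumptions.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

// Example (not from the thread): fetch a resource from a Tomcat instance whose
// certificate is self-signed, by trusting that one certificate explicitly.
// Assumed preparation with keytool (file names and password are placeholders):
//   keytool -export -alias tomcat -keystore ~/.keystore -file tomcat.cer
//   keytool -import -alias tomcat -file tomcat.cer -keystore truststore.jks
public class SelfSignedFetch {

    // Build an SSLContext that trusts only the certificates in the given truststore,
    // instead of the JRE's default cacerts (which is why "Couldn't find trusted
    // certificate" appears: the self-signed Tomcat cert is in neither).
    static SSLContext contextFor(String truststorePath, char[] password) throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(truststorePath)) {
            ts.load(in, password);
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        // First argument null: no client certificate, matching clientAuth="false".
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    // The default HostnameVerifier is deliberately left in place: the host in the URL
    // must match the name in the certificate, so use the server's real name, not "localhost".
    static String fetch(String url, SSLContext ctx) throws Exception {
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        try (InputStream in = conn.getInputStream()) {
            return new String(in.readAllBytes(), "UTF-8");
        }
    }

    public static void main(String[] args) throws Exception {
        SSLContext ctx = contextFor("truststore.jks", "changeit".toCharArray());
        // "www.example.org" stands in for the name the certificate was issued for.
        String url = "https://www.example.org:8443/Cache?newsServer=moreover_news&newsFeedName";
        System.out.println(fetch(url, ctx));
    }
}
```

Inside Tomcat the same effect can be had by pointing the JVM at the truststore with the standard javax.net.ssl.trustStore system property instead of building the SSLContext by hand.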
-----Original Message-----
From: QUERTEMONT Christophe [mailto:cquertemont@offshoretek.com]
Sent: Wednesday, August 21, 2002 12:02 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


Thanks for your quick answer !

But I have never worked with SSL before, so I am getting a little
confused.
How can I get a certificate for my server ? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Everything works fine except for the taglibs ?

-----Original Message-----
From: Andreas Mohrig [mailto:andreas.mohrig@cadooz.de] 
Sent: Wednesday, 21 August 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server-name instead of "localhost",
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: This has nothing to do with client authentication, since
your server does seem to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-----Original Message-----
From: Andreas Mohrig [mailto:andreas.mohrig@cadooz.de]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name ("localhost"). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-----Original Message-----
From: QUERTEMONT Christophe [mailto:cquertemont@offshoretek.com]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'm connecting to Tomcat using SSL, but without client authentication
(clientAuth="false" in server.xml).
When I try to use io taglib, here is a JSP example :

...
<% String url =
"https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName"; %>
<io:request url="<%=url%>"/>
...

I always get this message : javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO Taglib with a secure website without client
authentication ?

Thanks.


--
To unsubscribe, e-mail:
<mailto:tomcat-user-unsubscribe@jakarta.apache.org>
For additional commands, e-mail:
<mailto:tomcat-user-help@jakarta.apache.org>
