tomcat-users mailing list archives

From Ken Anderson ...@pacific.net>
Subject Re: Tomcat SSL Setup
Date Wed, 18 Dec 2002 23:23:04 GMT


Justin L. Spies wrote:
> Ken,
> Thanks for the hints.  Since they (Apache/Tomcat) are running on the
> same system at this point, that won't be an issue.  Could you point me
> in the direction of some documentation that would help me get this set up?
> I've set up mod_jk with standard Apache before and it has been
> straightforward.  I am assuming that Apache handles the encryption/decryption
> and passes the requests off to Tomcat via the connector AFTER it
> decrypts the request--is this correct?

That is correct.

I have only set up ssl with mod_webapp, and it's just a matter of adding 
duplicate WebAppDeploy statements to the ssl <Virtualhost 
xx.xx.xx.xx:443> section in httpd.conf

I'd assume it's the same with mod_jk: since the autogenerated 
mod_jk.conf contains the non-ssl virtualhost section, you'd just need to 
mirror that with an ssl virtualhost section in the file by adding a 
duplicate <Host hostname:443> section to server.xml for the ssl 
virtualhost. There may be gotchas to this that I'm not aware of with jk, 
since I have not used it with apache & ssl before.

You'd also probably want to disable the coyote connector on port 8080 in 
server.xml too.

Ken


> Sincerely,
> Pantek Incorporated
> Justin L. Spies
> 
> URI: http://www.pantek.com
> Ph   440.519.1802
> Fax  440.248.5274
> Cell 440.336.3317
> 
> 
> -----Original Message-----
> From: Ken Anderson [mailto:ka@pacific.net] 
> Sent: Wednesday, December 18, 2002 4:51 PM
> To: Tomcat Users List
> Subject: Re: Tomcat SSL Setup
> 
> 
> Have you considered the advantages of using one of the apache connectors
> instead of tomcat standalone for SSL support?
> 
> I fought with Tomcat ssl support a couple years ago, and was unable to 
> get it to work. I'm sure the support is there now, but ssl support is 
> transparent if you use mod_jk or mod_webapp with Apache, and it's 
> easier, since you already have all the certificates in place.
> 
> The downside is that the connection between apache and tomcat is NOT 
> encrypted, so if you are running TC and Apache on different servers, 
> this might be an issue.
> 
> Ken A.
> 
> 
> Justin L. Spies wrote:
> 
>>One piece of information I forgot to mention:
>>	O/S:     Red Hat Linux 7.2
>>	Apache:  Custom Compiled 1.3.26
>>	Tomcat:  4.0.4 RPM installation
>>	JSDK:	   j2sdk1.4.0_01
>>
>>Thanks again.
>>
>>Justin L. Spies
>>
>>
>>-----Original Message-----
>>From: Justin L. Spies [mailto:jspies@pantek.com]
>>Sent: Wednesday, December 18, 2002 2:43 PM
>>To: tomcat-user@jakarta.apache.org
>>Subject: Tomcat SSL Setup
>>
>>
>>Hello all,
>>I've been working on getting SSL configured for Tomcat and seem to be 
>>having a small problem.  I must be mistyping something because the 
>>only thing I get back from Netscape 7.0 is:
>>	"Netscape 7.0 and www.mydomain.com cannot communicate securely 
>>because they have no common encryption algorithms."
>>
>>Here is what I have done so far:
>>
>>1.	I changed /etc/tomcat4/server.xml and uncommented the following:
>>
>>    <Connector className="org.apache.catalina.connector.http.HttpConnector"
>>               port="8443" minProcessors="5" maxProcessors="75"
>>               enableLookups="true"
>>               acceptCount="10" debug="0" scheme="https" secure="true">
>>      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>>               clientAuth="false"
>>               keystoreFile="keystores/mydomain.keystore" keystorePass="xxxxxxxx"
>>               protocol="TLS"/>
>>    </Connector>
>>
>>2.	I ran the following commands to import the Verisign key:
>>	/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias root \
>>	  -keystore /var/tomcat4/keystores/mydomain.keystore  \
>>	  -trustcacerts -file /etc/verisign.key
>>
>>3.	I ran the following commands to import a previously created SSL certificate:
>>	/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias tomcat \
>>	  -keystore /var/tomcat4/keystores/mydomain.keystore  \
>>	  -trustcacerts -file /home/httpd/ssl/www.mydomain.com.cer
>>
>>4.	In /etc/tomcat4/server.xml, I noticed the following:
>>         * Download and install JSSE 1.0.2 or later, and put the JAR files
>>           into "$JAVA_HOME/jre/lib/ext".
>> 
>>	I found jsse.jar in $JAVA_HOME/jre/lib so I ran the following:
>>		ln -s $JAVA_HOME/jre/lib/jsse.jar $JAVA_HOME/jre/lib/ext/jsse.jar
>>
>>5.	I then restarted Tomcat and tried the following URL:
>>	http://www.mydomain.com:8080/examples/servlets/index.html
>>
>>	This was a test simply to make sure Tomcat started properly.  In this
>>it worked fine.
>>
>>6.	I then restarted Tomcat and tried the following URL:
>>	https://www.mydomain.com:8443/examples/servlets/index.html
>>
>>	This test failed with the above error message.
>>
>>
>>Does anyone have any ideas?  Oh, and BTW, I can visit 
>>https://www.mydomain.com/index.html and the home page for the site 
>>comes up in SSL mode without a problem, so I know that the SSL 
>>certificate, under Apache, is working fine.
>>
>>Thanks,
>>Justin L. Spies
>>
>>
>>
>>--
>>To unsubscribe, e-mail: 
>><mailto:tomcat-user-unsubscribe@jakarta.apache.org>
>>For additional commands, e-mail: 
>><mailto:tomcat-user-help@jakarta.apache.org>
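The thread never names the cause of the "no common encryption algorithms" error, so the following is an added check, not something from the list or from either poster. It rests on one fact about keytool: `keytool -import` into an alias that has no existing key pair stores a trustedCertEntry (a certificate only), whereas a TLS connector needs a key entry (printed as `keyEntry` by older JDKs and `PrivateKeyEntry` by newer ones) under the alias it serves from. The script parses a `keytool -list` listing and reports which kind of entry an alias holds; the listing embedded below is constructed to mirror the two aliases in the poster's steps 2 and 3 and is not real output from his system.

```shell
#!/bin/sh
# Added example, not code from the thread: inspect a `keytool -list` listing
# and report whether the alias a Tomcat Connector uses holds a private key.
# keytool prints one "alias, date, entryType," line per entry; older JDKs
# name a key pair "keyEntry", newer ones "PrivateKeyEntry", and a bare
# certificate imported with `keytool -import` is a "trustedCertEntry".

# Constructed sample listing (not real output from the poster's system):
# the two aliases from the thread, both imported as certificates only.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

root, Dec 18, 2002, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Dec 18, 2002, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00'

# entry_type LISTING ALIAS
# Prints the entry type recorded for ALIAS, or "missing" if no such alias.
# The date field varies by JDK and locale, so the type is taken as the last
# comma-separated field rather than a fixed column.
entry_type() {
    printf '%s\n' "$1" | awk -v alias="$2" -F', *' '
        $1 == alias { sub(/,[ \t]*$/, ""); print $NF; found = 1; exit }
        END { if (!found) print "missing" }'
}

# has_private_key LISTING ALIAS
# Succeeds only when ALIAS is a key entry, which is what a TLS connector
# needs; a trustedCertEntry gives the server no key to complete a handshake.
has_private_key() {
    case "$(entry_type "$1" "$2")" in
        keyEntry|PrivateKeyEntry) return 0 ;;
        *) return 1 ;;
    esac
}

# keystore_verdict LISTING ALIAS
# Prints a one-line diagnosis for the alias a Connector would serve from.
keystore_verdict() {
    kind=$(entry_type "$1" "$2")
    case "$kind" in
        keyEntry|PrivateKeyEntry)
            echo "ok: alias '$2' holds a private key ($kind)" ;;
        trustedCertEntry)
            echo "fail: alias '$2' is a certificate only; generate the key pair" \
                 "under this alias (keytool -genkey) before importing the CA reply" ;;
        missing)
            echo "fail: alias '$2' not found in keystore" ;;
        *)
            echo "fail: alias '$2' has unexpected entry type '$kind'" ;;
    esac
}

# Stand-alone run against the constructed listing; on a real host pipe in
#   keytool -list -keystore /var/tomcat4/keystores/mydomain.keystore
keystore_verdict "$SAMPLE_LISTING" tomcat
keystore_verdict "$SAMPLE_LISTING" root
```

Once the `tomcat` alias reports `ok`, `openssl s_client -connect www.mydomain.com:8443` should print the server's certificate chain instead of a handshake failure. Since `keystorePass` sits in clear text in server.xml, that file and the keystore itself should be readable only by the account Tomcat runs as.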