tomcat-users mailing list archives

From stev sutherland <stephenj...@yahoo.com>
Subject About "Direct SSL" with Tomcat as Stand Alone web Server for tomcat SSL experts
Date Fri, 28 Feb 2003 18:14:39 GMT
Hello Tomcat SSL Experts

============================
I read the official documentation on using Tomcat with
SSL Support 

I decided to use your "Direct SSL" solution since we
are running Tomcat 3.2.3 as a stand alone product.
I was wondering if you know about a related bug in
which sometimes (a 1:15 ratio) the page comes up "not
found". 

I noticed this problem happens only after I implement
the "Direct SSL" solution (which involves recompiling
webserver.jar with ANT for SSL support ).

Do you know what this problem might be related to?

This problem occurs at a 1:15 ratio when we access the
server via both https and http

(My guess is  a - webserver.jar bug resulting from my
recompilation of webserver.jar with ANT for security
support.  But I could be wrong  )

 -------------------------------
By the way here are the full set of instructions that
we used to implement the SSL solution with Tomcat
after recompiling the webserver.jar file with ANT .
-----------------------------------
DIRECTIONS FOR SETTING UP SSL WITH TOMCAT/PORTAL
===================================================

PREPARE THE PORTAL SERVER
---------------------------

1. ADD SECURITY JAR FILES TO TOMCAT LIB DIRECTORY
-----------------------------------------------
first put the following jar files in C:\Program Files\folder1\folder2\tomcat\lib
-- jcert.jar 
-- jnet.jar
-- jsse.jar 
-- webserver.jar 

also place these files in %JAVA_HOME%\jre\lib\ext

Add %JAVA_HOME%\jre\lib\ext\jsse.jar to the CLASSPATH
env variable

You can download the first three security jar files
from the java web site. 
webserver.jar is special because we had to re-compile
this jar file using ANT and the 3 jar files. 
As a result of using ANT, webserver.jar now has
special security options that makes SSL possible. 
We can simply send you our webserver.jar file so that
you will not have to rebuild it with ANT. 


2. PREPARE SERVER.XML 
-------------------------------
Go to C:\Program Files\folder1\folder2\tomcat\conf\server.xml and
uncomment the server.xml options as seen below.

        <Connector className="org.apache.tomcat.service.PoolTcpConnector">
            <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
            <Parameter name="port" value="8443"/>
            <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
            <Parameter name="keystore" value="<THE FILE CREATED FOR YOUR KEYSTORE>" />
            <Parameter name="keypass" value="changeit"/>
            <Parameter name="clientAuth" value="false"/>
        </Connector>

3. ADD JSSE, JNET, JCERT.JAR FILE TO TOMCAT CLASSPATH
------------------------------------------------------
SET
TOMCAT_JAR=%TOMCAT_LIB%\jasper.jar;%TOMCAT_LIB%\servlet.jar;%TOMCAT_LIB%\webserver.jar;%TOMCAT_LIB%\jsse.jar;%TOMCAT_LIB%\jnet.jar;%TOMCAT_LIB%\jcert.jar


4. ADD THE SECURITY PROVIDER TO THE JAVA.SECURITY
PROPERTIES FILE
--------------------------------------------------------------------

 Edit %JAVA_HOME%/jre/lib/security/java.security
 Add:

security.provider.2=com.sun.net.ssl.internal.ssl.Provider


5. PREPARE YOUR CSR WHICH YOU WILL SEND 
----------------------------------------
	* Generate key: 
	* Use the attached cmd file genkey
	genkey <keystore Name>

	* Generate CSR: 
	certgen <keystore Name>

THIS IS WHAT THE DOS OUTPUT SHOULD LOOK LIKE  

C:\>keytool -genkey -alias alias<keystore Name> -keysize 1024 -validity 365 -keyalg RSA -keystore c:\<keystore Name>
Enter keystore password:  changeit
What is your first and last name?
  [Unknown]:  <Fully qualified name of your server>
What is the name of your organizational unit?
  [Unknown]:  <Use your keystore name>
What is the name of your organization?
  [Unknown]:  XXXXXXX
What is the name of your City or Locality?
  [Unknown]:  XXXXXXXX
What is the name of your State or Province?
  [Unknown]:  <DO NOT ABBREVIATE YOUR STATE OR PROVINCE OR VERISIGN WILL REJECT IT>
What is the two-letter country code for this unit?
  [Unknown]:  XX
Is <CN=portalssl.learningideas.com, OU=learningideas, O=learningideas, L=new york, ST=new york, C=US> correct?
  [no]:  y

Enter key password for <keystore Name>
        (RETURN if same as keystore password): 
changeit

C:\>keytool -certreq -alias alias<keystore Name> -file c:\<keystore Name>.csr -keystore <keystore Name>
Enter keystore password:  changeit



6. GET THE SECURE SERVER ID FROM VERISIGN
------------------------------------------
You will need to get a Secure Server ID from Verisign
which you can get free for 14 days.
STEP #1: Go to https://www.verisign.com/
STEP #2: Click on "Get SSL Site Security >>"
STEP #3: You will see a box entitled "Enable
e-commerce with Commerce Site Services"
STEP #4: Click Try 

STEP #5: Fill out the form with your name, company
name etc.  

STEP #6: Click Continue

STEP #7: Follow the instructions.
             STEP 1 of 5 asks you to generate a CSR for that machine.
             You may have generated the CSR in the previous step.
  

STEP#8: Copy and paste your CSR contents into the
textarea that they provide.
Your CSR will be stored in your root directory.
Example:  C:\>STEPHENSCSR3.csr

They will email you the Test Server ID aka certificate
in 1 hour. You will use it in the next step. 

STEP#9: Download the browser certificate
(getcacert.cer) file from the emailed faq hyperlink.

STEP#10: You will install this in the test browsers
AND the keystore that you created above.

INSTALLING IT INTO THE BROWSER
-------------------------------- 
The reason that you install the certificate 
(getcacert.cer)  into browser is so that you can view
your trial SSL encrypted web page.

1. To install it, just right click on the big E for
internet explorer.
2. left click on properties
3. click the Content Tab
4. click the certificates button
5. click the trusted root certificate authority tab.
6. click import button below.
7. click next browse to getcacert.cer which you just
downloaded
you will have to change the file types drop down menu
to X.509 to view .cer


STEP#11 IMPORT YOUR CERTIFICATE INTO THE KEYSTORE
----------------------------------------------------
At the bottom of the email that you received from
verisign you will see the certificate. 
It looks like this 

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

1. COPY AND PASTE IT INTO A NOTEPAD FILE Called for
example learningideas.cer

2. YOU WILL HAVE TO EDIT IT FOR IT TO WORK WITH
TOMCAT********************
CHANGE THE BEGIN AND END MARKERS TO LOOK LIKE THIS.
AND Put 2 carriage returns at the end of the file.

-----BEGIN PKCS#7-----
-----END PKCS#7-----

3. put the modified certificate file in the root -
Name it C:/certificatetomcat<keystore Name>.cer so the
batch file will work 

keyimp <keystore Name>


POSSIBLE ERRORS
----------------
If you tried to copy and save the certificate into
WordPad, you would have added lots of characters to
the file, making the certificate no longer valid. 

SOLUTION
-----------
Please re-copy the text from your verisign email and
save it in notepad. 
 
======================================================
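Added example, not part of the original post and not Tomcat's or keytool's own code: a Python check to run on the certificate file before the keyimp step, covering the failure modes the post describes (wrong BEGIN/END markers, WordPad/RTF debris in the base64 body, a missing trailing newline, a truncated body). The PEM samples are constructed (a minimal DER SEQUENCE, not a real certificate) and the helper names are mine.

```python
# Added example (not from the original post): sanity-check a PEM/PKCS#7
# certificate file before importing it into the keystore with keytool.
import base64
import re

MARKERS = ("CERTIFICATE", "PKCS#7")
B64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")

# Constructed samples: a minimal DER SEQUENCE (not a real cert), plain and as WordPad's RTF would wrap it.
GOOD_PEM = "-----BEGIN PKCS#7-----\nMAMCAQU=\n-----END PKCS#7-----\n\n"
RTF_PEM = "{\\rtf1\\ansi\n-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n}"


def der_length(data: bytes):
    """Return (declared length, header size) of a DER TLV, or None if malformed."""
    if len(data) < 2:
        return None
    first = data[1]
    if first < 0x80:                      # short form: one length byte
        return first, 2
    n = first & 0x7F                      # long form: next n bytes hold the length
    if n == 0 or len(data) < 2 + n:
        return None
    return int.from_bytes(data[2:2 + n], "big"), 2 + n


def check_pem_certificate(text: str) -> list:
    """Return the problems found; an empty list means the file looks importable."""
    problems = []
    stripped = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not stripped: return ["file is empty"]
    begin, end = stripped[0], stripped[-1]
    kind = next((m for m in MARKERS if begin == f"-----BEGIN {m}-----"), None)
    if kind is None:
        problems.append(f"unexpected first line: {begin!r}")
    elif end != f"-----END {kind}-----":
        problems.append(f"END marker does not match BEGIN marker: {end!r}")
    body = stripped[1:-1] if kind else stripped
    bad = [ln for ln in body if not B64_LINE.match(ln)]
    if bad:
        problems.append(f"non-base64 content in body (editor debris?): {bad[0][:40]!r}")
        return problems                   # decoding would be meaningless
    try:
        der = base64.b64decode("".join(body), validate=True)
    except ValueError as exc:
        return problems + [f"base64 decoding failed: {exc}"]
    tlv = der_length(der)
    if tlv is None or der[0] != 0x30 or sum(tlv) != len(der):
        problems.append("decoded data is not one DER SEQUENCE (truncated or altered)")
    if not text.endswith("\n"):
        problems.append("no trailing newline at end of file")
    return problems
```

Run check_pem_certificate on the text of the saved .cer file; an empty result means the markers, base64 body, outer DER length and trailing newline all check out.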

