tomcat-users mailing list archives

From "Robert J. Sanford, Jr." <rsanf...@trefs.com>
Subject Installing IIS Certificates in Tomcat?
Date Fri, 08 Aug 2003 22:10:41 GMT
I'm running Tomcat inside of jboss-3.2.1_tomcat-4.1.24 but I think the issue
will be the same independent of that. The platform is Win2K SP3. The plan is
to use Tomcat's HTTP server instead of IIS with the AJP ISAPI connector.
Since all requests are being handled by servlets with no static content, why
even get IIS involved? Anyway...

I attempted to take an existing certificate whose request was generated by
IIS and import it into a keystore and use that as the basis for my SSL
crypto. When I attempted to connect via IE the connection failed (a site not
found error) and the exception tree at the bottom of this message was
generated. I spent a lot of time reading the JBoss SSL docs, reading the
Tomcat SSL docs, searching the Tomcat and JBoss archives, playing with my
configuration, trying to figure out what ciphers were installed, making sure
that the CA certificate (for testing we use an internal CA) was imported
into the keystore, etc., etc., etc. None of it worked. Everything resulted
in the exception chain below or something similar.

Finally, I just decided to go through the instructions for generating a new
local key, a new certificate request, get the certificate from my internal
certificate authority and import everything into a new keystore. It worked
with a minor warning saying that the machine name on the certificate did not
match the actual machine name. I'm not sure how to resolve that immediately
but I don't see that as a major issue right now since this is only for
testing purposes.

My big questions are:
1) Is there any way that I can import an
   existing certificate that was generated
   based on a request originated in IIS
   into my keystore and have that be
   accepted by Tomcat?
2) Or, do I have to go to my IT manager
   and tell him that he needs to go to
   Verisign and get additional
   certificates for IP addresses that
   we already have certificates for?
3) Or, should I just use IIS and the
   existing certificates to front Tomcat?

Many thanks for the assist!

rjsjr

2003-08-07 14:22:55,919 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
javax.net.ssl.SSLHandshakeException: no cipher suites in common
at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:290)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
at java.lang.Thread.run(Thread.java:536)

2003-08-07 14:22:55,939 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA6275)
at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:290)
at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
at java.lang.Thread.run(Thread.java:536)
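Added example, not from the post above and not Tomcat's own code: a Java check of the keystore Tomcat is pointed at, assuming the keystore path, password, type (JKS or PKCS12) and the expected hostname are passed as arguments. It reports whether each alias holds a private key with its certificate chain or only a trusted certificate, whether the key is RSA, and whether the subject CN matches the host; a keystore with no usable private-key entry is the usual reason a JSSE server fails with "no cipher suites in common", and a CN mismatch is what produces the hostname warning.

```java
import java.io.FileInputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;

// Assumed usage: java KeystoreCheck <keystore> <password> <JKS|PKCS12> <hostname>
public class KeystoreCheck {
    public static void main(String[] args) throws Exception {
        char[] pw = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance(args[2]);
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, pw);
        }
        boolean usableKey = false;
        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();
            if (!ks.isKeyEntry(alias)) {
                // A certificate imported by itself lands here: it can verify peers but gives the server nothing to sign with.
                System.out.println(alias + ": trusted certificate only, no private key");
                continue;
            }
            Key key = ks.getKey(alias, pw); // Tomcat needs the key password to equal the store password
            Certificate[] chain = ks.getCertificateChain(alias);
            X509Certificate leaf = (X509Certificate) chain[0];
            System.out.println(alias + ": key entry, " + key.getAlgorithm() + " key, chain length " + chain.length + ", subject " + leaf.getSubjectX500Principal());
            // Browsers negotiate RSA suites; a DSA key (keytool's default when -keyalg is omitted) matches none of them.
            if (!"RSA".equals(key.getAlgorithm())) {
                System.out.println("  WARNING: key is not RSA");
            }
            if (!subjectCn(leaf).equalsIgnoreCase(args[3])) {
                System.out.println("  WARNING: certificate CN '" + subjectCn(leaf)
                    + "' does not match " + args[3]);
            }
            usableKey = true;
        }
        if (!usableKey) {
            System.out.println("No private-key entry: JSSE has no server certificate to offer, so the handshake fails with 'no cipher suites in common'");
        }
    }

    // Returns the CN attribute of the subject DN (RFC 2253 form, split naively on commas), or "" if absent.
    static String subjectCn(X509Certificate cert) {
        for (String part : cert.getSubjectX500Principal().getName().split(",")) {
            if (part.trim().toUpperCase().startsWith("CN=")) return part.trim().substring(3);
        }
        return "";
    }
}
```

Run it against the keystore named in the Connector's keystoreFile attribute; an IIS certificate exported together with its private key as a PKCS#12 file can be checked the same way with PKCS12 as the type argument.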

