tomcat-users mailing list archives

From Robert Hall <rfh...@berkeley.edu>
Subject Re: help needed - keytool import of CA certs
Date Tue, 13 Apr 2004 01:03:37 GMT
No, haven't tried it, but I will.
Thanks, again.

Robert

D'Alessandro, Arthur wrote:

>Have you tried the tc4 "org.apache.catalina.net.SSLServerSocketFactory"
><Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
>     address="${jboss.bind.address}" port = "8753" scheme = "https"
>     secure = "true" enableLookups= "true">
>	
>     <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
>     	keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
>     	keystorePass="secret"
>     	clientAuth="false"
>     	protocol = "TLS"/>
></Connector>
> 
>
>The other thing, what does the keystore look like:
>keytool -list -v -keystore hostname.keystore
>
>I am not 100% sure if tomcat requires the cert to be inside of an alias
>of 'tomcat', that is how the tutorials, and how I've implemented ours.
>
>It's not difficult to copy to another alias:
>keytool -keyclone -alias <current alias> -dest tomcat
>
>-----Original Message-----
>From: Robert Hall [mailto:rfhall@berkeley.edu] 
>Sent: Monday, April 12, 2004 8:32 PM
>To: Tomcat Users List
>Subject: Re: help needed - keytool import of CA certs
>
>JBoss has Tomcat embedded and it uses jboss-service.xml instead of 
>Tomcat's server.xml.
>The <Connector> element:
>
><Connector className = "org.apache.coyote.tomcat4.CoyoteConnector"
>     address="${jboss.bind.address}" port = "8753" scheme = "https"
>     secure = "true" enableLookups= "true">
>     <Factory className = "org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>           SSLImplementation="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>           keystoreFile="${jboss.server.home.dir}/conf/hostname.keystore"
>           keystorePass="secret"
>           clientAuth="false"
>           protocol = "TLS"/>
></Connector>
>
>Thanks,
>Robert
>
>D'Alessandro, Arthur wrote:
>
>>I'm not too familiar with JBoss, is it within tomcat?  If so, what does
>>your server.xml connector snippet look like?
>>
>>-----Original Message-----
>>From: Robert Hall [mailto:rfhall@berkeley.edu] 
>>Sent: Monday, April 12, 2004 8:06 PM
>>To: Tomcat Users List
>>Subject: Re: help needed - keytool import of CA certs
>>
>>Arthur,
>>
>>Thanks for the reply.  Yes, the hostname.crt file is a signed
>>certificate.
>>I've tried importing both with and without the -trustcacerts parameter,
>>the imports are successful, but I get the following exception in
>>JBoss-3.2.3/Tomcat-4.1.29:
>>
>>16:23:59,561 ERROR [PoolTcpEndpoint] Endpoint [SSL:
>>ServerSocket[addr=/0.0.0.0,port=0,localport=8753]] ignored exception:
>>java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
>>No available certificate
>>corresponds to the SSL cipher suites which are enabled.
>>java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException:
>>No available certificate
>>corresponds to the SSL cipher suites which are enabled.
>>       at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:152)
>>       at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
>>       at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:569)
>>       at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:677)
>>       at java.lang.Thread.run(Thread.java:536)
>>
>>Thanks,
>>Robert
>>
>>D'Alessandro, Arthur wrote:
>>
>>>Robert,
>>>First thing, tomcat looks for .keystore in the home folder of the user
>>>running tomcat; if this is not available, or you wish to move the
>>>keystore, you can state so in the Connector within server.xml
>>>
>>>Another thing, the password defaults to 'changeit'; if you wish to have
>>>an alternative password, you will need to specify it again within the
>>>connector element.
>>>
>>>Third, you appear to be using trustcacerts. Is the cert you specify
>>>in hostname.crt the CA root cert (local CA) or the signed certificate?
>>>From your description, I assume it is the signed valid cert from
>>>Verisign.
>>>
>>>Off the top of my head, I don't remember the need for the
>>>'-trustcacerts'
>>>
>>>This is a good site that may help as well:
>>>http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html
>>>
>>>
>>>-----Original Message-----
>>>From: Robert Hall [mailto:rfhall@berkeley.edu] 
>>>Sent: Monday, April 12, 2004 6:56 PM
>>>To: Tomcat Users List
>>>Subject: help needed - keytool import of CA certs
>>>
>>>I've been floundering for too many hours/days having ventured into the
>>>java/keytool/keystore/CAcert realm for the first time to produce a
>>>CA signed certificate for JBoss/Tomcat.
>>>
>>>We have a Verisign/RSA cert, hostname.crt, that produces the following when
>>>imported using 'keytool':
>>>
>>>$ keytool -import -trustcacerts -file hostname.crt -keystore hostname.keystore
>>>Enter keystore password:  secret
>>>Owner: CN=hostname.berkeley.edu, OU=MY-ORG-UNIT, O="University of California, Berkeley", L=Berkeley, ST=California, C=US
>>>Issuer: OU=Secure Server Certification Authority, O="RSA Data Security, Inc.", C=US
>>>Serial number: 63ba7416f9d061ad65db8b61554bd8c3
>>>Valid from: Wed Aug 13 17:00:00 PDT 2003 until: Fri Aug 13 16:59:59 PDT 2004
>>>Certificate fingerprints:
>>>       MD5:  05:A7:B1:17:6B:C2:0B:FA:9A:B9:80:22:6A:B0:96:6B
>>>       SHA1: B9:34:D0:58:C4:9C:01:CD:C1:05:D9:FD:C1:D1:45:43:E3:6C:17:1A
>>>Trust this certificate? [no]:  yes
>>>Certificate was added to keystore
>>>
>>>And if you're still reading, some questions:
>>>
>>>1. Should the "Trust this certificate?" prompt appear if a corresponding
>>>   CA cert entry exists in $JAVA_HOME/jre/lib/security/cacerts ?
>>>
>>>2. Is it necessary to go through the CSR (Certificate Signing Request)
>>>   process when you already have a server cert file?
>>>
>>>3. What else is needed in addition to an existing server cert file if
>>>   you don't have to go through the CSR process?
>>>
>>>
>>>Thanks,
>>>Robert
>>>
>>>
>>>---------------------------------------------------------------------
>>>To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
>>>For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


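Editor's added example (not part of the thread above, and not code from the Tomcat or JBoss projects). The exception Robert quotes, "No available certificate corresponds to the SSL cipher suites which are enabled", is what JSSE raises when its key manager finds no private-key entry to serve: a certificate imported with keytool -import into an alias that holds no key pair is stored as a trustedCertEntry, not as a key entry, so the keystore contains nothing the server can present. The script below reproduces both outcomes offline against a throw-away local CA built with keytool, then reduces Arthur's "what does the keystore look like" check to the one fact that matters. Assumed names: alias "tomcat" for the server key pair, alias "ca" for the local CA, the constructed host name hostname.example.edu, and the thread's keystore password "secret". It needs a JDK on PATH (keytool -gencert, JDK 7 or later).

```sh
#!/bin/sh
# Added example, not code from this thread or from Tomcat/JBoss.
# Builds two keystores with keytool against a throw-away local CA so it runs
# offline, then reports what kind of entry the "tomcat" alias holds in each.
# Assumed: alias "tomcat" (server key), alias "ca" (local CA), the thread's
# keystore password "secret", and the constructed CN hostname.example.edu.
set -eu

KEYTOOL="${KEYTOOL:-keytool}"
STOREPASS="secret"
WORK="${WORK:-$(mktemp -d)}"
LOG="$WORK/keytool.log"

# Force English output so the entry-type words below are stable.
kt() { "$KEYTOOL" -J-Duser.language=en -J-Duser.country=US "$@"; }

# Throw-away CA: self-signed key pair with a critical CA:true basic constraint.
make_ca() {
    kt -genkeypair -alias ca -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=Example Local CA, O=Example" -ext bc:c \
        -keystore "$WORK/ca.keystore" -storepass "$STOREPASS" -keypass "$STOREPASS" >>"$LOG" 2>&1
    kt -exportcert -alias ca -rfc -file "$WORK/ca.crt" \
        -keystore "$WORK/ca.keystore" -storepass "$STOREPASS" >>"$LOG" 2>&1
}

# Right way: the key pair lives in the keystore first, the CSR is generated
# from it, the CA cert goes in as a trusted entry, and the signed reply is
# imported into the SAME alias that holds the private key.
make_server_keystore_right() {
    ks="$WORK/right.keystore"
    kt -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=hostname.example.edu, O=Example" \
        -keystore "$ks" -storepass "$STOREPASS" -keypass "$STOREPASS" >>"$LOG" 2>&1
    kt -certreq -alias tomcat -file "$WORK/hostname.csr" \
        -keystore "$ks" -storepass "$STOREPASS" >>"$LOG" 2>&1
    # The CA signs the request: this is the step a commercial CA does for you.
    kt -gencert -alias ca -infile "$WORK/hostname.csr" -outfile "$WORK/hostname.crt" \
        -validity 365 -rfc -keystore "$WORK/ca.keystore" -storepass "$STOREPASS" >>"$LOG" 2>&1
    kt -importcert -alias root -file "$WORK/ca.crt" -noprompt \
        -keystore "$ks" -storepass "$STOREPASS" >>"$LOG" 2>&1
    kt -importcert -alias tomcat -file "$WORK/hostname.crt" \
        -keystore "$ks" -storepass "$STOREPASS" >>"$LOG" 2>&1
}

# Wrong way, as in the thread: the signed cert is imported into a keystore that
# never held its private key. keytool accepts it, but only as a trusted
# certificate entry, which leaves JSSE nothing to serve.
make_server_keystore_wrong() {
    kt -importcert -alias tomcat -file "$WORK/hostname.crt" -noprompt \
        -keystore "$WORK/wrong.keystore" -storepass "$STOREPASS" >>"$LOG" 2>&1
}

# The keystore check, reduced to one word: what kind of entry is behind the
# alias? Prints PrivateKeyEntry, trustedCertEntry, unknown, or none.
entry_type() {   # $1 keystore  $2 alias
    out=$(kt -list -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null) || { echo none; return 0; }
    case "$out" in
        *PrivateKeyEntry*|*keyEntry*) echo PrivateKeyEntry ;;   # old keytool prints keyEntry
        *trustedCertEntry*) echo trustedCertEntry ;;
        *) echo unknown ;;
    esac
}

# Chain length stored with a key entry (server cert plus CA here). Empty for a
# trusted certificate entry, which carries no chain.
chain_length() {   # $1 keystore  $2 alias
    kt -list -v -keystore "$1" -storepass "$STOREPASS" -alias "$2" 2>/dev/null \
        | sed -n 's/^Certificate chain length: *//p'
}

main() {
    command -v "$KEYTOOL" >/dev/null 2>&1 || { echo "keytool not found; a JDK is required" >&2; return 0; }
    make_ca
    make_server_keystore_right
    make_server_keystore_wrong
    echo "right.keystore, alias tomcat: $(entry_type "$WORK/right.keystore" tomcat), chain length $(chain_length "$WORK/right.keystore" tomcat)"
    echo "wrong.keystore, alias tomcat: $(entry_type "$WORK/wrong.keystore" tomcat)"
    echo "keystores left in $WORK for keytool -list -v"
}

main
```

Run it and compare with keytool -list -v on the real hostname.keystore: an alias that shows trustedCertEntry (or, on 2004-era keytool, no keyEntry at all) is the signature of the handshake error in the thread, and the fix is to issue the certificate for a key pair the keystore already holds, which is exactly what the CSR step is for. If the private key was generated outside keytool (for example with openssl), keytool of that era cannot import it; package key and certificate as a PKCS#12 file instead and point the connector at it with keystoreType="PKCS12".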