From "Nate Rock" <nr...@infinitecampus.com>
Subject Tomcat 5.5.12- APR Connector - SSL configuration
Date Wed, 30 Nov 2005 21:03:56 GMT
Someone may have already posted this, but since I just joined the
mailing list, I figured it might help someone else if it hasn't already
been sent.

I am having trouble getting an HTTPS connection to my tomcat server
using the native APR connector under Tomcat 5.5.12. 

I am familiar with how to set up HTTPS connectors in 5.0.28 so I figured
it would be easy to set up in 5.5.12 using the APR connector, but I
think I am just missing something simple.

Under Tomcat 5.0.28 here is what we were using:

<Connector 	port="443" 
		maxHttpHeaderSize="8192"
		maxThreads="150" 
		minSpareThreads="25" 
		maxSpareThreads="75"
		enableLookups="false" 
		disableUploadTimeout="true"
		acceptCount="100" 
		scheme="https" 
		secure="true"
		clientAuth="false"
		sslProtocol="SSL" 
		keystoreFile="c:\certs\server\server.p12" 
		keystorePass="serverPassword" 
		keystoreType="PKCS12"
		/>

After reading the docs located at 

http://tomcat.apache.org/tomcat-5.5-doc/apr.html

I took a stab at using the existing server.p12 file and exported the
certificate in PEM encoding using Keystore Explorer 2.0 and saved it to
c:\certs\server\server.cer

When opening it in a text editor, I get the following which looks
correct.

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

I then added the following connector to my server.xml

<Connector port="443" 
		maxHttpHeaderSize="8192"
		maxThreads="150" 
		minSpareThreads="25" 
		maxSpareThreads="75"
		enableLookups="false" 
		disableUploadTimeout="true"
		acceptCount="100" 
		SSLCertificateFile="c:\certs\server\server.cer"
		/>

But when I try to connect to the server using https://server/ the
browser times out and I get a page cannot be found error.

Thinking that it needed the private key as well I exported the primary
key in PEM format and saved it to c:\certs\server\server.pem

When I open it in a text editor, I get the following which also looks
correct

-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKhU44dOUQAaHPok
bNbcoFvQpleL4zCJ6xKHC3nP0bQzB9XoXHNp/ec4EKOGhwfITbo8eEhAdXrAZNNE
cH0BQYtd7QaT1GMqyJrVbQbcNBBqJnu9N4l8jAfclKp+6kMy2V4i6PIJB2E1zxTg
S9ourhg36NGc1RCbUazz0ussu8nbAgMBAAECgYB5M8YwIn/IJwU+RwPnISyFb5KV
7q9Cv8t2p63no29G5Id7ybbnkyWyWngAhlirjdoJgojI3UC5hdYTGHA2UbUyzRe6
Fm5y26opOBYYfyLwu3hvVjYoIyhTX+QNfCRFcKNrIBKecmGmh+YIZwGGlru/1zHn
fp4YmVodfJqEARRfIQJBANESeiK95X1EBXEwNIah3KuxvdJlMNc4oMLuCdLuGm7I
9ViBYI+3giiFKZjGvtwfeNHWyiU5s4PnnAOd48pJdHcCQQDOHWl+CkQ/OxRTrxI8
P+++Ucn35h/TsnVmTMfGYoiGYwYvx46rSZ3a++0TKwUDVn3KXEBzIMKslw61yiEU
fyK9AkEAwZf3amYms3iiBW5apPQKjx21pLW4pQG1suqSRDPgXAdPUBX04P9O0dCE
dQhLwS6PRNc8NX4ZoSF9EMhKHo0n/wJAcYnII7L6Fy6vKs3kqKW7pcYeEF2GqLHE
c97VqVV7yTNhJA60a2x49TkTRhzLfSQ21LLumbyxICtx4ff/MvA5rQJAYOc1Dqmp
kSl7vTrSeUuO4yRPi/R7ALRs6dqQQTtQ9egC1F+3sgIWb6rdJOBsdtEeFx0AGgfF
+p3VdiyrJl2h5Q==
-----END PRIVATE KEY-----

I then modified the following connector in my server.xml

<Connector port="443" 
		maxHttpHeaderSize="8192"
		maxThreads="150" 
		minSpareThreads="25" 
		maxSpareThreads="75"
		enableLookups="false" 
		disableUploadTimeout="true"
		acceptCount="100" 
		SSLCertificateFile="c:\certs\server\server.cer"
		SSLCertificateKeyFile="c:\certs\server\serverKey.key"
		SSLPassword="serverPassword"
		/>

I also tried putting a few of the other attributes in that are SSL
specific but it's still a no-go:

<Connector port="443" 
		maxHttpHeaderSize="8192"
		maxThreads="150" 
		minSpareThreads="25" 
		maxSpareThreads="75"
		enableLookups="false" 
		disableUploadTimeout="true"
		acceptCount="100" 
		scheme="https" 
		secure="true"
		SSLCertificateFile="c:\certs\server\server.cer"
		SSLCertificateKeyFile="c:\certs\server\serverKey.key"
		SSLPassword="serverPassword"
		/>

And

<Connector port="443" 
		maxHttpHeaderSize="8192"
		maxThreads="150" 
		minSpareThreads="25" 
		maxSpareThreads="75"
		enableLookups="false" 
		disableUploadTimeout="true"
		acceptCount="100" 
		secure="true"
		SSLCertificateFile="c:\certs\server\server.cer"
		SSLCertificateKeyFile="c:\certs\server\serverKey.key"
		SSLPassword="serverPassword"
		/>

And

<Connector port="443" 
		maxHttpHeaderSize="8192"
		maxThreads="150" 
		minSpareThreads="25" 
		maxSpareThreads="75"
		enableLookups="false" 
		disableUploadTimeout="true"
		acceptCount="100" 
		scheme="https" 
		SSLCertificateFile="c:\certs\server\server.cer"
		SSLCertificateKeyFile="c:\certs\server\serverKey.key"
		SSLPassword="serverPassword"
		/>

All to no avail =(

I figure someone has gotten this working =D any assistance would be
muchly appreciated!!!

*Note* the PEM encoding above is valid as is the password for the
private key. This information isn't being used in production and is a
certificate I generated for testing purposes so feel free to use it to
test anything out.

   -rOcK
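The post cycles through connector variants without a way to tell which part of the APR HTTPS setup is wrong: the listener, the connector attributes, or the files they point at (note that the key was saved as server.pem but every connector references serverKey.key). The following linter is an added example, not code from the post or from the Tomcat project. It parses a server.xml and checks the things that differ between the JSSE keystore connector and the APR PEM connector: the AprLifecycleListener is present with SSLEngine switched on (assumed here to be required, following the Tomcat 5.5 APR documentation the post links to), SSLCertificateFile and SSLCertificateKeyFile both exist and hold the expected PEM block type, and no keystore attributes are mixed into the APR connector. The certificate and key bodies it writes are constructed placeholders, and the sample server.xml it builds is constructed as well.

```python
"""Lint the APR-style HTTPS <Connector> of a Tomcat server.xml (added example)."""
import os
import re
import tempfile
import xml.etree.ElementTree as ET

# A PEM block: "-----BEGIN LABEL-----", base64 body, "-----END LABEL-----".
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)

# JSSE keystore attributes from the 5.0.28 connector; the APR connector ignores them.
JSSE_ATTRS = ("keystoreFile", "keystorePass", "keystoreType", "sslProtocol", "clientAuth")


def pem_labels(path):
    """Return the labels of the PEM blocks in a file, e.g. ['CERTIFICATE']."""
    with open(path, encoding="ascii") as f:
        return [m.group(1) for m in PEM_BLOCK.finditer(f.read())]


def lint_server_xml(xml_text):
    """Return a list of findings; an empty list means the APR HTTPS config is consistent."""
    findings = []
    root = ET.fromstring(xml_text)

    # 1. The APR listener must be loaded with its SSL engine on
    #    (assumption: SSLEngine="on" is required, per the Tomcat 5.5 APR docs).
    listeners = [l for l in root.iter("Listener")
                 if l.get("className", "").endswith("AprLifecycleListener")]
    if not listeners:
        findings.append("no AprLifecycleListener in server.xml; the APR connector cannot start")
    elif all(l.get("SSLEngine", "off").lower() == "off" for l in listeners):
        findings.append('AprLifecycleListener has SSLEngine off; set SSLEngine="on"')

    # 2. Check every connector that names an APR certificate file.
    for conn in root.iter("Connector"):
        if "SSLCertificateFile" not in conn.attrib:
            continue
        where = f"Connector port={conn.get('port')}"
        mixed = [a for a in JSSE_ATTRS if a in conn.attrib]
        if mixed:
            findings.append(f"{where}: JSSE attributes {mixed} are ignored by the APR connector")
        for attr, expected in (("SSLCertificateFile", "CERTIFICATE"),
                               ("SSLCertificateKeyFile", "PRIVATE KEY")):
            path = conn.get(attr)
            if path is None:
                findings.append(f"{where}: {attr} is missing")
                continue
            if not os.path.isfile(path):
                findings.append(f"{where}: {attr} points at a file that does not exist: {path}")
                continue
            labels = pem_labels(path)  # "RSA PRIVATE KEY" and "ENCRYPTED PRIVATE KEY" also match
            if not any(label.endswith(expected) for label in labels):
                findings.append(f"{where}: {attr} ({path}) holds {labels or 'no PEM block'}, "
                                f"expected a {expected} block")
    return findings


def build_sample(tmpdir, key_name):
    """Write a constructed cert/key pair and return a constructed server.xml referencing them.

    The key is always written as server.pem (as in the post); key_name is the
    name the connector references, so a mismatch reproduces the post's setup.
    """
    cert = os.path.join(tmpdir, "server.cer")
    with open(cert, "w") as f:  # constructed placeholder body, not a real certificate
        f.write("-----BEGIN CERTIFICATE-----\nMIICconstructedPLACEHOLDER\n-----END CERTIFICATE-----\n")
    with open(os.path.join(tmpdir, "server.pem"), "w") as f:  # constructed placeholder body
        f.write("-----BEGIN PRIVATE KEY-----\nMIICdgIBADANconstructedPLACEHOLDER\n-----END PRIVATE KEY-----\n")
    key = os.path.join(tmpdir, key_name)
    return f"""<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
  <Service>
    <Connector port="443" scheme="https" secure="true"
               SSLCertificateFile="{cert}"
               SSLCertificateKeyFile="{key}"
               SSLPassword="serverPassword"/>
  </Service>
</Server>"""


def demo():
    """Lint the post's mismatched key path, then the corrected one; returns both finding lists."""
    with tempfile.TemporaryDirectory() as d:
        broken = lint_server_xml(build_sample(d, "serverKey.key"))  # file was saved as server.pem
        fixed = lint_server_xml(build_sample(d, "server.pem"))
    return broken, fixed


if __name__ == "__main__":
    for name, findings in zip(("mismatched key path", "corrected"), demo()):
        print(f"{name}: {findings or 'OK'}")
```

The linter only checks that the files exist and carry the right kind of PEM block; it does not verify that the key actually belongs to the certificate. For that, compare the modulus printed by `openssl x509 -noout -modulus -in server.cer` with the one from `openssl rsa -noout -modulus -in server.pem`; they must be identical. On Tomcat 6 and later the APR connector additionally requires `SSLEnabled="true"`, which this 5.5-oriented check does not look for.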
