Return-Path: 
 <users-return-136540-apmail-tomcat-users-archive=tomcat.apache.org@tomcat.apache.org>
Delivered-To: apmail-tomcat-users-archive@www.apache.org
Received: (qmail 12670 invoked from network); 30 Nov 2005 21:05:06 -0000
Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199)
  by minotaur.apache.org with SMTP; 30 Nov 2005 21:05:06 -0000
Received: (qmail 30595 invoked by uid 500); 30 Nov 2005 21:04:52 -0000
Delivered-To: apmail-tomcat-users-archive@tomcat.apache.org
Received: (qmail 30576 invoked by uid 500); 30 Nov 2005 21:04:52 -0000
Mailing-List: contact users-help@tomcat.apache.org; run by ezmlm
Precedence: bulk
List-Help: <mailto:users-help@tomcat.apache.org>
List-Unsubscribe: <mailto:users-unsubscribe@tomcat.apache.org>
List-Post: <mailto:users@tomcat.apache.org>
List-Id: <users.tomcat.apache.org>
Reply-To: "Tomcat Users List" <users@tomcat.apache.org>
Delivered-To: mailing list users@tomcat.apache.org
Received: (qmail 30558 invoked by uid 99); 30 Nov 2005 21:04:51 -0000
Received: from asf.osuosl.org (HELO asf.osuosl.org) (140.211.166.49)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 30 Nov 2005 13:04:51 -0800
X-ASF-Spam-Status: No, hits=0.0 required=10.0
	tests=UPPERCASE_25_50
X-Spam-Check-By: apache.org
Received-SPF: pass (asf.osuosl.org: local policy)
Received: from [66.243.3.10] (HELO mail2.infinitecampus.org) (66.243.3.10)
    by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 30 Nov 2005 13:06:21 -0800
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable
Subject: Tomcat 5.5.12- APR Connector - SSL configuration
Date: Wed, 30 Nov 2005 15:03:56 -0600
Message-ID: <CB51C26005C5C348A309247B5FE870D1630FC7@mailer.ic.org>
From: "Nate Rock" <nrock@infinitecampus.com>
To: <users@tomcat.apache.org>
X-Virus-Checked: Checked by ClamAV on apache.org
X-Spam-Rating: minotaur.apache.org 1.6.2 0/1000/N

Someone may have already posted this, but since I just joined the
mailing list, I figured it might help someone else if it hasn't already
been sent.

I am having trouble getting an HTTPS connection to my tomcat server
using the native APR connector under Tomcat 5.5.12.=20

I am familiar with how to set up HTTPS connectors in 5.0.28 so I figured
it would be easy to set up in 5.5.12 using the APR connector, but I
think I am just missing something simple.

Under Tomcat 5.0.28 here is what we were using:

<Connector 	port=3D"443"=20
		maxHttpHeaderSize=3D"8192"
		maxThreads=3D"150"=20
		minSpareThreads=3D"25"=20
		maxSpareThreads=3D"75"
		enableLookups=3D"false"=20
		disableUploadTimeout=3D"true"
		acceptCount=3D"100"=20
		scheme=3D"https"=20
		secure=3D"true"
		clientAuth=3D"false"
		sslProtocol=3D"SSL"=20
		keystoreFile=3D"c:\certs\server\server.p12"=20
		keystorePass=3D"serverPassword"=20
		keystoreType=3D"PKCS12"
		/>

After reading the docs located at=20

http://tomcat.apache.org/tomcat-5.5-doc/apr.html

I took a stab at using the existing server.p12 file and exported the
certificate in PEM encoding using Keystore Explorer 2.0 and saved it to
c:\certs\server\server.cer

When opening it in a text editor, I get the following which looks
correct.

-----BEGIN CERTIFICATE-----
MIICqzCCAhSgAwIBAgIBAjANBgkqhkiG9w0BAQQFADCBgTEZMBcGA1UEAxMQcm9j
a2hvd3NlLmljLm9yZzEYMBYGA1UEChMPSW5maW5pdGUgQ2FtcHVzMRMwEQYDVQQL
EwpIb3N0aW5nIENBMRQwEgYDVQQHEwtBcmRlbiBIaWxsczESMBAGA1UECBMJTWlu
bmVzb3RhMQswCQYDVQQGEwJVUzAeFw0wNTExMjkyMTQ1MTVaFw0wNjExMjQyMTQ1
MTVaMIGDMRkwFwYDVQQDExByb2NraG93c2UuaWMub3JnMRgwFgYDVQQKEw9JbmZp
bml0ZSBDYW1wdXMxFTATBgNVBAsTDFNpdGUgTWFuYWdlcjEUMBIGA1UEBxMLQXJk
ZW4gSGlsbHMxEjAQBgNVBAgTCU1pbm5lc290YTELMAkGA1UEBhMCVVMwgZ8wDQYJ
KoZIhvcNAQEBBQADgY0AMIGJAoGBAKhU44dOUQAaHPokbNbcoFvQpleL4zCJ6xKH
C3nP0bQzB9XoXHNp/ec4EKOGhwfITbo8eEhAdXrAZNNEcH0BQYtd7QaT1GMqyJrV
bQbcNBBqJnu9N4l8jAfclKp+6kMy2V4i6PIJB2E1zxTgS9ourhg36NGc1RCbUazz
0ussu8nbAgMBAAGjLzAtMAwGA1UdEwQFMAMBAQAwHQYDVR0lBBYwFAYIKwYBBQUH
AwIGCCsGAQUFBwMBMA0GCSqGSIb3DQEBBAUAA4GBAIGX1f3uCQgIpqa+rVJgZ2se
FRRTPbZ576jpTqJtPlAARPCqBw2uM5tG36FV+dW9kVeWG3Y1GafLgpFUD5j/nl2p
p47mUjYhQFqEzOkoW3WuNspKuDkd5TACn721vECdaUVTUEmpJ5XBb9Q710chv9ZO
v6h8ZTNOoU2cvqJV3MhC
-----END CERTIFICATE-----

I then added the following connector to my server.xml

<Connector port=3D"443"=20
		maxHttpHeaderSize=3D"8192"
		maxThreads=3D"150"=20
		minSpareThreads=3D"25"=20
		maxSpareThreads=3D"75"
		enableLookups=3D"false"=20
		disableUploadTimeout=3D"true"
		acceptCount=3D"100"=20
		SSLCertificateFile=3D"c:\certs\server\server.cer"
		/>

But when I try to connect to the server using https://server/ the
browser times out and I get a page cannot be found error.

Thinking that it needed the private key as well I exported the primary
key in PEM format and saved it to c:\certs\server\server.pem

When I open it in a text editor, I get the following which also looks
correct

-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAKhU44dOUQAaHPok
bNbcoFvQpleL4zCJ6xKHC3nP0bQzB9XoXHNp/ec4EKOGhwfITbo8eEhAdXrAZNNE
cH0BQYtd7QaT1GMqyJrVbQbcNBBqJnu9N4l8jAfclKp+6kMy2V4i6PIJB2E1zxTg
S9ourhg36NGc1RCbUazz0ussu8nbAgMBAAECgYB5M8YwIn/IJwU+RwPnISyFb5KV
7q9Cv8t2p63no29G5Id7ybbnkyWyWngAhlirjdoJgojI3UC5hdYTGHA2UbUyzRe6
Fm5y26opOBYYfyLwu3hvVjYoIyhTX+QNfCRFcKNrIBKecmGmh+YIZwGGlru/1zHn
fp4YmVodfJqEARRfIQJBANESeiK95X1EBXEwNIah3KuxvdJlMNc4oMLuCdLuGm7I
9ViBYI+3giiFKZjGvtwfeNHWyiU5s4PnnAOd48pJdHcCQQDOHWl+CkQ/OxRTrxI8
P+++Ucn35h/TsnVmTMfGYoiGYwYvx46rSZ3a++0TKwUDVn3KXEBzIMKslw61yiEU
fyK9AkEAwZf3amYms3iiBW5apPQKjx21pLW4pQG1suqSRDPgXAdPUBX04P9O0dCE
dQhLwS6PRNc8NX4ZoSF9EMhKHo0n/wJAcYnII7L6Fy6vKs3kqKW7pcYeEF2GqLHE
c97VqVV7yTNhJA60a2x49TkTRhzLfSQ21LLumbyxICtx4ff/MvA5rQJAYOc1Dqmp
kSl7vTrSeUuO4yRPi/R7ALRs6dqQQTtQ9egC1F+3sgIWb6rdJOBsdtEeFx0AGgfF
+p3VdiyrJl2h5Q=3D=3D
-----END PRIVATE KEY-----

I then modified the following connector in my server.xml

<Connector port=3D"443"=20
		maxHttpHeaderSize=3D"8192"
		maxThreads=3D"150"=20
		minSpareThreads=3D"25"=20
		maxSpareThreads=3D"75"
		enableLookups=3D"false"=20
		disableUploadTimeout=3D"true"
		acceptCount=3D"100"=20
		SSLCertificateFile=3D"c:\certs\server\server.cer"
		SSLCertificateKeyFile=3D"c:\certs\server\serverKey.key"
		SSLPassword=3D"serverPassword"
		/>

I also tried putting a few of the other attributes in that are SSL
specific but it's still a no-go:

<Connector port=3D"443"=20
		maxHttpHeaderSize=3D"8192"
		maxThreads=3D"150"=20
		minSpareThreads=3D"25"=20
		maxSpareThreads=3D"75"
		enableLookups=3D"false"=20
		disableUploadTimeout=3D"true"
		acceptCount=3D"100"=20
		scheme=3D"https"=20
		secure=3D"true"
		SSLCertificateFile=3D"c:\certs\server\server.cer"
		SSLCertificateKeyFile=3D"c:\certs\server\serverKey.key"
		SSLPassword=3D"serverPassword"
		/>

And

<Connector port=3D"443"=20
		maxHttpHeaderSize=3D"8192"
		maxThreads=3D"150"=20
		minSpareThreads=3D"25"=20
		maxSpareThreads=3D"75"
		enableLookups=3D"false"=20
		disableUploadTimeout=3D"true"
		acceptCount=3D"100"=20
		secure=3D"true"
		SSLCertificateFile=3D"c:\certs\server\server.cer"
		SSLCertificateKeyFile=3D"c:\certs\server\serverKey.key"
		SSLPassword=3D"serverPassword"
		/>

And

<Connector port=3D"443"=20
		maxHttpHeaderSize=3D"8192"
		maxThreads=3D"150"=20
		minSpareThreads=3D"25"=20
		maxSpareThreads=3D"75"
		enableLookups=3D"false"=20
		disableUploadTimeout=3D"true"
		acceptCount=3D"100"=20
		scheme=3D"https"=20
		SSLCertificateFile=3D"c:\certs\server\server.cer"
		SSLCertificateKeyFile=3D"c:\certs\server\serverKey.key"
		SSLPassword=3D"serverPassword"
		/>

All to no avail =3D(

I figure someone has gotten this working =3DD any assistance would be
muchly appreciated!!!

*Note* the PEM encoding above is valid as is the password for the
private key. This information isn't being used in production and is a
certificate I generated for testing purposes so feel free to use it to
test anything out.

   -rOcK

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org