tomcat-users mailing list archives

From "Werner Schalk" <werner_sch...@gmx.de>
Subject Problems with SSL-enabled Tomcat 5.5
Date Wed, 29 Aug 2007 19:24:25 GMT
Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun 
Solaris 10 (Sparc), but it turns out that this appears not to be an easy 
task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now, after spending hours of tweaking the config, I 
do face two problems: either Tomcat is unable to find
my alias in the keystore file, or there appears to be a problem with the SSL 
ciphers or the certificate itself. Hopefully somebody knows what to do; this
has been giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
Certificate"); please
note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt
Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, 
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", 
O=VeriSign Trust Network

[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt
Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new keystore 
and SSL cert:

<Connector port="8443" maxHttpHeaderSize="16384"
               address="myhostname" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"
               scheme="https" secure="true" clientAuth="false"
               compression="8192"
               compressableMimeType="text/javascript,text/css"
               keystoreFile="/usr/local/tomcat/conf/wstest"
               keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
        at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
        at org.apache.catalina.connector.Connector.start(Connector.java:1089)
        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However, my keystore DOES contain my two keys (Verisign's key as well as my 
SSL cert):

# keytool -list -keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, 
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", 
O=VeriSign Trust Network

[...]

*******************************************
*******************************************

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

*******************************************
*******************************************

Here is the first problem: Why does my alias "tomcat" not identify a key 
entry in the keystore? It does exist, doesn't it?

5) Now, to get around this problem, I removed the "keyAlias" directive from 
the Tomcat config, which now looks like this:

<Connector port="8443" maxHttpHeaderSize="16384"
               address="myhostname" enableLookups="false"
               disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"
               scheme="https" secure="true" clientAuth="false"
               compression="8192"
               compressableMimeType="text/javascript,text/css"
               keystoreFile="/usr/local/tomcat/conf/wstest"
               keystorePass="XXX" sslProtocol="TLS"
/>

6) Then I restarted Tomcat and here is what I get in the logs:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No 
available certificate or key corresponds to the SSL cipher suites which are 
enabled.

        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint 
acceptSocket
WARNING: Reinitializing ServerSocket

Another problem. Any ideas?

7) Then I tried to change the sslProtocol to SSL (rather than TLS), but that 
didn't change anything. The file permissions of the certs are okay;
they are all world-readable.

So guys, any ideas on how to solve this? Has anyone ever encountered this 
problem? I searched on Google, but I really was unable to
find a proper solution.

Any input is greatly appreciated. Thank you very much.

Best regards,
Werner.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
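A pre-flight check for the root cause of both errors in the post above, added here as an example and not part of the message or of Tomcat: it reproduces the test that JSSE14SocketFactory.getKeyManagers applies (the configured alias must be a key entry, i.e. private key plus certificate chain, which `keytool -import` of a signed certificate into an alias that has no private key does not create; both of the listed aliases are `trustedCertEntry`). The `keytool -list -v` text and the `<Connector>` element are constructed to mirror the post.

```python
"""Pre-flight check for a Tomcat 5.5 JSSE <Connector>: does the keystore
hold a *key* entry for the alias Tomcat will use?  Inputs are the text of
`keytool -list -v` and the <Connector> element from server.xml."""
import re
import xml.etree.ElementTree as ET

# keytool wording differs by JDK: older JDKs print "keyEntry", newer ones
# "PrivateKeyEntry"; both mean private key + certificate chain.
KEY_ENTRY_TYPES = {"keyEntry", "PrivateKeyEntry"}

# Constructed sample mirroring the post: both aliases are trusted certs only,
# because the signed certificate was imported without a prior -genkey.
SAMPLE_LISTING = """Alias name: root
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: trustedCertEntry
"""
SAMPLE_CONNECTOR = '<Connector port="8443" keystoreFile="wstest" keyAlias="tomcat"/>'

def parse_keytool_listing(text):
    """Return {alias: entry_type} parsed from `keytool -list -v` output."""
    entries, alias = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*Alias name:\s*(\S+)", line)
        if m:
            alias = m.group(1)
        m = re.match(r"\s*Entry type:\s*(\S+)", line)
        if m and alias:
            entries[alias] = m.group(1)
    return entries

def diagnose(listing, connector_xml):
    """Mirror the check in JSSE14SocketFactory.getKeyManagers: the alias
    must be a key entry.  Returns (ok, reason)."""
    entries = parse_keytool_listing(listing)
    alias = ET.fromstring(connector_xml).get("keyAlias")
    if alias is not None:
        kind = entries.get(alias)
        if kind is None:
            return False, "alias %r not present in keystore" % alias
        if kind not in KEY_ENTRY_TYPES:
            return False, "alias %r is a %s, not a key entry" % (alias, kind)
        return True, "alias %r is a key entry" % alias
    # No keyAlias: Tomcat picks the first key entry; with none at all the
    # handshake fails ('No available certificate or key corresponds ...').
    keys = [a for a, k in entries.items() if k in KEY_ENTRY_TYPES]
    if not keys:
        return False, "keystore holds no key entry, only trusted certs"
    return True, "Tomcat will use key entry %r" % keys[0]
```

Run `keytool -list -v` against the real keystore and feed its output to `diagnose` before restarting Tomcat; the remedy for a failing check is the order given in the linked ssl-howto (generate the key pair under the alias first, then import the CA root and the signed reply under that same alias).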