tomcat-users mailing list archives

From "Werner Schalk" <werner_sch...@gmx.de>
Subject Re: Problems with SSL-enabled Tomcat 5.5
Date Thu, 30 Aug 2007 14:06:02 GMT
Hello,

setting keyAlias="root" did not change anything. Then I downloaded the latest version of Tomcat, added the Verisign cert to my cacerts file and imported my Verisign-signed SSL certificate into a new keystore. Unfortunately that does not change my situation: Either Tomcat is unable to find my alias in the keystore file (if I specify a keyAlias) or there appears to be a problem with the SSL ciphers or certificate itself (if I don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are (see further below):

1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)

2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key corresponds 
to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

Any more ideas? Is the problem maybe caused because I am creating a new keystore and the key of the Verisign-signed certificate is in a separate file (my colleague deleted the original keystore file)? Are we screwed now?

Thank you. Any input is greatly appreciated.

Bye,
Werner.

----- Original Message ----- 
From: "Filip Hanik - Dev Lists" <devlists@hanik.com>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


> did you set
> keyAlias="root" in server.xml
>
> Werner Schalk wrote:
>> Hello,
>>
>> I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun
>> Solaris 10 (Sparc) but it turns out that this appears not to be an easy
>> task. Hopefully you guys can shed some light on this. Basically I do have a
>> Verisign-signed SSL certificate which I would like to add to my existing
>> Tomcat config. Now after spending hours of tweaking the config, I do face
>> two problems: Either Tomcat is unable to find my alias in the keystore file
>> or there appears to be a problem with the SSL ciphers or certificate itself.
>> Hopefully somebody knows what to do, this has been giving me a headache for
>> many hours now.
>>
>> Here is what I did (steps taken from 
>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
>> Certificate"), please
>> note that I removed IPs, hostnames etc. to protect the innocent:
>>
>> 1) Import of the Verisign root cert into my keystore:
>>
>> $ keytool -import -alias root -keystore wstest -trustcacerts -file 
>> verisign.crt
>> Enter keystore password:  XXX
>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
>> VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
>> Inc.", O=VeriSign Trust Network
>>
>> [ ... ]
>>
>> Certificate was added to keystore
>>
>> 2) Import of my Verisign-signed SSL certificate:
>>
>> $ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
>> mysystem.crt
>> Enter keystore password:  XXX
>>
>> [ ... ]
>>
>> Certificate was added to keystore
>>
>> 3) Change of my Tomcat configuration in server.xml to use the new 
>> keystore and SSL cert:
>>
>> <Connector port="8443" maxHttpHeaderSize="16384"
>>               address="myhostname" enableLookups="false"
>>               disableUploadTimeout="true" acceptCount="100" 
>> maxKeepAliveRequests="100"
>>               scheme="https" secure="true" clientAuth="false"
>>               compression="8192"
>>               compressableMimeType="text/javascript,text/css"
>>               keystoreFile="/usr/local/tomcat/conf/wstest"
>>               keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
>> />
>>
>> 4) Restart of Tomcat and review of Tomcat log file:
>>
>> # svcadm disable tomcat
>> # rm ../logs/catalina.out
>> # svcadm enable tomcat
>> # tail -f ../logs/catalina.out
>>
>> [...]
>>
>> INFO: Deploying web application archive help.war
>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
>> start
>> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
>> start
>> SEVERE: Error starting endpoint
>> java.io.IOException: Alias name tomcat does not identify a key entry
>>        at 
>> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>>        at 
>> org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>>        at 
>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
>>        at 
>> org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
>>        at 
>> org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
>>        at 
>> org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
>>        at 
>> org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
>>        at 
>> org.apache.catalina.connector.Connector.start(Connector.java:1089)
>>        at 
>> org.apache.catalina.core.StandardService.start(StandardService.java:459)
>>        at 
>> org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
>>        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>        at 
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>        at 
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
>>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
>>
>> However my keystore DOES contain my two keys (Verisign's key as well as 
>> my SSL cert):
>>
>> # keytool -list --keystore wstest -v
>> Enter keystore password:  XXX
>>
>> Keystore type: jks
>> Keystore provider: SUN
>>
>> Your keystore contains 2 entries
>>
>> Alias name: root
>> Creation date: Aug 29, 2007
>> Entry type: trustedCertEntry
>>
>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
>> VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
>> Inc.", O=VeriSign Trust Network
>>
>> [...]
>>
>> *******************************************
>> *******************************************
>>
>> Alias name: tomcat
>> Creation date: Aug 29, 2007
>> Entry type: trustedCertEntry
>>
>> Owner: CN=myhostname, ...
>>
>> [...]
>>
>> *******************************************
>> *******************************************
>>
>> Here is the first problem: Why does my alias "tomcat" not identify a key 
>> entry in the keystore? It does exist, doesn't it?
>>
>> 5) Now to get around this problem, I removed the "keyAlias" directive
>> from the Tomcat config which now looks like this:
>>
>> <Connector port="8443" maxHttpHeaderSize="16384"
>>               address="myhostname" enableLookups="false"
>>               disableUploadTimeout="true" acceptCount="100" 
>> maxKeepAliveRequests="100"
>>               scheme="https" secure="true" clientAuth="false"
>>               compression="8192"
>>               compressableMimeType="text/javascript,text/css"
>>               keystoreFile="/usr/local/tomcat/conf/wstest"
>>               keystorePass="XXX" sslProtocol="TLS"
>> />
>>
>> 6) Then I restarted Tomcat and here is what I get in the logs:
>>
>> # svcadm disable tomcat
>> # rm ../logs/catalina.out
>> # svcadm enable tomcat
>> # tail -f ../logs/catalina.out
>>
>> [...]
>>
>> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: 
>> No available certificate or key corresponds to the SSL cipher suites 
>> which are enabled.
>>
>>        at 
>> org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>>        at 
>> org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>>        at 
>> org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>        at 
>> org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>        at java.lang.Thread.run(Thread.java:595)
>> Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint 
>> acceptSocket
>> WARNING: Reinitializing ServerSocket
>>
>> Another problem. Any ideas?
>>
>> 7) Then I tried to change the sslProtocol to SSL (rather than TLS) but 
>> that didn't change anything. The file permissions of the certs are okay,
>> they are all world-readable.
>>
>> So guys any ideas on how to solve this? Has anyone ever encountered this 
>> problem? I searched on Google but I really was unable to
>> find a proper solution.
>>
>> Any input is greatly appreciated. Thank you very much.
>>
>> Best regards,
>> Werner.
>>
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>
>
>


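Added example (not code from the thread or from the Tomcat project): the keystore listing Werner posted shows both aliases as trustedCertEntry, and Tomcat's keyAlias must name a key entry (certificate plus private key), which `keytool -import` of a certificate file alone never creates. The script below classifies every alias in the text printed by `keytool -list -v -keystore <file>`; the embedded sample listing is constructed to mirror the posted one, and the function names and exit codes are this example's own.

```shell
#!/bin/sh
# Diagnose "Alias name X does not identify a key entry": a cert imported
# without its private key becomes a trustedCertEntry, which the Tomcat
# connector cannot use. Reads `keytool -list -v` output from stdin.

# Emit "alias<TAB>entry type" for each entry in the listing.
keystore_entries() {
    awk '
        /^Alias name: / { alias = substr($0, 13) }
        /^Entry type: / { print alias "\t" substr($0, 13) }
    '
}

# Exit status: 0 = alias is a key entry, 1 = alias is only a trusted
# certificate (the situation in the thread), 2 = alias not in the keystore.
check_key_alias() {
    want="$1"
    etype=$(keystore_entries | awk -F'\t' -v a="$want" '$1 == a { print $2 }')
    case "$etype" in
        "")
            echo "alias '$want' not found: keyAlias must match an existing alias"
            return 2 ;;
        PrivateKeyEntry|keyEntry)   # older keytool prints keyEntry
            echo "alias '$want' is a key entry: usable by the connector"
            return 0 ;;
        *)
            echo "alias '$want' is a $etype, not a key entry: no private key"
            echo "(the CA-signed cert must be imported into the alias holding the key)"
            return 1 ;;
    esac
}

# Constructed sample listing (details elided) mirroring the posted one; on a
# real host pipe `keytool -list -v -keystore wstest` into check_key_alias.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: trustedCertEntry'

printf '%s\n' "$SAMPLE_LISTING" | check_key_alias tomcat || echo "exit status $?"
```

A keystore whose aliases are all trustedCertEntry also explains the second error (no certificate or key for any enabled cipher suite): with no key entry at all, the connector has nothing to serve.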

