tomcat-users mailing list archives

From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Problems with SSL-enabled Tomcat 5.5
Date Wed, 29 Aug 2007 20:32:12 GMT
did you set
keyAlias="root" in server.xml

Werner Schalk wrote:
> Hello,
>
> I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a 
> Sun Solaris 10 (Sparc) but it turns out that this appears not to be an 
> easy task.
> Hopefully you guys can shed some light on this. Basically I do have a 
> Verisign-signed SSL certificate which I would like to add to my
> existing Tomcat config. Now after spending hours of tweaking the 
> config, I do face two problems: Either Tomcat is unable to find
> my alias in the keystore file or there appears to be a problem with 
> the SSL ciphers or certificate itself. Hopefully somebody knows what 
> to do, this
> has been giving me a headache for many hours now.
>
> Here is what I did (steps taken from 
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
> Certificate"), please
> note that I removed IPs, hostnames etc. to protect the innocent:
>
> 1) Import of the Verisign root cert into my keystore:
>
> $ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt
> Enter keystore password:  XXX
> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
> VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
> Inc.", O=VeriSign Trust Network
>
> [ ... ]
>
> Certificate was added to keystore
>
> 2) Import of my Verisign-signed SSL certificate:
>
> $ keytool -import -alias tomcat -keystore wstest -trustcacerts -file mysystem.crt
> Enter keystore password:  XXX
>
> [ ... ]
>
> Certificate was added to keystore
>
> 3) Change of my Tomcat configuration in server.xml to use the new 
> keystore and SSL cert:
>
> <Connector port="8443" maxHttpHeaderSize="16384"
>               address="myhostname" enableLookups="false"
>               disableUploadTimeout="true" acceptCount="100" 
> maxKeepAliveRequests="100"
>               scheme="https" secure="true" clientAuth="false"
>               compression="8192"
>               compressableMimeType="text/javascript,text/css"
>               keystoreFile="/usr/local/tomcat/conf/wstest"
>               keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
> />
>
> 4) Restart of Tomcat and review of Tomcat log file:
>
> # svcadm disable tomcat
> # rm ../logs/catalina.out
> # svcadm enable tomcat
> # tail -f ../logs/catalina.out
>
> [...]
>
> INFO: Deploying web application archive help.war
> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
> SEVERE: Error starting endpoint
> java.io.IOException: Alias name tomcat does not identify a key entry
>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
>        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
>        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
>        at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
>        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
>        at org.apache.catalina.connector.Connector.start(Connector.java:1089)
>        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
>        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
>        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>        at java.lang.reflect.Method.invoke(Method.java:585)
>        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
>
> However my keystore DOES contain my two keys (Verisign's key as well 
> as my SSL cert):
>
> # keytool -list --keystore wstest -v
> Enter keystore password:  XXX
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> Alias name: root
> Creation date: Aug 29, 2007
> Entry type: trustedCertEntry
>
> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
> VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
> Inc.", O=VeriSign Trust Network
>
> [...]
>
> *******************************************
> *******************************************
>
> Alias name: tomcat
> Creation date: Aug 29, 2007
> Entry type: trustedCertEntry
>
> Owner: CN=myhostname, ...
>
> [...]
>
> *******************************************
> *******************************************
>
> Here is the first problem: Why does my alias "tomcat" not identify a 
> key entry in the keystore? It does exist, doesn't it?
>
> 5) Now to get around this problem, I removed the "keyAlias" directive 
> from the Tomcat config, which now looks like this:
>
> <Connector port="8443" maxHttpHeaderSize="16384"
>               address="myhostname" enableLookups="false"
>               disableUploadTimeout="true" acceptCount="100" 
> maxKeepAliveRequests="100"
>               scheme="https" secure="true" clientAuth="false"
>               compression="8192"
>               compressableMimeType="text/javascript,text/css"
>               keystoreFile="/usr/local/tomcat/conf/wstest"
>               keystorePass="XXX" sslProtocol="TLS"
> />
>
> 6) Then I restarted Tomcat and here is what I get in the logs:
>
> # svcadm disable tomcat
> # rm ../logs/catalina.out
> # svcadm enable tomcat
> # tail -f ../logs/catalina.out
>
> [...]
>
> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>        at java.lang.Thread.run(Thread.java:595)
> Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
> WARNING: Reinitializing ServerSocket
>
> Another problem. Any ideas?
>
> 7) Then I tried to change the sslProtocol to SSL (rather than TLS) but 
> that didn't change anything. The file permissions of the certs are okay,
> they are all world-readable.
>
> So guys any ideas on how to solve this? Has anyone ever encountered 
> this problem? I searched on Google but I really was unable to
> find a proper solution.
>
> Any input is greatly appreciated. Thank you very much.
>
> Best regards,
> Werner.
>
>
>
> ---------------------------------------------------------------------
> To start a new topic, e-mail: users@tomcat.apache.org
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
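Added example, not from this thread or the Tomcat project: a small Python checker that parses `keytool -list -v` output (a constructed sample mirroring the listing in the post) and applies the same rule Tomcat's JSSE connector applies, namely that keyAlias must name a key entry (one that carries a private key). A trustedCertEntry, which is what `keytool -import` creates when the alias has no private key yet, fails that rule, and a keystore with no key entry at all has nothing to offer the enabled cipher suites.

```python
import re

# Constructed sample of `keytool -list -v` output mirroring the post: both aliases are
# trustedCertEntry, i.e. the signed cert was imported without its private key.
SAMPLE_LISTING = """\
Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry

*******************************************

Alias name: tomcat
Entry type: trustedCertEntry

*******************************************
"""

# Spellings keytool uses for a private-key entry, depending on JDK version.
KEY_ENTRY_TYPES = {"keyentry", "privatekeyentry"}

def parse_entries(listing):
    """Map alias -> entry type from `keytool -list -v` text."""
    entries, alias = {}, None
    for line in listing.splitlines():
        m = re.match(r"Alias name:\s*(.+)", line)
        if m:
            alias = m.group(1).strip()
            continue
        m = re.match(r"Entry type:\s*(\S+)", line)
        if m and alias is not None:
            entries[alias] = m.group(1)
            alias = None
    return entries

def check_key_alias(listing, key_alias=None):
    """Apply the connector's rule: keyAlias must name a key entry. Returns (ok, reason)."""
    entries = parse_entries(listing)
    key_entries = [a for a, t in entries.items() if t.lower() in KEY_ENTRY_TYPES]
    if key_alias is None:
        if key_entries:
            return True, "keyAlias unset; key manager picks from key entries %r" % key_entries
        return False, "no key entry at all: handshake fails, no cert/key matches the enabled cipher suites"
    entry_type = entries.get(key_alias)
    if entry_type is None:
        return False, "alias %r not in keystore" % key_alias
    if entry_type.lower() not in KEY_ENTRY_TYPES:
        return False, "alias %r is a %s, not a key entry" % (key_alias, entry_type)
    return True, "alias %r is a key entry" % key_alias
```

Run against the post's listing, both `keyAlias="tomcat"` and `keyAlias="root"` are rejected and omitting keyAlias is rejected too, which matches the two errors in the logs; the fix is to generate the key pair under the alias first and import the signed certificate into that same alias.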