From Filip Hanik - Dev Lists <devli...@hanik.com>
Subject Re: Problems with SSL-enabled Tomcat 5.5
Date Thu, 30 Aug 2007 15:05:47 GMT
looks like the keyAlias="root" is not taking effect, as the
container complains about not finding one named "tomcat"

could be that it just looks for a "tomcat" alias to exist.
this is what I would try next: import the same certificate using the
"tomcat" alias, and leave the "root" alias in there.

Filip

Werner Schalk wrote:
> Hello,
>
> setting keyAlias="root" did not change anything. Then I downloaded the
> latest version of Tomcat, added the Verisign cert to my cacerts file
> and imported my Verisign-signed SSL certificate into a new keystore.
> Unfortunately that does not change my situation: Either Tomcat is
> unable to find my alias in the keystore file (if I specify a keyAlias)
> or there appears to be a problem with the SSL ciphers or certificate
> itself (if I don't specify a keyAlias).
>
> The two error messages I am getting when attempting to start Tomcat are
> (see further below):
>
> 1/ with keyAlias directive:
> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
> SEVERE: Error starting endpoint
> java.io.IOException: Alias name tomcat does not identify a key entry
>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>
> 2/ without keyAlias directive:
> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

>
>
> Any more ideas? Is the problem maybe caused because I am creating a 
> new keystore and the key of the Verisign-signed
> certificate is in a separate file (my colleague deleted the original 
> keystore file)? Are we screwed now?
>
> Thank you. Any input is greatly appreciated.
>
> Bye,
> Werner.
>
> ----- Original Message ----- From: "Filip Hanik - Dev Lists" 
> <devlists@hanik.com>
> To: "Tomcat Users List" <users@tomcat.apache.org>
> Sent: Wednesday, August 29, 2007 10:32 PM
> Subject: Re: Problems with SSL-enabled Tomcat 5.5
>
>
>> did you set
>> keyAlias="root" in server.xml
>>
>> Werner Schalk wrote:
>>> Hello,
>>>
>>> I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on
>>> a Sun Solaris 10 (Sparc) but it turns out that this appears not to
>>> be an easy task. Hopefully you guys can shed some light on this.
>>> Basically I do have a Verisign-signed SSL certificate which I would
>>> like to add to my existing Tomcat config. Now after spending hours of
>>> tweaking the config, I do face two problems: Either Tomcat is unable
>>> to find my alias in the keystore file or there appears to be a problem
>>> with the SSL ciphers or certificate itself. Hopefully somebody knows
>>> what to do, this has been giving me a headache for many hours now.
>>>
>>> Here is what I did (steps taken from
>>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing
>>> the Certificate"); please note that I removed IPs, hostnames etc. to
>>> protect the innocent:
>>>
>>> 1) Import of the Verisign root cert into my keystore:
>>>
>>> $ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt
>>> Enter keystore password:  XXX
>>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network
>>>
>>> [ ... ]
>>>
>>> Certificate was added to keystore
>>>
>>> 2) Import of my Verisign-signed SSL certificate:
>>>
>>> $ keytool -import -alias tomcat -keystore wstest -trustcacerts -file mysystem.crt
>>> Enter keystore password:  XXX
>>>
>>> [ ... ]
>>>
>>> Certificate was added to keystore
>>>
>>> 3) Change of my Tomcat configuration in server.xml to use the new 
>>> keystore and SSL cert:
>>>
>>> <Connector port="8443" maxHttpHeaderSize="16384"
>>>            address="myhostname" enableLookups="false"
>>>            disableUploadTimeout="true" acceptCount="100"
>>>            maxKeepAliveRequests="100"
>>>            scheme="https" secure="true" clientAuth="false"
>>>            compression="8192"
>>>            compressableMimeType="text/javascript,text/css"
>>>            keystoreFile="/usr/local/tomcat/conf/wstest"
>>>            keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
>>> />
>>>
>>> 4) Restart of Tomcat and review of Tomcat log file:
>>>
>>> # svcadm disable tomcat
>>> # rm ../logs/catalina.out
>>> # svcadm enable tomcat
>>> # tail -f ../logs/catalina.out
>>>
>>> [...]
>>>
>>> INFO: Deploying web application archive help.war
>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
>>> INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
>>> Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
>>> SEVERE: Error starting endpoint
>>> java.io.IOException: Alias name tomcat does not identify a key entry
>>>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
>>>        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
>>>        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
>>>        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
>>>        at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
>>>        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
>>>        at org.apache.catalina.connector.Connector.start(Connector.java:1089)
>>>        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
>>>        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
>>>        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
>>>        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>>>        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>>>        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>>>        at java.lang.reflect.Method.invoke(Method.java:585)
>>>        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
>>>        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)
>>>
>>> However my keystore DOES contain my two keys (Verisign's key as well 
>>> as my SSL cert):
>>>
>>> # keytool -list -keystore wstest -v
>>> Enter keystore password:  XXX
>>>
>>> Keystore type: jks
>>> Keystore provider: SUN
>>>
>>> Your keystore contains 2 entries
>>>
>>> Alias name: root
>>> Creation date: Aug 29, 2007
>>> Entry type: trustedCertEntry
>>>
>>> Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
>>> VeriSign, OU=VeriSign International Server CA - Class 3, 
>>> OU="VeriSign, Inc.", O=VeriSign Trust Network
>>>
>>> [...]
>>>
>>> *******************************************
>>> *******************************************
>>>
>>> Alias name: tomcat
>>> Creation date: Aug 29, 2007
>>> Entry type: trustedCertEntry
>>>
>>> Owner: CN=myhostname, ...
>>>
>>> [...]
>>>
>>> *******************************************
>>> *******************************************
>>>
>>> Here is the first problem: Why does my alias "tomcat" not identify a 
>>> key entry in the keystore? It does exist, doesn't it?
>>>
>>> 5) Now to get around this problem, I removed the "keyAlias"
>>> directive from the Tomcat config which now looks like this:
>>>
>>> <Connector port="8443" maxHttpHeaderSize="16384"
>>>            address="myhostname" enableLookups="false"
>>>            disableUploadTimeout="true" acceptCount="100"
>>>            maxKeepAliveRequests="100"
>>>            scheme="https" secure="true" clientAuth="false"
>>>            compression="8192"
>>>            compressableMimeType="text/javascript,text/css"
>>>            keystoreFile="/usr/local/tomcat/conf/wstest"
>>>            keystorePass="XXX" sslProtocol="TLS"
>>> />
>>>
>>> 6) Then I restarted Tomcat and here is what I get in the logs:
>>>
>>> # svcadm disable tomcat
>>> # rm ../logs/catalina.out
>>> # svcadm enable tomcat
>>> # tail -f ../logs/catalina.out
>>>
>>> [...]
>>>
>>> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>>>        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>>>        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>>>        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
>>>        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
>>>        at java.lang.Thread.run(Thread.java:595)
>>> Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
>>> WARNING: Reinitializing ServerSocket
>>>
>>> Another problem. Any ideas?
>>>
>>> 7) Then I tried to change the sslProtocol to SSL (rather than TLS)
>>> but that didn't change anything. The file permissions of the certs
>>> are okay, they are all world-readable.
>>>
>>> So guys any ideas on how to solve this? Has anyone ever encountered
>>> this problem? I searched on Google but I really was unable to
>>> find a proper solution.
>>>
>>> Any input is greatly appreciated. Thank you very much.
>>>
>>> Best regards,
>>> Werner.
>>>
>>>
>>>
>>> ---------------------------------------------------------------------
>>> To start a new topic, e-mail: users@tomcat.apache.org
>>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>>> For additional commands, e-mail: users-help@tomcat.apache.org


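Added example, not part of this thread and not Tomcat's or keytool's own code: a small POSIX shell script that reads the output of "keytool -list -v" and classifies each alias by its "Entry type", then applies the same two checks Tomcat 5.5's JSSE socket factory applies at startup. Both keystore listings below are constructed to match what Werner posted (two trustedCertEntry aliases) and what a working store looks like (alias tomcat as a key entry with a two-certificate chain); the function names entry_type, has_key_entry, diagnose and check_keystore are my own. Only the keytool output format, the keytool command line and the two Tomcat error strings come from the thread.

```shell
#!/bin/sh
# Added example: classify JKS entries from `keytool -list -v` output and
# predict which of the two Tomcat 5.5 errors from this thread a Connector
# will hit. Function names, variable names and both sample listings are
# constructed for this example; the output format and error strings are real.

# Constructed sample: the store from the thread. Both aliases were created
# with `keytool -import`, so neither one holds a private key.
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry
Owner: OU=VeriSign International Server CA - Class 3, O=VeriSign Trust Network

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry
Owner: CN=myhostname'

# Constructed sample of a usable store: the key pair was generated with
# `keytool -genkey` under alias tomcat and the CA reply imported into that
# same alias, so the entry is a key entry carrying the certificate chain.
FIXED_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry
Owner: OU=VeriSign International Server CA - Class 3, O=VeriSign Trust Network

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 2
Certificate[1]:
Owner: CN=myhostname'

# entry_type ALIAS LISTING
# Prints the "Entry type:" value recorded for ALIAS, or "missing" when the
# alias does not occur in LISTING at all.
entry_type() {
  printf '%s\n' "$2" | awk -v want="$1" '
    /^Alias name: / { cur = substr($0, 13) }
    /^Entry type: / { if (cur == want) { print substr($0, 13); found = 1; exit } }
    END             { if (!found) print "missing" }'
}

# has_key_entry LISTING
# Succeeds if any entry holds a private key. JDK 5 keytool printed
# "keyEntry", later releases print "PrivateKeyEntry"; both are accepted.
has_key_entry() {
  printf '%s\n' "$1" | grep -Eq '^Entry type: (PrivateKeyEntry|keyEntry)$'
}

# diagnose KEYALIAS LISTING
# With keyAlias set, Tomcat requires that alias to be a key entry and refuses
# to start otherwise. Without keyAlias, the KeyManager is built from every
# key entry in the store; a store with none can serve no cipher suite, so the
# connector starts but every handshake fails.
diagnose() {
  if [ -n "$1" ]; then
    case "$(entry_type "$1" "$2")" in
      PrivateKeyEntry|keyEntry) echo "ok: alias $1 is a key entry" ;;
      missing)                  echo "error: alias $1 not found in keystore" ;;
      *)                        echo "error: Alias name $1 does not identify a key entry" ;;
    esac
  elif has_key_entry "$2"; then
    echo "ok: keystore holds at least one key entry"
  else
    echo "error: no key entry; handshakes fail with 'No available certificate or key corresponds to the SSL cipher suites which are enabled'"
  fi
}

# check_keystore FILE KEYALIAS STOREPASS
# The same diagnosis against a real keystore file; not invoked here because
# it needs keytool on PATH.
check_keystore() {
  diagnose "$2" "$(keytool -list -v -keystore "$1" -storepass "$3")"
}

# Walk through the two configurations from the thread and the repaired store.
diagnose tomcat "$SAMPLE_LISTING"   # error: Alias name tomcat does not identify a key entry
diagnose ""     "$SAMPLE_LISTING"   # error: no key entry; handshakes fail with ...
diagnose tomcat "$FIXED_LISTING"    # ok: alias tomcat is a key entry
```

Running it against Werner's store reproduces both symptoms from one cause: "keytool -import" into an alias that holds no private key always produces a trustedCertEntry, never a key entry, whatever file is imported. A key entry only comes from the sequence the ssl-howto describes (keytool -genkey under the alias, -certreq, import of the CA certificate, then import of the signed certificate into that same alias as a reply), or from a store that already bundles key and certificate, for instance a PKCS12 file referenced with keystoreType="PKCS12". If the keystore holding the original private key is gone and no other copy of that key exists, the signed certificate cannot be served and has to be reissued against a freshly generated key pair.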

