tomcat-users mailing list archives

From Daniel M Garland <daniel.garl...@titanemail.com>
Subject OpenSSL + APR + Tomcat 5.5.2 Help
Date Wed, 28 Nov 2007 16:10:22 GMT
Hi folks,

Again I call on your expert assistance:

I have a tomcat 5.5.2 server running on a Debian Etch linux box. It's 
configured to use APR 1.1.3 and I want to get SSL going. I've 
successfully managed this using JSSE but not OpenSSL. I installed 
openssl using apt, as well as the APR libraries. Tomcat was installed 
with the binaries from Apache.

I ran the following commands (with help from http://marc.info):

- Create private key and certificate request for my own certificate 
authority
openssl req -new -newkey rsa:1024 -nodes -out ssl/ca/ca.csr -keyout
ssl/ca/ca.key

- Self-sign
openssl x509 -trustout -signkey ssl/ca/ca.key -days 365 -req -in
ssl/ca/ca.csr -out ssl/ca/ca.pem

- Import into Java's security thingy
keytool -import -keystore $JAVA_HOME/jre/lib/security/cacerts -file 
ssl/ca/ca.pem -alias tomcat

- Created a file for the CA's serial numbers?
echo "02" > ssl/ca/ca.srl

- Created a keystore
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024 -keystore
~/.keystore -storetype JKS

- Create a certificate request for the server
keytool -certreq -keyalg RSA -alias tomcat -file ssl/certreq.csr 
-keystore .keystore

(This certificate got sent off to verisign, but in the meantime I 
thought I'd try signing myself off to see SSL working)

openssl x509 -CA ssl/ca/ca.pem -CAkey ssl/ca/ca.key -CAserial 
ssl/ca/ca.srl -req -in ssl/certreq.csr  -out ssl/selfcert.crt -days 365

- Import my self-cert into the keystore
keytool -import -alias tomcat  -keystore .keystore -trustcacerts -file 
ssl/selfcert.crt

Then I had this in server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS" 
keystoreFile="/home/tomcat5/.keystore" keystorePass="password" />

The docs said that it would pick up .keystore in the user's home 
directory but I thought I'd set it explicitly.

When I restart tomcat I see in the log:
28-Nov-2007 14:59:26 org.apache.coyote.http11.Http11AprProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443

And no errors alluding to SSL anywhere else.

When I try to access

https://myserver:8443

Firefox tells me that the connection was interrupted, following a 
lengthy pause.

keytool -list shows 1 entry.

Since I'm a bit of a newbie to SSL, and there is nothing in the log, I 
am stuck as to what to do next. I gather that since I use APR I might 
need other settings in my server.conf, but the documentation is vague on 
whether I need both the keystore attributes and the openssl stuff, or 
just the ssl stuff, or what. If I were to add the SSLEngine, 
SSLCertificateFile, SSLCertificateKeyFile attributes, what values would 
I feed them based on the previous steps?

Does anyone have any good howtos for the openssl side of things (the 
first line of the official docs is a caveat that the howto applies to 
JSSE only!)

Thanks in advance

Dan Garland
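An added example, not from Dan's post or from the Tomcat project, covering the OpenSSL side he asks about: the APR connector ignores the keystore attributes and reads PEM files, so the server key has to come from openssl rather than a JKS. The script builds the files, checks that key and certificate belong together and chain to the CA, and prints the matching connector fragment; the ssl/ layout and ca.* names follow the post, while server.key/server.crt, the subject names, the ca.ext file and the SSLEnabled attribute spelling are assumptions.

```shell
# Added example (not from the post): build the PEM key/cert pair the APR (OpenSSL)
# connector reads, check it, and emit the server.xml fragment. ssl/ca/ca.{key,csr,pem,srl}
# follow the post; server.key/server.crt, the CN values and 2048-bit keys are mine.
set -eu

# The server key is made by openssl rather than keytool: the APR connector needs a
# PEM file, and keytool of that era cannot export a private key from a JKS keystore.
make_server_pem() {
    dir="$1"
    mkdir -p "$dir/ssl/ca"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Test CA" \
        -keyout "$dir/ssl/ca/ca.key" -out "$dir/ssl/ca/ca.csr" 2>/dev/null
    # Self-sign as in the post, plus basicConstraints so 'openssl verify' treats it as a CA
    printf 'basicConstraints=critical,CA:TRUE\n' > "$dir/ssl/ca/ca.ext"
    openssl x509 -req -signkey "$dir/ssl/ca/ca.key" -days 365 -in "$dir/ssl/ca/ca.csr" \
        -extfile "$dir/ssl/ca/ca.ext" -out "$dir/ssl/ca/ca.pem" 2>/dev/null
    echo "02" > "$dir/ssl/ca/ca.srl"    # serial file, as in the post
    # Server key + CSR, then the post's 'openssl x509 -CA' signing step
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=myserver" \
        -keyout "$dir/ssl/server.key" -out "$dir/ssl/server.csr" 2>/dev/null
    openssl x509 -req -CA "$dir/ssl/ca/ca.pem" -CAkey "$dir/ssl/ca/ca.key" \
        -CAserial "$dir/ssl/ca/ca.srl" -days 365 \
        -in "$dir/ssl/server.csr" -out "$dir/ssl/server.crt" 2>/dev/null
}

# Cert must chain to the CA and the key must match it (same RSA modulus); 0 only if both hold.
check_server_pem() {
    dir="$1"
    openssl verify -CAfile "$dir/ssl/ca/ca.pem" "$dir/ssl/server.crt" >/dev/null 2>&1 || return 1
    key_mod=$(openssl rsa -noout -modulus -in "$dir/ssl/server.key" 2>/dev/null)
    crt_mod=$(openssl x509 -noout -modulus -in "$dir/ssl/server.crt" 2>/dev/null)
    [ -n "$key_mod" ] && [ "$key_mod" = "$crt_mod" ]
}

# server.xml fragment. keystoreFile/keystorePass are dropped: Http11AprProtocol never reads
# a JKS, so with only those attributes 8443 speaks plain HTTP and the browser reports an
# interrupted connection. SSLEngine="on" belongs on the AprLifecycleListener; the Connector
# is enabled with SSLEnabled="true" (assumption; older 5.5 APR builds used SSLEngine="on").
connector_fragment() {
    dir="$1"
    cat <<EOF
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
           enableLookups="false" disableUploadTimeout="true" acceptCount="100"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="$dir/ssl/server.crt"
           SSLCertificateKeyFile="$dir/ssl/server.key"
           SSLCertificateChainFile="$dir/ssl/ca/ca.pem" />
EOF
}
```

Run it as `make_server_pem /home/tomcat5 && check_server_pem /home/tomcat5 && connector_fragment /home/tomcat5` and paste the printed fragment into server.xml in place of the JSSE connector; check the APR connector docs for your exact 5.5.x build for the attribute names before relying on them.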



