tomcat-users mailing list archives

From Samuli Seppänen <samuli.seppa...@tietoteema.fi>
Subject Re: Tomcat 5.5 and SSL connector: keystore was tampered with
Date Wed, 30 Jan 2008 10:44:24 GMT
Some additional info:

Debian Etch w/o system-wide Java installation

These are included in the Funambol sync server bundle (6.5.12):
  Java Runtime environment 1.5.0
  Tomcat 5.5.20

First of all, instead of recipes, I'd prefer to be pointed at 
information on how to debug this problem. I'm not a professional Java 
developer so all these Servlet/Java/log4j/properties/Connector/Factory 
things are a bit strange for me.

Anyways, here are the HTTPS/SSL connector settings that I've tried to no 
avail. Please tell me which one _should_ work, or if they are all 
faulty. The paths are correct.

<!-- This is based strictly on Tomcat 5.5 SSL Howto. Still -->
<!-- it does not work. The keystoreFile should be in -->
<!-- Connector part, not Factory part. Feel free to -->
<!-- verify with "strace" to see what I mean. -->
     <Connector port="443" maxHttpHeaderSize="8192"
                maxThreads="150"
                minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                keystorePass="something"
                keyAlias="tomcat">
         <Factory clientAuth="false" protocol="TLS"
                  keystoreFile="/root/newkeystore"/>
     </Connector>

     <!-- Another variant with keystorePass in Connector -->
     <Connector port="443" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                keystorePass="something"
                keyAlias="tomcat"
                keystoreFile="/root/newkeystore">
         <Factory clientAuth="false" protocol="TLS"/>
     </Connector>

     <!-- Another variant with keystorePass inside Factory -->
     <Connector port="443" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                keyAlias="tomcat"
                keystoreFile="/root/newkeystore">
         <Factory clientAuth="false" protocol="TLS"
                keystorePass="something"/>
     </Connector>

     <!-- Another variant without Factory part -->
     <Connector port="443" maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="TLS"
                keystorePass="something"
                keyAlias="tomcat"
                keystoreFile="/root/newkeystore"/>

So none of these work. Any ideas?

> Hi!
> 
> I migrated from Tomcat 5.0 to Tomcat 5.5. I had SSL working in Tomcat 
> 5.0 with both a self-created certificate and a signed (trusted) 
> certificate, both inside a Java keystore (JKS).
> 
> Now, with Tomcat 5.5 the SSL connector refuses to start with the dreaded 
> "keystore was tampered with" error. This only happens _if_ I change the 
> keystore password to anything else than "changeit".
> 
> I already searched the mailinglist archives, Tomcat Wiki, Tomcat Howto's 
> and Google. No definitive answers. Just lots of contradicting 
> information. I also read the Tomcat 5.5 SSL HOWTO carefully so I'm 
> positive I didn't miss anything.
> 
> Anyways, the process in a nutshell:
> 
> First I create a new Java keystore (JKS) with keytool, like this:
> 
>  keytool -genkey -alias tomcat -keyalg RSA -keystore /root/newkeystore
> 
> Next I move on to modifying the server.xml. No matter what I do, I can't 
> get Tomcat to use the correct password. The 
> "keystoreFile="/root/newkeystore" in the <Connector> statement works as 
> it should (I straced Tomcat startup). The "keystorePass", however, does 
> not work whether it's inside <Connector> or inside <Factory> (which is 
> inside the <Connector>). The "keyAlias" entry did not help either.
> 
> I can open my Java keystore just fine with keytool and with the defined 
> password, so it seems that Tomcat is just not using the password that's 
> defined in server.xml and therefore reverts to default.
> 
> Does anyone have a functional Tomcat 5.5 SSL/https connector definition 
> which I could use? Or does someone have an idea what's happening here? 
> I'd be really happy if this thing gets sorted out!
> 
> Best regards to all,
> 
> Samuli
> 
> ---
> 
> Btw. The Tomcat 5.5 SSL-Howto seems to have an error in it:
> 
> "If the keystore file is anywhere else, you will need to add a 
> keystoreFile attribute to the <Factory>  element in the Tomcat 
> configuration file."
> 
> I straced Tomcat startup and if the keystoreFile was defined in 
> <Connector> element, strace showed that Tomcat was trying to open 
> keystorefile from that location. Adding it to <Factory> did not work.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
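The thread above never gets further than "none of these work", so here is a small audit script, added to this archive page and not part of the thread or of the Tomcat project, that reads a server.xml and reports where the SSL attributes of each HTTPS <Connector> actually sit. It assumes, as the poster's strace observations suggest, that Tomcat 5.5 reads keystoreFile and keystorePass from the <Connector> element itself and ignores a nested <Factory> (the Tomcat 4/5.0 form), that a missing keystorePass falls back to "changeit", and that a missing keystoreFile falls back to ~/.keystore. The embedded server.xml is constructed from two of the variants in the post, with the second moved to port 8443 so the two connectors can be told apart; the names audit_connector and audit_server_xml are this example's own.

```python
"""Audit the SSL <Connector> elements of a Tomcat 5.5 server.xml.

Added example for the thread above, not Tomcat project code.
Assumptions (labelled, not taken from the thread):
  * Tomcat 5.5 reads keystoreFile / keystorePass / keyAlias from the
    <Connector> element and ignores a nested <Factory> (Tomcat 4/5.0 syntax).
  * A missing keystorePass defaults to "changeit", a missing keystoreFile
    to ~/.keystore.
"""
import sys
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASS = "changeit"
SSL_ATTRS = ("keystoreFile", "keystorePass", "keyAlias", "keystoreType")

# Constructed sample: the first and last variants from the post (the second
# one moved to port 8443 so the two reports do not collide), plus a plain
# HTTP connector that the audit must skip.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" maxHttpHeaderSize="8192"/>
  <Connector port="443" maxHttpHeaderSize="8192"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystorePass="something" keyAlias="tomcat">
    <Factory clientAuth="false" protocol="TLS"
             keystoreFile="/root/newkeystore"/>
  </Connector>
  <Connector port="8443" maxHttpHeaderSize="8192"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="TLS"
             keystorePass="something" keyAlias="tomcat"
             keystoreFile="/root/newkeystore"/>
</Service></Server>"""


def audit_connector(conn):
    """Return a list of human-readable findings for one <Connector> element."""
    findings = []
    port = conn.get("port", "?")

    # Anything SSL-related on a child <Factory> is silently ignored by 5.5.
    for factory in conn.findall("Factory"):
        misplaced = [a for a in SSL_ATTRS if a in factory.attrib]
        if misplaced:
            findings.append(
                f"port {port}: {', '.join(misplaced)} set on <Factory>; "
                "Tomcat 5.5 ignores <Factory>, move them to <Connector>")
        else:
            findings.append(
                f"port {port}: <Factory> element is Tomcat 4/5.0 syntax, remove it")

    if "keystoreFile" not in conn.attrib:
        findings.append(
            f"port {port}: no keystoreFile on <Connector>; "
            "Tomcat will open ~/.keystore of the user running it")

    if conn.get("keystorePass") is None:
        findings.append(
            f"port {port}: no keystorePass on <Connector>; "
            f"default '{DEFAULT_KEYSTORE_PASS}' will be tried, which gives "
            "'keystore was tampered with' on a keystore with another password")
    return findings


def audit_server_xml(xml_text):
    """Map each HTTPS connector port to its findings (an empty list is clean)."""
    root = ET.fromstring(xml_text)
    report = {}
    for conn in root.iter("Connector"):
        is_https = (conn.get("secure", "false").lower() == "true"
                    or conn.get("scheme", "").lower() == "https")
        if not is_https:
            continue
        report[conn.get("port", "?")] = audit_connector(conn)
    return report


if __name__ == "__main__":
    # Usage: python audit_ssl_connector.py [path/to/server.xml]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SERVER_XML
    for port, findings in audit_server_xml(text).items():
        print(f"connector on port {port}: "
              + ("OK" if not findings else ""))
        for f in findings:
            print("  -", f)
```

On the sample, the port 443 connector (keystoreFile on the <Factory>) gets two findings and the port 8443 connector (everything on the <Connector>, no <Factory>) gets none; the 8080 connector is skipped. The script only checks where the attributes are placed, not whether the password is right: confirm that separately with `keytool -list -keystore /root/newkeystore` using the same password, and remember that keytool -genkey also asks for a key password, which Tomcat expects to equal keystorePass.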

