tomcat-users mailing list archives

From Samuli Seppänen <samuli.seppa...@tietoteema.fi>
Subject Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]
Date Thu, 31 Jan 2008 09:14:12 GMT
Update on this Tomcat+SSL+keystore thing:

I dug into the Tomcat 5.5.25 source code to see what's really going on. 
Here's what I found - hopefully it's useful to someone.

Tomcat SSL <Connector> entries accept the following parameters:
- keystorePass (password for the JKS (Java keystore))
- keypass (password for the key inside the JKS)
- keystoreFile (keystore location in filesystem)

At least Tomcat 5.5.20 (older, yes) supports only the "keystoreFile" 
parameter. The "keypass" and "keystorePass" get messed up somehow, no 
matter how they're defined in the <Connector> part. The default password 
("changeit") is used instead.

In Tomcat 5.5.21 a Java property check was added to the code to allow a 
property (javax.net.keystorePassword or something) to define the 
keystore password.

In Tomcat 5.5.25 it seems to be possible to use a different keystore 
password and key password. One of them has to be the default 
("changeit"), can't remember which. I didn't have time to check this 
properly.

There's also a "bug" in Tomcat SSL Howto - I'll file a bug report on it 
unless it has been done already. At least on 5.5.20 the "keystoreFile" 
parameter has to be inserted straight into <Connector>, contrary to 
what the Howto says. This is easily verifiable with "strace".

Unless somebody proves me wrong, I would consider the parameters 
"keypass" and "keystorePass" useless with Tomcat 5.5.x versions. There 
is no practical way to change those without Java debugging and/or 
patching, which is beyond the skill of most system admins. If the 
parameters are indeed usable, please update the Tomcat 5.5 SSL 
documentation to reflect their correct usage. Alternatively tell me how 
to use them correctly and I'll file a patch to the SSL howto.

This configuration hell aside, Tomcat has been a real workhorse. Keep up 
the good work!

Best regards,

Samuli
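As an added example (not part of this thread, and not Tomcat's own code), a small Python linter that reads a server.xml and flags the HTTPS connector pitfalls discussed above: keystoreFile placed on <Factory> instead of <Connector>, and a keystore password that is missing or left at the default "changeit". The embedded server.xml is a constructed sample.

```python
import xml.etree.ElementTree as ET

# Tomcat's fallback keystore password when none is configured (see thread).
DEFAULT_KEYSTORE_PASS = "changeit"


def lint_ssl_connectors(server_xml: str) -> list[str]:
    """Return one finding per SSL misconfiguration in HTTPS <Connector> elements."""
    findings = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # plain HTTP/AJP connector, nothing to check
        where = f"Connector port={conn.get('port', '?')}"
        factory = conn.find("Factory")

        # keystoreFile: the HOWTO text quoted in the thread says <Factory>, but the
        # strace observations show Tomcat 5.5 reading it from the <Connector> element.
        if conn.get("keystoreFile") is None:
            if factory is not None and factory.get("keystoreFile") is not None:
                findings.append(f"{where}: keystoreFile is set on <Factory>; move it to <Connector>")
            else:
                findings.append(f"{where}: keystoreFile missing; Tomcat falls back to ~/.keystore")

        # keystorePass: absent or default means the keystore is only protected by "changeit".
        password = conn.get("keystorePass")
        if password is None and factory is not None and factory.get("keystorePass") is not None:
            password = factory.get("keystorePass")
            findings.append(f"{where}: keystorePass is set on <Factory>; Tomcat 5.5 reads SSL attributes from <Connector>")
        if password is None:
            findings.append(f"{where}: keystorePass missing; default '{DEFAULT_KEYSTORE_PASS}' will be tried")
        elif password == DEFAULT_KEYSTORE_PASS:
            findings.append(f"{where}: keystorePass is the default '{DEFAULT_KEYSTORE_PASS}'")
    return findings


# Constructed sample server.xml (not from the thread): the port 443 connector mirrors
# the HOWTO-style layout the poster tried; the port 8443 connector is the corrected layout.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8080" maxThreads="150"/>
  <Connector port="443" scheme="https" secure="true" sslProtocol="TLS"
             clientAuth="false" keystorePass="something" keyAlias="tomcat">
    <Factory clientAuth="false" protocol="TLS" keystoreFile="/root/newkeystore"/>
  </Connector>
  <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
             keystoreFile="/root/newkeystore" keystorePass="something" keyAlias="tomcat"/>
</Service></Server>"""

if __name__ == "__main__":
    for finding in lint_ssl_connectors(SAMPLE_SERVER_XML):
        print(finding)
```

Run it against a real server.xml by replacing SAMPLE_SERVER_XML with the file's contents; an empty result means every HTTPS connector carries its own keystoreFile and a non-default keystorePass.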


> Some additional info:
> 
> Debian Etch w/o system-wide Java installation
> 
> These are included in the Funambol sync server bundle (6.5.12):
>  Java Runtime environment 1.5.0
>  Tomcat 5.5.20
> 
> First of all, instead of recipes, I'd prefer to be pointed at 
> information on how to debug this problem. I'm not a professional Java 
> developer so all these Servlet/Java/log4j/properties/Connector/Factory 
> things are a bit strange for me.
> 
> Anyways, here are the HTTPS/SSL connector settings that I've tried to no 
> avail. Please tell me which one _should_  work, or if they are all 
> faulty. The paths are correct.
> 
> <!-- This is based strictly on Tomcat 5.5 SSL Howto. Still -->
> <!-- it does not work. The keystoreFile should be in -->
> <!-- Connector part, not Factory part. Feel free to -->
> <!-- verify with "strace" to see what I mean. -->
>     <Connector port="443" maxHttpHeaderSize="8192"
>                maxThreads="150"
>                minSpareThreads="25"
>                maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystorePass="something"
>                keyAlias="tomcat">
>         <Factory clientAuth="false" protocol="TLS"
>                  keystoreFile="/root/newkeystore"/>
>     </Connector>
> 
>     <!-- Another variant with keystorePass in Connector -->
>     <Connector port="443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25"
>                maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystorePass="something"
>                keyAlias="tomcat"
>                keystoreFile="/root/newkeystore">
>         <Factory clientAuth="false" protocol="TLS"/>
>     </Connector>
> 
>     <!-- Another variant with keystorePass inside Factory -->
>     <Connector port="443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25"
>                maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keyAlias="tomcat"
>                keystoreFile="/root/newkeystore">
>         <Factory clientAuth="false" protocol="TLS"
>                keystorePass="something"/>
>     </Connector>
> 
>     <!-- Another variant without Factory part -->
>     <Connector port="443" maxHttpHeaderSize="8192"
>                maxThreads="150" minSpareThreads="25"
>                maxSpareThreads="75"
>                enableLookups="false" disableUploadTimeout="true"
>                acceptCount="100" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystorePass="something"
>                keyAlias="tomcat"
>                keystoreFile="/root/newkeystore"/>
> 
> So none of these work. Any ideas?
> 
>> Hi!
>>
>> I migrated from Tomcat 5.0 to Tomcat 5.5. I had SSL working in Tomcat 
>> 5.0 with both a self-created certificate and a signed (trusted) 
>> certificate, both inside a Java keystore (JKS).
>>
>> Now, with Tomcat 5.5 the SSL connector refuses to start with the 
>> dreaded "keystore was tampered with" error. This only happens _if_ I 
>> change the keystore password to anything else than "changeit".
>>
>> I already searched the mailinglist archives, Tomcat Wiki, Tomcat 
>> Howto's and Google. No definitive answers. Just lots of contradicting 
>> information. I also read the Tomcat 5.5 SSL HOWTO carefully so I'm 
>> positive I didn't miss anything.
>>
>> Anyways, the process in a nutshell:
>>
>> First I create a new Java keystore (JKS) with keytool, like this:
>>
>>  keytool -genkey -alias tomcat -keyalg RSA -keystore /root/newkeystore
>>
>> Next I move on to modifying the server.xml. No matter what I do, I 
>> can't get Tomcat to use the correct password. The 
>> "keystoreFile="/root/newkeystore" in the <Connector> statement works 
>> as it should (I straced Tomcat startup). The "keystorePass", however, 
>> does not work whether it's inside <Connector> or inside <Factory> 
>> (which is inside the <Connector>). The "keyAlias" entry did not help 
>> either.
>>
>> I can open my Java keystore just fine with keytool and with the defined 
>> password, so it seems that Tomcat is just not using the password 
>> that's defined in server.xml and therefore reverts to default.
>>
>> Does anyone have a functional Tomcat 5.5 SSL/https connector 
>> definition which I could use? Or does someone have an idea what's 
>> happening here? I'd be really happy if this thing gets sorted out!
>>
>> Best regards to all,
>>
>> Samuli
>>
>> ---
>>
>> Btw. The Tomcat 5.5 SSL-Howto seems to have an error in it:
>>
>> "If the keystore file is anywhere else, you will need to add a 
>> keystoreFile attribute to the <Factory>  element in the Tomcat 
>> configuration file."
>>
>> I straced Tomcat startup and if the keystoreFile was defined in 
>> <Connector> element, strace showed that Tomcat was trying to open 
>> keystorefile from that location. Adding it to <Factory> did not work.
>>
>>
>> ---------------------------------------------------------------------
>> To start a new topic, e-mail: users@tomcat.apache.org
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>

