tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Samuli Seppänen <>
Subject Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]
Date Fri, 01 Feb 2008 13:28:07 GMT
>> From: Samuli Seppänen [] 
>> Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
>> tampered with [SOLVED]
>> Tomcat SSL <Connector> entries accept the following parameters:
>> - keystorePass (password for the JKS (Java keystore)
>> - keypass (password for the key inside the JKS
>> - keystoreFile (keystore location in filesystem)
> The problem with your analysis is that the kepass attribute is not in the Tomcat doc,
and you've misinterpreted the code.  As currently implemented, the keypass attribute is simply
an internal alias for keystorePass, nothing else.

Yes, you're probably right, I didn't have time to really dig into the code.

> Note the following from the SSL how-to:
> "Finally, you will be prompted for the key password, which is the password specifically
for this Certificate (as opposed to any other Certificates stored in the same keystore file).
You MUST use the same password here as was used for the keystore password itself."
> "Note: your private key password and keystore password should be the same."
> If you want things to work differently, submit an enhancement request (preferably with
a patch).

I've been aware of that, and I do understand the difference. My only 
problem has been the requirement to use the default password "changeit". 
As a sysadmin I'm against using a widely known default password for 
anything, especially if it has anything to do with the Internet.

I have nothing against using the same password for the JKS _and_ for the 
certificate, as long as the password is not "changeit". Anyways, please 
tell me if my conserns are unfounded from a security perspective.

>> At least on 5.5.20 the "keystoreFile" parameters has 
>> to be inserted straight into <Connector>, contrary to 
>> what the Howto says.
> Where else does the doc say the keystoreFile attribute can be specified?  I can't find
anything other than a comment about its default location, which seems to work fine.

Take a look at "Troubleshooting" section in


# When Tomcat starts up, I get an exception like 
" {some-directory}/{some-file} not found".

A likely explanation is that Tomcat cannot find the keystore file where 
it is looking. By default, Tomcat expects the keystore file to be named 
.keystore in the user home directory under which Tomcat is running 
(which may or may not be the same as yours :-). If the keystore file is 
anywhere else, you will need to add a keystoreFile attribute to the 
<Factory> element in the Tomcat configuration file.


I'll verify this thing one more time to be sure and then file a 
bugreport and attach a patch.

Best regards,


To start a new topic, e-mail:
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message