tomcat-users mailing list archives

From Crypto Sal <crypto....@gmail.com>
Subject Re: SSL with multiple Tomcat instances
Date Thu, 27 Aug 2009 02:02:50 GMT
Don,

I think we found our culprit. (Java). The reason that "webadvisor" 
works is because it functions like a true server: your browser is speaking 
directly to the web server. "webui" is failing due to Java not trusting 
the IPS root certificate (which doesn't exist by default in Java 3-6+). 
Most people should have Java 5 or 6 installed, with some still using 
Java 3 (rare) or Java 4 (some Linux people and older Windows users). Java 5 is 
soon to be deprecated by Sun. As you may already know, Java compiling is 
done client-side vs. server-side for your applet. So all of your users 
must have the IPS root installed in their instance of Java for this cert 
to work. There's a way to do it, but it is not all that practical. 
(Adding root certs to Java on ALL clients, which may be beyond your control.)

Your best bet is to go with a more ubiquitous commercial CA (Comodo, 
Verisign, Thawte, GoDaddy, etc.), which would be ones that extend much 
further than web browsers. Java's default cert store is in a file called 
"cacerts", which is located in the security folder of where Java 
resides. A simple "locate cacerts" will reveal its location on the server. 
From here you can do a "keytool -v -list -keystore PATH_TO_KEYSTORE > 
OUTPUT_FILE"; the keystore password is "changeit" by default. Multiple 
versions of Java can exist on the same machine, if you would like to see 
which CAs are more ubiquitous for your installation.

--Sal

On 08/26/2009 09:19 PM, Don Prezioso wrote:
> Hmmm...
>
> Webadvisor serves up pretty much straight HTML, a little javascript, and much of the
> HTML is generated from another server, but what tomcat is serving up is mostly normal HTML.
>
> WebUI however only serves up a single java applet. From that point on, the applet is
> talking to a completely different server and tomcat is out of the picture.  Also, the graphic
> you sent looks almost identical to the message I am seeing. So...
>
> Would the java applet be using the certificate in addition to tomcat? Would I need to
> add the root certificate to a keystore that Java has somewhere?
>
> Thanks for all your help.
>
> Don
>
> --
> Donald Prezioso
> Director of Administrative I.T.
> Ashland University
> Ashland, Ohio
> ________________________________________
> From: Crypto Sal [crypto.sal@gmail.com]
> Sent: Wednesday, August 26, 2009 7:55 PM
> To: Tomcat Users List
> Subject: Re: SSL with multiple Tomcat instances
>
> Don,
>
> ipsCA is having some issues right now. Both OCSP (Online Certificate
> Status Protocol) and their CRL are DOWN. (It's not a good sign).
> Earlier, you stated that "webui" is the problem child, but "webadvisor"
> was working fine cross browser (Chrome, Firefox, IE, etc), correct or is
> this incorrect? Are both serving up pretty much the same content?
>
> Based on your description of the error message, it almost sounds like a
> Java issue. Is it a Java dialog box that comes up? Does it look like
> this at all?
>
> https://knowledge.verisign.com/resources/sites/VERISIGN/content/staging/SOLUTION/9000/SO9007/en_US/0.1/EV%20error.bmp
>
> ipsCA does not exist in Java5 or 6 by default. It is in Browsers (IE,
> Firefox, Chrome, Safari), but not Java or Opera.
>
> Attachments are pretty much stripped from this list. You'd either need
> to use imageshack.us or host elsewhere and provide the URL.
>
> --Sal
>
>
> On 08/26/2009 05:21 PM, Don Prezioso wrote:
>
>> Sorry, my pictures got stripped from the message so...
>>
>> msg1.jpg basically says "The web site's certificate cannot be verified. Do you want
>> to continue?" "Name: webui.ashland.edu" "Publisher: webui.ashland.edu" and has a link for
>> more information...
>>
>> msg2.jpg says "The certificate was issued by a source that is not trusted." and has
>> a link for Certificate Details...
>>
>> msg3a-c show the certificate chain, including webui.ashland.edu, ipsCA CLASEA1, and
>> IPS SERVIDORES.
>>
>> --
>> Don Prezioso
>> Director of Administrative I.T.
>> Ashland University
>> Ashland, Ohio
>>
>>
>> -----Original Message-----
>> From: Don Prezioso
>> Sent: Wednesday, August 26, 2009 5:15 PM
>> To: Tomcat Users List
>> Subject: RE: SSL with multiple Tomcat instances
>>
>> When I connect to webui.ashland.edu I get the message in msg1.jpg.
>>
>> When I click on 'More Information...', I get the message in msg2.jpg
>>
>> When I click on 'Certificate Details...' I get what you see in msg3a-c.jpg
>>
>> Now this is the really strange thing. It appears to be a perfectly valid certificate
>> with a valid CA. When connecting to webadvisor.ashland.edu, I see almost identical certificate
>> details (the signature and CN are appropriately different). These are the same messages I
>> have been getting all along.
>>
>> The only thing that I can think is different between the two instances is that the
>> webui instance is behind the firewall and cannot be seen from off campus. I didn't think that
>> was an issue with validating certificates, is it?
>>
>> Thanks again
>>
>> Don
>>
>> --
>> Don Prezioso
>> Director of Administrative I.T.
>> Ashland University
>> Ashland, Ohio
>>
>>
>> -----Original Message-----
>> From: Crypto Sal [mailto:crypto.sal@gmail.com]
>> Sent: Wednesday, August 26, 2009 4:48 PM
>> To: Tomcat Users List
>> Subject: Re: SSL with multiple Tomcat instances
>>
>> Don,
>> It's very strange that one works and the other does not, especially since they're
>> from the same CA and presenting the same information. (Just different common names.) I can't
>> connect to your external site [webadvisor] via Firefox 3.5 or Chrome 4.0 due to the fact that
>> your CA's OCSP responder is down. [ Error Code: 403 Forbidden. The server denied the specified
>> Uniform Resource Locator (URL). Contact the server administrator. (12202) ]  I have to disable
>> OCSP in Firefox 3.5 to continue, but I do get a valid connection.
>>
>> Has the error message changed at all since we've been working? Or are you still getting
>> a response that relates to "Unknown Issuer"?
>>
>>
>>
>> On Wed, Aug 26, 2009 at 9:01 AM, Don Prezioso<dprez@ashland.edu>   wrote:
>>
>>
>>      
>>> Sal,
>>>
>>> Thanks again.
>>>
>>> When I connect using port 8443 or 443, or using the FQDN or the IP
>>> address, I get the same response from the s_client request.
>>>
>>> The reason I am using port 8443 is so I don't have to have root
>>> running the tomcat instance. My understanding was that you had to be
>>> root to allocate ports under 1024. Just to have that extra little bit
>>> of security we have a user 'tomcat' that runs the tomcat instances. I
>>> didn't want to have to specify the port number in URLs, and we had
>>> some problems with people who weren't able to connect out through
>>> their company's firewall on port 8443, so we wanted to make it appear
>>> that they were connecting on port 443, but really be using 8443.
>>>
>>> So, when I connect in a browser, I use https://webui.ashland.edu
>>>
>>> Don
>>>
>>>
>>>
>>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org
>>
>>
>>


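The failure mode Sal diagnoses above, as an added example that is not part of this thread: the same leaf certificate and the same intermediate either verify or fail purely on whether the client's root store contains the issuing root. The Go program below stands in for both verifiers, a browser store that ships with the root and a Java cacerts that never had it, using Go's crypto/x509 path validation. The three certificates are generated inline; their subject names echo the chain Don saw ("IPS SERVIDORES", "ipsCA CLASEA1") as constructed labels only, and the hostname webui.example.edu is hypothetical. It also covers a case the thread does not discuss, a server that omits its intermediate, because that produces the same "unknown issuer" error and is worth telling apart when the root store looks fine.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Chain: a root the client must already trust, an intermediate it signed, and the server leaf.
type Chain struct{ Root, Intermediate, Leaf *x509.Certificate }

// TrustStore stands in for a client's root store (a browser's, or Java's cacerts).
type TrustStore struct{ roots *x509.CertPool }

func NewTrustStore(roots ...*x509.Certificate) *TrustStore {
	s := &TrustStore{roots: x509.NewCertPool()}
	s.Add(roots...)
	return s
}

// Add imports a root, the equivalent of "keytool -importcert" into cacerts.
func (s *TrustStore) Add(roots ...*x509.Certificate) {
	for _, r := range roots {
		s.roots.AddCert(r)
	}
}

// Verify plays the client: presented[0] is the server's leaf, the rest are the
// intermediates it sent. The path must end at a certificate in this store; when
// it cannot, Go returns x509.UnknownAuthorityError, the condition a Java client
// reports as "issued by a source that is not trusted".
func (s *TrustStore) Verify(host string, presented ...*x509.Certificate) error {
	inters := x509.NewCertPool()
	for _, c := range presented[1:] {
		inters.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{
		Roots: s.roots, Intermediates: inters, DNSName: host,
	})
	return err
}

// IsUnknownAuthority distinguishes "unknown issuer" from hostname or validity errors.
func IsUnknownAuthority(err error) bool {
	var ua x509.UnknownAuthorityError
	return errors.As(err, &ua)
}

// issue generates a P-256 key for tmpl and signs it under parent; parent == nil means self-signed.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	if parent == nil {
		parent, signer = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// template builds a CA or server-leaf certificate valid for one day around now.
func template(serial int64, cn string, isCA bool) *x509.Certificate {
	now := time.Now()
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if !isCA { // server leaf: verifiers match the host against a SAN, not the CN
		t.DNSNames = []string{cn}
		t.KeyUsage = x509.KeyUsageDigitalSignature
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// BuildChain generates a throwaway chain; the names are constructed labels
// echoing the thread, the keys and certificates are fresh and unrelated to ipsCA.
func BuildChain(host string) Chain {
	root, rootKey := issue(template(1, "IPS SERVIDORES (constructed)", true), nil, nil)
	inter, interKey := issue(template(2, "ipsCA CLASEA1 (constructed)", true), root, rootKey)
	leaf, _ := issue(template(3, host, false), inter, interKey)
	return Chain{Root: root, Intermediate: inter, Leaf: leaf}
}

func main() {
	host := "webui.example.edu" // hypothetical hostname
	ch := BuildChain(host)
	browser := NewTrustStore(ch.Root) // store that ships with this root
	java := NewTrustStore()           // cacerts that never had it
	fmt.Println("browser, root known, full chain sent:  ", browser.Verify(host, ch.Leaf, ch.Intermediate))
	fmt.Println("java, root missing, full chain sent:   ", java.Verify(host, ch.Leaf, ch.Intermediate))
	fmt.Println("browser, server omits the intermediate:", browser.Verify(host, ch.Leaf))
	java.Add(ch.Root) // the per-client fix Sal calls impractical at scale
	fmt.Println("java after importing the root:         ", java.Verify(host, ch.Leaf, ch.Intermediate))
}
```

The first line prints `<nil>` and the second an "unknown authority" error for the very same leaf and intermediate, which is the webadvisor/webui split in one program. On a real client the equivalent check is the one Sal gives, `keytool -v -list -keystore cacerts` against the issuer names in the chain; the third case is the one to rule out first when that listing does show the root.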

