tomcat-users mailing list archives

From Josh Gooding <josh.good...@gmail.com>
Subject Re: Need some SSL Config help.
Date Thu, 13 Aug 2009 18:38:14 GMT
Ah, I am semi starting to understand now.  I was able to use openssl to
convert my pfx to a pem file which is part of the battle.  From what I have
read in the docs, I needed a .crt file as well, for which I used the .txt file
that the hosting co provided to me.  It's nothing but a plain text PGP
signature in a text file.  So I navigated to https://(domain).com and lo
and behold it works :).

Next few questions:

#1 - I have deployed an application that uses a realm and has a Login.jsp
page.  The Login.jsp is required and you cannot navigate anywhere in the
application until you have logged in.  How can I make the Login.jsp page
fall under the SSL, then drop off after the authentication?

https://www.(domain.com)/company1/Login.jsp ~~> [successful authentication!]
~~> http://www.(domain.com)/company1/Main.jsp  (Kind of like how my gmail
works)

#2 - Right now when I go to https://(domain).com/company1/ it drops the
HTTPS.  I don't want that.  Any pointers?

Thanks again

- Josh

On Tue, Aug 11, 2009 at 10:35 PM, Christopher Schultz <
chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Josh,
>
> On 8/11/2009 4:47 PM, Josh Gooding wrote:
> > ok back to the topic at hand here.  I have removed httpd from my server,
> > installed APR, and have gotten my cert file from my hosting company.  it
> is
> > in pfx format.  Now I found some information on the net:
> >
> > http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html
> >
> > It was saying that I can just use the pfx file with tomcat 5.5, so I put
> the
> > file in my $CATALINA_HOME directory just as a test, modified my
> server.xml
> > file to accept SSL:
> >
> > *<Connector protocol="HTTP/1.1"
> >             port="443" maxThreads="200"
> >             scheme="https" secure="true" SSLEnabled="true"
> >             keystoreFile="C:/Program
> > Files/[*****]/apache-tomcat-6.0.18/[*****].com.pfx"
> >             keystorePass="[*************]" keystoreType="pkcs12"
> > clientAuth="false" sslProtocol="TLS" />*
> >
> > *and.... blamo I get these exceptions:*
>
> Not surprising. Read the documentation for the APR connector:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> Specifically, search for the term "certificate".
>
> First of all, your SSL configuration is completely wrong for use with
> APR. You don't use keystoreFile, keystorePass, and keystoreType. Even if
> you did, telling Java that the keystore is actually a PKCS12 keystore
> while providing it is a PFX-encoded SSL certificate should have tipped
> you off that something was amiss.
>
> If you were previously following the standard SSL documentation
> (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html), you should
> have seen this note at the top of the file:
>
> "
> IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR,
> Tomcat will use OpenSSL, which uses a different configuration.
> "
>
> What you want is SSLCertificateFile and friends. SSLCertificateFile is
> documented to only accept certificates in PEM format. Check out this
> page for some tricks to converting your certificate files using openssl:
> http://eoc.eu-eela.eu/doku.php?id=manipulate_your_certificate
>
> There is also a Java tool that can do things like this called Portecle
> (http://portecle.sourceforge.net/) if you don't have openssl handy.
>
> > *and these to boot.... says it cannot bind to port 443 (or 8443 either)*
> >
> > *Aug 11, 2009 4:13:51 PM org.apache.coyote.http11.Http11AprProtocol start
> > SEVERE: Error starting endpoint
> > java.lang.Exception: Socket bind failed: [730048] Only one usage of each
> > socket address (protocol/network address/port) is normally permitted.
>
> Do you have multiple <Connector> elements specified? If so, check all
> the port numbers. If not, make sure that Tomcat isn't already running.
> If it's not, make sure Apache httpd isn't running :) Finally, make sure
> IIS isn't running or using those ports.
>
> > So it looks like I cannot use a pfx file with tomcat 6.0.18.
>
> You should be able to, just not with the APR connector because openssl
> doesn't grok PKCS12/PFX.
>
> > Am I able to use the pfx file with tomcat 6?
>
> Yes, just not with the APR connector.
>
> > The socket bind issue I have no clue, it
> > looks like something is already running on port 443, but that is
> > impossible.
>
> Really? Try running 'netstat' to find out who is bound to port 443 (or
> 8443).
>
> > I only have the tomcat server running, IIS is disabled and
> > httpd has been removed from the system completely.  I also tried port
> 8443
> > but I am getting the same error message.
>
> netstat -a -b -n -o | find "443"
>
> (make sure you're an administrator or you'll get no output)
>
> Hope that helps,
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkqCKokACgkQ9CaO5/Lv0PBBxACgjcVaS2sdKa7COzdKnSbAAHun
> gl0AnRaKPC30C+und74r7tFKuN63OOmq
> =QIJp
> -----END PGP SIGNATURE-----
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

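The two connector configurations Chris contrasts above, side by side, as an added example that is not part of the original thread or of any poster's setup: the JSSE connector that can read the PFX/PKCS12 file directly, and the APR/OpenSSL connector that needs the certificate and key split out into PEM files. File names, paths and the password placeholder are assumptions; the openssl commands in the comments are the standard way to extract the PEM pieces from a PKCS12 bundle.

```xml
<!-- Added example (not from the thread). Two ways to serve HTTPS from Tomcat 6,
     depending on which connector is in use. Only ONE of these should be active
     on a given port, or you get the "Socket bind failed" error seen above. -->

<!-- Option A: JSSE (pure Java) connector. This one understands PKCS12/PFX,
     so the hosting company's .pfx file can be used as-is as the keystore.
     keystoreType must be "PKCS12", not the default JKS. -->
<Connector protocol="org.apache.coyote.http11.Http11Protocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${catalina.base}/conf/site.pfx"
           keystorePass="[PFX-PASSWORD-PLACEHOLDER]"
           keystoreType="PKCS12"
           clientAuth="false" sslProtocol="TLS" />

<!-- Option B: APR (OpenSSL) connector. keystoreFile/keystorePass/keystoreType
     are ignored here; OpenSSL wants PEM files instead. Split the PFX first:

       openssl pkcs12 -in site.pfx -clcerts -nokeys -out site.crt.pem
       openssl pkcs12 -in site.pfx -nocerts          -out site.key.pem

     The second command encrypts the private key with a passphrase you choose;
     give that passphrase to Tomcat via SSLPassword. If the CA supplied an
     intermediate chain, point SSLCertificateChainFile at it as well. -->
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="${catalina.base}/conf/site.crt.pem"
           SSLCertificateKeyFile="${catalina.base}/conf/site.key.pem"
           SSLPassword="[KEY-PASSPHRASE-PLACEHOLDER]"
           SSLProtocol="TLSv1"
           SSLVerifyClient="none" />
```

Keep the key file readable only by the account Tomcat runs as, and remember that the SSLPassword value sits in plain text in server.xml, so server.xml deserves the same file permissions as the key.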