tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Martin Gainty <>
Subject RE: SSL Using IP Addresses
Date Thu, 13 Aug 2009 18:22:12 GMT

no problem
the SSH handshake needs to happen before the HTTPConnection goes live
so if you use or as host in the cert you'll want to use that same IP 
for virtual-server host (or hosts) attribute

make necessary edits to domain.xml

Martin Gainty 
Verzicht und Vertraulichkeitanmerkung/Note de déni et de confidentialité
Diese Nachricht ist vertraulich. Sollten Sie nicht der vorgesehene Empfaenger sein, so bitten
wir hoeflich um eine Mitteilung. Jede unbefugte Weiterleitung oder Fertigung einer Kopie ist
unzulaessig. Diese Nachricht dient lediglich dem Austausch von Informationen und entfaltet
keine rechtliche Bindungswirkung. Aufgrund der leichten Manipulierbarkeit von E-Mails koennen
wir keine Haftung fuer den Inhalt uebernehmen.
Ce message est confidentiel et peut être privilégié. Si vous n'êtes pas le destinataire
prévu, nous te demandons avec bonté que pour satisfaire informez l'expéditeur. N'importe
quelle diffusion non autorisée ou la copie de ceci est interdite. Ce message sert à l'information
seulement et n'aura pas n'importe quel effet légalement obligatoire. Étant donné que les
email peuvent facilement être sujets à la manipulation, nous ne pouvons accepter aucune
responsabilité pour le contenu fourni.

> Date: Thu, 13 Aug 2009 10:54:19 -0700
> Subject: Re: SSL Using IP Addresses
> From:
> To:
> Hello -
> We do not have permission to create a hosts file entry (that was my
> first idea).
> We also do not need both IP address and host name to work at the same
> time, just the IP address.  Our problem seems to be that the Tomcat
> client wants to find a certificate by hostname, even when the URL
> requested is by IP address, and a certificate has been imported with
> an alias of that IP address.
> I looked at the "a1as" certificate extracted from Glassfish and it
> does indeed have a host name in the CN field.  If this is when it can
> not be used to validate a call by IP address, then why does importing
> it with an alias of the IP address not work for us?
> Thank you, my understanding of this is still weak.
> On Thu, Aug 13, 2009 at 8:47 AM, Ognjen Blagojevic<> wrote:
> > Jeff Sexton wrote:
> >>
> >> We have a situation where we need to call a SOAP service in a
> >> Glassfish server via HTTPS from a servlet in Tomcat.  We extract a
> >> self-signed certificate from Glassfish and imported it on the Tomcat
> >> server.  It all works in situations where we can use the
> >> fully-qualified host name in the request and in the alias of the
> >> certificate when importing on the Tomcat server.
> >>
> >> But we need to operate in an environment with a name service.  When we
> >> try to use the IP address of the Glassfish server in the HTTPS call
> >> and in the certificate alias, the call fails with a "no subject
> >> alternate name" exception.
> >>
> >> In Glassfish to Glassfish calls, using the IP address works fine.
> >>
> >> Does anyone know how to make an SSL call from a Tomcat server using
> >> the IP address only?  Is it even possible?
> >
> > I'm not 100% sure, but I think it is not possible.
> >
> > Your server certificate have Common Name (CN) which can match either FQDN
> > ( or IP ( - not both.
> >
> > You can, however, try to workaround your inability to contact DNS server by
> > manually inserting the adress to the "hosts" file, if you have permission to
> > do that.
> >
> > Regards,
> > Ognjen
> >
> > ---------------------------------------------------------------------
> > To unsubscribe, e-mail:
> > For additional commands, e-mail:
> >
> >
> -- 
> Jeff Sexton
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:

Windows Live™: Keep your life in sync.
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message