Date: Thu, 13 Aug 2009 14:38:14 -0400
Subject: Re: Need some SSL Config help.
From: Josh Gooding
To: Tomcat Users List

Ah, I am semi starting to understand now. I was able to use openssl to
convert my pfx to a pem file, which is part of the battle. From what I have
read in the docs, I needed a .crt file as well, for which I used the .txt
file that the hosting co provided to me. It's nothing but a plain text PGP
signature in a text file. So I navigated to https://(domain).com and lo and
behold it works :).

Next few questions:

#1 - I have deployed an application that uses a realm and has a Login.jsp
page. The Login.jsp is required and you cannot navigate anywhere in the
application until you have logged in. How can I make the Login.jsp page
fall under the SSL, then drop off after the authentication?
https://www.(domain.com)/company1/Login.jsp ~~> [successful authentication!] ~~> http://www.(domain.com)/company1/Main.jsp

(Kind of like how my gmail works)

#2 - Right now when I go to https://(domain).com/company1/ it drops the
HTTPS. I don't want that. Any pointers?

Thanks again - Josh

On Tue, Aug 11, 2009 at 10:35 PM, Christopher Schultz <chris@christopherschultz.net> wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Josh,
>
> On 8/11/2009 4:47 PM, Josh Gooding wrote:
> > ok back to the topic at hand here. I have removed httpd from my server,
> > installed APR, and have gotten my cert file from my hosting company. It is
> > in pfx format. Now I found some information on the net:
> >
> > http://tp.its.yale.edu/pipermail/cas/2005-July/001337.html
> >
> > It was saying that I can just use the pfx file with tomcat 5.5, so I put the
> > file in my $CATALINA_HOME directory just as a test, modified my server.xml
> > file to accept SSL:
> >
> > <Connector port="443" maxThreads="200"
> >            scheme="https" secure="true" SSLEnabled="true"
> >            keystoreFile="C:/Program Files/[*****]/apache-tomcat-6.0.18/[*****].com.pfx"
> >            keystorePass="[*************]" keystoreType="pkcs12"
> >            clientAuth="false" sslProtocol="TLS" />
> >
> > and.... blamo I get these exceptions:
>
> Not surprising. Read the documentation for the APR connector:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> Specifically, search for the term "certificate".
>
> First of all, your SSL configuration is completely wrong for use with
> APR. You don't use keystoreFile, keystorePass, and keystoreType. Even if
> you did, telling Java that the keystore is actually a PKCS12 keystore
> while providing it is a PFX-encoded SSL certificate should have tipped
> you off that something was amiss.
>
> If you were previously following the standard SSL documentation
> (http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html), you should
> have seen this note at the top of the file:
>
> "
> IMPORTANT NOTE: This Howto refers to usage of JSSE. When using APR,
> Tomcat will use OpenSSL, which uses a different configuration.
> "
>
> What you want is SSLCertificateFile and friends. SSLCertificateFile is
> documented to only accept certificates in PEM format. Check out this
> page for some tricks to converting your certificate files using openssl:
> http://eoc.eu-eela.eu/doku.php?id=manipulate_your_certificate
>
> There is also a Java tool that can do things like this called Portecle
> (http://portecle.sourceforge.net/) if you don't have openssl handy.
>
> > and these to boot.... says it cannot bind to port 443 (or 8443 either)
> >
> > Aug 11, 2009 4:13:51 PM org.apache.coyote.http11.Http11AprProtocol start
> > SEVERE: Error starting endpoint
> > java.lang.Exception: Socket bind failed: [730048] Only one usage of each
> > socket address (protocol/network address/port) is normally permitted.
>
> Do you have multiple <Connector> elements specified? If so, check all
> the port numbers. If not, make sure that Tomcat isn't already running.
> If it's not, make sure Apache httpd isn't running :) Finally, make sure
> IIS isn't running or using those ports.
>
> > So it looks like I cannot use a pfx file with tomcat 6.0.18.
>
> You should be able to, just not with the APR connector because openssl
> doesn't grok PKCS12/PFX.
>
> > Am I able to use the pfx file with tomcat 6?
>
> Yes, just not with the APR connector.
>
> > The socket bind issue I have no clue, it
> > looks like something is already running on port 443, but that is
> > impossible.
>
> Really? Try running 'netstat' to find out who is bound to port 443 (or
> 8443).
>
> > I only have the tomcat server running, IIS is disabled and
> > httpd has been removed from the system completely.
> > I also tried port 8443
> > but I am getting the same error message.
>
> netstat -a -b -n -o | find "443"
>
> (make sure you're an administrator or you'll get no output)
>
> Hope that helps,
> - -chris
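As an added example (not from the thread or the Tomcat docs), this is what the APR-style connector Chris describes looks like once the PFX has been split into PEM files with openssl, together with the servlet-spec way to force a single page such as Login.jsp onto HTTPS, which is what question #1 asks for. File names, the key passphrase, and the use of `${catalina.base}` are assumptions; replace them with your own values.

```xml
<!-- server.xml: assumed layout. The APR connector is OpenSSL-based, so it takes
     PEM files via SSLCertificateFile and friends, not a Java keystore. -->

<!-- Plain HTTP connector. redirectPort is where requests for CONFIDENTIAL
     resources (see web.xml below) are redirected. -->
<Connector port="80"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           redirectPort="443" />

<!-- HTTPS connector. Paths are placeholders for the PEM files produced
     from the hosting company's .pfx. -->
<Connector port="443"
           protocol="org.apache.coyote.http11.Http11AprProtocol"
           maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="${catalina.base}/conf/example.com.crt.pem"
           SSLCertificateKeyFile="${catalina.base}/conf/example.com.key.pem"
           SSLPassword="CHANGE_ME_key_passphrase"
           SSLCertificateChainFile="${catalina.base}/conf/example.com.chain.pem"
           SSLProtocol="TLSv1"
           SSLVerifyClient="none" />

<!-- web.xml of the /company1 application (hypothetical). A transport
     guarantee of CONFIDENTIAL makes Tomcat send a redirect to the HTTPS
     connector whenever a matching URL is requested over plain HTTP. -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>Login page</web-resource-name>
    <url-pattern>/Login.jsp</url-pattern>
  </web-resource-collection>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Covering only /Login.jsp gives exactly the "drop off after authentication" flow Josh sketches, but the session cookie issued during the HTTPS login is then sent over plain HTTP on every later request; changing the pattern to `/*` keeps the whole authenticated session on HTTPS.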