tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Torleif" <>
Subject Re: tomcat https
Date Wed, 04 Nov 2009 14:32:35 GMT

Thanks for all your help!!  

I am using Debian Lenny as OS.  

I am trying to set up a funambol server witch use Tomcat. ( )  

I am not sure witch version of Tomcat it uses. (I am at work right now and
cant check)  

By "default place" I mean /home/user/.keystore  

I run "keytool -genkey -alias tomcat -keyalg RSA"  

When I run this command it asks for password witch is "changeit" as default
and everything works ok.  

If I choose a different password and modify "server.xml" accordingly it does
not work.  

maybe I shuld use this command instead? ( "keytool -genkey -alias tomcat
-keyalg RSA -keystore /home/user/.keystore
 -storepass mypassword" ) ??

I am ok with using "changeit" as password if this is no security risk. No one
has access to my computer, but can they get access through https if they know
the "changeit" password?  


I also have a mailserver on the same ip "citadel" witch uses "webcit" for

The ports on my mailserver and Tomcat are different.  


Thanks again for all help!!  


>  Wed Nov 04 2009 10:28:22 CET from  "Ognjen Blagojevic"
><>  Subject: Re: tomcat https
>  Torleif wrote:
>>I am trying to set up tomcat to use https.
>> I used "keytool -genkey -alias tomcat -keyalg RSA"
>> If I use "changeit" as password for keystore everything works ok.
>> If I use a different password it does not work.
>> I have modified "server.xml" with keystorePass="newpassword"
>> My .keystore is located in default place.

>  It could help if you tell us what Tomcat version, OS and version are you 
> using and what is "default place".
> .keystore file should be on the home directory of the user running 
> Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and 
> Settings\ognjen\" on Windows XP.
> Also note: "Finally, you will be prompted for the key password, which is 
> the password specifically for this Certificate (as opposed to any other 
> Certificates stored in the same keystore file). You MUST use the same 
> password here as was used for the keystore password itself. (Currently, 
> the keytool prompt will tell you that pressing the ENTER key does this 
> for you automatically.)" (tomcat SSL docs)
>>If I use "changeit" as password, will this be a security risk since this
>> is a widely known password?

>  The way I see it, the security risk is not too big. .keystore file will 
> most probably have the same access rights as your server.xml where the 
> keystore password is stored in cleartext. So, if the unauthorized user 
> is able to access .keystore file it will also be able to access the 
> server.xml, and read the keystore password.
> However, if your configuration, backup strategy, or anything else 
> introduces the possibility for unauthorized person to access only the 
> .keystore file (and not server.xml) - or you are simply paranoid - you 
> should change the default password.
>>Also I run a mailserver with https web interface.
>> Can I use a different https certificate in tomcat or must it be the same
>> as my mailserver?

>  It really depends of your configuration.
> Are both webmail and Tomcat on the same port? Do you run webmail 
> application under Tomcat or not? Do you use httpd or not? Do you have 
> more than one IP address available for the server?
> If you use two servers, two different IP addresses OR two different 
> ports on the same IP address, you can have different certificates. In 
> other cases, you can't.
> Regards,
> Ognjen
> ---------------------------------------------------------------------
> To unsubscribe, e-mail:
> For additional commands, e-mail:


  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message