tomcat-users mailing list archives

From "Torleif" <torl...@askedal.net>
Subject Re: tomcat https
Date Wed, 04 Nov 2009 21:25:30 GMT


Hi again.

My server.xml:

<Connector port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/home/user/.keystore" keystorePass="mypassword"
/>


I run Tomcat as "user".

I followed this guide:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


Maybe my cert password is not the same as my keystore password??
I thought my keystore containing the cert was created with
"keytool -genkey -alias tomcat -keyalg RSA"  ??

Thanks everyone!!

On Wed, 2009-11-04 at 17:47 +0100, Ognjen Blagojevic wrote:
> Torleif wrote:
> > By "default place" I mean /home/user/.keystore  
> 
> /home/user/.keystore? That's strange. Is it maybe 
> /home/tomcat/.keystore? Or do you have a user "user" on your system? Under 
> what user did you create the .keystore file?
> 
> 
> > If I choose a different password and modify "server.xml" accordingly it does
> > not work.  
> 
> Did you choose the same password for both keystore AND certificate, as 
> pointed out in the Tomcat docs?
> 
> 
> > maybe I should use this command instead? ( "keytool -genkey -alias tomcat
> > -keyalg RSA -keystore /home/user/.keystore
> >  -storepass mypassword" ) ??
> 
> No, that is not the source of the problem.
> 
> 
> > I am ok with using "changeit" as password if this is no security risk. No one
> > has access to my computer, but can they get access through https if they know
> > the "changeit" password?  
> 
> Well, anyone could access your webapps (not the entire file system) 
> regardless of the keystore password.
> 
> 
> > I also have a mailserver on the same ip "citadel" which uses "webcit" for
> > webmail.  
> > 
> > The ports on my mailserver and Tomcat are different.  
> 
> Then you can use different certificates.
> 
> 
> Regards,
> Ognjen
> 
> > Thanks again for all help!!
> > 
> > Torleif
> >>  Wed Nov 04 2009 10:28:22 CET from  "Ognjen Blagojevic"
> >> <ognjen@etf.bg.ac.rs>  Subject: Re: tomcat https
> >>
> >>  Torleif wrote:
> >>  
> >>> I am trying to set up tomcat to use https.
> >>> I used "keytool -genkey -alias tomcat -keyalg RSA"
> >>> If I use "changeit" as password for keystore everything works ok.
> >>> If I use a different password it does not work.
> >>> I have modified "server.xml" with keystorePass="newpassword"
> >>> My .keystore is located in default place.
> >>>
> >>  It could help if you tell us which Tomcat version, OS and OS version you are 
> >> using and what "default place" is.
> >>
> >> .keystore file should be on the home directory of the user running 
> >> Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and 
> >> Settings\ognjen\" on Windows XP.
> >>
> >> Also note: "Finally, you will be prompted for the key password, which is 
> >> the password specifically for this Certificate (as opposed to any other 
> >> Certificates stored in the same keystore file). You MUST use the same 
> >> password here as was used for the keystore password itself. (Currently, 
> >> the keytool prompt will tell you that pressing the ENTER key does this 
> >> for you automatically.)" (tomcat SSL docs)
> >>
> >>
> >>  
> >>> If I use "changeit" as password, will this be a security risk since this
> >>> is a widely known password?
> >>>
> >>  The way I see it, the security risk is not too big. The .keystore file will 
> >> most probably have the same access rights as your server.xml, where the 
> >> keystore password is stored in cleartext. So, if an unauthorized user 
> >> is able to access the .keystore file, they will also be able to access 
> >> server.xml and read the keystore password.
> >>
> >> However, if your configuration, backup strategy, or anything else 
> >> introduces the possibility for an unauthorized person to access only the 
> >> .keystore file (and not server.xml) - or you are simply paranoid - you 
> >> should change the default password.
> >>
> >>
> >>> Also I run a mailserver with https web interface.
> >>> Can I use a different https certificate in tomcat or must it be the same
> >>> as my mailserver?
> >>>
> >>  It really depends on your configuration.
> >>
> >> Are both webmail and Tomcat on the same port? Do you run webmail 
> >> application under Tomcat or not? Do you use httpd or not? Do you have 
> >> more than one IP address available for the server?
> >>
> >> If you use two servers, two different IP addresses OR two different 
> >> ports on the same IP address, you can have different certificates. In 
> >> other cases, you can't.
> >>
> >> Regards,
> >> Ognjen
> >>



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
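Added example, not part of the thread or of Tomcat itself: a small Python audit of the server.xml HTTPS Connector that reflects Ognjen's point that keystorePass sits in cleartext in server.xml, so the keystore is only as well protected as that file. It flags the default "changeit" password and compares the read permissions of the two files; the sample server.xml, keystore contents and paths in demo() are constructed for the example.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"  # keytool's default, the password discussed in the thread

def https_connectors(server_xml):
    """Return (keystoreFile, keystorePass) for every Connector marked https/secure."""
    found = []
    for conn in ET.parse(server_xml).getroot().iter("Connector"):
        if conn.get("scheme") == "https" or conn.get("secure") == "true":
            # Tomcat falls back to ~/.keystore of the user it runs as when keystoreFile is unset
            keystore = conn.get("keystoreFile") or os.path.expanduser("~/.keystore")
            found.append((keystore, conn.get("keystorePass", DEFAULT_PASSWORD)))
    return found

def readable_by_others(path):
    return bool(stat.S_IMODE(os.stat(path).st_mode) & 0o044)  # group or other read bit

def audit(server_xml):
    """Findings mirroring the thread: default password, and whether the keystore is
    any better protected than the server.xml that holds its password in cleartext."""
    findings = []
    for keystore, password in https_connectors(server_xml):
        if password == DEFAULT_PASSWORD:
            findings.append(f"{keystore}: keystorePass is the well-known default '{DEFAULT_PASSWORD}'")
        if not os.path.isfile(keystore):
            findings.append(f"{keystore}: not found (check the home dir of the user running Tomcat)")
            continue
        if readable_by_others(keystore):
            findings.append(f"{keystore}: readable by group/other")
        if readable_by_others(server_xml):
            findings.append(f"{server_xml}: readable by group/other and holds keystorePass in cleartext")
    return findings

def demo():
    """Constructed sample (hypothetical paths): keystore mode 0600, server.xml mode 0644."""
    workdir = tempfile.mkdtemp()
    keystore = os.path.join(workdir, ".keystore")
    with open(keystore, "wb") as fh:
        fh.write(b"placeholder, not a real JKS file")  # only its permissions matter here
    os.chmod(keystore, 0o600)
    server_xml = os.path.join(workdir, "server.xml")
    with open(server_xml, "w") as fh:
        fh.write(f'<Server><Service><Connector port="8443" scheme="https" secure="true" '
                 f'keystoreFile="{keystore}" keystorePass="changeit"/></Service></Server>')
    os.chmod(server_xml, 0o644)
    return audit(server_xml)
```

Running demo() reports the default password and the world-readable server.xml, but not the keystore, which is mode 0600.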
