tomcat-users mailing list archives

From Ognjen Blagojevic <ogn...@etf.bg.ac.rs>
Subject Re: tomcat https
Date Wed, 04 Nov 2009 16:47:33 GMT
Torleif wrote:
> By "default place" I mean /home/user/.keystore  

/home/user/.keystore? That's strange. Is it maybe 
/home/tomcat/.keystore? Or do you have a user "user" on your system? Under 
what user did you create the .keystore file?


> If I choose a different password and modify "server.xml" accordingly it does
> not work.  

Did you choose the same password for both the keystore AND the certificate, as 
pointed out in the Tomcat docs?


> maybe I should use this command instead? ( "keytool -genkey -alias tomcat
> -keyalg RSA -keystore /home/user/.keystore
> -storepass mypassword" ) ??

No, that is not the source of the problem.


> I am ok with using "changeit" as password if this is no security risk. No one
> has access to my computer, but can they get access through https if they know
> the "changeit" password?  

Well, anyone could access your webapps (not the entire file system) 
regardless of the keystore password.


> I also have a mailserver on the same ip "citadel" which uses "webcit" for
> webmail.  
> 
> The ports on my mailserver and Tomcat are different.  

Then you can use different certificates.


Regards,
Ognjen


> 
> Thanks again for all help!!  
> 
> Torleif  
>>  Wed Nov 04 2009 10:28:22 CET from  "Ognjen Blagojevic"
>> <ognjen@etf.bg.ac.rs>  Subject: Re: tomcat https
>>
>>  Torleif wrote:
>>  
>>> I am trying to set up tomcat to use https.
>>> I used "keytool -genkey -alias tomcat -keyalg RSA"
>>> If I use "changeit" as password for keystore everything works ok.
>>> If I use a different password it does not work.
>>> I have modified "server.xml" with keystorePass="newpassword"
>>> My .keystore is located in default place.
>>
>> It could help if you tell us which Tomcat version, OS and OS version you are 
>> using and what "default place" is.
>>
>> The .keystore file should be in the home directory of the user running 
>> Tomcat. E.g. /home/tomcat on Linux, or "C:\Documents and 
>> Settings\ognjen\" on Windows XP.
>>
>> Also note: "Finally, you will be prompted for the key password, which is 
>> the password specifically for this Certificate (as opposed to any other 
>> Certificates stored in the same keystore file). You MUST use the same 
>> password here as was used for the keystore password itself. (Currently, 
>> the keytool prompt will tell you that pressing the ENTER key does this 
>> for you automatically.)" (tomcat SSL docs)
>>
>>
>>  
>>> If I use "changeit" as password, will this be a security risk since this
>>> is a widely known password?
>>
>> The way I see it, the security risk is not too big. The .keystore file will 
>> most probably have the same access rights as your server.xml, where the 
>> keystore password is stored in cleartext. So, if an unauthorized user 
>> is able to access the .keystore file, they will also be able to access 
>> server.xml and read the keystore password.
>>
>> However, if your configuration, backup strategy, or anything else 
>> introduces the possibility for an unauthorized person to access only the 
>> .keystore file (and not server.xml) - or you are simply paranoid - you 
>> should change the default password.
>>
>>
>>  
>>> Also I run a mailserver with https web interface.
>>> Can I use a different https certificate in tomcat or must it be the same
>>> as my mailserver?
>>
>> It really depends on your configuration.
>>
>> Are both webmail and Tomcat on the same port? Do you run webmail 
>> application under Tomcat or not? Do you use httpd or not? Do you have 
>> more than one IP address available for the server?
>>
>> If you use two servers, two different IP addresses OR two different 
>> ports on the same IP address, you can have different certificates. In 
>> other cases, you can't.
>>
>> Regards,
>> Ognjen
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
>> For additional commands, e-mail: users-help@tomcat.apache.org


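The two points this thread turns on, the quoted Tomcat docs' rule that the key password must equal the keystore password and the question of where .keystore actually lives, as an added shell example that is not part of this thread or of Tomcat itself: it generates the key with -storepass and -keypass set to the same value, checks that the store opens with that password, and prints a <Connector> that names the keystore file explicitly instead of relying on ~/.keystore of whichever user runs Tomcat. It assumes a JDK keytool on PATH; the paths and passwords are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes keytool (from a JDK) is on PATH.

# gen_tomcat_keystore <keystore-path> <password> [cn]
# Creates a self-signed RSA key under alias "tomcat". -storepass and -keypass
# are deliberately identical: a mismatch between them is what makes a
# keystore "work only with changeit" after the store password is changed.
gen_tomcat_keystore() {
    ks="$1"; pw="$2"; cn="${3:-localhost}"
    # Refuse to clobber an existing store rather than silently replacing a key.
    [ ! -e "$ks" ] || { echo "refusing to overwrite $ks" >&2; return 1; }
    keytool -genkey -alias tomcat -keyalg RSA -keysize 2048 \
        -keystore "$ks" -storepass "$pw" -keypass "$pw" \
        -dname "CN=$cn" -validity 365 >/dev/null 2>&1
}

# verify_tomcat_keystore <keystore-path> <password>
# Returns 0 only if the store opens with that password AND alias "tomcat"
# exists, which is what the Tomcat connector needs at startup.
verify_tomcat_keystore() {
    keytool -list -keystore "$1" -storepass "$2" -alias tomcat >/dev/null 2>&1
}

# connector_snippet <keystore-path> <password>
# Prints a Tomcat 6 style HTTPS connector for server.xml. keystoreFile is set
# explicitly so the location no longer depends on the running user's home dir;
# keystorePass is the store password, which equals the key password above.
connector_snippet() {
    printf '<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"\n'
    printf '           maxThreads="150" scheme="https" secure="true"\n'
    printf '           clientAuth="false" sslProtocol="TLS"\n'
    printf '           keystoreFile="%s" keystorePass="%s" />\n' "$1" "$2"
}

# Usage (placeholder path and password, not a real deployment):
#   gen_tomcat_keystore /opt/tomcat/conf/tomcat.keystore 'REPLACE-ME' my.host.example \
#     && verify_tomcat_keystore /opt/tomcat/conf/tomcat.keystore 'REPLACE-ME' \
#     && connector_snippet /opt/tomcat/conf/tomcat.keystore 'REPLACE-ME'
```

Because server.xml holds keystorePass in cleartext, keep it and the keystore file readable only by the Tomcat user, as the quoted reply notes.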