tomcat-users mailing list archives

From Vadim Letitchevski <vletitchev...@teledyne.com>
Subject RE: JSSE question
Date Mon, 07 Dec 2009 18:25:53 GMT
Bill.

I have followed the recommendations in that document but did not succeed.
So I have a set of self-generated (using OpenSSL) credentials. OpenSSL server and client work
fine (connect) using these credentials with authentication both ways.
Following the instructions in (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html) I have
done:

openssl pkcs12 -export -in /etc/pki/tls/certs/localhost.crt -inkey /etc/pki/tls/private/localhost.key
-out mycert.p12 -name tomcat -CAfile /etc/pki/tls/cacert.pem -caname root -chain

I have used the password changeit.

Next I have edited server.xml to have these strings:

    <!-- Define a server-auth SSL HTTP/1.1 Connector on port 8442 -->
    <Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystoreFile="conf/mycert.p12" keystorePass="changeit"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

    <!-- Define a mutual-auth SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
               keystoreFile="conf/mycert.p12" keystorePass="changeit"
               truststoreFile="conf/mycert.p12" truststorePass="changeit"
               maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
               enableLookups="false" disableUploadTimeout="true"
               scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS" />

Then I started the server and used Firefox to open https://localhost:8442 or https://localhost:8443,
with no success (failed to connect page).
Catalina log file shows "java.io.exception: Invalid keystore format."
What have I done wrong?

Thanks 
Vadim. 

-----Original Message-----
From: news [mailto:news@ger.gmane.org] On Behalf Of Bill Barker
Sent: Friday, December 04, 2009 7:25 PM
To: users@tomcat.apache.org
Subject: Re: JSSE question


"Vadim Letitchevski" <vletitchevski@teledyne.com> wrote in message news:E17DA276F9A0C84FAD22739DE29C389005DAFC3613@ENTMAIL01.tad.teledyne.com...
>I am confused. Can Tomcat use only JKS keystore or it can also use pem 
>or some other certificate storages?
>

In the Tomcat docs (http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html),
it shows how to use a PKCS12 keystore.  At some point that should be updated to include an
example for using a PKCS11 keystore.

The actual answer is that the JSSE Connector can use any keystore format that is supported
by your Java vendor.  In particular, with the Sun JVM, you can't use PEM (however the APR
Connector does use PEM).  However, it is usually pretty easy to convert PEM to PKCS12 (see
the link above for an example).

>
> Thanks
> Vadim.
> (310)765-3812
>
>
> 




---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


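The connector definitions below are an added example and are not part of the thread or of the Tomcat documentation. They repeat the two connectors from the message above with the keystore type declared: the JSSE connector's keystoreType and truststoreType attributes default to "JKS", so a PKCS12 file is rejected with "Invalid keystore format" unless keystoreType="PKCS12" is set. The paths, ports and password are the ones from the message; conf/truststore.jks is an assumed name for a separate CA-only trust store.

```xml
<!-- Added example (not from the thread): connectors from the message above
     with the keystore type declared. keystoreType/truststoreType default to
     "JKS", so a PKCS12 file needs the type set explicitly. File names, ports
     and the password come from the message; truststore.jks is assumed. -->

<!-- Server-auth only: the PKCS12 file holds the server key and its chain -->
<Connector port="8442" maxHttpHeaderSize="8192" SSLEnabled="true"
           keystoreFile="conf/mycert.p12" keystorePass="changeit"
           keystoreType="PKCS12"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

<!-- Mutual auth: keep the trust anchors in a separate store that contains
     only the CA certificate(s) client certificates must chain to, so it is
     clear which CAs are accepted. Assumed to be created with:
       keytool -import -alias root -file /etc/pki/tls/cacert.pem
               -keystore conf/truststore.jks -storepass changeit -->
<Connector port="8443" maxHttpHeaderSize="8192" SSLEnabled="true"
           keystoreFile="conf/mycert.p12" keystorePass="changeit"
           keystoreType="PKCS12"
           truststoreFile="conf/truststore.jks" truststorePass="changeit"
           truststoreType="JKS"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS" />
```

After restarting Tomcat, a successful handshake on 8442 confirms the keystore is being read as PKCS12; a failure on 8443 alone then points at the trust store or the client certificate rather than the server credentials. Since both passwords sit in server.xml in clear text, the file should be readable only by the account Tomcat runs as.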