tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Brett Delle Grazie" <Brett.Dellegra...@Intact-is.com>
Subject RE: SSL Certificate : Unable to configure Tomcat "server.xml"
Date Tue, 26 Oct 2010 10:04:50 GMT
Hi Richard,

 

In your Server_modified.xml up the top you've got AprListener configured
with SSLEngine=on.

 

This means Tomcat expects the APR type of SSL configuration on a
Connector. (see Tomcat SSL Howto for details)

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

 

In short - your config is using the wrong SSL type.

 

Either:

(a)    Change the connector to use the SSL under APR type, you'll need
to convert your key, certificate and CA certificates (including
intermediate ones) to the Open SSL PEM type.

(b)   Or turn off the AprListener's SSLEngine option (simpler).

 

The APR solution is supposed to be faster since it uses the native SSL
libraries compiled specifically for your system.

 

Best Regards,


Brett

 

From: Richard da Silva [mailto:roman_seaa@yahoo.com] 
Sent: 26 October 2010 09:09
To: Tomcat Users List; Brett Delle Grazie
Cc: darryl.lewis@unsw.edu.au
Subject: SSL Certificate : Unable to configure Tomcat "server.xml"

 

Thanks for your response, Darryl

But, the certificate is not the problem. The Tomcat Configuration is the
issue (server.xml)




Richard da Silva



--- On Tue, 10/26/10, Darryl Lewis <darryl.lewis@unsw.edu.au> wrote:


From: Darryl Lewis <darryl.lewis@unsw.edu.au>
Subject: RE: SSL Certificate : Unable to configure Tomcat "server.xml"
To: "Tomcat Users List" <users@tomcat.apache.org>,
"brett.dellegrazie@intact-is.com" <brett.dellegrazie@intact-is.com>
Date: Tuesday, October 26, 2010, 10:26 AM

Here are my notes on importing a SSL certificate in case that is the
problem. I had a lot of issues and errors when I first tried.
(these were compiled from suggestions on this list)

Importing SSL certificates

Root                 AddTrustExternalCARoot.crt
Intermediate CA        UTNAddTrustServerCA.crt
Intermediate CA        PositiveSSLCA.crt
domain/site certificate    yourdomainname.crt

Location of keystore:
cp .keystore /usr/share/tomcat5/.keystore
Notes: default keystore is .keystore in the CWD

1.    Delete default tomcat cert
keytool -delete -alias "tomcat" -keystore /path/to/keystore

2.    Generate new key
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024  -keystore
/path/to/keystore

Enter keystore password: (default is changeit)
What is your first and last name
[Unknown]: xx
What is the name of your organizational unit?
[Unknown]: xx
What is the name of your organization?
[Unknown]: xx
What is the name of your City or Locality?
[Unknown]: xx
What is the name of your State or Province?
[Unknown]: xx
What is the two-letter country code for this unit?
[Unknown]: xx
Is CN=yourserver.com,OU=xx, O=xx, L=xx, ST=xx, C=xx correct?
[no]: y

Enter key password for <tomcat>

(RETURN if same as keystore password):

3.    create CSR
keytool -certreq -keyalg RSA -alias tomcat -file ssl.csr  -keystore
/path/to/keystore
use this csr to order SSL certificate

4.     import the certificate back into the keystore
keytool -import -alias tomcat -trustcacerts -file ssl.crt -keystore
/path/to/keystore

-----Original Message-----
From: Richard da Silva [mailto:roman_seaa@yahoo.com] 
Sent: Tuesday, 26 October 2010 5:25 PM
To: brett.dellegrazie@intact-is.com
Cc: users@tomcat.apache.org
Subject: Re: SSL Certificate : Unable to configure Tomcat "server.xml"

(a) Exists in certificate store 'cacerts' (bad idea btw).

Yes it does exist.

But, I took your advice, and created a separate keystore. Then imported
the certificate there

(b) Exists with the exact label 'tomcat'

Yes, it does


>From what I have seen so far, the problem does not lie with the SSL
certificate itself. It's with the Tomcat configuration (and that damn
server.xml file).  



Richard da Silva

--- On Mon, 10/25/10, Brett Delle Grazie
<brett.dellegrazie@intact-is.com> wrote:

From: Brett Delle Grazie <brett.dellegrazie@intact-is.com>
Subject: Re: SSL Certificate : Unable to configure Tomcat "server.xml"
To: "Richard da Silva" <roman_seaa@yahoo.com>
Cc: users@tomcat.apache.org
Date: Monday, October 25, 2010, 12:33 PM

Hi,

I haven't read the rest of the thread (forgive me for that) so please
ignore if I'm repeating someone else's advice.

Can you manually confirm (via command line tool 'keytool') that the
certificate:

(a) Exists in certificate store 'cacerts' (bad idea btw).
(b) Exists with the exact label 'tomcat' (might be case sensitive - I
don't know).
(c) Verify your private key is in 'cacerts' (really bad idea btw) - what
happens when you upgrade Java?

Do yourself a favour and use a separate keystore for private key +
certificate.

One other minor detail - I think I remember reading something about only
using '/' form of slash in Tomcat configs regardless of OS.  But can't
remember where it was (somewhere in Tomcat docs I think).

Regards,

Brett

On Sun, 2010-10-24 at 23:47 -0700, Richard da Silva wrote:
> Hi guys,
> 
> thanks for your responses.
> 
> Nothing seems to work so far. 
> 
> As requested, I am sending the full outlines of my "Server.xml" file.
> 
> The first file is the original "Server.xml"  (I saved a copy of it,
> naturally)
> 
> The second file --- "server.xml_modified" ---- is the file which I
> modified, and the one I am now trying to use in Tomcat.
> 
> Any helpful tips would be greatly appreciated.
> 
> Thanks.
> 
> 
> 
> 
> Richard da Silva
> 
> 
> 
> --- On Fri, 10/22/10, Richard da Silva <roman_seaa@yahoo.com> wrote:
>         
>         From: Richard da Silva <roman_seaa@yahoo.com>
>         Subject: SSL Certificate : Unable to configure Tomcat
>         "server.xml"
>         To: users@tomcat.apache.org
>         Date: Friday, October 22, 2010, 3:53 PM
>         
>         Hi all,
>         
>         I've been fighting with a very silly problem all day.
>         
>         I have an instance of Sun Identity Manager (IDM) running on a
>         Tomcat server.
>         
>         To be able to use some of its Resources features, we have had
>         to create and install SSL Certificates.
>         
>         Using some of the online documentation on the installation of
>         SSL Certificates, I was able to successfully copy the
>         Certificate to the keystore. (I did not create a new keystore.
>         Instead, I used the default keystore which comes with the JAVA
>         kit :  "cacerts" )
>         
>         Everything seemed to work fine, and I got the confirmation
>         message saying : "Certificate installed in keystore"
>         
>         The final stage involves configuring the Tomcat "server.xml"
>         file, to be able to allow SSL connection, and also to pinpoint
>         the location of the Keystore. 
>         
>         First, I commented out the "Connector Port 8080" details.  And
>         then, I modified the "Connector port 8443" as follows : 
>         
>         
>         <Connector port="8443" maxHttpHeaderSize="8192"
>         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>         enableLookups="false" disableUploadTimeout="true"
>         acceptCount="100" scheme="https" secure="true"
>         SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
>         keyAlias="tomcat"
>         keystoreFile="C:\Program Files\Java\jdk1.6.0_21\jre\lib
>         \security\cacerts" keypass="my_password"/> 
>         
>         
>         And, this is where my problems began.
>         
>         For some reason, I cannot get this to work.
>         
>         At first, I was using Tomcat version 6.0.21   
>         
>         I began to get several errors in my Tomcat window 
>         
>         (a)  only one usage allowed for each of the following :
>         port / protocol / maxThreads, 
>         
>         etc, etc
>         
>         (b) System parameter "maxThreads"........no match found for
>         parameter;
>              System parameter "scheme"........no match found for
>         parameter;
>              System parameter "clientAuth"........no match found for
>         parameter;
>         
>         etc, etc
>         
>         
>         
>         I began to wonder if, maybe, there was something wrong with
>         the Tomcat version (6.0.21)
>         
>         Last year, I had successfully performed a similar procedure
>         (installed Certificate, modified Tomcat server.xml file, etc).
>         But, that version I used was :  6.0.18
>         
>         So, I decided to try it.  I downloaded an older version of
>         Tomcat (6.0.18), and repeated the process all over again.
>         
>         This time, there were none of the above-mentioned errors. But,
>         I got another error : 
>         
>         Alias "tomcat" not found.
>         
>         So, I removed that line ----- keyAlias="tomcat" ---- and
>         re-started the server.
>         
>         This time, something else happened : when I start-up the
>         server, the Tomcat window goes haywire. I see phrases and
>         lines of data (output) flashing on the screen at the speed of
>         light. And, then, my computer hangs.  I have to re-boot it, to
>         get it working again.
>         
>         I'm at a total loss. 
>         
>         I have racked my brain for any and all possible causes. At
>         first, I thought that, maybe, I ought to have created a whole
>         NEW keystore (as it mentions in the online manual). But, since
>         I was able to successfully import my certificate into the
>         default "cacerts", I figured that was not the reason.
>         
>         And, besides, there is obviously something wrong with the
>         newer version of Tomcat, because the older version (which I am
>         now using), did not give me those earlier errors.
>         
>         But, I still do not know what  I am doing wrong.
>         
>         Any help will be greatly appreciated.
>         
>         
>         Thanks.
>         
>         
>         
>         
>         Richard da Silva
>         
>         
>         
>         
> 



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org




      

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________


______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________
Mime
  • Unnamed multipart/alternative (inline, None, 0 bytes)
View raw message