tomcat-users mailing list archives

From "Brett Delle Grazie" <Brett.Dellegra...@Intact-is.com>
Subject RE: SSL Certificate : Unable to configure Tomcat "server.xml"
Date Tue, 26 Oct 2010 12:45:41 GMT
Hi Richard,

 

Comments below,

 

Regards,

 

Brett

 

From: Richard da Silva [mailto:roman_seaa@yahoo.com] 
Sent: 26 October 2010 13:30
To: Tomcat Users List; Brett Delle Grazie; crypto.sal@gmail.com
Cc: darryl.lewis@unsw.edu.au
Subject: RE: SSL Certificate : Unable to configure Tomcat "server.xml"

 

Dear Sal and Brett,

thank you for pointing this out to me.

I changed the definition of the SSLEngine to "off". 



Just to confirm you changed from:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />

To:

<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />

 

But, still, the error persists. 

I am unable to copy the error messages, and paste them here, because, as I mentioned in my
earlier post, there is NO error message.  Whenever I try to start Tomcat, I get this weird
scene : lines of text flashing past the screen at lightning speed!  Then my computer "hangs",
and I have to reboot it.

As I also mentioned in my first posting, I have performed this entire procedure before ----
created a keystore, imported the certificate into the keystore, and modified the server.xml
file. And everything worked smoothly.

Back then, I was using Tomcat 6.0.18.  Which is the same version I am using now.



Any reason you can’t use 6.0.29 (current)?


Basically, I have done everything exactly the same way. So, I do not understand where this
problem is coming from.



As explained, I haven’t read your previous posts. What OS and JVM are you using?


And, to make matters worse, there is no "error message" to tell me what I am doing wrong.

The error messages, if present should be in the log files.  I think you need to start from
scratch. Can you retry with just the default tomcat applications, i.e. manager, docs and samples,
(i.e. not your application) in the webapp directory? Then you can try reconfiguring for ssl,
test with the ‘docs’ example application.  This way you know you have a working Tomcat
installation that won’t be doing anything ‘funny’.  Use ‘/’ for your paths as explained
previously. Tomcat should start in roughly ~ 20 seconds depending upon speed of your system.

Check the logs for error messages and then look at installing your application.  This way
we know Tomcat is working before trying your application.





Richard da Silva



--- On Tue, 10/26/10, Brett Delle Grazie <Brett.Dellegrazie@Intact-is.com> wrote:


From: Brett Delle Grazie <Brett.Dellegrazie@Intact-is.com>
Subject: RE: SSL Certificate : Unable to configure Tomcat "server.xml"
To: "Richard da Silva" <roman_seaa@yahoo.com>, "Tomcat Users List" <users@tomcat.apache.org>
Cc: darryl.lewis@unsw.edu.au
Date: Tuesday, October 26, 2010, 1:04 PM

Hi Richard,

 

In your Server_modified.xml up the top you’ve got AprListener configured with SSLEngine=on.

 

This means Tomcat expects the APR type of SSL configuration on a Connector. (see Tomcat SSL
Howto for details)

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

 

In short – your config is using the wrong SSL type.

 

Either:

(a)    Change the connector to use the SSL under APR type, you’ll need to convert your key,
certificate and CA certificates (including intermediate ones) to the Open SSL PEM type.

(b)   Or turn off the AprListener’s SSLEngine option (simpler).

 

The APR solution is supposed to be faster since it uses the native SSL libraries compiled
specifically for your system.

 

Best Regards,


Brett

 

From: Richard da Silva [mailto:roman_seaa@yahoo.com] 
Sent: 26 October 2010 09:09
To: Tomcat Users List; Brett Delle Grazie
Cc: darryl.lewis@unsw.edu.au
Subject: SSL Certificate : Unable to configure Tomcat "server.xml"

 

Thanks for your response, Darryl

But, the certificate is not the problem. The Tomcat Configuration is the issue (server.xml)



Richard da Silva



--- On Tue, 10/26/10, Darryl Lewis <darryl.lewis@unsw.edu.au> wrote:


From: Darryl Lewis <darryl.lewis@unsw.edu.au>
Subject: RE: SSL Certificate : Unable to configure Tomcat "server.xml"
To: "Tomcat Users List" <users@tomcat.apache.org>, "brett.dellegrazie@intact-is.com"
<brett.dellegrazie@intact-is.com>
Date: Tuesday, October 26, 2010, 10:26 AM

Here are my notes on importing an SSL certificate in case that is the problem. I had a lot
of issues and errors when I first tried.
(these were compiled from suggestions on this list)

Importing SSL certificates

Root                 AddTrustExternalCARoot.crt
Intermediate CA        UTNAddTrustServerCA.crt
Intermediate CA        PositiveSSLCA.crt
domain/site certificate    yourdomainname.crt

Location of keystore:
cp .keystore /usr/share/tomcat5/.keystore
Notes: default keystore is .keystore in the CWD

1.    Delete default tomcat cert
keytool -delete -alias "tomcat" -keystore /path/to/keystore

2.    Generate new key
keytool -genkey -alias tomcat -keyalg RSA -keysize 1024  -keystore /path/to/keystore

Enter keystore password: (default is changeit)
What is your first and last name
[Unknown]: xx
What is the name of your organizational unit?
[Unknown]: xx
What is the name of your organization?
[Unknown]: xx
What is the name of your City or Locality?
[Unknown]: xx
What is the name of your State or Province?
[Unknown]: xx
What is the two-letter country code for this unit?
[Unknown]: xx
Is CN=yourserver.com,OU=xx, O=xx, L=xx, ST=xx, C=xx correct?
[no]: y

Enter key password for <tomcat>

(RETURN if same as keystore password):

3.    create CSR
keytool -certreq -keyalg RSA -alias tomcat -file ssl.csr  -keystore /path/to/keystore
use this csr to order SSL certificate

4.     import the certificate back into the keystore
keytool -import -alias tomcat -trustcacerts -file ssl.crt -keystore /path/to/keystore

-----Original Message-----
From: Richard da Silva [mailto:roman_seaa@yahoo.com] 
Sent: Tuesday, 26 October 2010 5:25 PM
To: brett.dellegrazie@intact-is.com
Cc: users@tomcat.apache.org
Subject: Re: SSL Certificate : Unable to configure Tomcat "server.xml"

(a) Exists in certificate store 'cacerts' (bad idea btw).

Yes it does exist.

But, I took your advice, and created a separate keystore. Then imported the certificate there

(b) Exists with the exact label 'tomcat'

Yes, it does


From what I have seen so far, the problem does not lie with the SSL certificate itself. It's
with the Tomcat configuration (and that damn server.xml file).  



Richard da Silva

--- On Mon, 10/25/10, Brett Delle Grazie <brett.dellegrazie@intact-is.com> wrote:

From: Brett Delle Grazie <brett.dellegrazie@intact-is.com>
Subject: Re: SSL Certificate : Unable to configure Tomcat "server.xml"
To: "Richard da Silva" <roman_seaa@yahoo.com>
Cc: users@tomcat.apache.org
Date: Monday, October 25, 2010, 12:33 PM

Hi,

I haven't read the rest of the thread (forgive me for that) so please
ignore if I'm repeating someone else's advice.

Can you manually confirm (via command line tool 'keytool') that the
certificate:

(a) Exists in certificate store 'cacerts' (bad idea btw).
(b) Exists with the exact label 'tomcat' (might be case sensitive - I
don't know).
(c) Verify your private key is in 'cacerts' (really bad idea btw) - what
happens when you upgrade Java?

Do yourself a favour and use a separate keystore for private key +
certificate.

One other minor detail - I think I remember reading something about only
using '/' form of slash in Tomcat configs regardless of OS.  But can't
remember where it was (somewhere in Tomcat docs I think).

Regards,

Brett

On Sun, 2010-10-24 at 23:47 -0700, Richard da Silva wrote:
> Hi guys,
> 
> thanks for your responses.
> 
> Nothing seems to work so far. 
> 
> As requested, I am sending the full outlines of my "Server.xml" file.
> 
> The first file is the original "Server.xml"  (I saved a copy of it,
> naturally)
> 
> The second file --- "server.xml_modified" ---- is the file which I
> modified, and the one I am now trying to use in Tomcat.
> 
> Any helpful tips would be greatly appreciated.
> 
> Thanks.
> 
> 
> 
> 
> Richard da Silva
> 
> 
> 
> --- On Fri, 10/22/10, Richard da Silva <roman_seaa@yahoo.com> wrote:
>         
>         From: Richard da Silva <roman_seaa@yahoo.com>
>         Subject: SSL Certificate : Unable to configure Tomcat
>         "server.xml"
>         To: users@tomcat.apache.org
>         Date: Friday, October 22, 2010, 3:53 PM
>         
>         Hi all,
>         
>         I've been fighting with a very silly problem all day.
>         
>         I have an instance of Sun Identity Manager (IDM) running on a
>         Tomcat server.
>         
>         To be able to use some of its Resources features, we have had
>         to create and install SSL Certificates.
>         
>         Using some of the online documentation on the installation of
>         SSL Certificates, I was able to successfully copy the
>         Certificate to the keystore. (I did not create a new keystore.
>         Instead, I used the default keystore which comes with the JAVA
>         kit :  "cacerts" )
>         
>         Everything seemed to work fine, and I got the confirmation
>         message saying : "Certificate installed in keystore"
>         
>         The final stage involves configuring the Tomcat "server.xml"
>         file, to be able to allow SSL connection, and also to pinpoint
>         the location of the Keystore. 
>         
>         First, I commented out the "Connector Port 8080" details.  And
>         then, I modified the "Connector port 8443" as follows : 
>         
>         
>         <Connector port="8443" maxHttpHeaderSize="8192"
>         maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
>         enableLookups="false" disableUploadTimeout="true"
>         acceptCount="100" scheme="https" secure="true"
>         SSLEnabled="true" clientAuth="false" sslProtocol="TLS"
>         keyAlias="tomcat"
>         keystoreFile="C:\Program Files\Java\jdk1.6.0_21\jre\lib
>         \security\cacerts" keypass="my_password"/> 
>         
>         
>         And, this is where my problems began.
>         
>         For some reason, I cannot get this to work.
>         
>         At first, I was using Tomcat version 6.0.21   
>         
>         I began to get several errors in my Tomcat window 
>         
>         (a)  only one usage allowed for each of the following :
>         port / protocol / maxThreads, 
>         
>         etc, etc
>         
>         (b) System parameter "maxThreads"........no match found for
>         parameter;
>              System parameter "scheme"........no match found for
>         parameter;
>              System parameter "clientAuth"........no match found for
>         parameter;
>         
>         etc, etc
>         
>         
>         
>         I began to wonder if, maybe, there was something wrong with
>         the Tomcat version (6.0.21)
>         
>         Last year, I had successfully performed a similar procedure
>         (installed Certificate, modified Tomcat server.xml file, etc).
>         But, that version I used was :  6.0.18
>         
>         So, I decided to try it.  I downloaded an older version of
>         Tomcat (6.0.18), and repeated the process all over again.
>         
>         This time, there were none of the above-mentioned errors. But,
>         I got another error : 
>         
>         Alias "tomcat" not found.
>         
>         So, I removed that line ----- keyAlias="tomcat" ---- and
>         re-started the server.
>         
>         This time, something else happened : when I start-up the
>         server, the Tomcat window goes haywire. I see phrases and
>         lines of data (output) flashing on the screen at the speed of
>         light. And, then, my computer hangs.  I have to re-boot it, to
>         get it working again.
>         
>         I'm at a total loss. 
>         
>         I have racked my brain for any and all possible causes. At
>         first, I thought that, maybe, I ought to have created a whole
>         NEW keystore (as it mentions in the online manual). But, since
>         I was able to successfully import my certificate into the
>         default "cacerts", I figured that was not the reason.
>         
>         And, besides, there is obviously something wrong with the
>         newer version of Tomcat, because the older version (which I am
>         now using), did not give me those earlier errors.
>         
>         But, I still do not know what  I am doing wrong.
>         
>         Any help will be greatly appreciated.
>         
>         
>         Thanks.
>         
>         
>         
>         
>         Richard da Silva
>         
>         
>         
>         
> 
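The three configuration problems raised in this thread (an AprLifecycleListener with SSLEngine="on" paired with a JSSE-style connector, backslashes in keystoreFile, and the private key living in the JRE's cacerts trust store) can all be caught by reading server.xml before starting Tomcat. The following linter is an added example written for this page; it is not code from the thread or from the Tomcat project. The three server.xml fragments are constructed, modelled on the snippets quoted above, and the attribute lists are the JSSE and APR connector attributes documented in the Tomcat 6 SSL Howto.

```python
"""Lint a Tomcat 6 server.xml for the SSL misconfigurations discussed in the thread.

Added example, not from the mailing list or the Tomcat project. The XML below is
constructed for the example and modelled on the fragments quoted in the mails.
"""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Attribute names (lower-cased) that belong to the JSSE (Java keystore) SSL style.
JSSE_ATTRS = {"keystorefile", "keystorepass", "keypass", "keyalias",
              "truststorefile", "truststorepass", "keystoretype"}
# Attribute names (lower-cased) that belong to the APR/OpenSSL (PEM file) SSL style.
APR_ATTRS = {"sslcertificatefile", "sslcertificatekeyfile",
             "sslcertificatechainfile", "sslcacertificatefile"}


def lint_server_xml(xml_text):
    """Return a list of (severity, message) findings for one server.xml document."""
    findings = []
    root = ET.fromstring(xml_text)

    # Is native (APR) SSL switched on at the Listener level?
    apr_ssl_on = any(
        listener.get("className") == APR_LISTENER
        and listener.get("SSLEngine", "off").lower() == "on"
        for listener in root.iter("Listener")
    )

    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue  # plain HTTP/AJP connector, nothing to check
        port = conn.get("port", "?")
        attrs = {name.lower(): value for name, value in conn.attrib.items()}
        uses_jsse = bool(attrs.keys() & JSSE_ATTRS)
        uses_apr = bool(attrs.keys() & APR_ATTRS)

        # Mismatch between the Listener's SSL engine and the connector's SSL style.
        if apr_ssl_on and uses_jsse and not uses_apr:
            findings.append(("error",
                f"port {port}: AprLifecycleListener SSLEngine=\"on\" but the connector "
                "uses JSSE keystore attributes; set SSLEngine=\"off\" or convert key and "
                "certificates to PEM and use the APR attributes"))
        if not apr_ssl_on and uses_apr and not uses_jsse:
            findings.append(("error",
                f"port {port}: connector uses APR PEM attributes but SSLEngine is not "
                "\"on\"; Tomcat will use JSSE and ignore them"))

        keystore = attrs.get("keystorefile", "")
        # Tomcat configs should use '/' as the path separator regardless of OS.
        if "\\" in keystore:
            findings.append(("warning",
                f"port {port}: keystoreFile uses backslashes; use '/' instead"))
        # The JRE trust store is the wrong home for a server's private key.
        if keystore.replace("\\", "/").endswith("/lib/security/cacerts"):
            findings.append(("warning",
                f"port {port}: keystoreFile is the JRE cacerts trust store; keep the "
                "private key and certificate in a separate keystore"))
    return findings


# Constructed: Listener SSLEngine="on" with a JSSE connector pointing at cacerts.
BROKEN_SERVER_XML = r"""<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
               enableLookups="false" disableUploadTimeout="true" acceptCount="100"
               scheme="https" secure="true" SSLEnabled="true" clientAuth="false"
               sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="C:\Program Files\Java\jdk1.6.0_21\jre\lib\security\cacerts"
               keystorePass="changeit"/>
  </Service>
</Server>"""

# Constructed: option (b) from the thread, SSLEngine off plus a separate keystore.
FIXED_JSSE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="off" />
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               clientAuth="false" sslProtocol="TLS" keyAlias="tomcat"
               keystoreFile="C:/tomcat/conf/tomcat.keystore" keystorePass="changeit"/>
  </Service>
</Server>"""

# Constructed: option (a) from the thread, SSLEngine on plus PEM files (paths are placeholders).
FIXED_APR_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/path/to/server.crt"
               SSLCertificateKeyFile="/path/to/server.key"
               SSLCertificateChainFile="/path/to/chain.pem"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_SERVER_XML), ("fixed-jsse", FIXED_JSSE_SERVER_XML),
                       ("fixed-apr", FIXED_APR_SERVER_XML)):
        print(label, lint_server_xml(doc) or "OK")
```

Run against a real installation with `lint_server_xml(open("conf/server.xml").read())`; the attribute comparison is case-insensitive so that it still reports a connector whose attributes differ only in case from the documented spelling.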



______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit http://www.messagelabs.com/email 
______________________________________________________________________

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org