tomcat-users mailing list archives

From David kerber <dcker...@verizon.net>
Subject Re: SSL Tomcat 6 & 7
Date Fri, 02 Dec 2011 15:43:38 GMT
On 12/2/2011 10:39 AM, Lau Eng Huat wrote:
> I'm still stuck after correcting the recommendation made by Daniel.
>
>    <Listener  className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
>
>      <Connector
>          protocol="org.apache.coyote.http11.Http11AprProtocol"
>          port="8443" maxHttpHeaderSize="8192"
>          maxThreads="150" minSpareThreads="25"
>          enableLookups="false" disableUploadTimeout="true"
>          acceptCount="100" scheme="https" secure="true"
>          clientAuth="false" sslProtocol="TLS"
> SSLEngine="true"

^^^^^^^^^^^^^^^^^^

You still have SSLEngine set in the connector, where it doesn't belong.



> SSLCertificateFile="${catalina.base}\conf\cert.pem"
> SSLCertificateKeyFile="${catalina.base}\conf\key.pem"
> SSLPassword="tomcat"
>       />
>
>   <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
>
> It still gives me this error
>
> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property
> 'SSLEngine' to 'true' did not find a matching property.
>
> I'm running Tomcat as localhost under NetBeans.
>
> On Fri, Dec 2, 2011 at 9:57 PM, Daniel Mikusa<dmikusa@vmware.com>  wrote:
>
>> On Fri, 2011-12-02 at 01:12 -0800, Lau Eng Huat wrote:
>>> Hi everybody,
>>>
>>> I'm stuck on this SSL over a month. I hope somebody can help me here. I'm
>>> getting a Warning on "WARNING:
>>> [SetAllPropertiesRule]{Server/Service/Connector} Setting property
>>> 'SSLEngine' to 'on' did not find a matching property."
>>
>> Tomcat is telling you that the property "SSLEngine" does not exist on a
>> Connector object.  Note that it is not listed in the documentation
>> either.
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support
>>
>>
>> Perhaps you are confused with the "SSLEngine" attribute of the
>> AprLifecycleListener?
>>
>> <Listener className="org.apache.catalina.core.AprLifecycleListener"
>>           SSLEngine="on" />
>>
>>
>> and perhaps you meant SSLEnabled="true" on your Connector?
>>
>> Example from docs:
>>
>> <Connector
>>            port="8443" maxThreads="200"
>>            scheme="https" secure="true" SSLEnabled="true"
>>            SSLCertificateFile="/usr/local/ssl/server.crt"
>>            SSLCertificateKeyFile="/usr/local/ssl/server.pem"
>>            clientAuth="optional" SSLProtocol="TLSv1"/>
>>
>> https://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
>>
>> Dan
>>
>>
>>
>>> I have tried using
>>> all these 3 Connection types but it still does not work. I'm running on
>>> Tomcat 7.0
>>>
>>> protocol="org.apache.coyote.http11.Http11Protocol"
>>> protocol="org.apache.coyote.http11.Http11NioProtocol"
>>> protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>
>>> 1. # openssl req -new -x509 -extensions v3_ca -keyout private/cakey.pem -out cacert.pem -days 3650 -config ./openssl.cnf
>>>
>>> Using configuration from ./openssl.cnf
>>> Generating a 1024 bit RSA private key
>>> .......++++++
>>> ..........................++++++
>>> writing new private key to 'private/cakey.pem'
>>> Enter PEM pass phrase:tomcat
>>> Verifying password - Enter PEM pass phrase:tomcat
>>> -----
>>> You are about to be asked to enter information that will be incorporated
>>> into your certificate request.
>>> What you are about to enter is what is called a Distinguished Name or a DN.
>>> There are quite a few fields but you can leave some blank
>>> For some fields there will be a default value,
>>> If you enter '.', the field will be left blank.
>>> -----
>>> Organization Name (company) [The Sample Company]:<enter>
>>> Organizational Unit Name (department, division) []:CA Division
>>> Email Address []:ca@sample.com
>>> Locality Name (city, district) [Metropolis]:<enter>
>>> State or Province Name (full name) [New York]:<enter>
>>> Country Name (2 letter code) [US]:<enter>
>>> Common Name (hostname, IP, or your name) []:TSC Root CA
>>>
>>> 2.  openssl req -new -nodes -out req.pem -config ./openssl.cnf
>>> 3. openssl ca -out cert.pem -config ./openssl.cnf -infiles req.pem
>>>
>>> Using configuration from ./openssl.cnf
>>> Enter PEM pass phrase:demo
>>> Check that the request matches the signature
>>> Signature ok
>>> The Subjects Distinguished Name is as follows
>>> organizationName      :PRINTABLE:'The Sample Company'
>>> organizationalUnitName:PRINTABLE:'Mail Server'
>>> emailAddress          :IA5STRING:'postmaster@sample.com'
>>> localityName          :PRINTABLE:'Metropolis'
>>> stateOrProvinceName   :PRINTABLE:'New York'
>>> countryName           :PRINTABLE:'US'
>>> commonName            :PRINTABLE:'mail.sample.com'
>>> Certificate is to be certified until Dec 8 04:37:38 2002 GMT (365 days)
>>> Sign the certificate? [y/n]:y
>>> 1 out of 1 certificate requests certified, commit? [y/n]y
>>> Write out database with 1 new entries
>>> Data Base Updated
>>>
>>> 4. copy cert.pem tmp.pem
>>> 5. openssl x509 -in tmp.pem -out cert.pem
>>>
>>> //====================================== OPENSSL.CFG
>>> ======================================================
>>> Attached here is the openssl.cfg
>>>
>>> dir                     = .
>>>
>>> [ ca ]
>>> default_ca              = CA_default
>>>
>>> [ CA_default ]
>>> serial                  = $dir/serial
>>> database                = $dir/index.txt
>>> new_certs_dir           = $dir/newcerts
>>> certificate             = $dir/cacert.pem
>>> private_key             = $dir/private/cakey.pem
>>> default_days            = 365
>>> default_md              = md5
>>> preserve                = no
>>> email_in_dn             = no
>>> nameopt                 = default_ca
>>> certopt                 = default_ca
>>> policy                  = policy_match
>>>
>>> [ policy_match ]
>>> countryName             = match
>>> stateOrProvinceName     = match
>>> organizationName        = match
>>> organizationalUnitName  = optional
>>> commonName              = supplied
>>> emailAddress            = optional
>>>
>>> [ req ]
>>> default_bits            = 1024                  # Size of keys
>>> default_keyfile         = key.pem               # name of generated keys
>>> default_md              = md5                   # message digest algorithm
>>> string_mask             = nombstr               # permitted characters
>>> distinguished_name      = req_distinguished_name
>>> req_extensions          = v3_req
>>>
>>> [ req_distinguished_name ]
>>> # Variable name           Prompt string
>>> #----------------------   ----------------------------------
>>> 0.organizationName      = Organization Name (company)
>>> organizationalUnitName  = Organizational Unit Name (department, division)
>>> emailAddress            = Email Address
>>> emailAddress_max        = 40
>>> localityName            = Locality Name (city, district)
>>> stateOrProvinceName     = State or Province Name (full name)
>>> countryName             = Country Name (2 letter code)
>>> countryName_min         = 2
>>> countryName_max         = 2
>>> commonName              = Common Name (hostname, IP, or your name)
>>> commonName_max          = 64
>>>
>>> # Default values for the above, for consistency and less typing.
>>> # Variable name                   Value
>>> #------------------------------   ------------------------------
>>> 0.organizationName_default      = The Sample Company
>>> localityName_default            = Metropolis
>>> stateOrProvinceName_default     = New York
>>> countryName_default             = US
>>>
>>> [ v3_ca ]
>>> basicConstraints        = CA:TRUE
>>> subjectKeyIdentifier    = hash
>>> authorityKeyIdentifier  = keyid:always,issuer:always
>>>
>>> [ v3_req ]
>>> basicConstraints        = CA:FALSE
>>> subjectKeyIdentifier    = hash
>>>
>>> ============================================= SERVER.XML
>>> ===================================================
>>> Attached here is the server.xml
>>>
>>> <Server port="8025" shutdown="SHUTDOWN">
>>>      <Listener SSLEngine="on"
>>> className="org.apache.catalina.core.AprLifecycleListener"/>
>>>      <Listener className="org.apache.catalina.core.JasperListener"/>
>>>      <Listener
>>> className="org.apache.catalina.core.JreMemoryLeakPreventionListener"/>
>>>      <Listener
>>> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
>>>      <Listener
>>> className="org.apache.catalina.core.ThreadLocalLeakPreventionListener"/>
>>>
>>>      <GlobalNamingResources>
>>>          <Resource auth="Container" description="User database that can be
>>> updated and saved"
>>> factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>>> name="UserDatabase" pathname="conf/tomcat-users.xml"
>>> type="org.apache.catalina.UserDatabase"/>
>>>      </GlobalNamingResources>
>>>
>>>      <Service name="Catalina">
>>>          <Connector URIEncoding="utf-8" connectionTimeout="20000"
>>> port="8084" protocol="HTTP/1.1" redirectPort="8443"/>
>>>
>>>
>>>      <Connector
>>>          protocol="org.apache.coyote.http11.Http11AprProtocol"
>>>          port="8443" maxHttpHeaderSize="8192"
>>>          maxThreads="150" minSpareThreads="25"
>>>          enableLookups="false" disableUploadTimeout="true"
>>>          acceptCount="100" scheme="https" secure="true"
>>>          clientAuth="false" sslProtocol="TLS"
>>> SSLEngine="on"
>>> SSLCertificateFile="${catalina.base}\conf\cert.pem"
>>> SSLCertificateKeyFile="${catalina.base}\conf\key.pem"
>>> SSLPassword="tomcat"
>>>       />
>>>          <Connector port="8009" protocol="AJP/1.3" redirectPort="8443"/>
>>>          <Engine defaultHost="localhost" name="Catalina">
>>>              <Realm className="org.apache.catalina.realm.LockOutRealm">
>>>                  <Realm
>>> className="org.apache.catalina.realm.UserDatabaseRealm"
>>> resourceName="UserDatabase"/>
>>>              </Realm>
>>>              <Host appBase="webapps" autoDeploy="false" name="localhost"
>>> unpackWARs="true">
>>>                  <Valve
>>> className="org.apache.catalina.valves.AccessLogValve" directory="logs"
>>> pattern="%h %l %u %t&quot;%r&quot; %s %b" prefix="localhost_access_log."
>>> resolveHosts="false" suffix=".txt"/>
>>>              </Host>
>>>          </Engine>
>>>      </Service>
>>> </Server>
>>>
>>> //================================================= NETBEAN OUTPUT
>>> =======================================
>>> Using CATALINA_BASE:   "C:\Users\LEH\.netbeans\7.0\apache-tomcat-7.0.14.0_base"
>>> Using CATALINA_HOME:   "D:\WEB_PROGRAMS\Apache Tomcat 7.0.14"
>>> Using CATALINA_TMPDIR: "C:\Users\LEH\.netbeans\7.0\apache-tomcat-7.0.14.0_base\temp"
>>> Using JRE_HOME:        "C:\IMPORTANT SOFTWARE\JDK_32"
>>> Using CLASSPATH:       "D:\WEB_PROGRAMS\Apache Tomcat 7.0.14\bin\bootstrap.jar;D:\WEB_PROGRAMS\Apache Tomcat 7.0.14\bin\tomcat-juli.jar"
>>> Dec 2, 2011 5:04:43 PM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: Loaded APR based Apache Tomcat Native library 1.1.20.
>>> Dec 2, 2011 5:04:43 PM org.apache.catalina.core.AprLifecycleListener init
>>> INFO: APR capabilities: IPv6 [true], sendfile [true], accept filters [false], random [true].
>>> Dec 2, 2011 5:04:43 PM org.apache.catalina.startup.SetAllPropertiesRule begin
>>> WARNING: [SetAllPropertiesRule]{Server/Service/Connector} Setting property 'SSLEngine' to 'on' did not find a matching property.
>>> Dec 2, 2011 5:04:44 PM org.apache.coyote.AbstractProtocolHandler init
>>> INFO: Initializing ProtocolHandler ["http-apr-8084"]
>>> Dec 2, 2011 5:04:44 PM org.apache.coyote.AbstractProtocolHandler init
>>> INFO: Initializing ProtocolHandler ["http-apr-8443"]
>>> Dec 2, 2011 5:04:44 PM org.apache.coyote.AbstractProtocolHandler init
>>> INFO: Initializing ProtocolHandler ["ajp-apr-8009"]
>>> Dec 2, 2011 5:04:44 PM org.apache.catalina.startup.Catalina load
>>> INFO: Initialization processed in 953 ms
>>> Dec 2, 2011 5:04:44 PM org.apache.catalina.core.StandardService startInternal
>>> INFO: Starting service Catalina
>>> Dec 2, 2011 5:04:44 PM org.apache.catalina.core.StandardEngine startInternal
>>> INFO: Starting Servlet Engine: Apache Tomcat/7.0.14
>>> Dec 2, 2011 5:04:44 PM org.apache.catalina.startup.HostConfig deployDescriptor
>>> INFO: Deploying configuration descriptor ABC_WEBSITE.xml from C:\Users\LEH\.netbeans\7.0\apache-tomcat-7.0.14.0_base\conf\Catalina\localhost
>>> Dec 2, 2011 5:04:47 PM com.sun.faces.config.ConfigureListener contextInitialized
>>> INFO: Initializing Mojarra 2.1.1 (FCS 20110408) for context '/ABC_WEBSITE'
>>> Dec 2, 2011 5:04:47 PM com.sun.faces.spi.InjectionProviderFactory createInstance
>>> INFO: JSF1048: PostConstruct/PreDestroy annotations present.  ManagedBeans methods marked with these annotations will have said annotations processed.
>>> Dec 2, 2011 5:04:47 PM org.apache.catalina.startup.HostConfig deployDescriptor
>>> INFO: Deploying configuration descriptor manager.xml from C:\Users\LEH\.netbeans\7.0\apache-tomcat-7.0.14.0_base\conf\Catalina\localhost
>>> Dec 2, 2011 5:04:48 PM org.apache.catalina.startup.HostConfig deployDescriptor
>>> INFO: Deploying configuration descriptor ROOT.xml from C:\Users\LEH\.netbeans\7.0\apache-tomcat-7.0.14.0_base\conf\Catalina\localhost
>>> Dec 2, 2011 5:04:48 PM org.apache.coyote.AbstractProtocolHandler start
>>> INFO: Starting ProtocolHandler ["http-apr-8084"]
>>> Dec 2, 2011 5:04:48 PM org.apache.coyote.AbstractProtocolHandler start
>>> INFO: Starting ProtocolHandler ["http-apr-8443"]
>>> Dec 2, 2011 5:04:48 PM org.apache.coyote.AbstractProtocolHandler start
>>> INFO: Starting ProtocolHandler ["ajp-apr-8009"]
>>> Dec 2, 2011 5:04:48 PM org.apache.catalina.startup.Catalina start
>>>
>>> God Bless
>>> ENg Huat
>>>
>>> On Sun, Nov 13, 2011 at 11:19 PM, Pid<pid@pidster.com>  wrote:
>>>
>>>> On 13/11/2011 10:03, Lau Eng Huat wrote:
>>>>> Hi everybody,
>>>>>
>>>>> I have followed this example on setting up the SSL on Tomcat Expert
>>>>> http://www.tomcatexpert.com/knowledge-base/using-openssl-configure-ssl-certificates-tomcat .
>>>>> The question that I have is how do you use Apache Commons HttpClient to
>>>>> send and receive information from the servlet. I have no idea how to write
>>>>> the code for the HttpClient and Servlet. Please help me with this; I've been
>>>>> stuck at this for a couple of weeks already.
>>>>
>>>> One of those is a question for the Apache Commons community.
>>>> Note: Commons HttpClient has been superseded by Http Components.
>>>>
>>>>   http://hc.apache.org/httpcomponents-client-ga/index.html
>>>>
>>>>
>>>> If you don't know how to write a Servlet, then you should have a look at
>>>> the documentation site and examples shipped with your Tomcat version:
>>>>
>>>>   http://tomcat.apache.org/
>>>>
>>>>
>>>> p
>>>>
>>>>
>>>> --
>>>>
>>>> [key:62590808]
>>>>
>>>>
>>
>


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org

