tomcat-users mailing list archives

From Justin Larose <Justin.Lar...@nexweb.org>
Subject Re: SSL Configuration Errors
Date Fri, 06 Jan 2012 19:56:09 GMT
Pid <pid@pidster.com> wrote on 01/06/2012 04:30:30 AM:

> From: Pid <pid@pidster.com>
> To: Tomcat Users List <users@tomcat.apache.org>
> Date: 01/06/2012 04:31 AM
> Subject: Re: SSL Configuration Errors
> 

> >      <Connector port="18080" protocol="HTTP/1.1"
> >                 connectionTimeout="20000"
> >                 redirectPort="8443" />
> >
> >   <Connector

> Are you actually using Client auth?

This Tomcat environment was setup long before I worked here, so I am just 
upgrading from an older version to 7.0.23 and trying to not use a self 
signed certificate.

> >     clientAuth="true" port="8443" minSpareThreads="5" maxSpareThreads="75"
> >     enableLookups="true" disableUploadTimeout="true"
> >     acceptCount="100" maxThreads="200"
> >     scheme="https" secure="true" SSLEnabled="true"
> >     keystoreFile="F:\Serena\Dimensions 2009 R2\Common Tools\Tomcat 7.0\conf\wcmdev-ssl.jks"
> >     keystoreType="JKS" keystorePass="******"

> keystoreType has the default, you can remove it.
> I don't like the look of those paths, this is neater:
> keystoreFile="${catalina.base}\conf\wcmdev-ssl.jks"

> 
> >     truststoreFile="F:\Serena\Dimensions 2009 R2\Common Tools\Tomcat 7.0\conf\wcmdev-ssl.jks"

> truststoreType has the default, you can remove it.

> >     truststoreType="JKS" truststorePass="******"
> >     SSLVerifyClient="require" SSLEngine="on" SSLVerifyDepth="2"
> >     sslProtocol="TLS" />

> sslProtocol is also the default, you can remove it.

Removed.

> 
> >     <Connector port="8409" protocol="AJP/1.3" redirectPort="8443" />

> Are you actually using the AJP connector?

Removed.

> Can you remove all of the client auth config and just configure the
> keystore alone, first to try to get the SSL working?

Removed.

> Did you follow the steps here?

> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html

Yes.
I can get the sample-ssl.jks to work with the below connector port
information. But when I edit the connector ports to add the new
"wcmdev-ssl.jks" and imported Certificate(s) I received from the CSR I get
the error, "java.io.IOException: Alias name tomcat does not identify a key
entry"

Weird because it is an alias. Is it looking for tomcat as the actual entry
name or alias?

It seems like it is not reading the keystore properly. Should I just
create a new CSR from the sample-ssl.jks keystore?

Here is the connector info for the sample-ssl.jks that works.

<Service name="Catalina">

        <Connector port="18080" protocol="HTTP/1.1"
                   connectionTimeout="20000" redirectPort="8443"/>

        <Connector port="8443" SSLEnabled="true" scheme="https" secure="true"
                   maxHttpHeaderSize="8192" maxThreads="150"
                   minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" strategy="ms"
                   keystoreFile="conf/sample-ssl.jks" keystorePass="***"
                   keyAlias="tomcat"
                   truststoreFile="conf/sample-ssl.jks" truststorePass="***"/>

        <Connector port="8543" SSLEnabled="true" scheme="https" secure="true"
                   maxHttpHeaderSize="8192" maxThreads="150"
                   minSpareThreads="25" maxSpareThreads="75"
                   enableLookups="false" disableUploadTimeout="true"
                   acceptCount="100" strategy="ms"
                   keystoreFile="conf/sample-ssl.jks" keystorePass="***"
                   keyAlias="tomcat"
                   truststoreFile="conf/sample-ssl.jks" truststorePass="***"/>




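The error quoted above ("Alias name tomcat does not identify a key entry") is what Tomcat reports when keyAlias points at an entry that is not a PrivateKeyEntry, typically because the CA-signed certificate was imported under its own alias as a trusted certificate instead of onto the alias that holds the private key from the CSR. The following added example (not code from this thread or from the Tomcat project) parses a constructed, abridged `keytool -list -v` listing with hypothetical aliases and reports whether a given keyAlias can actually serve as the connector's server key.

```python
# Constructed, abridged output of `keytool -list -v -keystore wcmdev-ssl.jks`
# with hypothetical aliases: the signed cert was imported under "tomcat" as a
# trusted certificate, while the private key that produced the CSR sits under
# another alias, so keyAlias="tomcat" names an entry that cannot serve TLS.
SAMPLE_LISTING = """\
Keystore type: JKS
Your keystore contains 2 entries

Alias name: tomcat
Entry type: trustedCertEntry
Owner: CN=wcmdev.example.org, O=Example
Issuer: CN=Example Issuing CA, O=Example

Alias name: wcmdev-key
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=wcmdev.example.org, O=Example
Issuer: CN=wcmdev.example.org, O=Example
"""

def parse_keytool_listing(listing):
    """Map alias -> {"type": entry type, "chain": certificate chain length}."""
    entries, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Alias name:"):
            current = line.split(":", 1)[1].strip()
            entries[current] = {"type": None, "chain": 0}
        elif current and line.startswith("Entry type:"):
            entries[current]["type"] = line.split(":", 1)[1].strip()
        elif current and line.startswith("Certificate chain length:"):
            entries[current]["chain"] = int(line.split(":", 1)[1])
    return entries

def check_key_alias(listing, alias):
    """Say whether keyAlias names a usable server key; returns (status, detail)."""
    entries = parse_keytool_listing(listing)
    entry = entries.get(alias)
    if entry is None:
        return "missing", f"alias {alias!r} not in keystore; present: {sorted(entries)}"
    if entry["type"] != "PrivateKeyEntry":
        # This is the case behind "Alias name X does not identify a key entry".
        keys = sorted(a for a, e in entries.items() if e["type"] == "PrivateKeyEntry")
        return "wrong-type", f"alias {alias!r} is a {entry['type']}; key entries: {keys}"
    if entry["chain"] < 2:
        # Key entry, but the signed cert/intermediates were never imported onto it.
        return "ok-no-chain", f"alias {alias!r} is a key entry but carries no CA chain"
    return "ok", f"alias {alias!r} is a key entry with chain length {entry['chain']}"
```

The "ok-no-chain" status is the usual state of the key alias just before the CA reply is imported onto it; the signed certificate must go onto the same alias as the private key, not a new one.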