tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Javamelody and Struts
Date Thu, 26 Apr 2012 13:51:26 GMT

Miguel,

On 4/26/12 5:58 AM, Miguel González Castaños wrote:
> On 26/04/2012 03:58, Christopher Schultz wrote:
>> 
>> Miguel,
>> 
>> On 4/25/12 6:24 PM, Miguel González Castaños wrote:
>>>> Please post your SSL <Connector> configuration (cleansed of
>>>> any passwords).
> By the way, double-checking the info from my web browser, I get that
> this is a VeriSign Class 3 Secure Server G3

It looks like you were using the "EV" intermediate certificates
before. This page[1] says that C3G3 certs are not frequently used
except for client certificates... is that what you've got?

[1] http://www.verisign.com/support/roots.html

> I'm sorry but I come from the Apache world and I'm pretty new to
> Tomcat. Also I have inherited this server and the configuration is
> messy.

When you use Java, you generally have to work with keystores. It's
just a file full of keys and certificates. Think of a Java keystore as
all of the following httpd directives mashed together into a single
binary entity:

  SSLCertificateKeyFile
  SSLCertificateFile
  SSLCertificateChainFile
  SSLCACertificateFile

Also, you have to use an "alias" that Tomcat uses (it's "tomcat") as
the alias for the certificate to actually use for the server (as
opposed to any other certificates you might have in the keystore).

> Maybe I'm wrong but should I add the CAcert somewhere in the SSL
> connector?

There's no place to do that: the whole chain must be in the keystore,
including the CA root all the way down to your own certificate. You
may be able to get away with not having the very top-root CA
certificate... I haven't worked too much with Java keystores so it's
possible that there is a set of root, trusted certificates that are
inherited by all keystores, but there are many ways to
create/configure a ServerSocketFactory, so it's probably possible to
set one up both with or without that globally-recognized set of root
CA certs (i.e. those trusted by the JVM implicitly).

If you are getting this error in Javamelody, then you need to
configure Javamelody properly -- this isn't a Tomcat thing if web
browsers can connect properly to Tomcat via HTTPS.

-chris
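The keystore-as-merged-httpd-directives idea from the message above, as an added example that is not part of the original post: it packs a key, a certificate and its chain into a single PKCS#12 keystore under the alias "tomcat" and reads the result back. It assumes OpenSSL is installed and that the Connector loads the file with keystoreType="PKCS12" rather than as a JKS file; the PKI, file names and the password "changeit" are constructed for the demo.

```shell
#!/bin/sh
# Added example: pack httpd-style PEM files into one PKCS#12 keystore for Tomcat.
# All file names, subjects and the password "changeit" are constructed samples.

# make_demo_pki DIR: throwaway root CA plus a server key/cert signed by it.
make_demo_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/server.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/server.crt" 2>/dev/null
}

# build_keystore KEY CERT CHAIN OUT PASS
#   KEY   ~ SSLCertificateKeyFile, CERT ~ SSLCertificateFile,
#   CHAIN ~ SSLCertificateChainFile (intermediates, optionally the root).
# -name sets the PKCS#12 friendlyName, which Java exposes as the entry's alias.
build_keystore() {
    openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
        -name tomcat -out "$4" -passout "pass:$5"
}

# keystore_alias FILE PASS: alias attached to the server (leaf) certificate.
keystore_alias() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        sed -n 's/^ *friendlyName: //p' | head -n 1
}

# keystore_cert_count FILE PASS: certificates stored (leaf plus chain).
keystore_cert_count() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null |
        grep -c 'BEGIN CERTIFICATE'
}

# Demo run on the constructed PKI.
demo_dir=$(mktemp -d)
make_demo_pki "$demo_dir"
build_keystore "$demo_dir/server.key" "$demo_dir/server.crt" "$demo_dir/ca.crt" \
    "$demo_dir/keystore.p12" changeit
echo "alias: $(keystore_alias "$demo_dir/keystore.p12" changeit)"
echo "certs: $(keystore_cert_count "$demo_dir/keystore.p12" changeit)"
```

A certificate count lower than the length of the issued chain means an intermediate was left out of the file passed as CHAIN.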