tomcat-users mailing list archives

From Miguel González Castaños <miguel_3_gonza...@yahoo.es>
Subject Re: Javamelody and Struts
Date Fri, 27 Apr 2012 21:11:14 GMT
On 26/04/2012 15:51, Christopher Schultz wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Miguel,
>
> On 4/26/12 5:58 AM, Miguel González Castaños wrote:
>> On 26/04/2012 03:58, Christopher Schultz wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>> Miguel,
>>>
>>> On 4/25/12 6:24 PM, Miguel González Castaños wrote:
>>>>> Please post your SSL <Connector> configuration (cleansed of
>>>>> any passwords).
>> By the way, double checking the info from my web browser I get this
>> is a verisign class 3 secure server G3
> It looks like you were using the "EV" intermediate certificates
> before. This page[1] says that C3G3 certs are not frequently used
> except for client certificates... is that what you've got?
>
> [1] http://www.verisign.com/support/roots.html
>
>> I'm sorry but I come from the Apache world and I'm pretty new to
>> Tomcat. Also I have inherited this server and the configuration is
>> messy.
> When you use Java, you generally have to work with keystores. It's
> just a file full of keys and certificates. Think of a Java keystore as
> all of the following httpd directives mashed together into a single
> binary entity:
>
>    SSLCertificateKeyFile
>    SSLCertificateFile
>    SSLCertificateChainFile
>    SSLCACertificateFile
>
> Also, you have to use an "alias" that Tomcat uses (it's "tomcat") as
> the alias for the certificate to actually use for the server (as
> opposed to any other certificates you might have in the keystore).
>
>> Maybe I'm wrong but should I add the CAcert somewhere in the SSL
>> connector?
> There's no place to do that: the whole chain must be in the keystore,
> including the CA root all the way down to your own certificate. You
> may be able to get away with not having the very top-root CA
> certificate... I haven't worked too much with Java keystores so it's
> possible that there is a set of root, trusted certificates that are
> inherited by all keystores, but there are many ways to
> create/configure a ServerSocketFactory, so it's probably possible to
> set one up both with or without that globally-recognized set of root
> CA certs (i.e. those trusted by the JVM implicitly).
>
> If you are getting this error in Javamelody, then you need to
> configure Javamelody properly -- this isn't a Tomcat thing if web
> browsers can connect properly to Tomcat via HTTPS.
Thanks for your answers, they have led me to (partly) the solution.

I found some clues here:

http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&taskId=110&prodSeriesId=4164840&prodTypeId=18964&objectID=c03023432

I didn't have to add the certificate to the Tomcat keystore, but to the
Java keystore of the JRE.

Now I get a Javamelody error reporting the app hasn't been configured to
use Javamelody, so no more SSL handshake errors.

Many thanks,

Miguel


