tomcat-users mailing list archives

From Christopher Schultz
Subject Re: Resolution, Re: Help! Tomcat crashing on takeoff
Date Mon, 05 Jan 2015 22:33:58 GMT

On 1/5/15 11:37 AM, James H. H. Lampert wrote:
> People on both the Tomcat and Java400-L Lists nailed the problem:
> it turned out to be a PTF issue.

For those playing along at home: PTF = "Program Temporary Fix". It's
IBM's term for "patch", which just means that "having one's PTFs fully
in order" means "up-to-date on all patches".

> Once the customer got the box's PTFs fully in order, Tomcat started
> up without a problem, a self-signed certificate brought up their
> SSL, and our WAR file uploaded and deployed normally.
> They still need to fix their firewall to plumb at least one more
> port to the outside world, and of course, they need to get their
> certificate signed by a well-known CA, but other than that, they
> seem to be fine now.

Glad to hear it. Any idea what the missing PTF(s) actually covered?

> One observation: it seems that for some reason, while Keystore
> Explorer (on my Mac) seems to work at least as well as Keytool for
> most keystore operations, for some reason, Java keystores that
> *originate* in Keystore Explorer get rejected (at least by Tomcat
> running on IBM Midrange boxes), whereas those originating in Keytool
> work just fine (but Keytool, for some reason, doesn't seem to work
> at all on IBM Midrange boxes). Puzzling.

Does keytool show the same contents for both keystores -- the one
originating from within Keystore Explorer and the one created
initially using keytool?

I've had limited success using portecle -- you might try that as an
independent third-party for looking at the contents of the keystore files.

Honestly, I find the whole keystore thing to be a good idea, but one
that often seriously blurs the lines between what various things are.
When you use keytool to create a new server key, it automatically
creates a certificate paired with that key. In order to create a CSR
in "keytool", you use "certreq" but you can only create a CSR for an
existing certificate. Finally, when you get the certificate signed by
a CA, you import it into your keystore and it either overwrites or
aliases the existing certificate (I don't feel like going through all
the motions to check it all right now to see how it works). I like
being able to do things like have each artifact in a separate file and
use them separately.

-chris