tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: Resolution, Re: Help! Tomcat crashing on takeoff
Date Mon, 05 Jan 2015 22:33:58 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

James,

On 1/5/15 11:37 AM, James H. H. Lampert wrote:
> People on both the Tomcat and Java400-L Lists nailed the problem:
> it turned out to be a PTF issue.

For those playing-along at home: PTF = "Program Temporary Fix". It's
IBM's term for "patch", which just means that "having one's PTFs fully
in order" means "up-to-date on all patches".

> Once the customer got the box's PTFs fully in order, Tomcat started
> up without a problem, a self-signed certificate brought up their
> SSL, and our WAR file uploaded and deployed normally.
> 
> They still need to fix their firewall to plumb at least one more
> port to the outside world, and of course, they need to get their
> certificate signed by a well-known CA, but other than that, they
> seem to be fine now.

Glad to hear it. Any idea what the missing PTF(s) actually covered?

> One observation: it seems that for some reason, while Keystore
> Explorer (on my Mac) seems to work at least as well as Keytool for
> most keystore operations, for some reason, Java keystores that
> *originate* in Keystore Explorer get rejected (at least by Tomcat
> running on IBM Midrange boxes), whereas those orignating in Keytool
> work just fine (but Keytool, for some reason, doesn't seem to work
> at all on IBM Midrange boxes). Puzzling.

Does keytool show the same contents for both keystores -- the one
originating from within Keystore Explorer and the one created
initially using keytool?

I've had limited success using portecle -- you might try that as an
independent third-party for looking at the contents of the keystore files.

Honestly, I find the whole keystore thing to be a good idea, but one
that often seriously blurs the lines between what various things are.
When you use keytool to create a new server key, it automatically
creates a certificate paired with that key. In order to create a CSR
in "keytool", you use "certreq" but you can only create a CSR for an
existing certificate. Finally, when you get the certificate signed by
a CA, you import it into your keystore and it either overwrites or
aliases the existing certificate (I don't feel like going through all
the motions to check it all right now to see how it works). I like
being able to do things like have each artifact in a separate file and
use them separately.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1
Comment: GPGTools - http://gpgtools.org

iQIcBAEBCAAGBQJUqxFWAAoJEBzwKT+lPKRYSNUQALCCyrW2QyUgKt6xb/PDoWTc
waIhBxgA0L9q67CPaYEHY5PSHbdWkqX7jOGFsBNVbGNqlUhyU8xJWZLPYi8Zy9aF
Yg8V+6N48YMXdHP703z9qHSWIMNP1peuOAUFuZTotlxoBjgcZTi/ggC+CWRh9XK9
dFIXvNIWJGs+AKDEWi4dOA7mGz/vDoiXHdcrfgExw9s+XgpQEhb1WmobuCAd0DWJ
UBimm7pWfjT338PnA+jFKZGzGKQu2wAnt0VmwayUQXoWWK8nrEqJEyZch1wNBJuL
5k2RbAogVYzoVGim+HwqBsBeyH0TnL6qL7Tqvl8hamAgg4wb4G/AVWLFpJTK2OTP
zObMHl8AwVN4ywyEqpTDHxvFQwtwyV8P0fVcDDOoQe28pjKJ68MpWkHT0lTySqFc
w3xvPIUXcXLfZ4QHIz2r8YmPJ2J2SjQ2BQ5tVQtp7+AdxmUX1c/uD9E3prUa22ZH
mSSqYWJGmxPPWE3cWfjkgHxEtSAULrzupBCXqFIZ+wfmB6Qim+CuXA7SkKE57jh9
RyRNAO5xvKVMcZmaDqLbSHXBb2BWQZrpdDo8hVTt8/2tavVqXuhNsVb9/zYzoWaz
tHemQguoN61NorKwWPeGq0xiCYam/+EXYrIk0+d9Q2QRNuqE1j8wfyYorEmh0kZY
/2O6Q5FeDRakZlnoOZb5
=iPFJ
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message