Subject: Re: enable SSL for Tomcat
From: Daniel Mikusa
Date: Wed, 4 Dec 2013 08:14:40 -0500
Message-Id: <7940BC92-7D7F-4DAD-B2B3-2F2AA10FBF44@gopivotal.com>
References: <529F182F.6070505@gmail.com>
To: "Tomcat Users List"

On Dec 4, 2013, at 7:40 AM, Sivakumar_Balaguru@contractor.amat.com wrote:

> Hi Ognjen,
>
> I have tried this as well.
>
> I have generated a new keystore. By default, keytool generates a keystore with a private key.

Good. You're halfway there.

> I have imported the trusted signed certificate to this keystore.

Huh? Which signed certificate? The one that you had generated using the MS tool? If so, that's not going to work. You need to generate a new CSR based on the keystore's private cert and get a new signed certificate from your CA. Then import the new signed cert into your keystore.

Dan

> But Tomcat is using the unsigned key/certificate which has been generated by default with keytool.
>
> The domain is not trusting this certificate as it is a private self-signed certificate, not the trusted one, and SSL is not accomplished.
>
> As an alternative, I have deleted the self-signed private key from the keystore so that the keystore contains only one certificate, which is signed by the certificate authority (Entrust).
>
> This couldn't help me in enabling SSL.
>
> Regards!!
> Siva Kumar Balaguru
> SME | Identity, Security Access and Messaging Services (ISAMS) | Applied Materials India Pvt. Ltd. | Chennai | India
>
> -----Original Message-----
> From: Ognjen Blagojevic [mailto:ognjen.d.blagojevic@gmail.com]
> Sent: Wednesday, December 04, 2013 5:25 PM
> To: Tomcat Users List
> Subject: Re: enable SSL for Tomcat
>
> Sivakumar,
>
> On 4.12.2013 12:11, Sivakumar_Balaguru@contractor.amat.com wrote:
>> I need to enable SSL for Tomcat on a Windows Server 2008. I have
>> generated a certificate using the CSR generated by this command:
>> certreq -new request.inf request.req
> (...)
>> I have imported this certificate to CACERTS using keytool and uncommented the connector configuration in servers.xml in the APACHE conf folder.
>
> You used the Microsoft tool (certreq) to generate the private key and CSR, and the Java tool (keytool) to import the certificate into a Java keystore. That is your problem.
>
> You need to, *either*:
>
> 1. Start from the beginning: Use Java keytool to generate the private key in a Java keystore, to create the CSR, and to import the certificate into that SAME Java keystore.
> You should not use the "cacerts" file as your keystore, but another file for that purpose (e.g. c:\users\sivakumar\server.jks).
>
> 2. Reuse what you have so far: Find where certreq stored the private key; export the private key; import the private key and certificate into a PKCS keystore; convert the PKCS keystore into a new keystore in JKS format.
>
> You should consider which one is easier for you, and then we can help you along the way.
>
>> <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol" SSLEnabled="true" keystoreFile="C:\Program Files\Java\jre7\lib\security\CACERTS" keystorePass="changeit" maxThreads="300" scheme="https" secure="true" clientAuth="false" sslProtocol="TLS" />
>
> Whatever you do, you will have to change the keystoreFile attribute from "C:\Program Files\Java\jre7\lib\security\CACERTS" to e.g. "c:\users\sivakumar\server.jks".
>
>> I didn't find any error on startup of Tomcat but still SSL is not enabled.
>
> That is strange. What you described would result in the cacerts file containing the server certificate without the private key. Therefore I would expect Tomcat to complain about the inability to find the private key.
>
> Either way, the cacerts file is not the right place to store the server private key and certificate. That file should contain only certificates from trusted CAs.
>
> -Ognjen
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
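Ognjen's option 1 (key pair, CSR and CA reply all in one keystore rather than cacerts) plus a check for the state Siva describes, as an added example that is not code from the thread or from Tomcat. The names server.jks, alias tomcat, ca-chain.pem, server.pem and $PASS are assumptions, and check_listing reads `keytool -list -v` output on stdin rather than opening the keystore itself.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: server.jks, alias
# "tomcat", keystore password in $PASS, CA chain ca-chain.pem, CA reply server.pem.
KEYSTORE=${KEYSTORE:-server.jks}; ALIAS=${ALIAS:-tomcat}; PASS=${PASS:-changeit}
# Option 1 from the thread: key pair, CSR and CA reply all in ONE keystore, never
# cacerts. Importing the reply under the SAME alias as the key entry attaches it
# to the private key (a different alias only adds a trustedCertEntry, and Tomcat
# keeps serving the self-signed cert); keytool rejects a reply whose public key
# does not match the entry, which is the case for a cert issued to a certreq key.
# request.csr is what you hand to the CA; server.pem is what it sends back.
keystore_workflow() {                     # $1 = server host name, used as CN
  keytool -genkeypair -alias "$ALIAS" -keyalg RSA -keysize 2048 -validity 365 \
    -keystore "$KEYSTORE" -storepass "$PASS" -keypass "$PASS" -dname "CN=$1" &&
  keytool -certreq -alias "$ALIAS" -keystore "$KEYSTORE" -storepass "$PASS" \
    -file request.csr &&
  keytool -importcert -alias ca-chain -trustcacerts -noprompt \
    -keystore "$KEYSTORE" -storepass "$PASS" -file ca-chain.pem &&
  keytool -importcert -alias "$ALIAS" -trustcacerts \
    -keystore "$KEYSTORE" -storepass "$PASS" -file server.pem
}
# Diagnostic: pipe `keytool -list -v -keystore server.jks` output in on stdin.
# Exit 0 = PrivateKeyEntry whose leaf is CA-signed; 1 = key entry still carries
# the self-signed cert; 2 = alias absent or present only as a trustedCertEntry.
check_listing() {                         # $1 = alias to inspect
  awk -v want="$1" '
    /^Alias name: / { inblk = (substr($0, 13) == want); next }
    !inblk          { next }
    /^Entry type: / { found = 1; keyentry = ($0 ~ /PrivateKeyEntry/); next }
    /^Owner: /  && owner  == "" { owner  = substr($0, 8); next }
    /^Issuer: / && issuer == "" { issuer = substr($0, 9) }
    END {
      if (!found)    { print "alias " want " not in keystore"; exit 2 }
      if (!keyentry) { print want " has no private key (trustedCertEntry only)"; exit 2 }
      if (owner == issuer) { print "leaf is still self-signed: CA reply not imported"; exit 1 }
      print "OK: private key entry with leaf issued by " issuer
    }'
}
# Constructed, abridged `keytool -list -v` output for a correctly built keystore.
sample_good() { cat <<'EOF'
Alias name: tomcat
Entry type: PrivateKeyEntry
Owner: CN=www.example.com, O=Example
Issuer: CN=Example Issuing CA, O=Example
Alias name: ca-chain
Entry type: trustedCertEntry
Owner: CN=Example Issuing CA, O=Example
Issuer: CN=Example Issuing CA, O=Example
EOF
}
sample_good | check_listing "$ALIAS"
```

Against a real keystore, run `keytool -list -v -keystore server.jks -storepass "$PASS" | check_listing tomcat`; an exit of 1 is the "Tomcat still serves the self-signed cert" case from the thread.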