SSL setup question
I'm having a problem setting up SSL with Tomcat. The situation is this: I have a system running IBM's Netcool/Portal software. We added SSL to the Portal a while back. I created a certificate for the machine. However, Netcool/Portal does not create a keystore file - you simply copy the certificate as a text file into a specific directory and it works from there. Netcool/Portal has its own version of the JDK.

Now, on the same machine, I have installed a current JDK (v1.6) and my own installation of Tomcat (v6.0.16). Runs just fine on port 8080. I want to add SSL capability to the Tomcat setup so I can talk to it using https.

I created a keystore file using the certificate we generated for Netcool, as follows:

    keytool -importcert -v -trustcacerts -alias tomcat -keystore path_to_keystore/keystore.kdb -file /opt/netcool/portal/path_to_cert/server.crt

Then,

    keytool -list -keystore ./keystore.kdb
    Enter keystore password:

    Keystore type: JKS
    Keystore provider: SUN

    Your keystore contains 1 entry

    tomcat, Nov 20, 2008, trustedCertEntry,
    Certificate fingerprint (MD5): 11:87:A8:7C:BB:55:AC:68:46:34:4F:45:7D:62:9C:AF

So I have a keystore.

I set up the tomcat server.xml file:

    <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true" clientAuth="false"
               keystoreFile="/usr/path_to_keystore/keystore.kdb" keystorePass="password"
               sslProtocol="TLS" />

And when I start Tomcat, I get an infinite loop in the log file that looks like:

    Nov 20, 2008 1:40:17 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080
    Nov 20, 2008 1:40:17 PM org.apache.coyote.http11.Http11Protocol init
    INFO: Initializing Coyote HTTP/1.1 on http-7443
    Nov 20, 2008 1:40:17 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 886 ms
    Nov 20, 2008 1:40:17 PM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Nov 20, 2008 1:40:17 PM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/6.0.16
    Nov 20, 2008 1:40:18 PM com.sun.faces.config.ConfigureListener contextInitialized
    INFO: Initializing Sun's JavaServer Faces implementation (1.2_04-b20-p03) for context '/NCAdmin'
    Nov 20, 2008 1:40:20 PM org.apache.catalina.core.StandardContext addApplicationListener
    INFO: The listener listeners.ContextListener is already configured for this context. The duplicate definition has been ignored.
    Nov 20, 2008 1:40:20 PM org.apache.catalina.core.StandardContext addApplicationListener
    INFO: The listener listeners.SessionListener is already configured for this context. The duplicate definition has been ignored.
    Nov 20, 2008 1:40:20 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-8080
    Nov 20, 2008 1:40:20 PM org.apache.coyote.http11.Http11Protocol start
    INFO: Starting Coyote HTTP/1.1 on http-7443
    Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
    SEVERE: Socket accept failed
    java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
            at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
            at java.lang.Thread.run(Thread.java:619)
    Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
    SEVERE: Socket accept failed
    java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
            at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
            at java.lang.Thread.run(Thread.java:619)
    Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
    SEVERE: Socket accept failed
    java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
            at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:150)
            at org.apache.tomcat.util.net.JIoEndpoint$Acceptor.run(JIoEndpoint.java:310)
            at java.lang.Thread.run(Thread.java:619)
    Nov 20, 2008 1:40:20 PM org.apache.tomcat.util.net.JIoEndpoint$Acceptor run
    SEVERE: Socket accept failed

I'm not an SSL expert, so I'm not sure where to look. Am I missing an intermediate certificate somewhere? Or have I configured the keystore incorrectly? I'd appreciate any pointers or suggestions for getting this running.

Thanks very much,
nbc

NAME: Neil B. Cohen (Verisign Inc.)
PHONE: 703-948-4471
DOMAIN: [EMAIL PROTECTED]
Re: SSL setup question
The infinite loop is fixed in 6.0.18. The system will still not start, since the JVM you're running with doesn't support the type of cipher that your keystore is trying to use.

Search http://tomcat.markmail.org for the same error, it's been answered before.

Filip
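As an added illustration (not part of Neil's post or Filip's reply): a small preflight check that reads the keytool listing and the HTTPS Connector from the thread and reports why the handshake cannot succeed. The keystore listing shows only a trustedCertEntry, which is a certificate imported without its private key, so the server has nothing to sign the handshake with. The sample inputs are constructed from the values in the post; the keyAlias handling reflects the Tomcat 6 behaviour of using the named alias when set and otherwise any private key entry.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample: the `keytool -list` output from the post. Its only entry
# is a trustedCertEntry, i.e. a certificate imported without its private key.
KEYTOOL_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

tomcat, Nov 20, 2008, trustedCertEntry,
Certificate fingerprint (MD5): 11:87:A8:7C:BB:55:AC:68:46:34:4F:45:7D:62:9C:AF
"""

# Constructed sample: the HTTPS Connector from the post's server.xml.
SERVER_XML = """\
<Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="/usr/path_to_keystore/keystore.kdb"
           keystorePass="password" sslProtocol="TLS" />
"""

# keytool prints one line per entry: "<alias>, <date>, <entryType>,"
ENTRY_RE = re.compile(r"^(?P<alias>[^,\n]+), .*?, "
                      r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry)", re.M)

def parse_keytool_listing(text):
    """Map alias -> entry type from non-verbose `keytool -list` output."""
    return {m.group("alias").strip(): m.group("kind") for m in ENTRY_RE.finditer(text)}

def ssl_connectors(server_xml):
    """Attributes of every Connector with SSLEnabled="true" (root element included)."""
    root = ET.fromstring(server_xml)
    return [c.attrib for c in root.iter("Connector") if c.get("SSLEnabled", "").lower() == "true"]

def diagnose(connector, entries):
    """Return why this Connector cannot serve TLS; a server needs a PrivateKeyEntry (empty = OK)."""
    problems = []
    alias = connector.get("keyAlias")  # if set, that alias must hold the private key
    if alias is not None:
        kind = entries.get(alias)
        if kind != "PrivateKeyEntry":
            problems.append(f"keyAlias {alias!r} is {kind or 'missing'}, not a PrivateKeyEntry")
    elif "PrivateKeyEntry" not in entries.values():  # no alias: any private key would do
        problems.append("keystore has no PrivateKeyEntry: a trustedCertEntry is a "
                        "certificate without its private key, so the server has nothing to sign with")
    return problems
```

Run against the constructed samples, `diagnose` reports the missing private key for port 7443; the fix on the keystore side is a key pair generated in the keystore with its signed certificate imported under that same alias, not a bare certificate import.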