Re: Yup, SSL question

2001-10-18 Thread Steve Best



Nevermind, I have found the keystore and have 
imported the certificate. I believe my problems now have to do with our 
clustering/load balancing configuration. We are currently using an Alteon 
Acedirector 3 for our load balancer. We are also using clustering to 
maintain sessions. I think the error I have been getting:

"Error listening to SSLServerSocket: No available 
certificate corresponds to the SSL cipher suites which are 
enabled."

is because our certificate is for our virtual IP, 
and not for our local machine, and therefore Orion is unable to load the 
certificate correctly because it isn't for the local host. The question is, 
how do I configure Orion to load a certificate for our virtual site? Here 
is my configuration, with some entries modified to protect the 
innocent:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
  <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
  <ssl-config keystore="../keys/keystore" keystore-password="123456" />
  <frontend host="virtual.simpledevices.com" port="443"/>
  <access-log path="../log/sms-web-access.log" />
</web-site>

I have tried setting the web-site host="[ALL]", but 
I get an error saying I cannot cluster with that configuration. Though I 
no longer get the SSLServerSocket error.

Thanks for any help,
Steve


  - Original Message - 
  From: Steve Best
  To: Orion-Interest
  Sent: Wednesday, October 17, 2001 3:43 PM
  Subject: Yup, SSL question
  
  So, I do not have the original keystore file 
  generated during the certificate request, but I have the original certificate 
  request private key file, as well as the certificate file from Thawte. 
  How do I get them both into a working keystore? 
  
  Steve


RE: Yup, SSL question

2001-10-18 Thread The elephantwalker



use a 
virtual-hosts attribute in your web-site tag...I also use the EXACT ip address 
in host:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" virtual-host="secure.simpledevices.com or whatever the ssl certificate supports" display-name="SMS WebSite">


regards,

the 
elephantwalker
www.elephantwalker.com

P.S. I am glad your Alteon load balancer works, because the orion loadbalancer.jar 
can't use ssl ;(...it's broken in 1.5.2. My main question is ... aren't you using 
Alteon as your ssl accelerator...and if so, why are the backends in 
ssl?


  -Original Message-
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Best
  Sent: Thursday, October 18, 2001 11:36 AM
  To: Orion-Interest
  Subject: Re: Yup, SSL question
  Nevermind, I have found the keystore and have 
  imported the certificate. I believe my problems now have to do with our 
  clustering/load balancing configuration. We are currently using an 
  Alteon Acedirector 3 for our load balancer. We are also using clustering 
  to maintain sessions. I think the error I have been 
getting:
  
  "Error listening to SSLServerSocket: No available 
  certificate corresponds to the SSL cipher suites which are 
  enabled."
  
  is because our certificate is for our virtual IP, 
  and not for our local machine, and therefore Orion is unable to load the 
  certificate correctly because it isn't for the local host. The question 
  is, how do I configure Orion to load a certificate for our virtual site? 
  Here is my configuration, with some entries modified to protect the 
  innocent:
  
  <web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
    <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
    <ssl-config keystore="../keys/keystore" keystore-password="123456" />
    <frontend host="virtual.simpledevices.com" port="443"/>
    <access-log path="../log/sms-web-access.log" />
  </web-site>
  
  I have tried setting the web-site host="[ALL]", 
  but I get an error saying I cannot cluster with that configuration. 
  Though I no longer get the SSLServerSocket error.
  
  Thanks for any help,
  Steve
  
  
- Original Message - 
From: Steve Best
To: Orion-Interest
Sent: Wednesday, October 17, 2001 3:43 PM
Subject: Yup, SSL question

So, I do not have the original keystore file 
generated during the certificate request, but I have the original 
certificate request private key file, as well as the certificate file from 
Thawte. How do I get them both into a working keystore? 


Steve


Fw: Yup, SSL question

2001-10-18 Thread Steve Best




- Original Message - 
From: Steve Best
To: Orion-Interest 
Sent: Thursday, October 18, 2001 11:35 AM
Subject: Re: Yup, SSL question

Nevermind, I have found the keystore and have 
imported the certificate. I believe my problems now have to do with our 
clustering/load balancing configuration. We are currently using an Alteon 
Acedirector 3 for our load balancer. We are also using clustering to 
maintain sessions. I think the error I have been getting:

"Error listening to SSLServerSocket: No available 
certificate corresponds to the SSL cipher suites which are 
enabled."

is because our certificate is for our virtual IP, 
and not for our local machine, and therefore Orion is unable to load the 
certificate correctly because it isn't for the local host. The question is, 
how do I configure Orion to load a certificate for our virtual site? Here 
is my configuration, with some entries modified to protect the 
innocent:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
  <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
  <ssl-config keystore="../keys/keystore" keystore-password="123456" />
  <frontend host="virtual.simpledevices.com" port="443"/>
  <access-log path="../log/sms-web-access.log" />
</web-site>

I have tried setting the web-site host="[ALL]", but 
I get an error saying I cannot cluster with that configuration. Though I 
no longer get the SSLServerSocket error.

Thanks for any help,
Steve


  - Original Message - 
  From: Steve Best
  To: Orion-Interest
  Sent: Wednesday, October 17, 2001 3:43 PM
  Subject: Yup, SSL question
  
  So, I do not have the original keystore file 
  generated during the certificate request, but I have the original certificate 
  request private key file, as well as the certificate file from Thawte. 
  How do I get them both into a working keystore? 
  
  Steve


Re: Yup, SSL question

2001-10-18 Thread Greg Matthews



sorry if i'm off track here??, but last time i 
checked, orion couldn't cluster + SSL at the same time.

i think it's orion bugzilla defect 525 from 
memory, since i spent some time investigating it. i think elephantwalker is a 
bit of an expert on this particular issue.

you can cluster, and you can setup SSL, but just 
not at the same time.


  - Original Message - 
  From: Steve Best
  To: Orion-Interest
  Sent: Friday, October 19, 2001 4:35 AM
  Subject: Re: Yup, SSL question
  
  Nevermind, I have found the keystore and have 
  imported the certificate. I believe my problems now have to do with our 
  clustering/load balancing configuration. We are currently using an 
  Alteon Acedirector 3 for our load balancer. We are also using clustering 
  to maintain sessions. I think the error I have been 
getting:
  
  "Error listening to SSLServerSocket: No available 
  certificate corresponds to the SSL cipher suites which are 
  enabled."
  
  is because our certificate is for our virtual IP, 
  and not for our local machine, and therefore Orion is unable to load the 
  certificate correctly because it isn't for the local host. The question 
  is, how do I configure Orion to load a certificate for our virtual site? 
  Here is my configuration, with some entries modified to protect the 
  innocent:
  
  <web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
    <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
    <ssl-config keystore="../keys/keystore" keystore-password="123456" />
    <frontend host="virtual.simpledevices.com" port="443"/>
    <access-log path="../log/sms-web-access.log" />
  </web-site>
  
  I have tried setting the web-site host="[ALL]", 
  but I get an error saying I cannot cluster with that configuration. 
  Though I no longer get the SSLServerSocket error.
  
  Thanks for any help,
  Steve
  
  
    - Original Message - 
    From: Steve Best
    To: Orion-Interest
    Sent: Wednesday, October 17, 2001 3:43 PM
    Subject: Yup, SSL question

So, I do not have the original keystore file 
generated during the certificate request, but I have the original 
certificate request private key file, as well as the certificate file from 
Thawte. How do I get them both into a working keystore? 


Steve


Yup, SSL question

2001-10-17 Thread Steve Best



So, I do not have the original keystore file 
generated during the certificate request, but I have the original certificate 
request private key file, as well as the certificate file from Thawte. How 
do I get them both into a working keystore? 

Steve


RE: SSL Question: Possibly Offtopic

2001-05-22 Thread Smith Jason

You might be able to use a SSL terminator. 

In this case, a separate machine acts as a proxy to your sites and handles
SSL for you. The ssl load is handled by the proxy machine and your web
servers are somewhat protected. 

This is commonly used when you want to use SSL, and you still want your
Intrusion Detection System (IDS) to be able to read the traffic. SSL between
the client and terminator, clear text between the terminator - IDS - web
server.

You MIGHT be able to use the tunnel servlet and ssl to do this. 

/Jason

-Original Message-
From: John McGowan [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 3:57 PM
To: Orion-Interest
Subject: SSL Question: Possibly Offtopic


Is it possible to set up two different sites using Orion with only 1 IP
address, and set up SSL for each of them.  I didn't have any problems
setting up the two non-secure virtual hosts, but when I tried to setup
up SSL virtual hosts, I couldn't get the server to send the right
Certificates.

Is this even possible?

Is there some SSL limitation that only allows 1 Certificate per IP
address?

/John




SSL Question: Possibly Offtopic

2001-05-21 Thread John McGowan

Is it possible to set up two different sites using Orion with only 1 IP
address, and set up SSL for each of them.  I didn't have any problems
setting up the two non-secure virtual hosts, but when I tried to setup
up SSL virtual hosts, I couldn't get the server to send the right
Certificates.

Is this even possible?

Is there some SSL limitation that only allows 1 Certificate per IP
address?

/John




Re: SSL Question: Possibly Offtopic

2001-05-21 Thread James Fairbairn

 Is there some SSL limitation that only allows 1 Certificate per IP
 address?
Yes, or at least that's my understanding. The SSL negotiation is done before
the Host: header can be sent.

James





Re: SSL question

2000-10-15 Thread Karl Avedal

Hello,

Yeah, that's a good text, I'll add it. Thanks Mike!

Regards,
Karl Avedal

David Ekholm wrote:

 That's what I call an answer! It explained a lot. Orion guys, please add that
 to your SSL howto.
 You can also retrieve a cert+CAcert already chained right from Thawte.
 Select an SSL type test cert and also check the chaining setting on the web
 page for test cert generation.
 /David

 - Original Message -
 From: Mike Atkin [mailto:[EMAIL PROTECTED]]
 To: "Orion-Interest" [EMAIL PROTECTED]
 Subject: SSL question

 The problem with the first command is that keytool can't find the root ca
 certificates in your keystore and therefore can't build up the certificate
 chain from your server key to the trusted root certificate authority.  With
 the second example, keytool is using the system keystore and can locate the
 root ca  certs in jdk-dir/jre/lib/security/cacerts.

 When I created my keystore I used a certificate from bt trustwise which is
 an intermediate ca so I had yet another cert to add.  The commands went
 something like this (assume keystore does not yet exist):

 keytool -keystore keystore -import -alias cacert -file cacert.cer
 keytool -keystore keystore -import -alias intercert -file inter.cer  // Only
 need this if you are using an intermediate signing authority like BT
 Trustwise
 keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
 keytool -keystore keystore -certreq -file my.host.com.csr

 Get cert from csr then:
 keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

 That should be that.  You can do a keytool -keystore keystore -v -list and
 check that a cert chain has been built.

 You can probably get round your problem just by importing the ca certs into
 your keystore and then trying to re-add your server cert.

 HTH

 Mike





Re: SSL question

2000-10-13 Thread Mike Atkin


- Original Message -
From: "Kit" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Sent: Thursday, October 12, 2000 4:54 PM
Subject: SSL question



 Hi all

 I have a problem using the command below.

 keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file
my.host.com.cer

 I get this error:

 keytool error: Failed to establish chain from reply


 But, this command worked fine

 keytool -import -trustcacerts -file my.host.com.cer



 Is there any problem using the second command, since it's missing some
 arguments as indicated in the ssl-how-to documentation.

 Thanks

 -kit



The problem with the first command is that keytool can't find the root ca
certificates in your keystore and therefore can't build up the certificate
chain from your server key to the trusted root certificate authority.  With
the second example, keytool is using the system keystore and can locate the
root ca  certs in jdk-dir/jre/lib/security/cacerts.

When I created my keystore I used a certificate from BT Trustwise which is
an intermediate CA so I had yet another cert to add.  The commands went
something like this (assume keystore does not yet exist):

keytool -keystore keystore -import -alias cacert -file cacert.cer
keytool -keystore keystore -import -alias intercert -file inter.cer
    (only needed if you are using an intermediate signing authority like BT Trustwise)
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
keytool -keystore keystore -certreq -file my.host.com.csr

Get cert from csr then:
keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

That should be that.  You can do a keytool -keystore keystore -v -list and
check that a cert chain has been built.

You can probably get round your problem just by importing the ca certs into
your keystore and then trying to re-add your server cert.

HTH

Mike
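The step that produces Kit's "Failed to establish chain from reply" is keytool walking from the reply certificate up its issuers until it reaches a trusted self-signed root, and giving up if any link is missing from the trust set it is searching. The following is an added example, not code from the Orion list or from keytool itself: a simplified model of that walk (real keytool also verifies each signature; this only follows subject/issuer names) run over constructed certificate names. It reproduces the two situations in this thread: an empty application keystore versus the system cacerts file, and Mike's sequence of importing the root, then the intermediate, then the reply.

```python
"""Simplified model of the chain-building step keytool performs when importing
a CA reply (added example, not code from the Orion list or from keytool).
Real keytool verifies signatures; this model only follows subject/issuer names,
which is enough to show why a reply cannot be imported until every CA
certificate above it is present in the trust set being searched.
All certificate names below are constructed."""
from dataclasses import dataclass

KEYTOOL_ERROR = "Failed to establish chain from reply"


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str  # equal to subject for a self-signed root


class ChainError(Exception):
    """Raised where keytool would print 'keytool error: ...'."""


def build_chain(reply, trusted):
    """Return [reply, ..., root] if every issuer up to a self-signed root is
    in `trusted` (a dict subject -> Cert); otherwise raise ChainError."""
    chain = [reply]
    current = reply
    seen = set()
    while current.issuer != current.subject:
        if current.issuer in seen:  # defensive: a malformed loop of issuers
            raise ChainError(KEYTOOL_ERROR)
        seen.add(current.issuer)
        parent = trusted.get(current.issuer)
        if parent is None:  # the link keytool cannot find in the keystore
            raise ChainError(KEYTOOL_ERROR)
        chain.append(parent)
        current = parent
    # The root must itself be a trusted entry; a self-signed reply that is not
    # in the trust set proves nothing.
    if trusted.get(current.subject) != current:
        raise ChainError(KEYTOOL_ERROR)
    return chain


# Constructed hierarchy: root CA, an intermediate CA, and two server certs.
ROOT = Cert("CN=Constructed Root CA", "CN=Constructed Root CA")
INTER = Cert("CN=Constructed Intermediate CA", "CN=Constructed Root CA")
SERVER_VIA_ROOT = Cert("CN=my.host.com", "CN=Constructed Root CA")
SERVER_VIA_INTER = Cert("CN=my.host.com", "CN=Constructed Intermediate CA")

# Stands in for jdk-dir/jre/lib/security/cacerts, which ships with root CAs.
SYSTEM_CACERTS = {ROOT.subject: ROOT}


def import_reply(reply, keystore_trusted):
    """Emulate `keytool -import -file reply.cer`: the chain length on success,
    or the keytool error text on failure."""
    try:
        return len(build_chain(reply, keystore_trusted))
    except ChainError as e:
        return str(e)


def kit_scenarios():
    """Kit's two commands: a fresh private keystore holding only the server
    key pair (no CA entries), versus the system cacerts file."""
    fresh_keystore = {}
    return {
        "fresh keystore": import_reply(SERVER_VIA_ROOT, fresh_keystore),
        "system cacerts": import_reply(SERVER_VIA_ROOT, SYSTEM_CACERTS),
    }


def mike_recipe():
    """Mike's sequence: import cacert, then intercert, then the reply.
    Returns the outcome of importing the reply after each CA import."""
    keystore = {}
    outcomes = []
    keystore[ROOT.subject] = ROOT    # keytool -import -alias cacert ...
    outcomes.append(import_reply(SERVER_VIA_INTER, keystore))  # intermediate missing
    keystore[INTER.subject] = INTER  # keytool -import -alias intercert ...
    outcomes.append(import_reply(SERVER_VIA_INTER, keystore))  # chain complete
    return outcomes


if __name__ == "__main__":
    print(kit_scenarios())
    print(mike_recipe())
```

The fresh keystore fails for exactly the reason Mike gives: the server cert's issuer is not among its entries, so the walk stops at the first link. The same reply imports fine against the system cacerts because the root is there. With an intermediate CA, importing the root alone is still not enough; the intermediate has to be in the keystore before the reply, which is why Mike's recipe imports both before the server key's reply.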





RE: SSL question

2000-10-13 Thread David Ekholm

That's what I call an answer! It explained a lot. Orion guys, please add that
to your SSL howto.
You can also retrieve a cert+CAcert already chained right from Thawte.
Select an SSL type test cert and also check the chaining setting on the web
page for test cert generation.
/David

- Original Message -
From: Mike Atkin [mailto:[EMAIL PROTECTED]]
To: "Orion-Interest" [EMAIL PROTECTED]
Subject: SSL question


The problem with the first command is that keytool can't find the root ca
certificates in your keystore and therefore can't build up the certificate
chain from your server key to the trusted root certificate authority.  With
the second example, keytool is using the system keystore and can locate the
root ca  certs in jdk-dir/jre/lib/security/cacerts.

When I created my keystore I used a certificate from bt trustwise which is
an intermediate ca so I had yet another cert to add.  The commands went
something like this (assume keystore does not yet exist):

keytool -keystore keystore -import -alias cacert -file cacert.cer
keytool -keystore keystore -import -alias intercert -file inter.cer  // Only
need this if you are using an intermediate signing authority like BT
Trustwise
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
keytool -keystore keystore -certreq -file my.host.com.csr

Get cert from csr then:
keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

That should be that.  You can do a keytool -keystore keystore -v -list and
check that a cert chain has been built.

You can probably get round your problem just by importing the ca certs into
your keystore and then trying to re-add your server cert.

HTH

Mike





SSL question

2000-10-12 Thread Kit


Hi all

I have a problem using the command below.

keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer

I get this error:

keytool error: Failed to establish chain from reply


But, this command worked fine

keytool -import -trustcacerts -file my.host.com.cer



Is there any problem using the second command, since it's missing some
arguments as indicated in the ssl-how-to documentation.

Thanks

-kit





Re: SSL question

2000-10-12 Thread Sach Jobb

the first line is correct. it's telling you that this certificate does not
match the private key (which you made with -genkey first, right?) in your
keystore.

in the second one you didn't specify where your keystore is.

try this and see if you have both the private key and the certificate in
your keystore.

keytool -keystore keystore -v -list


cheers,
sach



On Thu, 12 Oct 2000, Kit wrote:

 
 Hi all
 
 I have a problem using the command below.
 
 keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer
 
 I get this error:
 
 keytool error: Failed to establish chain from reply
 
 
 But, this command worked fine
 
 keytool -import -trustcacerts -file my.host.com.cer
 
 
 
 Is there any problem using the second command, since it's missing some
 arguments as indicated in the ssl-how-to documentation.
 
 Thanks
 
 -kit
 
 





Yet Another SSL Question.

2000-10-02 Thread Sach Jobb

On the topic of keystores, is it possible to have a 128bit key and a 56bit
key installed on the same store, and have it configured as such, to allow
the client to connect at 128bit, if possible, and then fall back to 56bit
if not?


cheers,
sach