Re: Yup, SSL question
Nevermind, I have found the keystore and have imported the certificate. I believe my problems now have to do with our clustering/load balancing configuration. We are currently using an Alteon Acedirector 3 for our load balancer. We are also using clustering to maintain sessions.

I think the error I have been getting:

"Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled."

is because our certificate is for our virtual IP, and not for our local machine, and therefore Orion is unable to load the certificate correctly because it isn't for the local host. The question is, how do I configure Orion to load a certificate for our virtual site?

Here is my configuration, with some entries modified to protect the innocent:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
    <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
    <ssl-config keystore="../keys/keystore" keystore-password="123456" />
    <frontend host="virtual.simpledevices.com" port="443"/>
    <access-log path="../log/sms-web-access.log" />
</web-site>

I have tried setting the web-site host="[ALL]", but I get an error saying I cannot cluster with that configuration. Though I no longer get the SSLServerSocket error.

Thanks for any help,
Steve

- Original Message -
From: Steve Best
To: Orion-Interest
Sent: Wednesday, October 17, 2001 3:43 PM
Subject: Yup, SSL question

So, I do not have the original keystore file generated during the certificate request, but I have the original certificate request private key file, as well as the certificate file from Thawte. How do I get them both into a working keystore?

Steve
RE: Yup, SSL question
use a virtual-hosts attribute in your web-site tag...I also use the EXACT ip address in host:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" virtual-host="secure.simpledevices.com or whatever the ssl certificate supports" display-name="SMS WebSite">

regards,
the elephantwalker
www.elephantwalker.com

.ps I am glad your Alteon loadbalancer works, because the orion loadbalancer.jar can't use ssl ;(...it's broken in 1.5.2. My main question is ... aren't you using Alteon as your ssl accelerator...and if so, why are the backends in ssl?

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Steve Best
Sent: Thursday, October 18, 2001 11:36 AM
To: Orion-Interest
Subject: Re: Yup, SSL question

Nevermind, I have found the keystore and have imported the certificate. I believe my problems now have to do with our clustering/load balancing configuration. We are currently using an Alteon Acedirector 3 for our load balancer. We are also using clustering to maintain sessions.

I think the error I have been getting:

"Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled."

is because our certificate is for our virtual IP, and not for our local machine, and therefore Orion is unable to load the certificate correctly because it isn't for the local host. The question is, how do I configure Orion to load a certificate for our virtual site?

Here is my configuration, with some entries modified to protect the innocent:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
    <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
    <ssl-config keystore="../keys/keystore" keystore-password="123456" />
    <frontend host="virtual.simpledevices.com" port="443"/>
    <access-log path="../log/sms-web-access.log" />
</web-site>

I have tried setting the web-site host="[ALL]", but I get an error saying I cannot cluster with that configuration. Though I no longer get the SSLServerSocket error.

Thanks for any help,
Steve

- Original Message -
From: Steve Best
To: Orion-Interest
Sent: Wednesday, October 17, 2001 3:43 PM
Subject: Yup, SSL question

So, I do not have the original keystore file generated during the certificate request, but I have the original certificate request private key file, as well as the certificate file from Thawte. How do I get them both into a working keystore?

Steve
Fw: Yup, SSL question
- Original Message -
From: Steve Best
To: Orion-Interest
Sent: Thursday, October 18, 2001 11:35 AM
Subject: Re: Yup, SSL question

Nevermind, I have found the keystore and have imported the certificate. I believe my problems now have to do with our clustering/load balancing configuration. We are currently using an Alteon Acedirector 3 for our load balancer. We are also using clustering to maintain sessions.

I think the error I have been getting:

"Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled."

is because our certificate is for our virtual IP, and not for our local machine, and therefore Orion is unable to load the certificate correctly because it isn't for the local host. The question is, how do I configure Orion to load a certificate for our virtual site?

Here is my configuration, with some entries modified to protect the innocent:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
    <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
    <ssl-config keystore="../keys/keystore" keystore-password="123456" />
    <frontend host="virtual.simpledevices.com" port="443"/>
    <access-log path="../log/sms-web-access.log" />
</web-site>

I have tried setting the web-site host="[ALL]", but I get an error saying I cannot cluster with that configuration. Though I no longer get the SSLServerSocket error.

Thanks for any help,
Steve

- Original Message -
From: Steve Best
To: Orion-Interest
Sent: Wednesday, October 17, 2001 3:43 PM
Subject: Yup, SSL question

So, I do not have the original keystore file generated during the certificate request, but I have the original certificate request private key file, as well as the certificate file from Thawte. How do I get them both into a working keystore?

Steve
Re: Yup, SSL question
sorry if I'm off track here??, but last time I checked, orion couldn't cluster + SSL at the same time. I think it's orion bugzilla defect 525 from memory, since I spent some time investigating it. I think elephantwalker is a bit of an expert on this particular issue. you can cluster, and you can setup SSL, but just not at the same time.

- Original Message -
From: Steve Best
To: Orion-Interest
Sent: Friday, October 19, 2001 4:35 AM
Subject: Re: Yup, SSL question

Nevermind, I have found the keystore and have imported the certificate. I believe my problems now have to do with our clustering/load balancing configuration. We are currently using an Alteon Acedirector 3 for our load balancer. We are also using clustering to maintain sessions.

I think the error I have been getting:

"Error listening to SSLServerSocket: No available certificate corresponds to the SSL cipher suites which are enabled."

is because our certificate is for our virtual IP, and not for our local machine, and therefore Orion is unable to load the certificate correctly because it isn't for the local host. The question is, how do I configure Orion to load a certificate for our virtual site?

Here is my configuration, with some entries modified to protect the innocent:

<web-site host="localhost.simpledevices.com" port="8443" cluster-island="1" secure="true" display-name="SMS WebSite">
    <default-web-app application="sms" name="sms-web" shared="true" load-on-startup="false" />
    <ssl-config keystore="../keys/keystore" keystore-password="123456" />
    <frontend host="virtual.simpledevices.com" port="443"/>
    <access-log path="../log/sms-web-access.log" />
</web-site>

I have tried setting the web-site host="[ALL]", but I get an error saying I cannot cluster with that configuration. Though I no longer get the SSLServerSocket error.

Thanks for any help,
Steve

- Original Message -
From: Steve Best
To: Orion-Interest
Sent: Wednesday, October 17, 2001 3:43 PM
Subject: Yup, SSL question

So, I do not have the original keystore file generated during the certificate request, but I have the original certificate request private key file, as well as the certificate file from Thawte. How do I get them both into a working keystore?

Steve
Yup, SSL question
So, I do not have the original keystore file generated during the certificate request, but I have the original certificate request private key file, as well as the certificate file from Thawte. How do I get them both into a working keystore? Steve
RE: SSL Question: Possibly Offtopic
You might be able to use an SSL terminator. In this case, a separate machine acts as a proxy to your sites and handles SSL for you. The SSL load is handled by the proxy machine and your web servers are somewhat protected. This is commonly used when you want to use SSL, and you still want your Intrusion Detection System (IDS) to be able to read the traffic. SSL between the client and terminator, clear text between the terminator - IDS - web server. You MIGHT be able to use the tunnel servlet and SSL to do this.

/Jason

-Original Message-
From: John McGowan [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 21, 2001 3:57 PM
To: Orion-Interest
Subject: SSL Question: Possibly Offtopic

Is it possible to set up two different sites using Orion with only 1 IP address, and set up SSL for each of them? I didn't have any problems setting up the two non-secure virtual hosts, but when I tried to set up SSL virtual hosts, I couldn't get the server to send the right Certificates. Is this even possible? Is there some SSL limitation that only allows 1 Certificate per IP address?

/John
SSL Question: Possibly Offtopic
Is it possible to set up two different sites using Orion with only 1 IP address, and set up SSL for each of them? I didn't have any problems setting up the two non-secure virtual hosts, but when I tried to set up SSL virtual hosts, I couldn't get the server to send the right Certificates. Is this even possible? Is there some SSL limitation that only allows 1 Certificate per IP address?

/John
Re: SSL Question: Possibly Offtopic
> Is there some SSL limitation that only allows 1 Certificate per IP address?

Yes, or at least that's my understanding. The SSL negotiation is done before the Host: header can be sent.

James
Re: SSL question
Hello,

Yeah, that's a good text, I'll add it. Thanks Mike!

Regards,
Karl Avedal

David Ekholm wrote:

That's what I call an answer! It explained a lot. Orion guys, please add that to your SSL howto. You can also retrieve a cert+CAcert already chained right from Thawte. Select an SSL type test cert and also check the chaining setting on the web page for test cert generation.

/David

- Original Message -
From: Mike Atkin [mailto:[EMAIL PROTECTED]]
To: "Orion-Interest" [EMAIL PROTECTED]
Subject: SSL question

The problem with the first command is that keytool can't find the root ca certificates in your keystore and therefore can't build up the certificate chain from your server key to the trusted root certificate authority. With the second example, keytool is using the system keystore and can locate the root ca certs in jdk-dir/jre/lib/security/cacerts.

When I created my keystore I used a certificate from bt trustwise which is an intermediate ca so I had yet another cert to add. The commands went something like this (assume keystore does not yet exist):

keytool -keystore keystore -import -alias cacert -file cacert.cer
keytool -keystore keystore -import -alias intercert -file inter.cer   # Only need this if you are using an intermediate signing authority like BT Trustwise
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
keytool -keystore keystore -certreq -alias serverkey -file my.host.com.csr

Get cert from csr then:

keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

That should be that. You can do a

keytool -keystore keystore -v -list

and check that a cert chain has been built. You can probably get round your problem just by importing the ca certs into your keystore and then trying to re-add your server cert.

HTH
Mike
Re: SSL question
- Original Message -
From: "Kit" [EMAIL PROTECTED]
To: "Orion-Interest" [EMAIL PROTECTED]
Sent: Thursday, October 12, 2000 4:54 PM
Subject: SSL question

Hi all

I have a problem using the command below.

keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer

I get this error:

keytool error: Failed to establish chain from reply

But, this command worked fine

keytool -import -trustcacerts -file my.host.com.cer

Is there any problem using the second command, since it's missing some arguments as indicated in the ssl-how-to documentation.

Thanks
-kit

The problem with the first command is that keytool can't find the root ca certificates in your keystore and therefore can't build up the certificate chain from your server key to the trusted root certificate authority. With the second example, keytool is using the system keystore and can locate the root ca certs in jdk-dir/jre/lib/security/cacerts.

When I created my keystore I used a certificate from bt trustwise which is an intermediate ca so I had yet another cert to add. The commands went something like this (assume keystore does not yet exist):

keytool -keystore keystore -import -alias cacert -file cacert.cer
keytool -keystore keystore -import -alias intercert -file inter.cer   # Only need this if you are using an intermediate signing authority like BT Trustwise
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
keytool -keystore keystore -certreq -alias serverkey -file my.host.com.csr

Get cert from csr then:

keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

That should be that. You can do a

keytool -keystore keystore -v -list

and check that a cert chain has been built. You can probably get round your problem just by importing the ca certs into your keystore and then trying to re-add your server cert.

HTH
Mike
RE: SSL question
That's what I call an answer! It explained a lot. Orion guys, please add that to your SSL howto. You can also retrieve a cert+CAcert already chained right from Thawte. Select an SSL type test cert and also check the chaining setting on the web page for test cert generation.

/David

- Original Message -
From: Mike Atkin [mailto:[EMAIL PROTECTED]]
To: "Orion-Interest" [EMAIL PROTECTED]
Subject: SSL question

The problem with the first command is that keytool can't find the root ca certificates in your keystore and therefore can't build up the certificate chain from your server key to the trusted root certificate authority. With the second example, keytool is using the system keystore and can locate the root ca certs in jdk-dir/jre/lib/security/cacerts.

When I created my keystore I used a certificate from bt trustwise which is an intermediate ca so I had yet another cert to add. The commands went something like this (assume keystore does not yet exist):

keytool -keystore keystore -import -alias cacert -file cacert.cer
keytool -keystore keystore -import -alias intercert -file inter.cer   # Only need this if you are using an intermediate signing authority like BT Trustwise
keytool -keystore keystore -genkey -keyalg RSA -alias serverkey
keytool -keystore keystore -certreq -alias serverkey -file my.host.com.csr

Get cert from csr then:

keytool -keystore keystore -import -file my.host.com.cer -alias serverkey

That should be that. You can do a

keytool -keystore keystore -v -list

and check that a cert chain has been built. You can probably get round your problem just by importing the ca certs into your keystore and then trying to re-add your server cert.

HTH
Mike
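Mike's explanation above (keytool reports "Failed to establish chain from reply" when the keystore holds no CA certificates to chain the reply to a trusted root) as an added, runnable illustration. This is editor-added Go code, not from the thread or from Orion, and it uses the standard library's crypto/x509 chain builder in place of keytool; the root CA, intermediate CA and my.host.com server certificate are constructed in memory and stand in for cacert.cer, inter.cer and the CA reply.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// mkCert issues a minimal certificate for cn signed by parent; a nil parent means self-signed (a root CA).
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62)) // constructed serial number
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed: the root is its own issuer
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// chainOK tries to chain the server cert up to a trusted root using only the CA certs the "keystore"
// holds (roots = trusted anchors, inters = intermediate CAs); an error is keytool's "Failed to establish chain".
func chainOK(server *x509.Certificate, roots, inters []*x509.Certificate) error {
	rp, ip := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range roots { rp.AddCert(c) }
	for _, c := range inters { ip.AddCert(c) }
	_, err := server.Verify(x509.VerifyOptions{Roots: rp, Intermediates: ip})
	return err
}

// buildScenario mirrors Mike's setup: root CA (cacert.cer), intermediate CA (inter.cer), server cert for my.host.com.
func buildScenario() (root, inter, server *x509.Certificate) {
	root, rootKey := mkCert("Constructed Root CA", true, nil, nil)
	inter, interKey := mkCert("Constructed Intermediate CA", true, root, rootKey)
	server, _ = mkCert("my.host.com", false, inter, interKey)
	return
}

func main() {
	root, inter, server := buildScenario()
	fmt.Println("no CA certs in keystore:", chainOK(server, nil, nil))
	fmt.Println("root + intermediate:    ", chainOK(server, []*x509.Certificate{root}, []*x509.Certificate{inter}))
}
```

Go refuses the bare server certificate for the same reason keytool does: with neither the root nor the intermediate in the trust store there is no path to an anchor, and with only the root the missing intermediate still breaks the chain, which is why Mike imports cacert.cer and inter.cer before the server reply.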
SSL question
Hi all

I have a problem using the command below.

keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer

I get this error:

keytool error: Failed to establish chain from reply

But, this command worked fine

keytool -import -trustcacerts -file my.host.com.cer

Is there any problem using the second command, since it's missing some arguments as indicated in the ssl-how-to documentation.

Thanks
-kit
Re: SSL question
the first line is correct. it's telling you that this certificate does not match the private key (which you made with -genkey first, right?) in your keystore. in the second one you didn't specify where your keystore is. try this and see if you have both the private key and the certificate in your keystore:

keytool -keystore keystore -v -list

cheers,
sach

On Thu, 12 Oct 2000, Kit wrote:

Hi all

I have a problem using the command below.

keytool -keystore keystore -keyalg "RSA" -import -trustcacerts -file my.host.com.cer

I get this error:

keytool error: Failed to establish chain from reply

But, this command worked fine

keytool -import -trustcacerts -file my.host.com.cer

Is there any problem using the second command, since it's missing some arguments as indicated in the ssl-how-to documentation.

Thanks
-kit
Yet Another SSL Question.
On the topic of keystores, is it possible to have a 128bit key and a 56bit key installed on the same store, and have it configured as such, to allow the client to connect at 128bit, if possible, and then fall back to 56bit if not? cheers, sach