Installing IIS Certificates in Tomcat?
I'm running Tomcat inside of jboss-3.2.1_tomcat-4.1.24 but I think the issue will be the same independent of that. The platform is Win2K SP3. The plan is to use Tomcat's HTTP server instead of IIS with the AJP ISAPI connector. Since all requests are being handled by servlets with no static content, why even get IIS involved? Anyway...

I attempted to take an existing certificate whose request was generated by IIS and import it into a keystore and use that as the basis for my SSL crypto. When I attempted to connect via IE the connection failed (a site not found error) and the exception tree at the bottom of this message was generated. I spent a lot of time reading the JBoss SSL docs, reading the Tomcat SSL docs, searching the Tomcat and JBoss archives, playing with my configuration, trying to figure out what ciphers were installed, making sure that the CA certificate (for testing we use an internal CA) was imported into the keystore, etc., etc., etc. None of it worked. Everything resulted in the exception chain below or something similar.

Finally I just decided to go through the instructions for generating a new local key, a new certificate request, get the certificate from my internal certificate authority and import everything into a new keystore. It worked with a minor warning saying that the machine name on the certificate did not match the actual machine name. I'm not sure how to resolve that immediately but I don't see that as a major issue right now since this is only for testing purposes.

My big questions are:
1) Is there any way that I can import an existing certificate that was generated based on a request originated in IIS into my keystore and have that be accepted by Tomcat?
2) Or, do I have to go to my IT manager and tell him that he needs to go to Verisign and get additional certificates for IP addresses that we already have certificates for?
3) Or, should I just use IIS and the existing certificates to front Tomcat?

Many thanks for the assist!
rjsjr

2003-08-07 14:22:55,919 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
javax.net.ssl.SSLHandshakeException: no cipher suites in common
        at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_aw.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SunJSSE_ax.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:290)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
        at java.lang.Thread.run(Thread.java:536)

2003-08-07 14:22:55,939 DEBUG [org.apache.tomcat.util.net.PoolTcpEndpoint] Handshake failed
javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
        at com.sun.net.ssl.internal.ssl.InputRecord.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.j(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.handshake(JSSESocketFactory.java:290)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:540)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:619)
        at java.lang.Thread.run(Thread.java:536)

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: Installing IIS Certificates in Tomcat?
"Robert J. Sanford, Jr." <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > That's great advice but it doesn't answer my basic question of whether or > not I can import a certificate that was issued based on a request generated > by IIS. Since I don't use IIS, I don't know the answer. However, if you can export the cert in pkcs12 format (which Windows usually does with the "export private key" option), then you should be able to use the resulting (either ".p12" or ".pfx") file as your keystore. You need to set 'keystoreType="pkcs12"' on the Factory element. Sun's support for pkcs12 is a bit limited, so make certain that you only export your server's cert, and *not* the signers as well. Since you are using a Verisign cert, this should be enough (since the signer is already in cacerts). Alternatively, once you have your ".p12" file, you can use OpenSSL or otherwise to split it out into a private-key and certificate file. You can then use the program at http://www.comu.de/docs/tomcat_ssl.htm to import them. > > rjsjr > > > My experience was using IIS with Tomcat was very slow > > and it is pain in the neck to use tackle with ISAPI > > connector and the rest.. It is better to have either > > Apache or directly use Tomcat servers > > > > -Original Message- > > From: Robert J. Sanford, Jr. [mailto:[EMAIL PROTECTED] > > Sent: Friday, August 08, 2003 6:11 PM > > To: [EMAIL PROTECTED] > > Subject: Installing IIS Certificates in Tomcat? > > > > > > > I'm running Tomcat inside of jboss-3.2.1_tomcat-4.1.24 > > > but I think the issue will be the same independent of > > > that. The platform is Win2K SP3. The plan is to use > > > Tomcat's HTTP server instead of IIS with the AJP ISAPI > > > connector. Since all requests are being handled by > > > servlets with no static content why even get IIS > > > involved? Anyway... 
> > > > > I attempted to take an existing certificate whose > > > request was generated by IIS and import it into a > > > keystore and use that as the basis for my SSL > > > crypto. When I attempted to connect via IE the > > > connection failed (a site not found error) and the > > > exception tree at the bottom of this message was > > > generated. I spent a lot of time reading the JBoss > > > SSL docs, reading the Tomcat SSL docs, searching > > > the Tomcat and JBoss archives, playing with my > > > configuration, trying to figure out what ciphers > > > were installed, making sure that the CA certificate > > > (for testing we use an internal CA) was imported > > > into the keystore, etc., etc., etc. None of it > > > worked. Everything resulted in the exception chain > > > below or something similar. > > > > > Finally I just decided to go through the instructions > > > for generating a new local key, a new certificate > > > request, get the certificate from my internal > > > certificate authority and import everything into a > > > new keystore. It worked with a minor warning saying > > > that the machine name on the certificate did not > > > match the actual machine name. I'm not sure how to > > > resolve that immediately but I don't see that as a > > > major issue right now since this is only for testing > > > purposes. > > > > > My big questions are: > > > 1) Is there any way that I can import an > > >existing certificate that was generated > > >based on a request originated in IIS > > >into my keystore and have that be > > >accepted by Tomcat? > > > 2) Or, do I have to go to my IT manager > > >and tell him that he needs to go to > > >Verisign and get additional > > >certificates for IP addresses that > > >we already have certificates for? > > > 3) Or, should I just use IIS and the > > >existing certificates to front Tomcat? > > > > > > Many thanks for the assist! 
> > > > > > rjsjr > > > > > > 2003-08-07 14:22:55,919 DEBUG > > > [org.apache.tomcat.util.net.PoolTcpEndpoint] > > > Handshake failed > > > javax.net.ssl.SSLHandshakeException: no cipher suites in common > > > at com.sun.net.ssl.internal.ssl.BaseSSLSocketImpl.a(DashoA6275) > > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275) > > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275) > > > at com.sun.net.ssl.inter
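The procedure the reply sketches, as an added example that is not code from the thread, from Tomcat or from JBoss. Because there is no IIS here, a locally generated RSA key and self-signed certificate (plus a second self-signed certificate playing the internal CA) stand in for the .pfx that the Windows "export private key" wizard produces; the host name app.example.test, the password, the file names and the scratch directory are this example's assumptions. It then does what the reply describes and what the original poster needed checked: counts the key and certificate entries in the bundle (a bundle that carries the certificate but no private key gives the server no key to negotiate with, which is the usual cause of the "no cipher suites in common" handshake failure in the first post), splits the bundle into PEM key and certificate with OpenSSL, verifies the key really belongs to the certificate, compares the certificate's CN with the intended host name (the "machine name did not match" warning), re-bundles only the server key and certificate without the signer certs, and prints the Tomcat 4.1 Factory element with keystoreType="PKCS12". The Factory attribute names are those of the Tomcat 4.1 SSL how-to; the file path and password in it are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread.  A locally generated key and
# self-signed cert stand in for a Windows .pfx; names/paths are assumptions.
set -eu

WORK="${TMPDIR:-/tmp}/iis2tomcat.$$"   # scratch directory for the artefacts
PASS="changeit"                        # assumed export password; reused as keystorePass
HOST="app.example.test"                # assumed name the browser will connect to

# Stand-in for the Windows export: server key + cert bundled *with* the internal
# CA cert, the shape the reply says Sun's PKCS12 support does not cope with.
make_stand_in_pfx() {
    mkdir -p "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
        -keyout "$WORK/iis.key" -out "$WORK/iis.crt" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Internal Test CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$WORK/iis.key" -in "$WORK/iis.crt" \
        -certfile "$WORK/ca.crt" -name tomcat -passout "pass:$PASS" \
        -out "$WORK/iis-export.pfx"
    echo "$WORK/iis-export.pfx"
}

# The trap behind "no cipher suites in common": certificate present, no private
# key.  Built only so the entry count below has something to reject.
make_cert_only_pfx() {
    openssl pkcs12 -export -nokeys -in "$WORK/iis.crt" -passout "pass:$PASS" \
        -out "$WORK/cert-only.pfx"
    echo "$WORK/cert-only.pfx"
}

# Count private keys / certificates in a PKCS#12 file (grep -c exits 1 on zero
# matches, so || true keeps the printed "0" under set -e).
count_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY' || true
}
count_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# The reply's alternative route: split the bundle into PEM key and cert.
split_pfx() {
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nocerts -nodes \
        -out "$WORK/server.key" 2>/dev/null
    openssl pkcs12 -in "$1" -passin "pass:$PASS" -nokeys -clcerts \
        -out "$WORK/server.crt" 2>/dev/null
    chmod 600 "$WORK/server.key"       # the key is now unencrypted on disk
}

# Does the key belong to the certificate?  Compare SHA-256 of the DER-encoded
# public keys rather than eyeballing RSA moduli (works for EC keys too).
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl dgst -sha256)
    c=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Subject CN, to compare with the host name the browser uses (the "machine name
# on the certificate did not match" warning is this comparison failing).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 2>/dev/null \
        | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Re-bundle server key + cert only, no signer certs, under one password: Sun's
# PKCS12 keystore uses the same password for the store and for the key.
make_tomcat_pfx() {
    openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.crt" \
        -name tomcat -passout "pass:$PASS" -out "$WORK/tomcat.pfx"
    echo "$WORK/tomcat.pfx"
}

# Factory element for a Tomcat 4.1 HTTPS Connector (attribute names from the
# Tomcat 4.1 SSL how-to; file and password are this example's assumptions).
factory_snippet() {
    cat <<EOF
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="false" protocol="TLS"
         keystoreFile="$1" keystorePass="$PASS" keystoreType="PKCS12"/>
EOF
}

main() {
    pfx=$(make_stand_in_pfx)
    echo "export: $(count_keys "$pfx") key(s), $(count_certs "$pfx") cert(s)"
    bad=$(make_cert_only_pfx)
    echo "cert-only bundle: $(count_keys "$bad") key(s) -> handshake would fail"
    split_pfx "$pfx"
    key_matches_cert "$WORK/server.key" "$WORK/server.crt" || { echo "key/cert mismatch"; exit 1; }
    [ "$(cert_cn "$WORK/server.crt")" = "$HOST" ] || echo "warning: CN differs from $HOST"
    ks=$(make_tomcat_pfx)
    echo "tomcat keystore: $(count_keys "$ks") key(s), $(count_certs "$ks") cert(s)"
    factory_snippet "$ks"
    rm -rf "$WORK"                     # do not leave the plaintext key behind
}
main
```

Two OpenSSL-version caveats apply when this is run against a real export rather than the stand-in: a .pfx written by Windows of that era encrypts its certificate bags with RC2-40, which OpenSSL 3 only reads with the `-legacy` option, and OpenSSL 3 writes PKCS#12 with AES and PBKDF2 by default, which a JSSE of the 2003 vintage cannot read, so add `-legacy` to the `pkcs12 -export` that produces the Tomcat keystore if an old JVM has to open it.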
RE: Installing IIS Certificates in Tomcat?
That's great advice but it doesn't answer my basic question of whether or not I can import a certificate that was issued based on a request generated by IIS.

rjsjr

> My experience was that using IIS with Tomcat was very slow,
> and it is a pain in the neck to tackle the ISAPI connector
> and the rest. It is better to either use Apache or use the
> Tomcat server directly.
RE: Installing IIS Certificates in Tomcat?
Thanks for the info. I got the key exported from IIS in the PKCS12 format and used OpenSSL to generate a .pem file containing the private key and site certificate from that (for testing purposes I'm using an internal CA, so the CA certificate was in there as well). The issue that I'm running into now is that the SDK keytool will not import a private key. Sigh. I was hoping to avoid using something other than keytool since I have a hard enough time convincing my production IT staff to get rid of IIS, so minimizing the number of conversion apps is a good thing.

I'll try playing with the keystore type to use the PKCS file directly. If that fails then I'll have to try the other stuff.

Thanks for the advice.

rjsjr
RE: Installing IIS Certificates in Tomcat?
Okay, using the .pfx file directly and the keystoreType="PKCS12" worked with no hitches. Well, one minor hitch, but that was pilot error on my part.

Many thanks!

rjsjr
RE: Installing IIS Certificates in Tomcat?
My experience was that using IIS with Tomcat was very slow, and it is a pain in the neck to tackle the ISAPI connector and the rest. It is better to either use Apache or use the Tomcat server directly.

-----Original Message-----
From: Robert J. Sanford, Jr. [mailto:[EMAIL PROTECTED]
Sent: Friday, August 08, 2003 6:11 PM
To: [EMAIL PROTECTED]
Subject: Installing IIS Certificates in Tomcat?