RE: SSL Help

2004-07-04 Thread Anju Murthy
Hi,

We see that irrespective of the contents being secure or not, the browser
alert message comes up. We feel this is because the information about the
option chosen in the alert message in the first window is not being passed
to this new window.
Is there any way we can pass this information to this new window so that the
two alert messages don't pop up?

Thanks
Anju

-Original Message-
From: Ariel Valentin [mailto:[EMAIL PROTECTED]
Sent: Monday, July 05, 2004 10:30 AM
To: [EMAIL PROTECTED]
Subject: RE: SSL Help

That sounds like a browser-specific issue, and they should have settings to
turn the warning off.
On your end I think you should move the non-secure content in the pop up
from outside of servlet/* to your secure area.

Hope that helps

Mr. Ariel S. Valentin
mailto:[EMAIL PROTECTED]

>From: "Anju Murthy" <[EMAIL PROTECTED]>
>Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: SSL Help
>Date: Mon, 5 Jul 2004 10:22:56 +0530
>
>Hi,
>
>I have configured my application to run over SSL. I am forcing all
>requests to route to https using the following code in web.xml
>
><security-constraint>
>  <web-resource-collection>
>    <web-resource-name>LoginServlet</web-resource-name>
>    <url-pattern>/servlet/*</url-pattern>
>    <http-method>POST</http-method>
>    <http-method>GET</http-method>
>  </web-resource-collection>
>  <auth-constraint>
>    <role-name>*</role-name>
>  </auth-constraint>
>  <user-data-constraint>
>    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>  </user-data-constraint>
></security-constraint>
>
>I have my internet browser setting "warn if change between secure and
>non secure mode" checked. When I log into my application for the first
>time, I get a browser alert message saying I am moving into secure
>area. After this, any navigation within the application does not
>display this alert message. But if a popup window is opened from this
>page, I get two alert messages. One says I am moving out of secure area
>and another saying I am moving into secure area.
>
>Is there a way to prevent these alert messages from coming up in popup
>windows?
>
>Thanks
>Anju
>
>-
>To unsubscribe, e-mail: [EMAIL PROTECTED]
>For additional commands, e-mail: [EMAIL PROTECTED]

RE: SSL Help

2004-07-04 Thread Ariel Valentin
That sounds like a browser-specific issue, and they should have settings to
turn the warning off.
On your end I think you should move the non-secure content in the pop up
from outside of servlet/* to your secure area.

Hope that helps
Mr. Ariel S. Valentin
mailto:[EMAIL PROTECTED]


From: "Anju Murthy" <[EMAIL PROTECTED]>
Reply-To: "Tomcat Users List" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Subject: SSL Help
Date: Mon, 5 Jul 2004 10:22:56 +0530
Hi,
I have configured my application to run over SSL. I am forcing all requests
to route to https using the following code in web.xml

  
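<security-constraint>
  <web-resource-collection>
    <web-resource-name>LoginServlet</web-resource-name>
    <url-pattern>/servlet/*</url-pattern>
    <http-method>POST</http-method>
    <http-method>GET</http-method>
  </web-resource-collection>
  <auth-constraint>
    <role-name>*</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>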


I have my internet browser setting "warn if change between secure and non
secure mode" checked. When I log into my application for the first time, I
get a browser alert message saying I am moving into secure area.
After this, any navigation within the application does not display this
alert message. But if a popup window is opened from this page, I get two
alert messages. One says I am moving out of secure area and another saying I
am moving into secure area.

Is there a way to prevent these alert messages from coming up in popup
windows?
Thanks
Anju
-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
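
The advice in the reply above amounts to finding which URLs the popup loads that fall outside the /servlet/* constraint. The following is an added example, not part of the original messages: it reads the CONFIDENTIAL url-patterns from a web.xml and lists the requested paths that no pattern covers. The web.xml fragment and the popup resource paths are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment mirroring the constraint quoted in the thread
# (auth-constraint omitted, it does not affect the transport guarantee).
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>LoginServlet</web-resource-name>
      <url-pattern>/servlet/*</url-pattern>
      <http-method>POST</http-method>
      <http-method>GET</http-method>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed context-relative URLs that a popup page might request.
POPUP_RESOURCES = ["/servlet/Help", "/servlet", "/images/logo.gif", "/popup/help.html"]


def confidential_patterns(web_xml):
    """Return url-patterns of constraints whose transport-guarantee is CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for el in root.iter():  # drop any XML namespace so newer descriptors parse too
        el.tag = el.tag.rsplit("}", 1)[-1]
    patterns = []
    for sc in root.iter("security-constraint"):
        guarantee = sc.findtext("user-data-constraint/transport-guarantee", "")
        if guarantee.strip() == "CONFIDENTIAL":
            patterns += [p.text.strip() for p in sc.iter("url-pattern") if p.text]
    return patterns


def matches(pattern, path):
    """Servlet-style url-pattern matching: exact, '/prefix/*', '*.ext', and '/'."""
    if pattern in ("/", "/*"):
        return True
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    if pattern.startswith("*."):
        return path.rsplit("/", 1)[-1].endswith(pattern[1:])
    return path == pattern


def unprotected(web_xml, paths):
    """Paths that no CONFIDENTIAL pattern covers, so the container will not force https."""
    pats = confidential_patterns(web_xml)
    return [p for p in paths if not any(matches(pat, p) for pat in pats)]


if __name__ == "__main__":
    print("not forced to https:", unprotected(WEB_XML, POPUP_RESOURCES))
```

The check ignores http-method, so a pattern is treated as covering every method even though the quoted constraint lists only POST and GET.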


Re: SSL Help

2001-02-05 Thread George Shafik

Hi All,

After several months of development we are ready to implement security part
of the system and are very confused on how to go about it and hopefully
someone in this mailing list has tackled this issue successfully.
...

Our systems are:
 Linux Red Hat 6.2
Apache 1.12.? - Compiled/Built in our environment
Tomcat 3.2.1 - Compiled/Built in our environment
JDK 1.2.2
Oracle 8.1.6

As far as we understand you can apply SSL at:
1) OS level with a product like OpenSSL
2) Application Level with Sun's JSSE 1.0.2

Our main concern is performance, then portability of code between different
systems.

Performance
Do you get better system performance by applying SSL at the OS or at an
application layer?
I would think at the OS level as the Security Software will be written in a
language like C making it very fast as it will be native to the process used
the target machine.

Code
If you decided to use JSSE 1.0.2 implementation of SSL what impact will it
have when you port your code to a system that implements SSL at the OS level?
If SSL Code is introduced correctly into the Framework then the impact will
be minimal between system implementations as it only should involve rippling
out a base class.

As mentioned performance is a very important issue and having several layers
of security from the firewall against the web server to the firewall against
the database to security sitting at the socket level encrypting and
decrypting everything that comes in its path not to mention getting Java to
do its magic through the interpreted bytecode!

At this stage in our development cycle we have a very superficial
understanding of the impact and possible solutions when it comes to
successfully implementing security and welcome any advice in this area.

Regards,
George


- Original Message -
From: "John Golubenko" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, February 06, 2001 3:14 AM
Subject: RE: SSL Help


> Hello,
>
> I have configured with OpenSSL (to Tomcat directly), made a key, etc. Now
> I can have a secure connection to my server, but browsers complain that
> my certificate isn't good, not signed, not known, etc. Seems that browsers
> have no problems with Verisign or RSA (?) certificates, which cost
> 600-1000 dollars per each one. I don't have that kind of money to spend. So, how do I
> get my certificate, so the browser wouldn't ask to install it, or
> approval from the user.
>
> Thank you,
> John.
>
>
>
> >>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
>
> On 2/5/01, 4:59:46 AM, "Coetmeur, Alain"
> <[EMAIL PROTECTED]> wrote regarding RE: SSL Help:
>
>
> > browse the archive those recent days/weeks
>
> > the secret are:
>
> > it is advised to use apache with openssl (mod_ssl or apache+ssl)
> > as the SSL processor and just configure it
> > to delegate servlet and JSP to tomcat...
> > look at http://www.modssl.org/
> > or http://www.apache-ssl.org/
> > for explanations, install doc, binaries, advices...
>
> > anyway you can make tomcat able to serve SSL directly.
> > install JSSE from SUN as documented
> > (detail in some of my former messages here)
> > this includes putting the .jar in a lib or lib/ext directory
> > as explained, and tweak some security.properties
>
> > create private key in the java keystore, produce a
> > certificate (externally or auto-certifies) with
> > CN=the.dns.name.of.my.tomcat
> > and add the certificate to the java keystore...
>
> > modify the server.xml as explained
> > in some comments... (I've sent here a working server.xml)
>
> > add some options in TOMCAT_OPTS (in tomcat.bat) so that URL Factory
> > supports SSL, and JSSE can find the truststore...
> > set TOMCAT_OPTS=%TOMCAT_OPTS%
> >   -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/../openssl/maui/cacerts"
> >   -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol
>
> > may the force be with you.
> > you can do it!
> > this can work, I've tested !
>
> > > -Message d'origine-
> > > De: venkatesan [mailto:[EMAIL PROTECTED]]
> > > Date: lundi 5 février 2001 12:50
> > > À: [EMAIL PROTECTED]
> > > Objet: SSL Help
> > >
> > >
> > > Hi All,
> > >  I am developing web applications using servlets,
> > > Rmi, Sql-server and
> > > Tomcat in Apache web server under Linux platform. I would
> > > like to use SSL. Can
> > > any body tell that where can i get SSL for tomcat. How can i
> > > do it using
> > 

RE: SSL Help

2001-02-05 Thread GOMEZ Henri

Take a look at www.modssl.org.

There is an already done RPM for Redhat

We cannot solve the most serious problems with the same mindset that
created them.
-- Albert Einstein

>-Original Message-
>From: John Golubenko [mailto:[EMAIL PROTECTED]]
>Sent: Monday, February 05, 2001 5:17 PM
>To: [EMAIL PROTECTED]
>Subject: Re: SSL Help
>
>
>Look on OpenSSL.org or Apache-SSL.org, or do search for SSL on apache.org
>web server.
>
>>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<
>
>On 2/5/01, 3:49:47 AM, venkatesan <[EMAIL PROTECTED]> wrote regarding
>SSL Help:
>
>
>> Hi All,
>>  I am developing web applications using servlets, Rmi, Sql-server and
>> Tomcat in Apache web server under Linux platform. I would like to use SSL. Can
>> any body tell that where can i get SSL for tomcat. How can i do it using
>> Tomcat..
>> Thanks in advance...
>
>> cheers
>> Venkateh
>
>
>
>NOTICE:  This communication may contain confidential or other 
>privileged information.  If you are not the intended 
>recipient, or believe that you have received this 
>communication in error, please do not print, copy, retransmit, 
>disseminate, or otherwise use the information.  Also, please 
>indicate to the sender that you have received this email in 
>error, and delete the copy you received.  Any communication 
>that does not relate to official Columbia business is that of 
>the sender and is neither given nor endorsed by Columbia.  Thank you.
>
>
>




Re: SSL Help

2001-02-05 Thread John Golubenko

Look on OpenSSL.org or Apache-SSL.org, or do search for SSL on apache.org 
web server.

>> Original Message <<

On 2/5/01, 3:49:47 AM, venkatesan <[EMAIL PROTECTED]> wrote regarding 
SSL Help:


> Hi All,
>  I am developing web applications using servlets, Rmi, Sql-server and
> Tomcat in Apache web server under Linux platform. I would like to use SSL. Can
> any body tell that where can i get SSL for tomcat. How can i do it using
> Tomcat..
> Thanks in advance...

> cheers
> Venkateh







RE: SSL Help

2001-02-05 Thread John Golubenko

Hello,
 
I have configured with OpenSSL (to Tomcat directly), made a key, etc. Now
I can have a secure connection to my server, but browsers complain that
my certificate isn't good, not signed, not known, etc. Seems that browsers
have no problems with Verisign or RSA (?) certificates, which cost
600-1000 dollars per each one. I don't have that kind of money to spend. So, how do I
get my certificate, so the browser wouldn't ask to install it, or
approval from the user.

Thank you,
John.  



>>>>>>>>>>>>>>>>>> Original Message <<<<<<<<<<<<<<<<<<

On 2/5/01, 4:59:46 AM, "Coetmeur, Alain" 
<[EMAIL PROTECTED]> wrote regarding RE: SSL Help:


> browse the archive those recent days/weeks

> the secret are:

> it is advised to use apache with openssl (mod_ssl or apache+ssl)
> as the SSL processor and just configure it
> to delegate servlet and JSP to tomcat...
> look at http://www.modssl.org/
> or http://www.apache-ssl.org/
> for explanations, install doc, binaries, advices...

> anyway you can make tomcat able to serve SSL directly.
> install JSSE from SUN as documented
> (detail in some of my former messages here)
> this includes putting the .jar in a lib or lib/ext directory
> as explained, and tweak some security.properties

> create private key in the java keystore, produce a
> certificate (externally or auto-certifies) with CN=the.dns.name.of.my.tomcat
> and add the certificate to the java keystore...

> modify the server.xml as explained
> in some comments... (I've sent here a working server.xml)

> add some options in TOMCAT_OPTS (in tomcat.bat) so that URL Factory
> supports SSL, and JSSE can find the truststore...
> set TOMCAT_OPTS=%TOMCAT_OPTS%
>   -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/../openssl/maui/cacerts"
>   -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

> may the force be with you.
> you can do it!
> this can work, I've tested !

> > -Message d'origine-
> > De: venkatesan [mailto:[EMAIL PROTECTED]]
> > Date: lundi 5 février 2001 12:50
> > À: [EMAIL PROTECTED]
> > Objet: SSL Help
> >
> >
> > Hi All,
> >  I am developing web applications using servlets,
> > Rmi, Sql-server and
> > Tomcat in Apache web server under Linux platform. I would
> > like to use SSL. Can
> > any body tell that where can i get SSL for tomcat. How can i
> > do it using
> > Tomcat..
> > Thanks in advance...
> >
> > cheers
> > Venkateh
> >
> >
> >




RE: SSL Help

2001-02-05 Thread Coetmeur, Alain



browse the archive those recent days/weeks

the secret are:

it is advised to use apache with openssl (mod_ssl or apache+ssl)
as the SSL processor and just configure it
to delegate servlet and JSP to tomcat...
look at http://www.modssl.org/
or http://www.apache-ssl.org/
for explanations, install doc, binaries, advices...

anyway you can make tomcat able to serve SSL directly.
install JSSE from SUN as documented
(detail in some of my former messages here)
this includes putting the .jar in a lib or lib/ext directory
as explained, and tweak some security.properties

create private key in the java keystore, produce a
certificate (externally or auto-certifies) with CN=the.dns.name.of.my.tomcat
and add the certificate to the java keystore...

modify the server.xml as explained
in some comments... (I've sent here a working server.xml)

add some options in TOMCAT_OPTS (in tomcat.bat) so that URL Factory
supports SSL, and JSSE can find the truststore...
set TOMCAT_OPTS=%TOMCAT_OPTS% -Djavax.net.ssl.trustStore="%TOMCAT_HOME%/../openssl/maui/cacerts" -Djava.protocol.handler.pkgs=com.sun.net.ssl.internal.www.protocol

may the force be with you.
you can do it!
this can work, I've tested !

> -Message d'origine-
> De: venkatesan [mailto:[EMAIL PROTECTED]]
> Date: lundi 5 février 2001 12:50
> À: [EMAIL PROTECTED]
> Objet: SSL Help
> 
> 
> Hi All,
>  I am developing web applications using servlets, 
> Rmi, Sql-server and
> Tomcat in Apache web server under Linux platform. I would 
> like to use SSL. Can
> any body tell that where can i get SSL for tomcat. How can i 
> do it using
> Tomcat..
> Thanks in advance...
> 
> cheers
> Venkateh
> 
> 
> 




RE: SSL help..

2000-10-24 Thread David Oxley

On this question:
Am I right in thinking that you only need to do special SSL config in tomcat
when not connected to a webserver (i.e. port 8080).

-Original Message-
From: Trevor Little [mailto:[EMAIL PROTECTED]]
Sent: 24 October 2000 14:11
To: [EMAIL PROTECTED]
Subject: Re: SSL help..


Read server.xml in the conf/ directory.  It explains how to do it.



[EMAIL PROTECTED] wrote:
> 
> Hi all,
>Just I downloaded Tomcat3.2. Could any one help me, how to configure SSL and
>where can I get jsse.jar. Is any other jar files are required to add in classpath.
> Any help would be greatly appreciated.
> 
> Thanks,
> nell
> 



Re: SSL help..

2000-10-24 Thread Trevor Little

Read server.xml in the conf/ directory.  It explains how to do it.



[EMAIL PROTECTED] wrote:
> 
> Hi all,
>Just I downloaded Tomcat3.2. Could any one help me, how to configure SSL and 
>where can I get jsse.jar. Is any other jar files are required to add in classpath.
> Any help would be greatly appreciated.
> 
> Thanks,
> nell
> 