Re: Tomcat SSL and Virtual Domains

2005-09-03 Thread Mahesh S Kudva
I had a similar issue. I too had a doubt in server.xml. Search the archives for
the topic "Virtual Hosting with WAR files". I've posted in detail the
configurations that helped me with virtual hosting.

Hope it helps you too

Regards & Thanks

Mahesh S Kudva


-Original Message-
From: Dawn Blaine [EMAIL PROTECTED]
To: Dawn Blaine [EMAIL PROTECTED]
Cc: tomcat-user@jakarta.apache.org
Date: Sat, 03 Sep 2005 11:45:12 -0500
Subject: Tomcat SSL and Virtual Domains

 We are running Tomcat 4 standalone. I have things running fine with
 one host but now we need to add two more virtual hosts. I am pretty
 sure the problem is with my server.xml file but I haven't been able to
 figure it out. I have read through the docs and looked through the
 postings and I'm still stuck.
 
 Can someone help me out here?  Please?
 
 
 
 Here's the file. The server is running and the sterling domain is fine;
 just the others have problems.
 
 
 Thank you in advance
 
 D Blaine
 
 
 
 <Server port="8005" shutdown="SHUTDOWN" debug="0">

 <Service name="Tomcat-Standalone">

 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
   port="8080" minProcessors="5" maxProcessors="75"
   enableLookups="false" redirectPort="8443"
   acceptCount="100" debug="0" connectionTimeout="2"
   useURIValidationHack="false" disableUploadTimeout="true"
 />
 <!--
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
   port="8009" minProcessors="5" maxProcessors="75"
   enableLookups="false" redirectPort="8443"
   acceptCount="10" debug="0" connectionTimeout="0"
   useURIValidationHack="false"
   protocolHandlerClassName="org.apache.jk.server.JkCoyoteHandler"/>
 -->
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
   port="8443" minProcessors="5" maxProcessors="75"
   enableLookups="false"
   acceptCount="100" debug="0" scheme="https" secure="true"
   useURIValidationHack="false" disableUploadTimeout="true">
   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
     keystoreFile="/home/svhrs-1/keystore.kdb" clientAuth="false"
     protocol="TLS"/>
 </Connector>
 <!--
 <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
   port="8443" minProcessors="5" maxProcessors="75"
   enableLookups="false"
   acceptCount="100" debug="0" scheme="https" secure="true"
   useURIValidationHack="false" disableUploadTimeout="true">
   <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
     keystoreFile="/home/kinres/ssl2/keystore1.kdb" keystorePass="kinseth"
     clientAuth="false" protocol="TLS"/>
 </Connector>
 -->
 <Engine name="Standalone"
   defaultHost="sterling-vizcaya-hotel-reservations-sacramento.com"
   debug="0">

   <Logger className="org.apache.catalina.logger.FileLogger"
     prefix="catalina_log." suffix=".txt"
     timestamp="true"/>

   <Host appBase="/home/svhrs-1/sterling-vizcaya-hotel-reservations-sacramento-www/webapps"
     unpackWARs="true" autoDeploy="true" debug="0"
     name="sterling-vizcaya-hotel-reservations-sacramento.com">
     <Valve className="org.apache.catalina.valves.AccessLogValve"
       pattern="common" prefix="access-log"
       directory="/home/svhrs-1/sterling-vizcaya-hotel-reservations-sacramento-logs"
     />
     <Context path="/home/svhrs-1/sterling-vizcaya-hotel-reservations-sacramento-www/webapps/hotel"
       docBase="hotel" privileged="true" debug="0">
       <Manager className="org.apache.catalina.session.PersistentManager"
         debug="0"
         saveOnRestart="true"
         maxActiveSessions="-1"
         minIdleSwap="-1"
         maxIdleSwap="-1"
         maxIdleBackup="-1">
         <Store className="org.apache.catalina.session.FileStore"/>
       </Manager>
       <Environment name="maxExemptions" type="java.lang.Integer"
         value="15"/>
     </Context>
   </Host>


   <Host appBase="/home/kinres/esavvy-reservations-www/webapps"
     unpackWARs="true" autoDeploy="true" debug="0"
     name="esavvy-reservations.com">
     <Valve className="org.apache.catalina.valves.AccessLogValve"
       pattern="common" prefix="access-log"
       directory="/home/kinres/esavvy-reservations-logs" />
     <Context path="/home/kinres/esavvy-reservations-www/webapps/esavvyres"
       docBase="esavvyres" privileged="true" debug="0">
       <Manager className="org.apache.catalina.session.PersistentManager"
         debug="0"
         saveOnRestart="true"
         maxActiveSessions="-1"
         minIdleSwap="-1"
         maxIdleSwap="-1"
         maxIdleBackup="-1">
         <Store className="org.apache.catalina.session.FileStore"/>
       </Manager>
       <Environment name="maxExemptions" type="java.lang.Integer"
         value="15"/>
     </Context>
   </Host>

   <Host appBase="/home/esavvy/esavvysystems-www/webapps"
     unpackWARs="true"
     autoDeploy="true" debug="0" name="esavvysystems.com">
     <Valve className="org.apache.catalina.valves.AccessLogValve"
       pattern="common" prefix="access-log"


Re: Tomcat SSL Cipher Configuration

2005-07-18 Thread Edmund Urbani
Jojo Paderes wrote:

Hi,

I'm looking for some decent documentation and technical reference on
how to configure Tomcat's SSL cipher. Say for example I want Tomcat to
support a specific SSL cipher suite like Triple DES. Hope someone has done
something like this already.

I'm using Tomcat 5.5 btw.

Thanks, Jojo
  

I may be mistaken here, but I don't think Tomcat does provide config
options for the actual ciphers used - at least not in server.xml. It
relies on the ciphers provided by the JDK. I think those can be
configured in the policy file. This might be useful for you:
http://java.sun.com/j2se/1.5.0/docs/guide/security/CryptoSpec.html

 Edmund


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat SSL Cipher Configuration

2005-07-18 Thread Mark Thomas

Jojo Paderes wrote:

I'm looking for some decent documentation and technical reference on
how to configure Tomcat's SSL cipher. Say for example I want Tomcat to
support a specific SSL cipher suite like Triple DES. Hope someone has done
something like this already.

I'm using Tomcat 5.5 btw.


See http://jakarta.apache.org/tomcat/tomcat-5.5-doc/config/http.html

You want the ciphers attribute.

The ciphers need to be named as per the cipher suites in JSSE. See 
http://java.sun.com/j2se/1.4.2/docs/guide/security/jsse/JSSERefGuide.html


Search the page for Supported Cipher Suites. Also, I am pretty sure 
they need to be comma separated.


Mark
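As an added example (not from the thread or from the Tomcat project), the Python script below reads the `ciphers` attribute of each HTTPS Connector in a server.xml, splits it on commas as Mark describes, checks that every entry follows the JSSE `SSL_*`/`TLS_*` naming convention, and flags suites a reviewer would not enable today, including the Triple DES suite Jojo asked about. The server.xml it parses is constructed inline; the weak-suite markers are this example's own list, not a Tomcat setting.

```python
"""Lint the ciphers attribute of Tomcat HTTPS Connectors in a server.xml.

Added example; the sample server.xml at the bottom is constructed, not a
real deployment.
"""
import re
import xml.etree.ElementTree as ET

# JSSE suite names look like TLS_RSA_WITH_3DES_EDE_CBC_SHA or
# SSL_RSA_WITH_RC4_128_MD5 (some contain lower-case parts such as DH_anon).
# JSSE silently ignores names it does not recognise, so a typo or a wrong
# separator can leave a connector with no usable suite at all.
JSSE_NAME = re.compile(r"^(SSL|TLS)_[A-Za-z0-9]+(_[A-Za-z0-9]+)+$")

# Substrings that mark suites a defender should leave disabled.
WEAK_MARKERS = {
    "_NULL_": "no encryption or no integrity protection",
    "_anon_": "anonymous key exchange (no server authentication)",
    "_EXPORT": "export-grade (40/56-bit) key",
    "_DES_": "single DES (56-bit key)",
    "3DES": "triple DES (64-bit block, Sweet32)",
    "_RC4_": "RC4 stream cipher",
}


def parse_ciphers(attr_value):
    """Split a ciphers attribute on commas, trimming whitespace and
    dropping empty entries (a trailing comma is harmless)."""
    return [c.strip() for c in attr_value.split(",") if c.strip()]


def classify(suite):
    """Return (status, reason) for one suite name:
    'invalid' (not a JSSE name), 'weak' (matches a marker) or 'ok'."""
    if not JSSE_NAME.match(suite):
        return "invalid", "not a JSSE-style suite name (check spelling and separator)"
    for marker, why in WEAK_MARKERS.items():
        if marker.lower() in suite.lower():
            return "weak", why
    return "ok", ""


def lint_server_xml(xml_text):
    """Return one report per HTTPS connector: port, whether the JSSE default
    suite list is in force (no ciphers attribute), and per-suite findings."""
    root = ET.fromstring(xml_text)
    reports = []
    for conn in root.iter("Connector"):
        if conn.get("scheme") != "https":
            continue
        raw = conn.get("ciphers")
        report = {"port": conn.get("port"), "default": raw is None, "findings": {}}
        for suite in parse_ciphers(raw or ""):
            report["findings"][suite] = classify(suite)
        reports.append(report)
    return reports


# Constructed sample: port 8443 uses a semicolon (wrong separator) and 3DES,
# port 9443 is written correctly, port 8080 is plain HTTP and is skipped.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_3DES_EDE_CBC_SHA;TLS_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="9443" scheme="https" secure="true" sslProtocol="TLS"
        ciphers="TLS_RSA_WITH_AES_128_CBC_SHA, TLS_DHE_RSA_WITH_AES_128_CBC_SHA"/>
    <Connector port="8080"/>
  </Service>
</Server>
"""


if __name__ == "__main__":
    for r in lint_server_xml(SAMPLE_SERVER_XML):
        print("connector port", r["port"], "(JSSE default suites)" if r["default"] else "")
        for suite, (status, reason) in r["findings"].items():
            print(f"  {status:8} {suite} {reason}")
```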





Re: Tomcat, SSL, IE, and .pdf downloads

2005-06-09 Thread Mark Leone

Mark Leone midnightjava at cox.net writes:

 
 
 BTW, switching gears, I should have mentioned the following in my 
 previous email. I suspect that the IE workaround you described will only 
 work for SSL connections. Tomcat (and presumably any other good HTTP 
 server) will set the cache control headers to prevent caching of any 
 response generated from a protected context (i.e. one in which there is 
 a security-constraint element), whether the connection is made with 
 HTTPS (i.e., SSL) or HTTP. The IE option you described seems to apply 
 only to encrypted data, so it probably won't help IE users who are 
 trying to download files from a protected context via HTTP.
 

Correction to my previous post: The work-around apparently is not needed for 
non-SSL connections. I did a little experiment and found that IE doesn't have 
a problem with non-SSL responses that include headers with the no-cache cache 
directive. 

This alleviates the security concern I raised, since Tomcat can be configured 
to prohibit caching from protected contexts for non-SSL connections, and this 
behavior only needs to be overridden for SSL connections to satisfy IE, which I 
guess is not as problematic from a security standpoint. It's still a 
compatibility issue, IMO, since implementers will regularly encounter the 
problem with SSL connections and wonder what is going on.

Also, Mary Beth, I was unable to duplicate your results with unchecking 
the "don't allow encrypted data to be cached to disk" option. I commented out 
the valve in server.xml so that IE was not working properly for SSL file 
downloads. Then I unchecked the aforementioned option in 
IE, and it did not fix the problem. I'm wondering if you're dealing with a 
different issue. I'd like to know if you apply the valve fix in server.xml, 
and if it solves your problem. Did you do anything else to make IE work without 
the valve in server.xml?

-Mark








RE: Tomcat, SSL, IE, and .pdf downloads

2005-06-08 Thread Panichi, Mary-Beth
I think that I'll be leaving the moral decisions to my network admins.
They can decide what they feel is the right answer with regard to
network security.  But it's good to know that there is a way to fix the
problem.

Thanks again to everyone for all the input!
-Mary Beth




RE: Tomcat, SSL, IE, and .pdf downloads

2005-06-08 Thread Panichi, Mary-Beth
Another newbie question -- how do I tell which authenticator we're
using? Does tomcat use a default one? I was looking at the API, but
there isn't enough explanation there. And I didn't see anything in the
Tomcat doco.

Thanks, 
-Mary Beth




Re: Tomcat, SSL, IE, and .pdf downloads

2005-06-08 Thread Mark Leone

You may have the following element in your web app's web.xml:

<login-config>
   <auth-method>some_authentication_method</auth-method>
   <realm-name>some_realm_name</realm-name>
</login-config>

(If you don't, then you're probably not serving the content from a 
protected context, and this issue doesn't apply to you.)


Possible values for some_authentication_method are BASIC, DIGEST, and FORM.

BASIC authentication means the user agent (e.g. the browser) will send a 
cleartext username and password, which of course can be easily 
intercepted and therefore compromised.


DIGEST authentication means the user agent will send a one way hash 
value that was created with the username, password, and some random data 
as inputs. The server has the same hash value stored, so it can 
determine that the user has properly authenticated; but since it's a 
one-way hash, an eavesdropper cannot work backwards and figure out the 
password. And because of the random data, coordinated between the client 
and server, no one can record and replay the hash value to spoof the 
authentication. It's fairly secure, but not as good as SSL or TLS.


FORM authentication means the user enters authenticating information via 
an HTML form, which is encoded according to the content type specified 
in the enctype attribute of the HTML FORM element.


You need to set the className attribute of the Valve element in 
server.xml appropriately, as described in the email referenced below.  
The attribute value must match the authentication method chosen from the 
above list. The three authenticator classes are located in package 
org.apache.catalina.authenticator, and the class names are 
BasicAuthenticator, DigestAuthenticator, and FormAuthenticator.


So, for example, if you're using DIGEST authentication, your Valve 
element would look like this:


<Valve className="org.apache.catalina.authenticator.DigestAuthenticator"
       disableProxyCaching="false" />

BTW, switching gears, I should have mentioned the following in my 
previous email. I suspect that the IE workaround you described will only 
work for SSL connections. Tomcat (and presumably any other good HTTP 
server) will set the cache control headers to prevent caching of any 
response generated from a protected context (i.e. one in which there is 
a security-constraint element), whether the connection is made with 
HTTPS (i.e., SSL) or HTTP. The IE option you described seems to apply 
only to encrypted data, so it probably won't help IE users who are 
trying to download files from a protected context via HTTP.


This is a further irony, since cached SSL data is not as problematic. 
It's the plaintext data you want to purge, and that's precisely the data 
for which you have to permit caching because of the way IE is 
implemented. (However, it's possible that the IE check option is poorly 
worded. Perhaps it actually applies to any response for which the cache 
control headers are set to no-cache.)


-Mark
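As an added example (not code from the thread or from Tomcat), the Python below applies the RFC 2616 response directives to show who may keep a copy of a protected-context response under the default authenticator setting, under the `disableProxyCaching="false"` work-around shown above, and under the `securePagesWithPragma="false"` option that later Tomcat releases added (it sends `Cache-Control: private`, which lets the browser cache but not the intermediaries Mark is concerned about). The header sets are constructed to mirror the authenticator valve's documented behaviour, so confirm them against a captured response from your own release.

```python
"""Who may keep a copy of a Tomcat protected-context response?

Added example, not code from the thread or from Tomcat. The header sets in
POLICIES are constructed to mirror what the authenticator valve sends for a
protected context under each setting; verify against your own release.
"""

POLICIES = {
    # Default: disableProxyCaching="true" (Pragma + no-cache + expired).
    'default (disableProxyCaching="true")': [
        "Pragma: No-cache",
        "Cache-Control: no-cache",
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT",
    ],
    # The work-around in the thread: the valve sets no cache headers at all.
    'disableProxyCaching="false"': [],
    # Later Tomcat releases: securePagesWithPragma="false" sends "private".
    'securePagesWithPragma="false"': [
        "Cache-Control: private",
        "Expires: Thu, 01 Jan 1970 00:00:00 GMT",
    ],
}


def parse_headers(lines):
    """Turn 'Name: value' lines (for example from a captured response) into a
    lower-cased dict; repeated headers are joined with commas as HTTP allows."""
    headers = {}
    for line in lines:
        if ":" not in line:
            continue  # status line, blank line or junk
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = f"{headers[name]}, {value}" if name in headers else value
    return headers


def cache_control_directives(headers):
    """Cache-Control directive names, lower-cased, without '=...' arguments."""
    raw = headers.get("cache-control", "")
    return {d.strip().split("=", 1)[0].lower() for d in raw.split(",") if d.strip()}


def who_may_store(headers):
    """Return (browser_may_store, shared_cache_may_store).

    no-store forbids both; no-cache (Cache-Control or the HTTP/1.0 Pragma)
    demands revalidation before any reuse and is treated here as 'do not
    keep', which is how IE's encrypted-pages setting reacts to it; private
    allows only the user's own browser; no directive at all leaves both the
    browser and any HTTP intermediary free to cache."""
    cc = cache_control_directives(headers)
    if "no-store" in cc:
        return (False, False)
    if "no-cache" in cc or headers.get("pragma", "").lower() == "no-cache":
        return (False, False)
    if "private" in cc:
        return (True, False)
    return (True, True)


def audit(policies=POLICIES):
    """Evaluate every policy; returns {policy_name: (browser, shared_cache)}."""
    return {name: who_may_store(parse_headers(lines)) for name, lines in policies.items()}


if __name__ == "__main__":
    for name, (browser, shared) in audit().items():
        print(f"{name:40} browser={browser!s:5} shared cache={shared}")
```

Feed `parse_headers` the header lines of a real response (for example the output of `curl -I` against the protected URL) to see which of the three rows your server actually produces.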


Re: Tomcat, SSL, IE, and .pdf downloads

2005-06-07 Thread Mark Thomas
This seems to be a popular subject today. Try looking at 
http://marc.theaimsgroup.com/?l=tomcat-userm=111811136603781w=2


Mark

Panichi, Mary-Beth wrote:

Greetings ~

We're having issues downloading .pdf files in SSL.  I've been all over
the web trying to find solutions.  The issue appears to be interaction
between Tomcat and InternetExplorer.  IE appears to be corrupting the
pdf files.  There's an IE patch out there, but we've patched past that.
The fix that they list, to uncheck the "don't allow encrypted data to be
cached to disk" option, works, but it's a setting that for security reasons we
don't want to leave unchecked.

I've tried all manner of setting headers for cache-control, etc..  We're
dynamically generating the .pdf files, and streaming them to the jsp
page.   I've tried also saving the pdf's physically to the server and
then getting them, but that didn't work either.

Has anyone run into this issue?  Does anyone have a solution?  I've seen
lots of suggestions out there, but nothing that actually works.

Thanks!

Mary Beth Panichi





Re: Tomcat, SSL, IE, and .pdf downloads

2005-06-07 Thread Frank W. Zammetti
Ironically, I ran into this last week as well.

However, I was running my app on Websphere, and the cause (and solution)
was subtly different...

It is a Struts-based application.  I had the nocache RequestProcessor
setting in effect.  This caused PDF generation to fail under SSL, same as
the referenced issue.

Removing the setting resolved the issue, but I then had to create a quick
filter that would set the same cache headers the nocache setting does but
allows me to define a list of paths that they should NOT be set for.  So,
now everything in the app gets the cache headers set EXCEPT the three
paths accessed to generate PDFs, and life is good again.

The point is: be sure that it's not Tomcat setting the headers... and even
if it is and you turn that off, be sure they aren't getting set anywhere
else, like Struts, or some other app code.

-- 
Frank W. Zammetti
Founder and Chief Software Architect
Omnytex Technologies
http://www.omnytex.com

On Tue, June 7, 2005 2:46 pm, Mark Thomas said:
 This seems to be a popular subject today. Try looking at
 http://marc.theaimsgroup.com/?l=tomcat-userm=111811136603781w=2

 Mark




Re: Tomcat, SSL, IE, and .pdf downloads

2005-06-07 Thread Mark Leone
Mary-Beth, be advised that applying the fix in Tomcat is arguably the 
moral equivalent of what you said you didn't want to do (i.e., uncheck 
"don't allow encrypted data to be cached to disk" in IE). By inserting 
the valve that ensures that the cache-control headers are not set, 
you're not only permitting IE  to cache the response, but you're also 
permitting any HTTP intermediaries to do so. I wouldn't be concerned 
about the former (since the user can control the browser cache), but the 
latter can be an issue if you have HTTP intermediaries in the path and 
you don't want any copies of the response hanging around.


It would actually be more secure to just uncheck the setting in IE 
(since you indicated that works), and retain the no-cache behavior for 
the HTTP intermediaries; but that's probably unworkable from an interop 
standpoint. All IE users would have to configure their browser properly, 
or they will be told that your site is unavailable.


The unfortunate reality is that because one particular user agent (IE) 
is applying more restrictive caching behavior than is warranted by the 
spec, the server has to relax the caching behavior where it really needs 
to be restricted in many cases, if IE compatibility with default 
settings is to be maintained. There's an important lesson here, but I 
don't think the party that needs to learn it is listening.


-Mark

Mark Thomas wrote:

This seems to be a popular subject today. Try looking at 
http://marc.theaimsgroup.com/?l=tomcat-userm=111811136603781w=2


Mark




Re: Tomcat SSL Client Authentication

2005-04-27 Thread ohaya
Hi,

I believe that the clientAuth needs to be set to true in the
server.xml.

Jim



lercoli wrote:
 
 Hello
 
 I've configured Tomcat SSL Client Authentication with these settings:
 
 web.xml
 
 ...
 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Entire Application</web-resource-name>
     <url-pattern>/*</url-pattern>
     <http-method>GET</http-method>
     <http-method>POST</http-method>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>
 <login-config>
   <auth-method>CLIENT-CERT</auth-method>
 </login-config>
 ...
 
 server.xml
 
 ...
 <Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
   truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
 ...
 
 The client certificate (client.cer) is installed in my IE browser (version 
 6.0.28).
 
 When I invoke https://localhost:8443/myweapp, a window appears that asks me to 
 accept the server certificate.
 
 I accept and my webapp index page appears.
 
 So why don't I see a window for client authentication?
 
 And why do I have the same behaviour when I remove client.cer from my 
 browser?
 
 It seems that client certification doesn't work.
 
 Any help would be greatly appreciated.
 
 Thank You
 
 Luca Ercoli




Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Hi Jim

I've tried with clientAuth = true but server certificate window doesn't
appear and I get page not found error.




Re: Tomcat SSL Client Authentication

2005-04-27 Thread ohaya
Hi,

Sorry if that didn't help. 

Here's what I have in server.xml (I don't remember if I had to change
anything outside of server.xml to enable client authentication):

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector port="8443"
           className="org.apache.coyote.tomcat5.CoyoteConnector"
           maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="e:\tomcat\jakart~1.27\ssl\servercertificate.keystore"
           keystoreType="PKCS12"
           truststoreFile="C:\Documents and Settings\Administrator\.keystore"
           truststorePass="XXX"
           truststoreType="JKS"
/>

Jim

P.S.  When I was doing this (which was awhile ago), I didn't find any
way to get Tomcat to check for client cert revocations (i.e., CRL
checking).  I don't know if that has changed at all since then.


lercoli wrote:
 
 Hi Jim
 
 I've tried with clientAuth = true but server certificate window doesn't
 appear and I get page not found error.
 
 - Original Message -
 From: ohaya [EMAIL PROTECTED]
 To: Tomcat Users List tomcat-user@jakarta.apache.org
 Sent: Wednesday, April 27, 2005 12:49 PM
 Subject: Re: Tomcat SSL Client Authentication
 
  Hi,
 
  I believe that the clientAuth needs to be set to true in the
  server.xml.
 
  Jim
 
 
 
  lercoli wrote:
  
   Hello
  
   I've configured Tomcat SSL Client Authentication with these settings:
   
   web.xml
   
   ...
   <security-constraint>
     <web-resource-collection>
       <web-resource-name>Entire Application</web-resource-name>
       <url-pattern>/*</url-pattern>
       <http-method>GET</http-method>
       <http-method>POST</http-method>
     </web-resource-collection>
     <user-data-constraint>
       <transport-guarantee>CONFIDENTIAL</transport-guarantee>
     </user-data-constraint>
   </security-constraint>
   <login-config>
     <auth-method>CLIENT-CERT</auth-method>
   </login-config>
   ...
   
   server.xml
   
   ...
   <Connector port="8443" maxHttpHeaderSize="8192"
              maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
              enableLookups="false" disableUploadTimeout="true"
              acceptCount="100" scheme="https" secure="true"
              clientAuth="false" sslProtocol="TLS"
              keystoreFile="D:\jdk1.5.0_02\bin\keystore.jks" keystorePass="changeit"
              truststoreFile="D:\jdk1.5.0_02\bin\cacerts.jks" />
   ...
   
   The client certificate (client.cer) is installed in my IE browser (version 6.0.28).
   
   When I invoke https://localhost:8443/myweapp a window appears that asks me to accept the server certificate.
   
   I accept and my webapp index page appears.
   
   So why don't I see a window for client authentication?
   
   And why do I have the same behaviour also when I remove the client.cer from my browser?
  
   It seems that client-certification doesn't work.
  
   Any help would be greatly appreciated.
  
   Thank You
  
   Luca Ercoli
 
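Before restarting Tomcat with clientAuth="true" it is worth confirming offline that the browser's certificate actually chains to a CA in the connector's truststoreFile. A client certificate that does not chain is rejected inside the TLS handshake, before any HTTP response exists, so the browser shows a generic connection error rather than a certificate prompt, which is the symptom this thread is chasing. The program below is an added example written for this page, not code from the thread or from Tomcat. It assumes the exported client certificate (client.cer, DER or PEM) and the truststore path, password and type are given on the command line, and it applies the same PKIX rules the JSSE trust manager applies during the handshake.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.CertPathValidatorException;
import java.security.cert.CertificateFactory;
import java.security.cert.PKIXParameters;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.List;

/** Added example: does a client certificate chain to a CA in Tomcat's truststore? */
public class ClientCertTrustCheck {

    /** Load a JKS/PKCS12 store the way the connector's truststoreFile/truststorePass do. */
    static KeyStore loadStore(String path, String password, String type) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, password.toCharArray());
        }
        return ks;
    }

    /** Read one or more certificates (DER or PEM) from a file; the first is the end-entity cert. */
    static List<X509Certificate> readCerts(String path) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> certs = new ArrayList<>();
        try (InputStream in = new FileInputStream(path)) {
            for (java.security.cert.Certificate c : cf.generateCertificates(in)) {
                certs.add((X509Certificate) c);
            }
        }
        return certs;
    }

    /**
     * Returns null when the chain validates against a trust anchor in the truststore,
     * otherwise the validator's reason. Revocation checking is switched off because the
     * connector shown in this thread has no CRL configured either (see Jim's P.S. above).
     */
    static String validate(List<X509Certificate> chain, KeyStore trustStore) throws Exception {
        CertPath path = CertificateFactory.getInstance("X.509").generateCertPath(chain);
        PKIXParameters params = new PKIXParameters(trustStore);
        params.setRevocationEnabled(false);
        try {
            CertPathValidator.getInstance("PKIX").validate(path, params);
            return null;
        } catch (CertPathValidatorException e) {
            return e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: ClientCertTrustCheck client.cer truststoreFile truststorePass [JKS|PKCS12]");
            System.exit(2);
        }
        List<X509Certificate> chain = readCerts(args[0]);
        KeyStore trust = loadStore(args[1], args[2], args.length > 3 ? args[3] : "JKS");
        X509Certificate leaf = chain.get(0);
        System.out.println("subject: " + leaf.getSubjectX500Principal());
        System.out.println("issuer:  " + leaf.getIssuerX500Principal());
        String problem = validate(chain, trust);
        if (problem == null) {
            System.out.println("OK: chains to a trusted CA; clientAuth=\"true\" should accept it");
        } else {
            System.out.println("REJECTED: " + problem);
            System.out.println("add the issuing CA (and any intermediate) to " + args[1]);
        }
        System.exit(problem == null ? 0 : 1);
    }
}
```

If the client certificate was issued through an intermediate CA, either import the intermediate into the truststore as well or put it into client.cer after the end-entity certificate; the JDK cacerts file that the connector above points at contains only public root CAs, so a certificate from a private CA will be reported as rejected until that CA is added.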



Re: Tomcat SSL Client Authentication

2005-04-27 Thread Darryl Wilburn
What version of TC? I've read something about configuring the HTTPS connector to perform SSL client certificate authorization. I agree with Jim: in server.xml, clientAuth should be set to true. That is the correct setting; if you get a page not found, that doesn't mean the cert didn't work... Also, the name on the client cert must be exactly the same as the one in the user database. I've also read that you don't need any security-constraints to use CLIENT-CERT unless you're also using a separate Realm.

DW

--- lercoli [EMAIL PROTECTED] wrote:
 Hi Jim
 
 I've tried with clientAuth = true but server
 certificate window doesn't
 appear and I get page not found error.
 
 - Original Message - 
 From: ohaya [EMAIL PROTECTED]
 To: Tomcat Users List
 tomcat-user@jakarta.apache.org
 Sent: Wednesday, April 27, 2005 12:49 PM
 Subject: Re: Tomcat SSL Client Authentication
 
 
  Hi,
 
  I believe that the clientAuth needs to be set to
 true in the
  server.xml.
 
  Jim
 
 
 



Re: Tomcat SSL Client Authentication

2005-04-27 Thread lercoli
Tomcat version 5.5.9 (JDK 1.5.0_02 and Windows 2000 Professional).

Client certificate username is a tomcat user (with which I've already
successfully tested in DIGEST authentication).

The strange thing is that when I set clientAuth to true I never see the alert window of the server certificate (while it does appear with clientAuth = false).

- Original Message - 
From: Darryl Wilburn [EMAIL PROTECTED]
To: Tomcat Users List tomcat-user@jakarta.apache.org
Sent: Wednesday, April 27, 2005 3:55 PM
Subject: Re: Tomcat SSL Client Authentication


 What version of TC? I've read something about configuring the HTTPS connector to perform SSL client certificate authorization. I agree with Jim: in server.xml, clientAuth should be set to true. That is the correct setting; if you get a page not found, that doesn't mean the cert didn't work... Also, the name on the client cert must be exactly the same as the one in the user database. I've also read that you don't need any security-constraints to use CLIENT-CERT unless you're also using a separate Realm.

 DW

 --- lercoli [EMAIL PROTECTED] wrote:
  Hi Jim
 
  I've tried with clientAuth = true but server
  certificate window doesn't
  appear and I get page not found error.
 
  - Original Message - 
  From: ohaya [EMAIL PROTECTED]
  To: Tomcat Users List
  tomcat-user@jakarta.apache.org
  Sent: Wednesday, April 27, 2005 12:49 PM
  Subject: Re: Tomcat SSL Client Authentication
 
 
   Hi,
  
   I believe that the clientAuth needs to be set to
  true in the
   server.xml.
  
   Jim
  
  
  



RE: tomcat ssl configuration

2005-04-07 Thread Mustafa BLKBA
No, I created it with the user which I installed tomcat on the machine with; does it make a difference?

-Original Message-
From: James T. Studebaker [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, April 05, 2005 5:00 AM
To: Tomcat Users List
Subject: Re: tomcat ssl configuration

Did you create the keystore while logged on as the root user?


Thank you
James T. Studebaker

- Original Message - 
From: Mustafa BLKBA [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Monday, April 04, 2005 8:24 AM
Subject: tomcat ssl configuration


I use tomcat 5.0.28 on linux, my j2se version is 1.4.02. I did all the steps
in the document which is on this link but it's not working. Is there anybody
who can help me with this issue?



Thanx,

Mustafa.








Re: tomcat ssl configuration

2005-04-04 Thread Anto Paul
On Apr 4, 2005 6:06 PM, Mustafa BLKBA [EMAIL PROTECTED] wrote:
 I use tomcat 5.0.28 on linux, my j2se version is 1.4.02. I did all the steps 
 in the document which is on this link 
 http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html but it's not 
 working. Is there anybody who can help me with this issue?
 
 Thanx,
 
 Mustafa.
 
 

You will get some error messages if it is not working. Post the error
messages. Then somebody can help. The log files are located in
CATALINA_HOME/logs directory.
-- 
Anto Paul
www.benchmarksoft.com




RE: Tomcat SSL Issues

2005-04-04 Thread Pandey, Abhimanyu
Look at your java.security file

Also which version of java are you using?  Baltimore is working with
java 1.3.1 not 1.4 so maybe that is a problem.

 


Ap

 
...the journey IS the destination...

-Original Message-
From: LGM [mailto:[EMAIL PROTECTED] 
Sent: Friday, April 01, 2005 2:17 PM
To: tomcat-user@jakarta.apache.org
Subject: Tomcat  SSL Issues

Hello List,

I am trying to configure tomcat for SSL on Red Hat 8.0 and I run the
keytool script to obtain a CSR for my Certificate Authority. I am
getting the following error:

#$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias tomcat -file
/root/certreq.csr

keytool error: java.security.cert.CertificateException: Error decoding
X.509 certificate: com.baltimore.jcrypto.coders.CoderException:
com.baltimore.jcrypto.asn1.ASN1Integer;
com.baltimore.jcrypto.asn1.ASN1Exception:
com.baltimore.jcrypto.asn1.ASN1Integer; java.lang.ClassCastException:
com.baltimore.jcrypto.asn1.ASN1Integer

Does anyone have any ideas what's going on here? Thanks in advance!!

Luciano M.




Re: tomcat ssl configuration

2005-04-04 Thread James T. Studebaker
Did you create the keystore while logged on as the root user?


Thank you
James T. Studebaker

- Original Message - 
From: Mustafa BLKBA [EMAIL PROTECTED]
To: tomcat-user@jakarta.apache.org
Sent: Monday, April 04, 2005 8:24 AM
Subject: tomcat ssl configuration


I use tomcat 5.0.28 on linux, my j2se version is 1.4.02. I did all the steps
in the document which is on this link but it's not working. Is there anybody
who can help me with this issue?



Thanx,

Mustafa.








Re: Tomcat SSL.

2005-02-27 Thread Omar Adobati
take a look here: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/ssl-howto.html


On Sun, 27 Feb 2005 13:58:45 -0800 (PST), deepak suldhal
[EMAIL PROTECTED] wrote:
 Hi
   I am using Tomcat 5.0.28, I need to have ssl
 configured, What are the steps in getting this.
 
 Any document and help is appreciated.
 
 Thanks
 
 
 


-- 
Adobati Omar
[EMAIL PROTECTED]




Re: tomcat + SSL, apache

2005-02-14 Thread Wouter Boers
Don't think so. Apache takes on the connection and therefore is in charge of the SSL handshake. So you will have to configure apache to support SSL.

The only way to make tomcat handle the handshake is to make it directly available to the browser. But I guess you already kind of suspected it :)

Regards, Wouter


On Mon, 14 Feb 2005 15:25:59 +0200, Laurentiu Vasiescu
[EMAIL PROTECTED] wrote:
  
 Is there any way to have the Tomcat with SSL and a front-end Apache, wich
 should only serve as a interface between client and tomcat? 
 I mean tomcat should serve the certificates and do all the ssl, apache only
 to redirect traffic to it. 
 thanks. 
  
   


-- 
Regards, Wouter Boers
business: http://www.abcdarium.nl
personal: http://www.ikke.net




Re: tomcat + SSL, apache

2005-02-14 Thread Jason Bainbridge
On Mon, 14 Feb 2005 15:25:59 +0200, Laurentiu Vasiescu
[EMAIL PROTECTED] wrote:
  
 Is there any way to have the Tomcat with SSL and a front-end Apache, wich
 should only serve as a interface between client and tomcat? 
 I mean tomcat should serve the certificates and do all the ssl, apache only
 to redirect traffic to it. 
 thanks. 

Google for configuring Apache as a Forward Proxy, I think that
should do what you want but not 100% sure.

Regards,
-- 
Jason Bainbridge
KDE - Conquer Your Desktop - http://kde.org
KDE Web Team - [EMAIL PROTECTED]




RE: tomcat + SSL, apache

2005-02-14 Thread Didier McGillis
Actually I believe it's the opposite. Apache serves the certificate; the communication between Tomcat and Apache shouldn't be public anyway.

From: Laurentiu Vasiescu [EMAIL PROTECTED]
Reply-To: Tomcat Users List tomcat-user@jakarta.apache.org
To: tomcat-user@jakarta.apache.org
Subject: tomcat + SSL, apache Date: Mon, 14 Feb 2005 15:25:59 +0200
Is there any way to have the Tomcat with SSL and a front-end Apache, wich 
should only serve as a interface between client and tomcat?
I mean tomcat should serve the certificates and do all the ssl, apache only 
to redirect traffic to it.
thanks.



Re: tomcat + SSL, apache

2005-02-14 Thread Mladen Turk
Didier McGillis wrote:
Actually I believe it's the opposite. Apache serves the certificate; the communication between Tomcat and Apache shouldn't be public anyway.

Apache makes the SSL handshake and passes any client certificate to
Tomcat. Any servlet sees that like it came directly from Tomcat.
Communication between apache and tomcat is not encrypted,
so if you are concerned about the security, put the apache on the
box with two NIC cards, and use the second for the
apache-tomcat communication.
AJP14 protocol will have encryption embedded, so until then :).
Mladen.
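To show what the servlet side sees once a client certificate has been negotiated, here is an added example written for this page (not code from the thread or from Tomcat): a small servlet that reads the certificate chain Tomcat exposes as the request attribute javax.servlet.request.X509Certificate and authorizes the caller by the subject CN. It serves both deployments discussed on this page: Tomcat terminating SSL itself with clientAuth="true" on the 8443 connector, as in the "Tomcat SSL Client Authentication" thread above, and Apache in front forwarding the client certificate over AJP, where, as Mladen says, the servlet sees the same attribute. KNOWN_USERS is a constructed stand-in for a real user registry. Note that Tomcat's own CLIENT-CERT authenticator, which that thread's web.xml enables, hands the realm the full subject DN as the username rather than the CN, so a tomcat-users.xml entry has to carry the whole DN string.

```java
import java.io.IOException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: authorize a request by the client certificate the connector negotiated. */
public class ClientCertServlet extends HttpServlet {

    /** Constructed stand-in for a user registry: CNs of the certificates that are enrolled. */
    private static final Set<String> KNOWN_USERS = new HashSet<>(Arrays.asList("luca", "tomcat"));

    /** Attribute name defined by the Servlet specification; Tomcat fills it for HTTPS and AJP. */
    static final String CERT_ATTR = "javax.servlet.request.X509Certificate";

    /** CN from the subject DN, or null when the DN carries no CN. */
    static String commonName(X509Certificate cert) {
        try {
            for (Rdn rdn : new LdapName(cert.getSubjectX500Principal().getName()).getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    return rdn.getValue().toString();
                }
            }
        } catch (InvalidNameException e) {
            // Not an LDAP-parsable DN; treat as having no CN.
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // chain[0] is the end-entity certificate; issuers follow if the client sent them.
        X509Certificate[] chain = (X509Certificate[]) req.getAttribute(CERT_ATTR);

        // Both checks matter: isSecure() is false on a plain-HTTP connector, and the attribute
        // is null when the connector ran with clientAuth="false" and never asked for a cert.
        if (!req.isSecure() || chain == null || chain.length == 0) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "client certificate required");
            return;
        }

        X509Certificate leaf = chain[0];
        String cn = commonName(leaf);
        if (cn == null || !KNOWN_USERS.contains(cn)) {
            // The connector already verified the chain against truststoreFile; this is the
            // application-level decision of whether that subject may use the resource.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "certificate subject not enrolled");
            return;
        }

        resp.setContentType("text/plain");
        resp.getWriter().println("Hello " + cn
                + "; issuer=" + leaf.getIssuerX500Principal().getName()
                + "; serial=" + leaf.getSerialNumber().toString(16)
                + "; notAfter=" + leaf.getNotAfter());
    }
}
```

Map the servlet in web.xml as usual; because the connector (or Apache, in the AJP case) has already validated the chain, the servlet only decides whether the verified subject is allowed in, which is also where a revocation list could be consulted until the connector does it.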


RE: tomcat, SSL and multiple urls

2004-05-12 Thread Shane Linley
The SSL protocol demands that the domain recorded within the SSL certificate is the same as the domain through which the SSL connection is obtained. Otherwise the SSL connection negotiation will fail. This is to avoid the nastiness of hijacking and whatnot. To use the 2 different domains that you have you will need 2 different SSL certificates, taking into account the limitations in the web server et al. to handle multiple SSL certificates for different domains etc.

My memory is a little fuzzy on this area as it's been a while since I've had to think about it, so take some salt with this :)

Alternatively, if you had a redirector or load balancer of some kind sitting in front of your web server you could have an SSL certificate bound to a more generic domain like www.myserver.net, and have the redirector/balancer dish out the requests to www.myserver1.net and www.myserver2.net while still supporting SSL. I don't know how Tomcat's load balancing works with SSL...

But then I'm not a network architect either... so more salt..

Regards,
Shane.


-Original Message-
From: ian [mailto:[EMAIL PROTECTED]
Sent: Wednesday, 12 May 2004 2:41 PM
To: 'Tomcat Users List'
Subject: tomcat, SSL and multiple urls


Hi. Is it possible for tomcat to have multiple domain names connecting
thru SSL? For example, my tomcat-5.0.19 is hosted on a server with
202.10.11.12 as its public IP. This IP can be accessed thru either
www.myserver1.net or www.myserver2.net. All connections can only go thru
SSL (https). Is this possible? If so, how do I configure tomcat's
keystore?
Thanks in advance.

- ian







RE: tomcat, SSL and multiple urls

2004-05-12 Thread ian
This setup is actually not for load balancing. We just had a bad experience yesterday wherein a supposed world-class data center here failed to pay their bills, resulting in the forfeiture of their registration for their domain names, 2 of which were ours. Because of this our services were inaccessible to all our clients. To prevent another event like this, I was thinking of having another domain name for our server hosted on a different DNS. I'm just not sure whether tomcat can handle multiple SSL certificates. If so, how do I configure it?
Thanks for your reply.

- ian


-Original Message-
From: Shane Linley [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, May 12, 2004 2:53 PM
To: Tomcat Users List
Subject: RE: tomcat, SSL and multiple urls

The SSL protocol demands that the domain recorded within the SSL certificate is the same as the domain through which the SSL connection is obtained. Otherwise the SSL connection negotiation will fail. This is to avoid the nastiness of hijacking and whatnot. To use the 2 different domains that you have you will need 2 different SSL certificates, taking into account the limitations in the web server et al. to handle multiple SSL certificates for different domains etc.

My memory is a little fuzzy on this area as it's been a while since I've had to think about it, so take some salt with this :)

Alternatively, if you had a redirector or load balancer of some kind sitting in front of your web server you could have an SSL certificate bound to a more generic domain like www.myserver.net, and have the redirector/balancer dish out the requests to www.myserver1.net and www.myserver2.net while still supporting SSL. I don't know how Tomcat's load balancing works with SSL...

But then I'm not a network architect either... so more salt..

Regards,
Shane.



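What ian asks for can be checked before touching server.xml. A Tomcat connector of that era presents a single certificate per port, so both hostnames have to be covered by that one certificate, which a certificate does through subjectAltName dNSName entries (or, for old clients only, the CN); the hostname rule Shane describes is applied by the browser against those names. The program below is an added example written for this page, not code from the thread or from Tomcat. It opens the keystore the connector points at and reports whether the certificate under the given alias matches each expected hostname; EXPECTED holds the two names from ian's message and is the only assumption.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

/** Added example: which hostnames does the certificate in Tomcat's keystore actually cover? */
public class KeystoreHostnameCheck {

    /** Hostnames the server is reached through (taken from ian's question; constructed input). */
    static final String[] EXPECTED = { "www.myserver1.net", "www.myserver2.net" };

    /** Every DNS name the certificate presents: SAN dNSName entries, or the CN as legacy fallback. */
    static List<String> dnsNames(X509Certificate cert) throws Exception {
        List<String> names = new ArrayList<>();
        Collection<List<?>> sans = cert.getSubjectAlternativeNames();
        if (sans != null) {
            for (List<?> san : sans) {
                if (((Integer) san.get(0)) == 2) { // GeneralName type 2 = dNSName
                    names.add((String) san.get(1));
                }
            }
        }
        if (names.isEmpty()) {
            // Only consulted when there is no SAN at all, mirroring how clients fall back to CN.
            LdapName dn = new LdapName(cert.getSubjectX500Principal().getName());
            for (Rdn rdn : dn.getRdns()) {
                if ("CN".equalsIgnoreCase(rdn.getType())) {
                    names.add(rdn.getValue().toString());
                }
            }
        }
        return names;
    }

    /** Case-insensitive match; a leading "*." wildcard covers exactly one label. */
    static boolean matches(String pattern, String host) {
        pattern = pattern.toLowerCase();
        host = host.toLowerCase();
        if (pattern.startsWith("*.")) {
            int dot = host.indexOf('.');
            return dot > 0 && host.substring(dot + 1).equals(pattern.substring(2));
        }
        return pattern.equals(host);
    }

    /** True when at least one certificate name matches the host. */
    static boolean covers(List<String> names, String host) {
        for (String n : names) {
            if (matches(n, host)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 3) {
            System.err.println("usage: KeystoreHostnameCheck keystoreFile keystorePass alias [JKS|PKCS12]");
            System.exit(2);
        }
        KeyStore ks = KeyStore.getInstance(args.length > 3 ? args[3] : "JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }
        Certificate c = ks.getCertificate(args[2]);
        if (!(c instanceof X509Certificate)) {
            System.err.println("no X.509 certificate under alias " + args[2]);
            System.exit(2);
        }
        List<String> names = dnsNames((X509Certificate) c);
        System.out.println("names in certificate: " + names);
        boolean allCovered = true;
        for (String host : EXPECTED) {
            boolean ok = covers(names, host);
            System.out.println((ok ? "OK   " : "MISS ") + host);
            allCovered &= ok;
        }
        System.exit(allCovered ? 0 : 1);
    }
}
```

Run it against the keystoreFile and alias (Tomcat's default alias is "tomcat") that the 8443 connector uses; a MISS line for the second hostname means browsers reaching the server through that name will get the hostname-mismatch warning Shane describes, regardless of how the DNS for it is hosted.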



Re: Tomcat SSL ... more

2003-11-06 Thread Mark W. Webb
Hart, Justin wrote:

Is there a way to use SSL in tomcat without having to type the password to your keystore in plaintext in the server.conf file?

Justin

 

You could write a C program to prompt for the password, and then use the Invocation API to launch an embedded version of Tomcat, thereby passing the password to the Java class. This way, the password does not appear on the process list either.



Re: Tomcat SSL ... more

2003-11-06 Thread Bill Barker
TC 3.3 has the PasswordPrompter add-in for this purpose. I had thought that once upon a time someone had written something similar for TC 4, but I've lost track of it.

Hart, Justin [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Is there a way to use SSL in tomcat without having to type the password to
your keystore in plaintext in the server.conf file?

Justin







Re: Tomcat + SSL

2003-10-03 Thread Christopher Williams
Change keystrokeFile to keystoreFile and keystrokePass to
keystorePass.

Chris.






Re: Tomcat + SSL

2003-10-03 Thread Honza Spurn
Ouch! Thanks, this was a really stupid mistake. Thanks for that.

Honza S.


Christopher Williams wrote:
 Change keystrokeFile to keystoreFile and keystrokePass to
 keystorePass.
 
 Chris.
 
 
 



Re: Tomcat SSL issues and looking for an expert

2003-09-15 Thread Randy Carpenter

Any ideas as to when 4.1.28 will be out?

Also, on my second question... still looking for an 'expert.' My customer 
wants someone with experience in using Tomcat in a largescale environment 
(1-2 million hits per day). There is a possibility of this being short 
term contract deal.

thanks,

-Randy

-- 

| Randy Carpenter http://www.rune.net
| The Rune Network Wapakoneta, OH
-

On Thu, 11 Sep 2003, Bill Barker wrote:

 Date: Thu, 11 Sep 2003 21:20:11 -0700
 From: Bill Barker [EMAIL PROTECTED]
 Reply-To: Tomcat Users List [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Subject: Re: Tomcat SSL issues and looking for an expert
 
 Without more details, I'm guessing the problem with the SSL standalone
 configuration is the same as
 http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21763.
 
 Fronting Tomcat with Apache avoids the bug above, but as anyone who has been
 on this list at least a day knows, it comes with its own worm-can ;-).
 
 Randy Carpenter [EMAIL PROTECTED] wrote in message
 news:[EMAIL PROTECTED]
 
  I have a customer who is running Tomcat 4.1.27. We have been having a
  problem when using SSL (running the site on port 443). Periodically the
  server will stop responding on 443, but not on port 80. Restarting the
  Tomcat server is required to restore functionality.
 
  We are also looking at the possibility of using the standard Apache HTTP
  server as a front-end, and using tomcat as a JSP backend server.
 
  I have been asked to try to find someone, an expert at Tomcat, that
  could help out my customer in planning their implementation, and possibly
  figuring out the SSL hanging issue in the meantime. Is there anyone that
  may be able to help?
 
  Specs:
 
  Tomcat 4.1.27, Sun JDK 1.4.2, Red Hat Linux 9
 
  thanks,
  Randy
 
 
 
 



RE: Tomcat SSL issues and looking for an expert

2003-09-15 Thread Mike Curwen
The SSL thing seemed to tickle my memory:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=17323

If Randy wants to inspect his logs and try out the steps outlined in the
bug report, we can make sure this bug is good and dead.



 -Original Message-
 From: Randy Carpenter [mailto:[EMAIL PROTECTED] 
 Sent: Monday, September 15, 2003 1:47 PM
 To: Tomcat Users List
 Subject: Re: Tomcat SSL issues and looking for an expert
 
 
 
 Any ideas as to when 4.1.28 will be out?
 
 Also, on my second question... still looking for an 'expert.' 
 My customer 
 wants someone with experience in using Tomcat in a largescale 
 environment 
 (1-2 million hits per day). There is a possibility of this 
 being short 
 term contract deal.
 
 thanks,
 
 -Randy
 



Re: Tomcat SSL

2003-09-11 Thread Tim Funk
FAQ

http://jakarta.apache.org/tomcat/faq/security.html#https

-Tim

Luc Foisy wrote:

How do I enforce SSL on any given page?





RE: Tomcat SSL

2003-09-11 Thread Luc Foisy
Ugh. That tells me that I can make a whole context forced to SSL by putting the URL path in there.
So if I want to enforce any one particular page (or multiples) I would have to put each and every one in there?
Is there not anything I could add to the jsp file itself to do this?

-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 11:23 AM
To: Tomcat Users List
Subject: Re: Tomcat SSL


FAQ

http://jakarta.apache.org/tomcat/faq/security.html#https

-Tim

Luc Foisy wrote:

 How do I enforce SSL on any given page?
 






Re: Tomcat SSL

2003-09-11 Thread Tim Funk
Yes, but kludgy:
<%
if (!request.isSecure()) {
    String qs = "";
    if (null != request.getQueryString())
        qs = "?" + request.getQueryString();
    response.sendRedirect("https://" +
        request.getServerName() +
        request.getRequestURI() +
        qs
    );
    return;
}
%>
-Tim

Luc Foisy wrote:

Ugh. That tells me that I can make a whole context forced to SSL by putting the URL path in there.
So if I want to enforce any one particular page (or multiples) I would have to put each and every one in there?
Is there not anything I could add to the jsp file itself to do this?
-Original Message-
From: Tim Funk [mailto:[EMAIL PROTECTED]
Sent: Thursday, September 11, 2003 11:23 AM
To: Tomcat Users List
Subject: Re: Tomcat SSL
FAQ

http://jakarta.apache.org/tomcat/faq/security.html#https

-Tim

Luc Foisy wrote:


How do I enforce SSL on any given page?





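The scriptlet above works one page at a time, hand-builds the redirect and silently assumes HTTPS runs on 443. As an added example written for this page (not code from the thread or from Tomcat), here is the same check as a servlet Filter: mapped in web.xml to whatever url-patterns need protecting, it covers any number of pages without editing them. The httpsPort init-param name is an assumption of this example. It relies on request.isSecure(), which Tomcat derives from the connector's secure="true" attribute, so behind Apache the AJP connector must carry that flag as well. Requests with a body are refused rather than redirected, because a redirect would make the browser retry as GET and drop the body.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example: send plain-HTTP requests for the mapped URLs to their HTTPS equivalent. */
public class RequireHttpsFilter implements Filter {

    private int httpsPort = 8443; // overridden by the (assumed) init-param "httpsPort"

    @Override
    public void init(FilterConfig cfg) {
        String p = cfg.getInitParameter("httpsPort");
        if (p != null) {
            httpsPort = Integer.parseInt(p.trim());
        }
    }

    /** https:// URL for the same host, path and query; omits the port when it is the default 443. */
    static String httpsUrl(String host, int port, String uri, String query) {
        StringBuilder sb = new StringBuilder("https://").append(host);
        if (port != 443) {
            sb.append(':').append(port);
        }
        sb.append(uri);
        if (query != null) {
            sb.append('?').append(query);
        }
        return sb.toString();
    }

    @Override
    public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest req = (HttpServletRequest) request;
        HttpServletResponse resp = (HttpServletResponse) response;

        // isSecure() is what the connector's secure="true" attribute feeds: false on a plain
        // 8080 connector, true on the 8443 connector or on an AJP connector flagged secure.
        if (req.isSecure()) {
            chain.doFilter(request, response);
            return;
        }

        String method = req.getMethod();
        if (!"GET".equals(method) && !"HEAD".equals(method)) {
            // A redirect makes the browser retry as GET and drops the body, so a POST that
            // arrived in the clear is refused outright instead of being silently resubmitted.
            resp.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }

        resp.setStatus(HttpServletResponse.SC_MOVED_PERMANENTLY);
        resp.setHeader("Location",
                httpsUrl(req.getServerName(), httpsPort, req.getRequestURI(), req.getQueryString()));
    }

    @Override
    public void destroy() {
    }
}
```

Declare it in web.xml with a filter element naming this class and one filter-mapping per url-pattern (for example /secure/*), which is the same granularity the FAQ's security-constraint offers, but the filter also gets the redirect right for every page under the pattern instead of requiring the scriptlet in each JSP.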


Re: Tomcat SSL issues and looking for an expert

2003-09-11 Thread Bill Barker
Without more details, I'm guessing the problem with the SSL standalone
configuration is the same as
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21763.

Fronting Tomcat with Apache avoids the bug above, but as anyone who has been
on this list at least a day knows, it comes with its own worm-can ;-).

Randy Carpenter [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]

 I have a customer who is running Tomcat 4.1.27. We have been having a
 problem when using SSL (running the site on port 443). Periodically the
 server will stop responding on 443, but not on port 80. Restarting the
 Tomcat server is required to restore functionality.

 We are also looking at the possibility of using the standard Apache HTTP
 server as a front-end, and using tomcat as a JSP backend server.

 I have been asked to try to find someone, an expert at Tomcat, that
 could help out my customer in planning their implementation, and possibly
 figuring out the SSL hanging issue in the meantime. Is there anyone that
 may be able to help?

 Specs:

 Tomcat 4.1.27, Sun JDK 1.4.2, Red Hat Linux 9

 thanks,
 Randy







RE: Tomcat SSL client authentication problem with Internet Explore

2003-08-22 Thread Ratón Lacarcel, Antonio
Hi again...

CA cert is installed in MSIE's root certificates (also in  Mozilla root certificates) 
but the box is still empty.

Any idea?

Thank you!!!

-Original Message-
From: Bill Barker [mailto:[EMAIL PROTECTED]
Sent: Friday, 22 August 2003 6:17
To: [EMAIL PROTECTED]
Subject: Re: Tomcat SSL client authentication problem with Internet Explore


I'm guessing that you didn't install your CA's cert in MSIE's root
certificates.  Since Tomcat will ask for certs signed by your CA, if MSIE
can't find any (that it can verify the chain with), you get an empty box.






Re: Tomcat SSL client authentication problem with Internet Explore

2003-08-21 Thread Bill Barker
I'm guessing that you didn't install your CA's cert in MSIE's root
certificates.  Since Tomcat will ask for certs signed by your CA, if MSIE
can't find any (that it can verify the chain with), you get an empty box.

Ratón Lacarcel, Antonio [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
Hi!

I have a problem with Tomcat 4.0.6 and SSL client authentication. When I use
the Internet Explorer browser (v6.0) and I try to access the secure URL (for
example https://whatever:8043), an empty list of certificates is presented.
However, if I use Mozilla 1.4 or Netscape  4.76, the client certificates are
presented and the secure pages are available.

The following environment is used:

 + jdk1.3.1_08
 + Microsoft Certificate Server
 + Tomcat 4.0.6

My server.xml file has the following element:

  <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
             port="8443" minProcessors="5" maxProcessors="75"
             enableLookups="true"
             acceptCount="10" debug="3" scheme="https" secure="true"
             connectionTimeout="2"
             useURIValidationHack="false">
    <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
             clientAuth="true"
             keystoreFile="C:\Documents and Settings\araton\.keystore"
             keystorePass="changeit" protocol="TLS"/>
  </Connector>

I have also created the keystores and the cacerts (for trusted certificates)
files. Tomcat also finds the cacerts file because I've added the following
parameters in the Tomcat environment variables (and because I've seen it in
the debug console):
-Djavax.net.ssl.trustStore=c:\path_to_cacerts\cacerts
-Djavax.net.ssl.trustStorePassword=changeit

I have defined my own CA, my server-tomcat certificate signed by the CA and
in order to create the client certificates, I've used the Certificate Server
web tool, asking for a web certificate using each browser
(Netscape-IE-Mozilla) and installing the client certificate from the
browser.

Could you help me please?

If more info is needed, please tell me and I will try to explain the
problem in more detail.

Thanks in advance and sorry if my English is too simple...

Antonio Ratón

---
Outgoing mail is certified Virus Free.
Checked by AVG anti-virus system (http://www.grisoft.com).
Version: 6.0.511 / Virus Database: 308 - Release Date: 18/08/2003


---
Este correo electrónico y, en su caso, cualquier fichero anexo al mismo,
contiene información de carácter confidencial exclusivamente dirigida a su
destinatario o destinatarios. Queda prohibida su divulgación, copia o
distribución a terceros sin la previa autorización escrita de Indra. En el
caso de haber recibido este correo electrónico por error, se ruega notificar
inmediatamente esta circunstancia mediante reenvío a la dirección
electrónica del remitente.

The information in this e-mail and in any attachments is confidential and
solely for the attention and use of the named addressee(s). You are hereby
notified that any dissemination, distribution or copy of this communication
is prohibited without the prior written consent of Indra. If you have
received this communication in error, please, notify the sender by reply
e-mail







Re: Tomcat: SSL client authentication

2003-07-26 Thread Bill Barker
You can't generally use a self-signed client cert with JSSE (you can
configure PureTLS to accept it, but another bug means that you'd have to
wait for 4.1.26).  The work-around is way too much trouble for the sysadmin,
and I don't feel like being an enabler for a truly hideous design.  So,
you'll just have to read the JSSE docs for yourself ;-).

If you need to issue your own client-certs, I'd suggest setting up your own
CA (with OpenSSL or otherwise), and importing your CA's cert into cacerts.  You
can then hand out client certs, and Tomcat will accept them.

Dmitry S.Rogulin [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]
 Hello all,

 Sorry for the previous e-mail. %)

 This theme was discussed about a month ago. I tried to use what I've
 found but I'm still having a problem...

 I'm trying to do SSL client authentication with Tomcat 4.1.18
(clientAuth=true).

 1. I've generated a client certificate using keytool:
   keytool -genkey -alias tomcat-cl -keyalg RSA -keystore client.keystore

 2. Then I created a Certificate Signing Request:
   keytool -certreq -keyalg RSA -alias tomcat-cl -file certreq.csr -keystore client.keystore

 3. I sent it to the CA and got a signed certificate and the CA Certificate.
 4. I imported them into the client keystore:
   keytool -import -alias root -keystore client.keystore -file cacert
   keytool -import -alias tomcat-cl -keystore client.keystore -file usercert

 5. I exported the server certificate and imported it as a trusted
 certificate into the trusted keystore:
   keytool -import -trustcacerts -alias tomcat -file server.cer -keystore trust.keystore

 6. I imported the CA Certificate into \jre\lib\security\cacerts :
   keytool -import -file cacert -keystore %java_home%\jre\lib\security\cacerts -storepass changeit

   I'm running Tomcat and test client on the same machine.
   Server keystore: %USERHOME%\.keystore
   Client keystore: %USERHOME%\client.keystore
   Client trusted keystore: %USERHOME%\trust.keystore

   Test Client:
 
 import java.net.*;
 import java.io.*;
 import java.util.*;
 import java.security.*;
 import javax.net.ssl.*;

 public class SimpleClient {

     public static void main(String[] args) {
         // trust store holding the server certificate (step 5)
         System.setProperty("javax.net.ssl.trustStore",
             System.getProperty("user.home") + File.separator + "trust.keystore");

         // key store holding the CA-signed client certificate (steps 1-4)
         System.setProperty("javax.net.ssl.keyStore",
             System.getProperty("user.home") + File.separator + "client.keystore");
         System.setProperty("javax.net.ssl.keyStorePassword", "changeit");

         InputStream is = null;
         OutputStream os = new ByteArrayOutputStream();

         try {
             URL url = new URL("https://localhost:8443/readme.txt");

             try {
                 is = url.openStream();

                 byte[] buffer = new byte[4096];
                 int bytes_read;
                 while ((bytes_read = is.read(buffer)) != -1)
                     os.write(buffer, 0, bytes_read);

                 System.out.println(os.toString());

             } catch (Exception e) { e.printStackTrace(); }
             finally {
                 try {
                     if (is != null) is.close();   // is stays null if openStream() failed
                     os.close();
                 } catch (IOException e) { e.printStackTrace(); }
             }

         } catch (Exception e) { e.printStackTrace(); }
     }
 }
 

 With [clientAuth=false] it works fine, but with [clientAuth=true]
 it gives an error:

 java.net.SocketException: Software caused connection abort: recv failed
 at java.net.SocketInputStream.socketRead0(Native Method)
 at java.net.SocketInputStream.read(SocketInputStream.java:129)
 at com.sun.net.ssl.internal.ssl.InputRecord.a(DashoA6275)
 at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
 at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)

 What did I do in a wrong way?

 Thanks in advance.

 Best regards,
 Dmitry.







Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread joe
hi,

it's true that there is no 'step-by-step' howto for tomcat, but there 
are many other ssl (and client auth) howtos which you can use for tomcat.
the only thing is just a little bit of searching and reading about ssl, 
CA, X509 certificates, certification chains ...

i have successfully established ssl connections with (mutual) client 
certificates. i'll try to find the howtos i've used and post them here (i 
hope i'll find them again).
i haven't used CRLs - i'm sure there are howtos 'out there'.

and: it's true that tomcat does NOT support mutual client auth! but 
i've read a little bit of the docs and the source code and patched my 
tomcat 4.1.x to change the ssl client auth behavior to mutual.

cu, joe

Mark Liu wrote:

Hi,

No, the Tomcat docs only say how to turn on the
*server* authentication, i.e., how to run Tomcat in
SSL mode.  It does not mention how to have the client
also pass over its certificate to the Web server.
You have an idea about how to turn on client cert?





Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread joe
first of all: use jdk1.4.x !!! i found a bug in the old implementation. 
if someone is interested i can search in my archive to describe the bug.

here is how to patch tomcat 4.1.x to make client 
authentication 'optional':

in the java class:
org.apache.tomcat.util.net.jsse.JSSESocketFactory
you find 2 times this method call:
.setNeedClientAuth(clientAuth);
change this to:
.setWantClientAuth(clientAuth);
that's it!

and don't forget to change your server.xml:

   <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
   <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
              port="443" minProcessors="5" maxProcessors="75"
              enableLookups="true"
              acceptCount="100" debug="0" scheme="https" secure="true"
              useURIValidationHack="false" disableUploadTimeout="true">
     <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
              clientAuth="true" protocol="TLS"
              keystoreFile="/root/certs/java.concrete-it.com.keystore"
              keystorePass="changeit" />
   </Connector>

here is my link collection for ssl:
http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html
http://developer.java.sun.com/developer/qow/archive/169/index.jsp
http://www.catgen.com/developer/manual/ssl.html#jbosscatalina
you can find a lot of howtos on how to make your own CA, server cert and 
client certs.

hope this helps,
joe





RE: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread dave . prout
Joe,

I've also been trying to do this for ages. I assume you import the
client certificate into the server truststore. How does the server know where
to look for this truststore?

Thanks

Dave 


-Original Message-
From: joe [mailto:[EMAIL PROTECTED]
Sent: 26 March 2003 08:49
To: Tomcat Users List
Subject: Re: Tomcat SSL mutual authentication: Nobody's got a clue?


first of all: use jdk1.4.x !!! i found a bug in the old implementation. 
if someone is interested i can search in my archive to describe the bug.

here is how to patch tomcat 4.1.x to make client 
authentication 'optional':

in the java class:
org.apache.tomcat.util.net.jsse.JSSESocketFactory

you find 2 times this method call:
.setNeedClientAuth(clientAuth);
change this to:
.setWantClientAuth(clientAuth);

that's it!

and don't forget to change your server.xml:

<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           clientAuth="true" protocol="TLS"
           keystoreFile="/root/certs/java.concrete-it.com.keystore"
           keystorePass="changeit" />
</Connector>


here is my link collection for ssl:
http://www-106.ibm.com/developerworks/java/library/j-customssl/sidebar.html
http://developer.java.sun.com/developer/qow/archive/169/index.jsp
http://www.catgen.com/developer/manual/ssl.html#jbosscatalina

you can find a lot of howtos on how to make your own CA, server cert and 
client certs.

hope this helps,
joe




Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-26 Thread joe
hi dave,

please don't import every client certificate into your server 
truststore! that's why you can use a 'certification chain'. you create 
your own CA and import this CA into your truststore. you can find your 
trust store there: [jdk-home]/jre/lib/security/cacerts (the default 
password is: changeit)
then create a server certificate and sign it with your CA
don't forget to set the name correctly in your server ssl certificate:
What is your first and last name?
  [Unknown]:  www.mydomain.com

if you name it the wrong way the browser pops up a message to verify the 
server name.
then create your client certificates and sign them with your CA. (you 
don't need to import them into your truststore. you trust your 
truststore and all 'children' of it!)
you can export the CA certificate (make a .cer file) and import this into 
the browser.

here you find a good howto to create certification chains for FreeS/WAN.
in this howto you find everything you need (step-by-step) to use it with 
tomcat. just import the certs with the java keytool into the keystore 
and cacerts files.

i hope this helps!
cu,
joe
[EMAIL PROTECTED] wrote:

Joe,

I've also been trying to do this for ages. I assume you import the
client certificate into the server truststore. How does the server know where
to look for this truststore?

Thanks

Dave 


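Bill Barker's point (the browser only offers client certificates that chain to a CA the server advertises) and joe's two answers (swap setNeedClientAuth for setWantClientAuth; put your own CA in the truststore, which JSSE finds through javax.net.ssl.trustStore or falls back to cacerts) can all be seen in a few lines of plain JSSE. The class below is an added example, not code from this thread or from Tomcat; the class name, the --optional switch and the fixed port 8443 are my choices, and it assumes the server keystore from the posts (its password given on the command line) and a Java 7 or later JDK.

```java
import java.io.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.net.ssl.*;

/*
 * Added example, not Tomcat code. Builds a JSSE server socket the way a
 * connector does and shows the two things this thread turns on: which CAs
 * the server advertises to the browser, and what 'need' vs 'want' client
 * auth changes for a client that sends no certificate.
 *
 * Usage: java [-Djavax.net.ssl.trustStore=...] ClientAuthDemo <keystore> <storepass> [--optional]
 * Without the property JSSE falls back to <java.home>/lib/security/cacerts
 * (password "changeit"), the file joe points at above.
 */
public class ClientAuthDemo {

    static KeyStore load(String path, char[] pass) throws Exception {
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, pass);
        }
        return ks;
    }

    // The subjects of these certificates are what the server lists in its TLS
    // CertificateRequest. A browser offers only client certs that chain to one
    // of them, so a CA missing here shows up as an empty certificate box.
    static List<String> acceptedIssuers(TrustManager[] tms) {
        List<String> names = new ArrayList<>();
        for (TrustManager tm : tms) {
            if (tm instanceof X509TrustManager) {
                for (X509Certificate ca : ((X509TrustManager) tm).getAcceptedIssuers()) {
                    names.add(ca.getSubjectX500Principal().getName());
                }
            }
        }
        return names;
    }

    static SSLContext buildContext(KeyStore serverKs, char[] keyPass, TrustManager[] tms) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        // One password is used for both the keystore and the private key here;
        // a key stored under a different password fails with "Cannot recover key".
        kmf.init(serverKs, keyPass);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), tms, null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: java ClientAuthDemo <keystore> <storepass> [--optional]");
            System.exit(2);
        }
        boolean optional = args.length > 2 && "--optional".equals(args[2]);
        char[] pass = args[1].toCharArray();

        // Same lookup the JVM performs for its default trust store.
        String tsPath = System.getProperty("javax.net.ssl.trustStore",
                System.getProperty("java.home") + "/lib/security/cacerts");
        char[] tsPass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit").toCharArray();

        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(tsPath, tsPass));
        TrustManager[] tms = tmf.getTrustManagers();
        System.out.println("CAs advertised to clients: " + acceptedIssuers(tms));

        SSLContext ctx = buildContext(load(args[0], pass), pass, tms);
        try (SSLServerSocket server = (SSLServerSocket) ctx.getServerSocketFactory().createServerSocket(8443)) {
            // Tomcat 4.1 calls setNeedClientAuth(clientAuth): a client without a
            // certificate is refused during the handshake. joe's patch swaps in
            // setWantClientAuth: the server still asks, a certless client gets in,
            // and getPeerCertificates() is where the absence becomes visible.
            if (optional) {
                server.setWantClientAuth(true);
            } else {
                server.setNeedClientAuth(true);
            }
            System.out.println("listening on 8443 (" + (optional ? "want" : "need") + " client auth)");
            try (SSLSocket client = (SSLSocket) server.accept()) {
                try {
                    client.startHandshake();
                    X509Certificate peer = (X509Certificate) client.getSession().getPeerCertificates()[0];
                    System.out.println("client authenticated as " + peer.getSubjectX500Principal().getName());
                } catch (SSLPeerUnverifiedException e) {
                    System.out.println("handshake completed without a client certificate (want mode)");
                } catch (SSLHandshakeException e) {
                    System.out.println("handshake rejected: " + e.getMessage());
                }
            }
        }
    }
}
```

Run it once with and once without --optional against the browser or the SimpleClient from Dmitry's post to see the same request answered differently by the two modes.
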
Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-25 Thread Norris Shelton
That about sums it up.  We are looking at client certs also. 
The Tomcat docs say how to turn on client authentication, but
there is not much out there on hooking up to a CA and verifying
against a CRL.  

All of that is beyond the scope of this list and dives deep into
the realm of JCE.

We are looking into going with a vendor (probably VeriSign).


--- Mark Liu [EMAIL PROTECTED] wrote:
 For over 1 week, I've been exploring about this.  So
 far, I got no reply.  Is this so professional, so
 tough that nobody's got a clue?
 
 


=

Norris Shelton
Software Engineer
Sun Certified Java 1.1 Programmer
Appriss, Inc.
ICQ# 26487421
AIM NorrisEShelton
YIM norrisshelton





Re: Tomcat SSL mutual authentication: Nobody's got a clue?

2003-03-25 Thread Mark Liu
Hi,

No, the Tomcat docs only say how to turn on the
*server* authentication, i.e., how to run Tomcat in
SSL mode.  It does not mention how to have the client
also pass over its certificate to the Web server.

You have an idea about how to turn on client cert?

--- Norris Shelton [EMAIL PROTECTED] wrote:
 That about sums it up.  We are looking at client certs also.
 The Tomcat docs say how to turn on client authentication, but
 there is not much out there on hooking up to a CA and verifying
 against a CRL.

 All of that is beyond the scope of this list and dives deep into
 the realm of JCE.

 We are looking into going with a vendor (probably VeriSign).
 
 





RE: Tomcat SSL question (Emergency)

2003-03-11 Thread dave . prout
Kevin,

You might like to help Tomcat out by telling it the password. Try
modifying the factory bit in server.xml to add the path to the keystore, and
the password, something like this

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="true" protocol="TLS"
         keystoreFile="C:/Documents and Settings/Administrator/.keystore"
         keypass="secret" />
Dave

-Original Message-
From: Kevin Hu [mailto:[EMAIL PROTECTED]
Sent: 11 March 2003 08:13
To: [EMAIL PROTECTED]
Subject: Tomcat SSL question (Emergency)

Hi,

I am currently implementing a Verisign Server Certificate (128 bit) on
Tomcat 4.0.3 on the Windows 2000 Server platform with JDK 1.4.0 and did the
following steps:

1. Create a local Certificate Signing Request (CSR)
2. Submit the CSR to Verisign and receive the certificate back
3. Import the Verisign Chain Certificate into your keystore
4. And import the new Certificate to keystore

Note: I am creating different passwords for the keystore and the tomcat user
than the default one, changeit (i.e. keystore password: secret1, key
password for tomcat: secret2).

5. Stop tomcat
6. Modify the settings in server.xml file

<!-- Define an SSL HTTP/1.1 Connector on port 443 -->
<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
           keystorePass="secret1"
           clientAuth="false" protocol="TLS"/>
</Connector>

7. Start tomcat

When I point to the secure website, I receive the following errors:

Create Catalina server
initProxy:  java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
        at sun.security.provider.KeyProtector.recover(KeyProtector.java:301)
        at sun.security.provider.JavaKeyStore.engineGetKey(JavaKeyStore.java:103)
        at java.security.KeyStore.getKey(KeyStore.java:289)
        at com.sun.net.ssl.internal.ssl.X509KeyManagerImpl.init(DashoA6275)
        at com.sun.net.ssl.internal.ssl.KeyManagerFactoryImpl.engineInit(DashoA6275)
        at javax.net.ssl.KeyManagerFactory.init(DashoA6275)
        at com.sun.net.ssl.KeyManagerFactorySpiWrapper.engineInit(DashoA6275)
        at com.sun.net.ssl.KeyManagerFactory.init(DashoA6275)
        at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:403)
        at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
        at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
        at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
        at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:428)
Catalina.start: LifecycleException:  null.open:  java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
LifecycleException:  null.open:  java.io.IOException: java.security.UnrecoverableKeyException: Cannot recover key
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1130)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:239)
        at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:324)
   

RE: Tomcat SSL question (Emergency)

2003-03-11 Thread Kevin Hu
Dave,

Thank you for the quick response.

I already put the keystorePass attribute in the Factory node (shown below).
Should I add the keypass attribute to the node as well? The Tomcat version
I am currently running is 4.0.3, and the Factory (server.xml) node
explained in the SSL Configuration HOW-TO
(http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html) on the
Apache website does not have a keypass attribute on it?

<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
         keystoreFile="C:\program files\Apache Tomcat 4.0\conf\.keystore"
         keystorePass="secret1"
         clientAuth="false"
         protocol="TLS"/>

I am a bit confused: I applied for and received the server certificate
from Verisign (i.e. verisign.cer), which should be the public key, and the
.keystore file (i.e. .keystore) that we generated using keytool will be
the private key. Should I put the public key in keystoreFile, or the
private key?

Also when you are using keytool to generate the .keystore file, you will
be asked to provide the keystore password and tomcat password. Which
password should I use for the keystorePass attribute?

Thank you,
Kevin

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, March 11, 2003 2:57 AM
To: [EMAIL PROTECTED]
Subject: RE: Tomcat SSL question (Emergency)


Kevin,

You might like to help Tomcat out by telling it the password.
Try modifying the factory bit in server.xml to add the path to the
keystore, and the password, something like this:

<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
         clientAuth="true" protocol="TLS"
         keystoreFile="C:/Documents and Settings/Administrator/.keystore"
         keypass="secret" />

Dave


Re: Tomcat - SSL Question .. Certificate problem

2003-02-07 Thread Martin Jacobson
Mufaddal wrote:


Hi,

I have followed the instructions at: 
http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html to enable 
SSL.

Problem:
When I try to access the jsp page using
https://locahost:8443/login.jsp ... a dialogue pops up saying:



Unable to establish a secure connection to 'localhost'. There is a 
problem with the security ceritificate from that site. (The identity of 
certificate issuer is unknown).

The information you view and send will be readable to others while in 
transit, and it may not go to the intended party.

Continue loading this page ?

Stop  Continue



When I hit continue I can still access my jsp page and everything works
fine. The only problem is that SSL is not being used since the
connection could not be established, as warned by the dialogue box that
popped up.

The certificate I had generated was using keytool just like it's explained
on the howto webpage. I am using Internet Explorer 5.2 on Mac OS X.

Can anybody please shed some light on where I am going wrong?


Your problem is that you're using IE ! IE (on Macs, at least) will not 
accept a certificate unless it has been signed by an already-known 
certificate authority (eg Verisign). The quick solution is to switch to 
Netscape 7, which allows you to decide whether to accept the certificate 
or not. BTW Safari is as brain-dead as IE in this respect.

HTH
Martin


-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Tomcat - SSL Question .. Certificate problem

2003-02-07 Thread Mufaddal
Yes,

After posting my question I did find out that Microsoft is bad at doing
what it says it's doing. Even though the dialogue pops up saying that
an SSL connection could not be established, it still does send the data
encrypted and does connect thru SSL. Also, in Safari you can enable the
debug menu and select "do lax security check". Once you do that it works
with a self-signed certificate. IE on Mac does not give us an option to
add a self-signed certificate, and this is weird since its Windows
counterpart has this capability.

thanks.





Re: Tomcat-SSL: no cipher suites in common Exception

2003-01-05 Thread ningr
Dor Perl wrote:


Hi All, 

Our site is running on Tomcat 3.3/Windows2k stand alone and we want to create a secured page on the Tomcat server (can be a different machine).
We bought an SSL certificate from Comodo (after sending them our CSR that was created using keytool); afterwards we imported the received certificate to the keystore.
The server starts ok, but when a web browser accesses it on the SSL port, we get the following exception:
%% Created: [Session-1, SSL_NULL_WITH_NULL_NULL]
Thread-56, SEND SSL v3.0 ALERT: fatal, description = handshake_failure
Thread-56, WRITE: SSL v3.0 Alert, length = 2
PoolTcpEndpoint: Handshake failed
javax.net.ssl.SSLException: no cipher suites in common
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.b(DashoA6275)
        at com.sun.net.ssl.internal.ssl.ServerHandshaker.processMessage(DashoA6275)
        at com.sun.net.ssl.internal.ssl.Handshaker.process_record(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
PoolTcpEndpoint: Handshake failed
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
        at java.io.OutputStream.write(OutputStream.java:61)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
        at org.apache.tomcat.util.net.JSSESocketFactory.handshake(JSSESocketFactory.java:270)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:479)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
        at java.lang.Thread.run(Thread.java:484)
ThreadPool: Caught exception executing org.apache.tomcat.util.net.TcpWorkerThread@19e15c, terminating thread
javax.net.ssl.SSLException: Unsupported SSL v2.0 ClientHello
        at com.sun.net.ssl.internal.ssl.InputRecord.read(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
        at com.sun.net.ssl.internal.ssl.AppOutputStream.write(DashoA6275)
        at java.io.OutputStream.write(OutputStream.java:61)
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.startHandshake(DashoA6275)
        at org.apache.tomcat.util.net.JSSESocketFactory.handshake(JSSESocketFactory.java:270)
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:479)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
        at java.lang.Thread.run(Thread.java:484)
java.lang.NullPointerException
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:498)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
        at java.lang.Thread.run(Thread.java:484)
ThreadPool: Caught exception executing org.apache.tomcat.util.net.TcpWorkerThread@19e15c, terminating thread
java.lang.NullPointerException
        at org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:498)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:516)
        at java.lang.Thread.run(Thread.java:484)

I also did the following:
* added javax.net.debug=all to the System properties to see the debug information.
* generated my own certificate using keytool (and it works ok, but the certificate is, of course, invalid).
* tried to access the server with different SSL protocols.
* searched every possible thing on the net ;-(
I dedicated a lot of time to this but no good. I would be grateful if someone could help us. Is it possible that the problem is in the certificate we got from the SSL provider?

Thanks in advance for your help,

Dor Perl





When you use keytool to generate the keys and CSR, you should use the
algorithm RSA, not the default DSA, and then the exception will disappear:
keytool .. -keyalg RSA







RE: Tomcat SSL Setup

2002-12-18 Thread Justin L. Spies
One piece of information I forgot to mention:
O/S: Red Hat Linux 7.2
Apache:  Custom Compiled 1.3.26
Tomcat:  4.0.4 RPM installation
JSDK:  j2sdk1.4.0_01

Thanks again.

Justin L. Spies


-Original Message-
From: Justin L. Spies [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 18, 2002 2:43 PM
To: [EMAIL PROTECTED]
Subject: Tomcat SSL Setup


Hello all,
I've been working on getting SSL configured for Tomcat and seem to be
having a small problem.  I must be mistyping something because the only
thing I get back from Netscape 7.0 is:
Netscape 7.0 and www.mydomain.com cannot communicate securely
because they have no common encryption algorithms.

Here is what I have done so far:

1.  I changed /etc/tomcat4/server.xml and uncommented the following:

<Connector className="org.apache.catalina.connector.http.HttpConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true"
           acceptCount="10" debug="0" scheme="https" secure="true">
  <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
           clientAuth="false"
           keystoreFile="keystores/mydomain.keystore" keystorePass=""
           protocol="TLS"/>
</Connector>

2.  I ran the following commands to import the Verisign key:
/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias root \
  -keystore /var/tomcat4/keystores/mydomain.keystore  \
  -trustcacerts -file /etc/verisign.key

3.  I ran the following commands to import a previously created SSL
certificate
/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias tomcat \
  -keystore /var/tomcat4/keystores/mydomain.keystore  \
  -trustcacerts -file /home/httpd/ssl/www.mydomain.com.cer

4.  In /etc/tomcat4/server.xml, I noticed the following:
     * Download and install JSSE 1.0.2 or later, and put the JAR files
       into $JAVA_HOME/jre/lib/ext.

I found jsse.jar in $JAVA_HOME/jre/lib so I ran the following:
ln -s $JAVA_HOME/jre/lib/jsse.jar $JAVA_HOME/jre/lib/ext/jsse.jar

5.  I then restarted Tomcat and tried the following URL:
http://www.mydomain.com:8080/examples/servlets/index.hml

This was a test simply to make sure Tomcat started properly.  In
this it worked fine.

6.  I then restarted Tomcat and tried the following URL:
https://www.mydomain.com:8443/examples/servlets/index.html

This test failed with the above error message.


Does anyone have any ideas?  Oh, and BTW, I can visit
https://www.mydomain.com/index.html and the home page for the site comes
up in SSL mode without a problem, so I know that the SSL certificate,
under Apache, is working fine.

Thanks,
Justin L. Spies







Re: Tomcat SSL Setup

2002-12-18 Thread Ken Anderson
Have you considered the advantages of using one of the apache connectors 
instead of tomcat standalone for SSL support?

I fought with Tomcat ssl support a couple years ago, and was unable to 
get it to work. I'm sure the support is there now, but ssl support is 
transparent if you use mod_jk or mod_webapp with Apache, and it's 
easier, since you already have all the certificates in place.

The downside is that the connection between apache and tomcat is NOT 
encrypted, so if you are running TC and Apache on different servers, 
this might be an issue.

Ken A.






RE: Tomcat SSL Setup

2002-12-18 Thread Justin L. Spies
Ken,
Thanks for the hints.  Since they (Apache/Tomcat) are running on the
same system at this point, that won't be an issue.  Could you point me
the direction of some documentation that would help me get this setup?
I've setup mod_jk with standard Apache before and it has been straight
forward.  I am assuming that Apache handles the encryption/decryption
and passes the requests off to Tomcat via the connector AFTER it
decrypts the request--is this correct?

Sincerely,
Pantek Incorporated
Justin L. Spies

URI: http://www.pantek.com
Ph   440.519.1802
Fax  440.248.5274
Cell 440.336.3317






RE: Tomcat SSL Setup

2002-12-18 Thread Joseph Stephen
In case you still want to run Tomcat Standalone 

The problem with your setup was that the certificate was
in the incorrect format. You need to convert the
certificate to DER.
The following links give very detailed instructions on
how to achieve this. If you still face problems let me
know.
http://www.comu.de/docs/tomcat_ssl.htm

http://www.openssl.org/docs/apps/pkcs8.html#COMMAND_OPTIONS

Regards,
Joe
 

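The three standalone-Tomcat failures in these threads all come down to what the JSSE factory finds in the keystore: Kevin's "Cannot recover key" (his stack trace shows KeyManagerFactory.init receiving the single keystorePass, so the key password has to equal it), Dor's "no cipher suites in common" (ningr's DSA-versus-RSA point), and Justin's keystore, which his steps fill only with keytool -import and never with a key pair, so it holds trusted certificates and no private key. The diagnostic below is an added example, not code from the thread or from Tomcat; it assumes a JKS keystore, the class name KeystoreCheck, and the file path and keystorePass as command-line arguments.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Added example (not from the thread or Tomcat). Reports, for every alias in a JKS
 * keystore, whether a Tomcat 4 style JSSE factory could actually serve it: the entry
 * must hold a private key, that key must be recoverable with the same password the
 * factory gets as keystorePass, and the browsers of the period negotiated RSA suites.
 *
 * Usage: java KeystoreCheck <keystoreFile> <keystorePass>
 */
public class KeystoreCheck {

    /** One report line per alias plus a summary; returned rather than printed. */
    public static List<String> check(KeyStore ks, char[] storePass) throws Exception {
        List<String> report = new ArrayList<>();
        int servable = 0;

        for (Enumeration<String> e = ks.aliases(); e.hasMoreElements();) {
            String alias = e.nextElement();

            if (ks.isCertificateEntry(alias)) {
                // "keytool -import" under an alias that owns no key pair creates exactly
                // this: a trusted certificate with no private key behind it.
                report.add(alias + ": trusted certificate only, no private key (cannot be served)");
                continue;
            }

            // Key entry. KeyManagerFactory.init() takes one password for every key,
            // so a key password that differs from keystorePass is unrecoverable here.
            Key key;
            try {
                key = ks.getKey(alias, storePass);
            } catch (UnrecoverableKeyException ex) {
                report.add(alias + ": key password differs from keystorePass"
                        + " -> this is the 'Cannot recover key' failure");
                continue;
            }

            String alg = key.getAlgorithm();
            Certificate[] chain = ks.getCertificateChain(alias);
            int chainLen = chain == null ? 0 : chain.length;
            StringBuilder line = new StringBuilder(alias + ": " + alg + " key, chain length " + chainLen);
            if (chainLen > 0 && chain[0] instanceof X509Certificate) {
                X509Certificate leaf = (X509Certificate) chain[0];
                line.append(", subject ").append(leaf.getSubjectX500Principal())
                    .append(", expires ").append(leaf.getNotAfter());
            }
            if (!"RSA".equals(alg)) {
                // keytool's default key algorithm at the time was DSA; a DSA-only server
                // facing an RSA-only client yields "no cipher suites in common".
                line.append(" -> not RSA, expect 'no cipher suites in common'");
            } else {
                servable++;
            }
            report.add(line.toString());
        }

        report.add(servable == 0
                ? "SUMMARY: no RSA private key recoverable with keystorePass; TLS handshakes will fail"
                : "SUMMARY: " + servable + " servable RSA key entr" + (servable == 1 ? "y" : "ies"));
        return report;
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 2) {
            System.err.println("usage: java KeystoreCheck <keystoreFile> <keystorePass>");
            System.exit(2);
        }
        char[] storePass = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(args[0])) {
            // A wrong keystorePass fails here with an IOException, not later at getKey().
            ks.load(in, storePass);
        }
        for (String line : check(ks, storePass)) {
            System.out.println(line);
        }
    }
}
```

A key entry reported as unrecoverable can be brought in line without regenerating it: `keytool -keypasswd -alias <alias> -keystore <file>` prompts for the old key password and a new one, which should then equal keystorePass.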

Re: Tomcat SSL Setup

2002-12-18 Thread Ken Anderson


Justin L. Spies wrote:

Ken,
Thanks for the hints.  Since they (Apache/Tomcat) are running on the
same system at this point, that won't be an issue.  Could you point me
the direction of some documentation that would help me get this setup?
I've setup mod_jk with standard Apache before and it has been straight
forward.  I am assuming that Apache handles the encryption/decryption
and passes the requests off to Tomcat via the connector AFTER it
decrypts the request--is this correct?


That is correct.

I have only set up ssl with mod_webapp, and it's just a matter of adding 
duplicate WebAppDeploy statements to the ssl <VirtualHost xx.xx.xx.xx:443>
section in httpd.conf.

I'd assume it's the same with mod_jk: since the autogenerated 
mod_jk.conf contains the non-ssl virtualhost section, you'd just need to 
mirror that with an ssl virtualhost section in the file by adding a 
duplicate Host hostname:443 section to server.xml for the ssl 
virtualhost. There may be gotchas to this that I'm not aware of with jk, 
since I have not used it with apache and ssl before.

You'd also probably want to disable the coyote connector on port 8080 in 
server.xml too.

Ken


Sincerely,
Pantek Incorporated
Justin L. Spies

URI: http://www.pantek.com
Ph   440.519.1802
Fax  440.248.5274
Cell 440.336.3317


-Original Message-
From: Ken Anderson [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, December 18, 2002 4:51 PM
To: Tomcat Users List
Subject: Re: Tomcat SSL Setup


Have you considered the advantages of using one of the apache connectors

instead of tomcat standalone for SSL support?

I fought with Tomcat ssl support a couple years ago, and was unable to 
get it to work. I'm sure the support is there now, but ssl support is 
transparent if you use mod_jk or mod_webapp with Apache, and it's 
easier, since you already have all the cerificates in place.

The downside is that the connection between apache and tomcat is NOT 
encrypted, so if you are running TC and Apache on different servers, 
this might be an issue.

Ken A.


Justin L. Spies wrote:

One piece of information I forgot to mention:
	O/S: Red Hat Linux 7.2
	Apache:  Custom Compiled 1.3.26
	Tomcat:  4.0.4 RPM installation
	JSDK:	   j2sdk1.4.0_01

Thanks again.

Justin L. Spies


-Original Message-
From: Justin L. Spies [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, December 18, 2002 2:43 PM
To: [EMAIL PROTECTED]
Subject: Tomcat SSL Setup


Hello all,
I've been working on getting SSL configured for Tomcat and seem to be 
having a small problem.  I must be mistyping something because the 
only thing I get back from Netscape 7.0 is:
	Netscape 7.0 and www.mydomain.com cannot communicate securely 
because they have no common encryption algorithms.

Here is what I have done so far:

1.	I changed /etc/tomcat4/server.xml and uncommented the following:

    <Connector className="org.apache.catalina.connector.http.HttpConnector"
               port="8443" minProcessors="5" maxProcessors="75"
               enableLookups="true"
               acceptCount="10" debug="0" scheme="https" secure="true">
      <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
               clientAuth="false"
               keystoreFile="keystores/mydomain.keystore" keystorePass=""
               protocol="TLS"/>
    </Connector>

2.	I ran the following commands to import the Verisign key:
	/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias root \
	  -keystore /var/tomcat4/keystores/mydomain.keystore  \
	  -trustcacerts -file /etc/verisign.key

3.	I ran the following commands to import a previously created SSL
certificate
	/usr/java/j2sdk1.4.0_01/bin/keytool -import -alias tomcat \
	  -keystore /var/tomcat4/keystores/mydomain.keystore  \
	  -trustcacerts -file /home/httpd/ssl/www.mydomain.com.cer

4.	In /etc/tomcat4/server.xml, I noticed the following:
	* Download and install JSSE 1.0.2 or later, and put the JAR files
	  into $JAVA_HOME/jre/lib/ext.

	I found jsse.jar in $JAVA_HOME/jre/lib so I ran the following:
		ln -s $JAVA_HOME/jre/lib/jsse.jar $JAVA_HOME/jre/lib/ext/jsse.jar


5.	I then restarted Tomcat and tried the following URL:
	http://www.mydomain.com:8080/examples/servlets/index.html

	This was a test simply to make sure Tomcat started properly.  In
	this it worked fine.

6.	I then restarted Tomcat and tried the following URL:
	https://www.mydomain.com:8443/examples/servlets/index.html

	This test failed with the above error message.


Does anyone have any ideas?  Oh, and BTW, I can visit 
https://www.mydomain.com/index.html and the home page for the site 
comes up in SSL mode without a problem, so I know that the SSL 
certificate, under Apache, is working fine.

Thanks,
Justin L. Spies



--
To unsubscribe, e-mail: 
mailto:[EMAIL PROTECTED]
For additional commands, e-mail: 
mailto:[EMAIL PROTECTED]



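The thread never says what fixed Justin's "no common encryption algorithms" error, but steps 2 and 3 above make one cause likely: both keytool commands are `-import`, so unless the keystore already held a key pair from `keytool -genkey`, the alias `tomcat` is a trusted-certificate entry with no private key behind it. JSSE then has no key to present on port 8443, drops every RSA cipher suite, and the browser reports that the two sides share no cipher (Apache on 443 uses its own PEM key and is unaffected, which matches what he observed). The following added example, which is not code from the thread or from Tomcat or keytool, reads the JKS file format just far enough to tell the two cases apart; the certificate bytes in it are a constructed placeholder and are never decoded.

```python
"""Say whether a JKS keystore can actually serve TLS, i.e. holds a private-key
entry rather than only trusted certificates. Added example, not code from the
thread, Tomcat or keytool; it follows the documented JKS layout (entry tags,
writeUTF strings, SHA-1 integrity trailer). The certificate bytes are a
constructed placeholder, never decoded, not a real X.509 certificate."""
import hashlib
import struct

MAGIC, VERSION = 0xFEEDFEED, 2
PRIVATE_KEY_TAG, TRUSTED_CERT_TAG = 1, 2
PLACEHOLDER_DER = b"\x30\x03\x02\x01\x00"     # constructed stand-in for a cert


def _utf(text):
    """DataOutputStream.writeUTF: 2-byte length, then the UTF-8 bytes."""
    raw = text.encode("utf-8")
    return struct.pack(">H", len(raw)) + raw


def _keyed_hash(password, body):
    """JKS trailer: SHA-1(password as UTF-16BE || "Mighty Aphrodite" || body)."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def build_jks(entries, password):
    """entries: (alias, kind, cert_der, protected_key), kind 'key' or 'cert'.
    Produces the bytes keytool would write, minus the real cryptography."""
    body = struct.pack(">III", MAGIC, VERSION, len(entries))
    for alias, kind, cert_der, protected_key in entries:
        tag = PRIVATE_KEY_TAG if kind == "key" else TRUSTED_CERT_TAG
        body += struct.pack(">I", tag) + _utf(alias) + struct.pack(">q", 0)
        if kind == "key":
            body += struct.pack(">I", len(protected_key)) + protected_key
            body += struct.pack(">I", 1)             # one-certificate chain
        body += _utf("X.509") + struct.pack(">I", len(cert_der)) + cert_der
    return body + _keyed_hash(password, body)


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def take(self, n):
        self.pos += n
        return self.data[self.pos - n:self.pos]

    def u16(self):
        return struct.unpack(">H", self.take(2))[0]

    def u32(self):
        return struct.unpack(">I", self.take(4))[0]

    def utf(self):
        return self.take(self.u16()).decode("utf-8")


def read_jks(data, password):
    """Check the integrity trailer, then list (alias, entry type) pairs."""
    body, trailer = data[:-20], data[-20:]
    if _keyed_hash(password, body) != trailer:
        raise ValueError("keystore was tampered with, or password was incorrect")
    r = _Reader(body)
    if (r.u32(), r.u32()) != (MAGIC, VERSION):
        raise ValueError("not a version-2 JKS keystore")
    entries = []
    for _ in range(r.u32()):
        tag, alias = r.u32(), r.utf()
        r.take(8)                                    # creation timestamp
        if tag == PRIVATE_KEY_TAG:
            r.take(r.u32())                          # encrypted PKCS#8 blob
            for _ in range(r.u32()):                 # certificate chain
                r.utf()
                r.take(r.u32())
            entries.append((alias, "PrivateKeyEntry"))
        elif tag == TRUSTED_CERT_TAG:
            r.utf()
            r.take(r.u32())
            entries.append((alias, "trustedCertEntry"))
        else:
            raise ValueError(f"unknown entry tag {tag}")
    return entries


def can_serve_tls(entries):
    """JSSE's key manager only ever selects a PrivateKeyEntry. With none, every
    RSA suite is dropped and the client sees a handshake failure, which
    Netscape reports as 'no common encryption algorithms'."""
    return any(kind == "PrivateKeyEntry" for _, kind in entries)


# What two `keytool -import` runs into a fresh keystore leave behind:
IMPORT_ONLY = build_jks([("root", "cert", PLACEHOLDER_DER, None),
                         ("tomcat", "cert", PLACEHOLDER_DER, None)], "changeit")
# What `keytool -genkey -alias tomcat` plus importing the CA reply leaves:
WITH_KEY = build_jks([("root", "cert", PLACEHOLDER_DER, None),
                      ("tomcat", "key", PLACEHOLDER_DER, b"\x00" * 16)], "changeit")
```

On a real file the same distinction is visible with `keytool -list -v -keystore /var/tomcat4/keystores/mydomain.keystore`, which prints `Entry type: keyEntry` or `trustedCertEntry` per alias; the Factory in server.xml needs a keyEntry under the alias it will use (the default is `tomcat`).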

RE: Tomcat SSL w/ Apache

2002-10-31 Thread Turner, John

If you are using Tomcat + Apache, the activity between Tomcat and Apache on
the connector is not secure.  It is not encrypted.

SSL Request -> Apache -> Decrypted by Apache -> Sent to Connector -> Sent to
Tomcat on Connector port -> reply back to Apache -> Response encrypted by
Apache -> SSL Response to Client

As far as Tomcat is concerned, the request isn't secure...all Tomcat sees is
a typical request on a connector port.  Perhaps there is some code in
isSecure() that can differentiate, but I would be surprised if there was.

John





RE: Tomcat SSL w/ Apache

2002-10-31 Thread Milt Epstein
On Thu, 31 Oct 2002, Turner, John wrote:

 If you are using Tomcat + Apache, the activity between Tomcat and
 Apache on the connector is not secure.  It is not encrypted.

 SSL Request -> Apache -> Decrypted by Apache -> Sent to Connector ->
 Sent to Tomcat on Connector port -> reply back to Apache -> Response
 encrypted by Apache -> SSL Response to Client

 As far as Tomcat is concerned, the request isn't secure...all Tomcat
 sees is a typical request on a connector port.  Perhaps there is
 some code in isSecure() that can differentiate, but I would be
 surprised if there was.

Surprise!

The isSecure() check (as well as getScheme()) refers to the original
request.  So, all of what you say otherwise is correct, but isSecure()
(and getScheme()) should reflect what was true of the original
request, whether it came to Apache or Tomcat.

I verified this using SnoopServlet in the Tomcat distrib examples
context.  On a machine I have, I have that available to both my http
and https web server hosts/instances.  Then I tried the URLs:

http://www.machinename.com//examples/snoop
https://www.machinename.com//examples/snoop

(snoop is mapped to SnoopServlet in the examples context web.xml file.)

For the first URL, Scheme (which shows the value of getScheme()) was
http, and Request Is Secure (which shows the value of isSecure())
was false.  For the second, the values were https and true,
respectively.

Now, one caveat I'll add is that this is with 4.0.4.  I imagine it's
possible that this behavior changed between versions.  But it would
seem an odd change, because it's a major change to a basic behavior
(and one that I think goes against the spec).  Further, some
tomcat-dev people post to this list, so I would've thought they'd have
commented if this were the case.

I didn't respond directly to Randy's note because I didn't have any
idea what might be causing the problem.  It's possible that there is
some configuration that needs to be set to get this behavior.  But
from a quick glance at my configuration, I didn't see what that might
be.

Oh, I just did a search of the archives (at marc.theaimsgroup.com),
and looks like someone brought up this same issue quite recently (and
I think I was combining/confusing the two threads).  There was only
one followup to the initial response there (the subject was Possible
bug with isSecure()/getScheme() methods in tomcat 4.), which said:

  IIRC there is a bug in the coyote connector in TC 4.1.10.

  You have to use the org.apache.ajp.tomcat4.Ajp13Connector connector
  and set an attribute tomcatAuthentication=false to achieve the
  result you desire.

In fact, I am using the Ajp13Connector, and I do have
tomcatAuthentication set to false (that's to allow the authentication
to be done by Apache, but maybe there's some interaction there).  So
there are a couple of things to try to see if it has any effect.


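Milt's observation that isSecure() and getScheme() reflect the original request has a concrete mechanism, and John's description of the path is exactly why: the AJP13 Forward Request that mod_jk sends to port 8009 carries an is_ssl flag, plus optional ssl_cipher/ssl_session/ssl_cert attributes filled from the httpd TLS session, and the AJP connector sets the servlet request's secure flag and scheme from that field. Nothing on the Tomcat side inspects a TLS session, because there is none on that hop. The flip side, and the reason Ken's "the connection between apache and tomcat is NOT encrypted" matters for more than confidentiality, is that any host able to reach port 8009 can send the same packet with is_ssl set and, where tomcatAuthentication is false, a remote_user of its choosing; the AJP port belongs behind a firewall that admits only the httpd box. The following is an added example, not code from the thread, mod_jk or Tomcat; it follows the public AJPv13 packet layout, encodes only the fields needed here, and the host name and requests are constructed.

```python
"""Build and parse the AJP13 "Forward Request" mod_jk sends to Tomcat's AJP
connector (port 8009): the only place a servlet's isSecure()/getScheme()
can come from once httpd has terminated TLS. Added example, not code from
the thread, mod_jk or Tomcat; it follows the public AJPv13 packet layout
and encodes just the fields needed here."""
import struct

FORWARD_REQUEST = 0x02
METHODS = {"OPTIONS": 1, "GET": 2, "HEAD": 3, "POST": 4, "PUT": 5, "DELETE": 6}
METHOD_NAMES = {v: k for k, v in METHODS.items()}
# These request headers travel as 0xA001..0xA00E codes instead of strings.
_COMMON = ["accept", "accept-charset", "accept-encoding", "accept-language",
           "authorization", "connection", "content-type", "content-length",
           "cookie", "cookie2", "host", "pragma", "referer", "user-agent"]
HEADER_CODES = {h: 0xA001 + i for i, h in enumerate(_COMMON)}
HEADER_NAMES = {v: k for k, v in HEADER_CODES.items()}
# Request attributes: the httpd-authenticated user and the TLS facts.
ATTRS = {0x03: "remote_user", 0x07: "ssl_cert", 0x08: "ssl_cipher",
         0x09: "ssl_session", 0x0B: "ssl_key_size"}
ATTR_CODES = {v: k for k, v in ATTRS.items()}
ATTR_END = 0xFF


def _s(text):
    """AJP string: 2-byte length, bytes, NUL; None is sent as 0xFFFF."""
    if text is None:
        return b"\xff\xff"
    raw = text.encode("latin-1")
    return struct.pack(">H", len(raw)) + raw + b"\x00"


def build_forward_request(method, uri, server_name, server_port, is_ssl,
                          headers=None, remote_addr="127.0.0.1", **attrs):
    """attrs are the names in ATTRS: strings, except ssl_key_size (int)."""
    body = bytes([FORWARD_REQUEST, METHODS[method]])
    body += _s("HTTP/1.1") + _s(uri) + _s(remote_addr) + _s(None)
    body += _s(server_name) + struct.pack(">H", server_port)
    body += bytes([1 if is_ssl else 0])        # the is_ssl flag
    headers = headers or {}
    body += struct.pack(">H", len(headers))
    for name, value in headers.items():
        code = HEADER_CODES.get(name.lower())
        body += (struct.pack(">H", code) if code else _s(name)) + _s(value)
    for name, value in attrs.items():
        body += bytes([ATTR_CODES[name]])
        body += struct.pack(">H", value) if name == "ssl_key_size" else _s(value)
    body += bytes([ATTR_END])
    return b"\x12\x34" + struct.pack(">H", len(body)) + body


class _Reader:
    def __init__(self, data):
        self.data, self.pos = data, 0

    def byte(self):
        self.pos += 1
        return self.data[self.pos - 1]

    def u16(self):
        self.pos += 2
        return struct.unpack_from(">H", self.data, self.pos - 2)[0]

    def string(self):
        n = self.u16()
        if n == 0xFFFF:
            return None
        text = self.data[self.pos:self.pos + n].decode("latin-1")
        self.pos += n + 1                      # skip the NUL terminator
        return text


def parse_forward_request(packet):
    if packet[:2] != b"\x12\x34":
        raise ValueError("not a web-server-to-container AJP packet")
    r = _Reader(packet[4:4 + struct.unpack(">H", packet[2:4])[0]])
    if r.byte() != FORWARD_REQUEST:
        raise ValueError("not a Forward Request")
    req = {"method": METHOD_NAMES[r.byte()]}
    for field in ("protocol", "uri", "remote_addr", "remote_host", "server_name"):
        req[field] = r.string()
    req["server_port"] = r.u16()
    req["is_ssl"] = r.byte() == 1
    req["headers"], req["attributes"] = {}, {}
    for _ in range(r.u16()):
        coded = r.data[r.pos] == 0xA0          # 0xA0xx code or a string?
        name = HEADER_NAMES[r.u16()] if coded else r.string().lower()
        req["headers"][name] = r.string()
    while True:
        code = r.byte()
        if code == ATTR_END:
            break
        name = ATTRS[code]
        req["attributes"][name] = r.u16() if name == "ssl_key_size" else r.string()
    return req


def servlet_view(req):
    """What the servlet API reports: derived from the peer's flag, not TLS."""
    return {"getScheme": "https" if req["is_ssl"] else "http",
            "isSecure": req["is_ssl"],
            "getRemoteUser": req["attributes"].get("remote_user")}
```

Feed `build_forward_request("GET", "/examples/snoop", "www.machinename.com", 443, True, {"Host": "www.machinename.com"}, ssl_cipher="AES256-SHA")` through `parse_forward_request` and `servlet_view` and you get the https/true pair Milt saw from SnoopServlet; change nothing but `is_ssl` and add `remote_user="admin"` and the same functions report a "secure", authenticated request, which is what a direct client of port 8009 can assert.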

RE: Tomcat SSL w/ Apache

2002-10-31 Thread Turner, John

Cool!  I didn't have time this morning to do a test, so I was winging it.
Thanks for the verification.

John



Re: Tomcat SSL w/ Apache

2002-10-30 Thread Randy Secrist
I played around with the config for a few hours today - didn't get any
results.  Having read that about name based hosting before, I switched to IP
based vhosting... - after popping in a few network cards...

What happens now is the same as before...

1)
I switch to HTTPS - and I get the standard warning about self-signed
certificates...
2)
I accept it...
3)
Tomcat gets and compiles the request...showing isSecure is false...when
it should be true
4)
And apache feeds me the page via https, and the browser reports secure
transmission.
5)
I check Apache's logs... (No errors in SSL via apache side..)
Tomcat's logs were garbled until I cleaned up my virtual host files -
but now they appear to be fine... - no errors.

Somewhere in there, Tomcat is getting the request - because it compiles the
JSP directives, and returns false when calling <%= request.isSecure() %>
However as noted above - this happens when using https!  If I do the same
thing on my linux box - it works just fine - (albeit I didn't compile apache
myself on that thing... - but that shouldn't matter - because SSL does
work - just NOT with Tomcat...)

Here is the relevant part of my httpd.conf...
- note - NameVirtualHost * is commented out prior to this... - does
_default_:443 - mean it is still trying to use a default named Vhost, or a
default IP?

<IfModule mod_ssl.c>
<VirtualHost _default_:443>
DocumentRoot c:/web/Tomcat-4-1/webapps/ROOT
ErrorLog logs/ssl-error_log
TransferLog logs/ssl-access_log
SSLEngine on
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
SSLCertificateFile conf/ssl/myDomain.cert
SSLCertificateKeyFile conf/ssl/myDomain.key
SetEnvIf User-Agent ".*MSIE.*" nokeepalive ssl-unclean-shutdown
CustomLog logs/ssl_request_log \
  "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
RewriteEngine On
RewriteOptions inherit
</VirtualHost>
</IfModule>






Re: Tomcat SSL w/ Apache

2002-10-29 Thread Robert L Sowders
The configuration you describe for virtual hosts is correct except that 
for SSL to work correctly in Apache you have to use IP based virtual 
hosting.  Name based virtual hosting will give you errors.  See 
http://www.modssl.org/docs/2.8/ssl_faq.html#ToC47

rls





Randy Secrist [EMAIL PROTECTED]
10/29/2002 07:58 PM
Please respond to Tomcat Users List

 
To: Tomcat Users List [EMAIL PROTECTED]
cc: 
Subject:Tomcat SSL w/ Apache


I have an interesting problem that I don't know much about.  I am 
integrating Apache with Tomcat using mod_jk - and I have it mostly 
working.  The only real problem I have left - is getting SSL - which 
appears to be working with Apache - to work with Tomcat.

I have both HTTP connectors disabled in Tomcat.  The only connector I 
have up is Coyote's AJP on 8009.  (Via tomcat 4.1.12).

When I switch to https and accept my self-generated certificate, the 
browser returns the compiled jsp page, without any non-secure warnings... 
- but if I call <%= request.isSecure() %> - it returns FALSE - even though I 
am using HTTPS.  I'm not sure why this could be happening.

In Apache - I have 2 virtual hosts mapped to the same domain name - on 
different ports - because I couldn't get it to work right with just one.

mydomain.com:80
and
mydomain.com:443 (with all my SSL directives...)

Could anyone offer advice?

Randy







Re: Tomcat SSL IBM JSSE

2002-10-15 Thread Panos Skondras

Hi again
I managed to find ibmjsse.jar (I had to download the WSDK, 100MB, nice???)
and put it in the java_home/jre/lib/ext directory. I also
left there Sun's JSSE jars (jcert.jar, jnet.jar, jsse.jar). I changed the
java.security file and put in the provider:
<snip>
security.provider.1=sun.security.provider.Sun
security.provider.2=com.ibm.jsse.JSSEProvider
</snip>

I restart Tomcat and I get:

initProxy:  java.security.NoSuchAlgorithmException: Class
com.ibm.jsse.SSLContextImpl configured for SSLContext not a SSLContext
java.security.NoSuchAlgorithmException: Class com.ibm.jsse.SSLContextImpl
configured for SSLContext not a SSLContext
        at java.security.NoSuchAlgorithmException.<init>(NoSuchAlgorithmException.java:47)
        at com.sun.net.ssl.SunJSSE_b.a(DashoA6275)
        at com.sun.net.ssl.SSLContext.getInstance(DashoA6275)
        at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:398)
        at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
        at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:780)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
Catalina.start: LifecycleException:  null.open:  java.io.IOException:
java.security.NoSuchAlgorithmException: Class com.ibm.jsse.SSLContextImpl
configured for SSLContext not a SSLContext
LifecycleException:  null.open:  java.io.IOException:
java.security.NoSuchAlgorithmException: Class com.ibm.jsse.SSLContextImpl
configured for SSLContext not a SSLContext
        at java.lang.Exception.<init>(Exception.java:35)
        at org.apache.catalina.LifecycleException.<init>(LifecycleException.java:126)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1130)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.Catalina.start(Catal

ina.java:780)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)
- Root Cause -
java.io.IOException: java.security.NoSuchAlgorithmException: Class
com.ibm.jsse.SSLContextImpl configured for SSLContext not a SSLContext
        at java.lang.Exception.<init>(Exception.java:44)
        at java.io.IOException.<init>(IOException.java:49)
        at org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:422)
        at org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:334)
        at org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:287)
        at org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:948)
        at org.apache.catalina.connector.http.HttpConnector.initialize(HttpConnector.java:1128)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:454)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:553)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:780)
        at org.apache.catalina.startup.Catalina.execute(Catalina.java:681)
        at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
        at java.lang.reflect.Method.invoke(Native Method)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:243)

When I delete Sun's jars I get com.sun.net class not found and other errors.
Has anyone tried something like this before?

Thanks in advance






Re: Tomcat SSL - Changing URL https to http

2002-10-10 Thread Frédéric LE MAISTRE

Thanks very much. Is CONFIDENTIAL a keyword?

- Original Message -
From: Ralph Einfeldt [EMAIL PROTECTED]
To: Tomcat Users List [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 10:34 AM
Subject: AW: Tomcat SSL - Changing URL https to http


Forgot to mention that this belongs in web.xml.

 -Original Message-
 From: Ralph Einfeldt
 Sent: Thursday, 10 October 2002 10:29
 To: Tomcat Users List
 Subject: AW: Tomcat SSL - Changing URL https to http

 <security-constraint>
   <web-resource-collection>
     <web-resource-name>Secure Portion Of The Site</web-resource-name>
     <url-pattern>/importantData.html</url-pattern>
   </web-resource-collection>
   <user-data-constraint>
     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
   </user-data-constraint>
 </security-constraint>

  -Original Message-
  From: Frédéric LE MAISTRE [mailto:[EMAIL PROTECTED]]
  Sent: Thursday, 10 October 2002 10:04
  To: [EMAIL PROTECTED]
  Subject: Tomcat SSL - Changing URL https to http
 
  This page has the following URL :
  https://localhost:8443/importantData.html
  We only have to change manually the URL with
  http://localhost:8080/importantData.html to avoid the SSL
 connection?






RE: Tomcat SSL - Changing URL https to http

2002-10-10 Thread Turner, John


Disable the connector on 8080 in server.xml if you don't want requests going
to that port.

In production, you should only have the connectors enabled that you are
actually using...anything else should be disabled.  Simply comment out the
entry in server.xml and restart Tomcat.

John


 -Original Message-
 From: Frédéric LE MAISTRE [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 10, 2002 4:04 AM
 To: [EMAIL PROTECTED]
 Subject: Tomcat SSL - Changing URL https to http
 
 
 I've secured my website with Apache, using the SSL connector.
 But I have a problem : Imagine I have a page with 
 confidential data to send.
 This page has the following URL : 
 https://localhost:8443/importantData.html
 We only have to change manually the URL with 
 http://localhost:8080/importantData.html to avoid the SSL connection?
 It's not very secure.
 please give me a hand
 Thanks
 
 Steph
 

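Ralph's <user-data-constraint> and John's advice to disable the 8080 connector are complementary, not alternatives. The constraint protects only the URL patterns it lists: for a listed path Tomcat's authenticator checks request.isSecure() and, when it is false, redirects to the redirectPort named on the plain-HTTP connector in server.xml; any path the constraint does not cover is still served in clear text on 8080, which is what disabling the connector closes. The added example below, which is not code from the thread or from Tomcat, reimplements the servlet-spec constraint selection order Tomcat applies (exact match, then the longest /prefix/* match, then *.ext, then the "/" default) over Ralph's web.xml plus two constructed constraints, so you can check which paths a given web.xml actually forces onto https. The host name localhost and port 8443 are the thread's own; the second and third constraints and the sample paths are constructed.

```python
"""Which requests does a web.xml <user-data-constraint> force onto HTTPS?
Added example, not code from the thread or from Tomcat. It reimplements the
servlet-spec constraint selection order Tomcat applies (exact match, then the
longest /prefix/* match, then *.ext, then the "/" default) and the redirect
Tomcat's authenticator issues when a selected constraint says CONFIDENTIAL or
INTEGRAL while request.isSecure() is false. The web.xml below is the thread's
constraint plus two constructed ones; host and port are the thread's own."""
import xml.etree.ElementTree as ET

WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure Portion Of The Site</web-resource-name>
      <url-pattern>/importantData.html</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <!-- constructed: the account area and all JSPs, except public help pages -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account area</web-resource-name>
      <url-pattern>/account/*</url-pattern>
      <url-pattern>*.jsp</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Account help</web-resource-name>
      <url-pattern>/account/help/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>NONE</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""


def _local(tag):
    """Drop the namespace that servlet 2.4+ web.xml files put on every tag."""
    return tag.rsplit("}", 1)[-1]


def load_constraints(web_xml):
    """[(url_patterns, transport_guarantee)] per <security-constraint>."""
    out = []
    for sc in ET.fromstring(web_xml).iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = [e.text.strip() for e in sc.iter() if _local(e.tag) == "url-pattern"]
        guarantees = [e.text.strip().upper() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee"]
        out.append((patterns, guarantees[0] if guarantees else "NONE"))
    return out


def applicable(constraints, path):
    """Constraints that govern `path`: all exact matches, else every constraint
    holding one of the longest matching /prefix/* patterns, else extension
    matches, else those declaring the "/" default. Nothing else applies."""
    exact = [c for c in constraints if path in c[0]]
    if exact:
        return exact
    best, best_len = [], -1
    for c in constraints:
        for p in c[0]:
            base = p[:-2]
            if not p.endswith("/*") or (path != base and not path.startswith(base + "/")):
                continue
            if len(base) > best_len:
                best, best_len = [c], len(base)
            elif len(base) == best_len and c not in best:
                best.append(c)
    if best:
        return best
    ext = [c for c in constraints
           if any(p.startswith("*.") and path.endswith(p[1:]) for p in c[0])]
    return ext or [c for c in constraints if "/" in c[0]]


def redirect_for(constraints, path, is_secure, host="localhost", redirect_port=8443):
    """None when the request may proceed as sent; otherwise the https URL
    Tomcat redirects to, built from the plain connector's redirectPort."""
    if is_secure:
        return None
    if any(tg in ("CONFIDENTIAL", "INTEGRAL") for _, tg in applicable(constraints, path)):
        port = "" if redirect_port == 443 else f":{redirect_port}"
        return f"https://{host}{port}{path}"
    return None


CONSTRAINTS = load_constraints(WEB_XML)

if __name__ == "__main__":
    for p in ("/importantData.html", "/index.html", "/account/help/faq.html", "/faq.jsp"):
        print(f"{p:26} over http -> {redirect_for(CONSTRAINTS, p, False)}")
```

Run as a script it shows the two things worth knowing before relying on this mechanism: /index.html over plain http gets no redirect at all (nothing covers it), and /account/help/faq.html is left in the clear because the longer /account/help/* prefix with NONE wins over /account/*, exactly as the spec's selection order dictates. Behind mod_jk the is_secure input to this check is the AJP is_ssl flag, so the redirect only fires when httpd reports the request as plain.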




Re: Tomcat SSL - Changing URL https to http

2002-10-10 Thread Frédéric LE MAISTRE

thanks a lot
- Original Message -
From: Turner, John [EMAIL PROTECTED]
To: 'Tomcat Users List' [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 2:57 PM
Subject: RE: Tomcat SSL - Changing URL https to http







Re: Tomcat SSL

2002-10-03 Thread Mehmet Birgi

The server certificate must be where you set it up in your server.xml (for
details, see the tomcat-ssl-howto). This will enable Tomcat to identify
itself to the client.

The client certificate's CA's public key (or just the whole certificate)
must be imported into %JAVA_HOME%/jre/lib/security/cacerts (the default
truststore that Tomcat uses), or, you have to define the system property for
the truststore in Tomcat's JVM if you want to use another truststore than
the default. This will enable Tomcat to trust the client.

cheers,

memo


- Original Message -
From: Panos Skondras [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, October 03, 2002 08:50
Subject: Tomcat SSL


 Hi all
 I am trying to start Tomcat using https with client auth but
 so far nothing.
 I have downloaded JSSE and put the jar in the right place (https works if I
 put clientauth=false in
 server.xml).
 I have created a key with keytool and also
 exported a key to put it in the IE trusted root dir.
 But when I enable clientauth=true and try again I get
  The page cannot be displayed page from Tomcat; no
 logging is done.
 Can anyone give me some hints?
 The client certificate is not from a CA but it is created by me with
 keytool.
 The client certificate and the server certificate must exist somewhere
 in the Tomcat path?
 thx in advance







Re: Tomcat SSL

2002-10-03 Thread Mehmet Birgi

hi panos,

Tomcat uses the standard Java truststore to authenticate the client cert,
not its keystore. See below for corrections:

- Original Message -
From: Panos Skondras [EMAIL PROTECTED]
To: Tomcat Users [EMAIL PROTECTED]
Sent: Thursday, October 03, 2002 12:06
Subject: Tomcat SSL


 Hi all again

 I am trying to work with tomcat and ssl with clientauth=true.
 I am trying to access the Tomcat on localhost and supply the client
 certificate through IE
 In tomcat i have a servlet which will print the certificate eventually.
 Here are the steps i take
 1. <snip server.xml>
 <Connector className="org.apache.catalina.connector.http.HttpConnector"
            port="8443" minProcessors="5" maxProcessors="75"
            enableLookups="true"
            acceptCount="10" debug="0" scheme="https" secure="true">
   <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
            clientAuth="auth" protocol="TLS"
            keystoreFile="c:\keystore\server.keystore" keystorePass="771652"/>
 </Connector>
 </snip>
 2. Create the server.keystore
 keytool -genkey -alias pask -keyalg rsa -keystore
 c:\keystore\server.keystore

 3. Export the key to be put in the IE Trusted Root dir
 keytool -export -alias pask -keystore c:\keystore\server.keystore -file
 server.cer

 4. In IE Content, import the server.cer into the Trusted Root providers.
 Up to here, if I put clientauth=false in server.xml I have an https
 connection to Tomcat with IE showing it is SECURE (the lock appears).

 5. Now on the same machine I create the client certificate
 keytool -genkey -alias pskon -keyalg rsa -keystore
 c:\keystore\client.keystore
 keytool -export -alias pskon -keystore c:\keystore\client.keystore -file
 cl.cer
 keytool -import -alias pskon -keystore c:\keystore\server.keystore -file
 cl.cer

this is the important thing: try
keytool -import -alias pskon -keystore
%JAVA_HOME%\jre\lib\security\cacerts -file cl.cer

I think that the password for cacerts is changeit, but I am not sure;
check the docs for JSSE by Sun if it does not work.

Good luck,

memo



 I also copy the server.keystore into jre/lib/security just in case.
 The attributes of the keys are CN=localhost, ATHENS, ATHENS, ATHENS, GR.
 When I put back clientauth=true and restart Catalina 4.0.4 on Windows XP
 I get a "page cannot be displayed" sign.

 Am I doing something wrong?
 Any ideas are welcome.












Re: Tomcat SSL without plaintext Certificate-Keyphrase

2002-09-01 Thread Bill Barker


Henning Meyer [EMAIL PROTECTED] wrote in message
news:[EMAIL PROTECTED]...
 Hello,

 I want to set up a Tomcat server without having the SSL keyphrase
 readable as plaintext by the user Tomcat runs as.
 At this time I think it has to be in the config.xml file.
 Is there a solution like having to type in the keyphrase every time the
 server starts up?
 Is there a solution like having the passphrase only readable by root and
 letting the server start up automatically?
 e.g. root starts the server, and then the server switches its user id?

 I hope you will help me!

For Tomcat 3.3.x, you can use the PasswordPrompter from the add-ons (under
the usual download link).

I had thought that this one was originally back-ported from 4.x, but I'm
afraid that I can't find where the 4.x version lives at the moment.


 Thanks a lot.



 Henning Meyer
 
 Lisa Simpson: Why do I have the feeling that someday I'll be describing
this
 to a psychiatrist?









RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread Andreas Mohrig

I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't know
itself under this name (localhost). You have to import your server
certificate (or the certificate of the CA that signed it) with keytool into
your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I am connecting to Tomcat using SSL, but without client authentication
(clientAuth=false in server.xml).
When I try to use the io taglib, here is a JSP example:

...
url =
https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName%
<io:request url="<%=url%>"/>
...

I always get this message: javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use the IO Taglib with a secure website without client
authentication?

Thanks.






RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread Andreas Mohrig

And to finish my own thought (this time before sending the message ;-):

You should then use your official server name instead of localhost, i.e.
the name which is set in the certificate. Java is really picky about the
certificates it trusts.

By the way: this has nothing to do with client authentication, since your
server seems to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't know
itself under this name (localhost). You have to import your server
certificate (or the certificate of the CA that signed it) with keytool into
your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I am connecting to Tomcat using SSL, but without client authentication
(clientAuth=false in server.xml).
When I try to use the io taglib, here is a JSP example:

...
url =
https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName%
<io:request url="<%=url%>"/>
...

I always get this message: javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use the IO Taglib with a secure website without client
authentication?

Thanks.






RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread QUERTEMONT Christophe

Thanks for your quick answer !

But I have never worked with SSL before, so I am getting a little
confused.
How can I get a certificate for my server? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Everything works fine except for the taglibs?

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 21, 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server name instead of localhost,
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: this has nothing to do with client authentication, since
your server seems to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name (localhost). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I am connecting to Tomcat using SSL, but without client authentication
(clientAuth=false in server.xml).
When I try to use the io taglib, here is a JSP example:

...
url =
https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName%
<io:request url="<%=url%>"/>
...

I always get this message: javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use the IO Taglib with a secure website without client
authentication?

Thanks.






RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread Andreas Mohrig

First of all, since you are trying to get a resource from the server itself,
it might be completely sufficient to use http instead of https, i.e. the url

http://localhost:8080//Cache?newsServer=moreover_news&newsFeedName

should work (assuming standard configuration). You won't have to bother with
ssl then, which should be acceptable, because the data in question will be
sent over the server's loopback interface only (and therefore should not be
in danger of being monitored, as long as your server hasn't been hacked).

If you still want to use ssl, though, there is quite a long way to go:

It seems you have tomcat configured to accept ssl at port 8443, and now you
want to get something from it from within a jsp page with this url:

https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName

In order for this to succeed, the code executing your jsp will act quite
similarly to a normal web browser and attempt to connect to the server given
in the url (which could as well be any other server reachable over your
network). What follows is an ssl handshake: the server presents its
certificate and a key to encrypt the data transfer is exchanged. This key is
normally signed by some CA (certificate authority, like Thawte or VeriSign)
so that the client can trust that no one just pretends to be who he says he
is (e.g. a bank or something like this) and can decide upon that if he wants
to transfer confidential information (like a credit card number for example)
to this server.

I'm sure you have seen warnings from your browser when these certificates
are not perfectly ok, when they have expired or are not issued for the right
server(-name). Your browser will ask if you wish to accept this and continue
to connect nevertheless. (What do you see if you enter the above URL into
your browser, with localhost replaced by whatever address your server is
reachable at?)

This is what happens to your jsp code too, because your self-generated
server key (which you created with keytool -genkey -alias tomcat -keyalg
RSA; -genkey creates a key, not a keystore) is not signed by anyone trusted
by normal java distributions. But instead of giving the opportunity to
accept this nevertheless, the process fails, because there is no one there to
interactively give his ok.

This is all the background I can give you in relatively short time, since
the process to sign such a key and to import the certificate is quite
complex (if you do not want to spend money for someone officially signing
your key). And I'm afraid I don't know how to accept such certificates
nevertheless.

If you need advice on how to become your own CA, how to sign your key and
import the CA's key into your keystore, I could provide you with some notes,
but don't expect this will be easy.

greetings

Andreas Mohrig
-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 12:02 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


Thanks for your quick answer !

But I have never worked with SSL before, so I am getting a little
confused.
How can I get a certificate for my server? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Everything works fine except for the taglibs?

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 21, 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server name instead of localhost,
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: this has nothing to do with client authentication, since
your server seems to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name (localhost). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I am connecting to Tomcat using SSL, but without client authentication
(clientAuth=false in server.xml).
When I try to use the io taglib, here is a JSP example:

...
url =
https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName%
<io:request url="<%=url%>"/>
...

I always get this message: javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO

RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread QUERTEMONT Christophe

Great, thanks a lot for your help !!!

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 21, 2002 12:28
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


First of all, since you are trying to get a resource from the server
itself, it might be completely sufficient to use http instead of https,
i.e. the url

http://localhost:8080//Cache?newsServer=moreover_news&newsFeedName

should work (assuming standard configuration). You won't have to bother
with ssl then, which should be acceptable, because the data in question
will be sent over the server's loopback interface only (and therefore
should not be in danger of being monitored, as long as your server
hasn't been hacked).

If you still want to use ssl, though, there is quite a long way to go:

It seems you have tomcat configured to accept ssl at port 8443, and now
you want to get something from it from within a jsp page with this url:

https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName

In order for this to succeed, the code executing your jsp will act quite
similarly to a normal web browser and attempt to connect to the server
given in the url (which could as well be any other server reachable over
your network). What follows is an ssl handshake: the server presents its
certificate and a key to encrypt the data transfer is exchanged. This key
is normally signed by some CA (certificate authority, like Thawte or
VeriSign) so that the client can trust that no one just pretends to be
who he says he is (e.g. a bank or something like this) and can decide
upon that if he wants to transfer confidential information (like a
credit card number for example) to this server.

I'm sure you have seen warnings from your browser when these
certificates are not perfectly ok, when they have expired or are not
issued for the right server(-name). Your browser will ask if you wish to
accept this and continue to connect nevertheless. (What do you see if
you enter the above URL into your browser, with localhost replaced by
whatever address your server is reachable at?)

This is what happens to your jsp code too, because your self-generated
server key (which you created with keytool -genkey -alias tomcat
-keyalg RSA; -genkey creates a key, not a keystore) is not signed by
anyone trusted by normal java distributions. But instead of giving the
opportunity to accept this nevertheless, the process fails, because
there is no one there to interactively give his ok.

This is all the background I can give you in relatively short time,
since the process to sign such a key and to import the certificate is
quite complex (if you do not want to spend money for someone officially
signing your key). And I'm afraid I don't know how to accept such
certificates nevertheless.

If you need advice on how to become your own CA, how to sign your key
and import the CA's key into your keystore, I could provide you with
some notes, but don't expect this will be easy.

greetings

Andreas Mohrig
-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 12:02 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


Thanks for your quick answer !

But I have never worked with SSL before, so I am getting a little
confused.
How can I get a certificate for my server? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Everything works fine except for the taglibs?

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, August 21, 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server name instead of localhost,
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: this has nothing to do with client authentication, since
your server seems to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name (localhost). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I am connecting to Tomcat using SSL, but without client authentication
(clientAuth=false in server.xml).
When I try to use the io taglib, here is a JSP example:

...
url

RE: TOMCAT SSL !!!

2002-05-07 Thread t . riteshmenon

Hi Steve,

I had included the security constraint in web.xml, but still
the request goes through without ssl. What mistake am I making?

What is the login-config? Do I have to include that too?
I was also not clear about the redirectPort bit - where could I get
more help?

thanx,
Ritesh


-Original Message-
From: Steve D George [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 3:48 PM
To: Tomcat Users List
Subject: Re: TOMCAT & SSL !!!



Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.

<!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trackeruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Location Tracker Application</realm-name>
  </login-config>

The important piece is the user-data-constraint and the
transport-guarantee. This tells Tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, Tomcat will redirect the request to whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL-only
connector on that port, but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



 

From: t.riteshmenon@iflexsolutions.com
To: [EMAIL PROTECTED]
cc:
Date: 30/04/2002 11:10
Subject: TOMCAT & SSL !!!
Please respond to: Tomcat Users List




Hi All,

My application requires that certain pages on the site are accessed via
SSL. Is there a way in Tomcat to reject an http connection to a specific page
(i.e. securePage.jsp) but still allow http access to other pages (i.e.
standardPage.jsp)?

Also I'm using cookies - so I wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh


This message contains privileged and confidential information and is
intended only for the individual named.If you are not the intended
recipient
you should not disseminate,distribute,store,print, copy or deliver this
message.Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.E-mail
transmission cannot be guaranteed to be secure or error-free as information
could be intercepted,corrupted,lost,destroyed,arrive late or incomplete or
contain viruses.The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a result
of e-mail transmission. If verification is required please request a
hard-copy version.



--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]









RE: TOMCAT SSL !!!

2002-05-07 Thread t . riteshmenon

Hi,

I was looking for the postings under "How to enforce SSL" - if
anybody could throw some light, as I was unable to locate it.


thanx!

-Original Message-
From: Steve D George [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 3:48 PM
To: Tomcat Users List
Subject: Re: TOMCAT & SSL !!!



Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.

<!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trackeruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Location Tracker Application</realm-name>
  </login-config>

The important piece is the user-data-constraint and the
transport-guarantee. This tells Tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, Tomcat will redirect the request to whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL-only
connector on that port, but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



 

From: t.riteshmenon@iflexsolutions.com
To: [EMAIL PROTECTED]
cc:
Date: 30/04/2002 11:10
Subject: TOMCAT & SSL !!!
Please respond to: Tomcat Users List




Hi All,

My application requires that certain pages on the site are accessed via
SSL. Is there a way in Tomcat to reject an http connection to a specific page
(i.e. securePage.jsp) but still allow http access to other pages (i.e.
standardPage.jsp)?

Also I'm using cookies - so I wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh














Re: TOMCAT SSL !!!

2002-04-30 Thread Steve D George


Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.

<!-- Define a Security Constraint on this Application -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trackeruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- Define the Login Configuration for this Application -->
  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Location Tracker Application</realm-name>
  </login-config>

The important piece is the user-data-constraint and the
transport-guarantee. This tells Tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, Tomcat will redirect the request to whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL-only
connector on that port, but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



   

From: t.riteshmenon@iflexsolutions.com
To: [EMAIL PROTECTED]
cc:
Date: 30/04/2002 11:10
Subject: TOMCAT & SSL !!!
Please respond to: Tomcat Users List




Hi All,

My application requires that certain pages on the site are accessed via
SSL. Is there a way in Tomcat to reject an http connection to a specific page
(i.e. securePage.jsp) but still allow http access to other pages (i.e.
standardPage.jsp)?

Also I'm using cookies - so I wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh


This message contains privileged and confidential information and is
intended only for the individual named.If you are not the intended
recipient
you should not disseminate,distribute,store,print, copy or deliver this
message.Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.E-mail
transmission cannot be guaranteed to be secure or error-free as information
could be intercepted,corrupted,lost,destroyed,arrive late or incomplete or
contain viruses.The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a result
of e-mail transmission. If verification is required please request a
hard-copy version.



--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]





--
To unsubscribe:   mailto:[EMAIL PROTECTED]
For additional commands: mailto:[EMAIL PROTECTED]
Troubles with the list: mailto:[EMAIL PROTECTED]
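Steve's post above restricts the whole context; Ritesh asked for a single page. The following web.xml fragment is an added example (not from either post) that applies the same user-data-constraint only to securePage.jsp, leaving standardPage.jsp reachable over plain HTTP. The resource name is an assumption; the page names are Ritesh's.

```xml
<!-- Added example, not part of the thread: HTTPS required for one page only.
     Any request for /securePage.jsp arriving over HTTP is redirected by Tomcat
     to the connector's redirectPort (8443 in the default server.xml). -->
<security-constraint>
  <web-resource-collection>
    <web-resource-name>HTTPS-only pages</web-resource-name>   <!-- name is an assumption -->
    <url-pattern>/securePage.jsp</url-pattern>
    <!-- widen the scope with more patterns, e.g. <url-pattern>/secure/*</url-pattern> -->
  </web-resource-collection>
  <!-- No <auth-constraint>: this constraint governs transport only, not who may log in. -->
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>
```

Two caveats worth checking after deploying this. First, the redirect is issued only after the browser has already sent the plain-HTTP request, so anything that request carried (URL parameters, cookies) has crossed the wire in the clear once; link to the secure page with an https:// URL rather than relying on the redirect. Second, browsers send a cookie that lacks the Secure attribute over both schemes, so a session established over HTTPS should not be shared with plain-HTTP pages of the same host if it is meant to stay confidential.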




Re: TOMCAT SSL !!!

2002-04-30 Thread Jacob Kjome

Looks like Steve D. George already answered the SSL setup question,
but as far as cookies go.  No, you cannot share cookies between http
and https.  The reason is not a deficiency in Tomcat or Apache, the
reason is security.  Actually, you might be able to read cookies set
in http while in https, but most certainly *not* vice-versa.

Take a look at the Netscape Cookie Spec for more info:
http://www.netscape.com/newsref/std/cookie_spec.html

Jake

Tuesday, April 30, 2002, 5:10:45 AM, you wrote:

tric Hi All,

tric My application requires that certain pages on the site are accessed via SSL.
tric Is there a way in Tomcat to reject HTTP connections to a specific page
tric (i.e. securePage.jsp) but still allow HTTP access to other pages (i.e.
tric standardPage.jsp)?

tric Also I'm using cookies, so I wanted to know whether these cookies will
tric be visible in both the http & https contexts.

tric Thanks in advance,

tric Ritesh



-- 
Best regards,
 Jacob  mailto:[EMAIL PROTECTED]






Re: Tomcat SSL

2001-12-27 Thread Pae Choi

Among many other articles, you can read the keytool description
from sun site.


Pae

 Hi,
 
 I can't create a SSL connection in my Tomcat server.
 It always says: C:\Documents and Settings\Default User\.keytool is not
 found.
 
 How to create .keytool in that directory?
 
 An article about this would also be helpful.
 
 
 Rama
 
 
 
 






RE: Tomcat SSL

2001-12-27 Thread Jim Urban

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html about a third
of the way down, do a browser find on Keystore.

Jim

-Original Message-
From: Rama [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 27, 2001 4:01 AM
To: [EMAIL PROTECTED]
Subject: Tomcat & SSL


Hi,

I can't create a SSL connection in my Tomcat server.
It always says: C:\Documents and Settings\Default User\.keytool is not
found.

How to create .keytool in that directory?

An article about this would also be helpful.


Rama





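Rama's error comes from keytool looking for a keystore in the user's home directory. An added example (not from the thread or the Tomcat docs) of the Tomcat 4 HTTPS connector from the SSL how-to Jim links, pointing at an explicitly named keystore so the home-directory default is never consulted; the keystore path and password are placeholders, and the connector attributes mirror the ones in the server.xml quoted at the top of this thread.

```xml
<!-- Added example, not from the thread.  Create the keystore first, at the
     same path named below (alias "tomcat" is what Tomcat 4 looks up):
       keytool -genkey -alias tomcat -keyalg RSA -keystore /path/to/tomcat.keystore
     Both path and password are placeholders to replace. -->
<Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
           port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="false"
           acceptCount="100" debug="0" scheme="https" secure="true"
           useURIValidationHack="false" disableUploadTimeout="true">
  <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
           keystoreFile="/path/to/tomcat.keystore"
           keystorePass="CHANGEME"
           clientAuth="false"
           protocol="TLS"/>
</Connector>
```

Because keystorePass sits in server.xml in clear text, the file (and the keystore itself) should be readable only by the account Tomcat runs as; check that before exposing port 8443. Setting clientAuth="true" makes Tomcat demand a client certificate that chains to a CA in the server's trust store, which is the configuration Mehul asks about further down this page.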




RE: Tomcat SSL Only 40 Bit

2001-10-18 Thread Riner Bill Contr AEDC/SVT

Do you have a 128-bit encryption version of IE?  Bill

  -Original Message-
 From: Jim Urban [mailto:[EMAIL PROTECTED]] 
 Sent: Thursday, October 18, 2001 4:12 PM
 To:   Tomcat-User
 Subject:  Tomcat SSL Only 40 Bit
 
 I created a certificate and set up Tomcat SSL (stand-alone on NT) and it
 works!  However, according to IE, HTTPS is only using 40 bit encryption.
 How do I get 128 bit encryption?
 
 Jim Urban
 Product Manager
 Netsteps Inc.
 Suite 505E
 1 Pierce Pl.
 Itasca, IL  60143
 Voice:  (630) 250-3045 x2164
 Fax:  (630) 250-3046
 



RE: Tomcat SSL Only 40 Bit

2001-10-18 Thread Jim Urban

Yes, and when I go to other HTTPS sites the little lock on the bottom of the
browser says 128 bit encryption.

Jim

-Original Message-
From: Riner Bill Contr AEDC/SVT [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 4:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat SSL Only 40 Bit


Do you have a 128-bit encryption version of IE?  Bill

  -Original Message-
 From: Jim Urban [mailto:[EMAIL PROTECTED]]
 Sent: Thursday, October 18, 2001 4:12 PM
 To:   Tomcat-User
 Subject:  Tomcat SSL Only 40 Bit

 I created a certificate and set up Tomcat SSL (stand-alone on NT) and it
 works!  However, according to IE, HTTPS is only using 40 bit encryption.
 How do I get 128 bit encryption?

 Jim Urban
 Product Manager
 Netsteps Inc.
 Suite 505E
 1 Pierce Pl.
 Itasca, IL  60143
 Voice:  (630) 250-3045 x2164
 Fax:  (630) 250-3046





RE: Tomcat+SSL+IBM Java

2001-09-03 Thread Alexander Jesse

Hi,

things that come to mind:
- are the JSSE-jars in the classpath?
- could it be that you have to define an IBM security-provider?

good luck
Alexander

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 03, 2001 11:14 AM
To: [EMAIL PROTECTED]
Subject: Tomcat+SSL+IBM Java


Hi,

we are bound to use  Tomcat with IBM Java, and we try to start it
with SSL, the result is:

Exception during startup processing
java.lang.reflect.InvocationTargetException: java.lang.NoClassDefFoundError:
com/sun/net/ssl/SSLContext

It seems to be natural, for the relevant class in IBM extension is 
com/ibm/net/ssl/SSLContext. 

Can anybody give a tip, what to do now?
(To use Sun's software not an option here...)

Thanks 

Agnes Sipos
Hungaria Insurance 





Re: Tomcat SSL Encryption Level

2001-08-27 Thread Craig R. McClanahan



On Mon, 27 Aug 2001, Colin Freas wrote:

 Date: Mon, 27 Aug 2001 17:10:41 -0400
 From: Colin Freas [EMAIL PROTECTED]
 Reply-To: [EMAIL PROTECTED]
 To: Tomcat Users List [EMAIL PROTECTED]
 Subject: Tomcat & SSL Encryption Level


 I wrote this class some time ago to determine the security level of user
 connections before allowing them to login.

 It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
 working.

 Is there some relatively painless way of accessing the key length of SSL
 connections?


In Servlet 2.3 (i.e. Tomcat 4.0) there is -- there's a new request
attribute that returns the key size:

  javax.servlet.request.cipher_suite

Unfortunately, this won't help you on Tomcat 3.2.3.

 Thanks,
 Colin Freas


Craig
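Servlet 2.3 actually defines three related request attributes for HTTPS requests: javax.servlet.request.cipher_suite (the negotiated suite name Craig mentions), javax.servlet.request.key_size (the effective key size, as an Integer) and javax.servlet.request.X509Certificate. The filter below is an added example, not Colin's class and not Tomcat code, that uses the first two to do what Colin wanted on Tomcat 4: refuse a login page to sessions negotiated below a minimum key size (the 40-bit symptom from the "Only 40 Bit" thread above). The minKeySize init-param and the filter mapping are assumptions.

```java
// Added example (not from the thread): Servlet 2.3 filter that refuses requests
// whose TLS session is weaker than a configured minimum key size.
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class MinimumKeySizeFilter implements Filter {

    // Policy default; "minKeySize" init-param is an assumed name, not a container setting.
    private int minKeySize = 128;

    public void init(FilterConfig config) throws ServletException {
        String v = config.getInitParameter("minKeySize");
        if (v != null) {
            minKeySize = Integer.parseInt(v);
        }
    }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        // Both attributes are defined by Servlet 2.3 and are only set for HTTPS requests.
        String suite = (String) request.getAttribute("javax.servlet.request.cipher_suite");
        Integer keySize = (Integer) request.getAttribute("javax.servlet.request.key_size");

        if (!request.isSecure() || suite == null || keySize == null) {
            // Plain HTTP, or a front-end proxy that did not pass TLS details through.
            response.sendError(HttpServletResponse.SC_FORBIDDEN, "HTTPS required");
            return;
        }
        if (keySize.intValue() < minKeySize) {
            // Log the suite name as well; it is the value to look up when a browser
            // negotiates an export-grade cipher.
            response.sendError(HttpServletResponse.SC_FORBIDDEN,
                    "Cipher " + suite + " negotiated only " + keySize + " bits");
            return;
        }
        chain.doFilter(req, res);
    }

    public void destroy() {
    }
}

/* Assumed web.xml mapping, guarding only the login page:
<filter>
  <filter-name>MinimumKeySize</filter-name>
  <filter-class>MinimumKeySizeFilter</filter-class>
  <init-param><param-name>minKeySize</param-name><param-value>128</param-value></init-param>
</filter>
<filter-mapping>
  <filter-name>MinimumKeySize</filter-name>
  <url-pattern>/login.jsp</url-pattern>
</filter-mapping>
*/
```

When Tomcat sits behind Apache with mod_jk, these attributes are only meaningful if the front end forwards the SSL parameters to the AJP connector; with Tomcat standalone on an SSL connector they are populated directly by the JSSE socket.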




RE: tomcat-SSL

2001-08-21 Thread Rams

The JSSE classes do it on your behalf.
No need for you to do anything, even in the case of client authentication, as we do
nothing in server authentication.
If you are connecting as a client to other servers and they need client
authentication,
you should have your client cert in your keystore.

Am I making sense?

--Rams

-Original Message-
From: Mehul S Dave [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 12:32 PM
To: Tomcat User archive
Subject: tomcat-SSL


Hi
   I have configured tomcat-SSL as a standalone.
   It's working fine.
   I have used JSSE.
   Well, I need some more step-by-step details for more secure
authentication. In the server.xml, in the SSL section, if I set
   parameter=clientAuth value=true then it will expect the client's certificate
too from the client side. I want to know, on the server side, how do I get
the client's certificate for authentication?
Or any other steps for client authentication with respect to certificates.
Thanking you.
Bye



*
Mehul S Dave
Scientific Officer, (STCS Dept.),
Tata Institute of Fundamental Research
Phone - 2152971 Extn - 2372
Mumbai .
webpage:- http://www.ecom.tifr.res.in/~mehul
*




RE: tomcat-SSL

2001-08-21 Thread Mehul S Dave

Hello
   Thanks for the reply.
   Well, I get some problems.
   I have my personal certificate. When I click on Security
   in the Netscape browser and see Certificates: Yours, I can view my
certificates. It's fine.
 But now when I connect to my SSL-enabled Tomcat site it gives me the
message that "The site has requested client authentication, but
you do not have a Personal Certificate to authenticate yourself. The site may choose
not to give you access without one." But I have got my personal certificate already.
I also manually imported the cert into the keystore with keytool.
Please give the solution.
Thanks.

*
Mehul S Dave
Scientific Officer, (STCS Dept.),
Tata Institute of Fundamental Research
Phone - 2152971 Extn - 2372
Mumbai .
webpage:- http://www.ecom.tifr.res.in/~mehul
*




Re: tomcat ssl direct help

2001-07-18 Thread John Hebert

Tan WeeSiong wrote:

 Hi
 
 I am facing a lot of problems with tomcat 3.2.1.
 
 The SSL direct has already caused me a lot of problems.
 I tried to import certs of v3 and tried to let it run as
 a server cert but it doesn't work.
 The default tomcat webpage cannot be displayed
 and tomcat shows these error msgs:
 2001-03-22 03:47:18 - Ctx(  ): 400 R( /) null
 2001-03-22 03:47:18 - Ctx(  ): IOException in:
 R( /) Socket closed
 
 But when I try
 keytool -genkey -alias tomcat -keyalg RSA
 
 the v1 cert works and SSL can be working.
 
 Please reply to me as soon as possible because I have
 already dwelt on this problem for a very long time
 and I think I am going mad already. The internet
 doesn't really help much...
 
 Please give me the solutions in detail and as simple
 to understand as possible.
 
 Please, I really appreciate your help. Thanks


Tan,

I do not have a detailed answer but I do suggest that you use the latest 
release version of Tomcat. Are you certain that SSL v3 is supported by 
Tomcat 3.2.1?

-- 
John Alex Hebert
[EMAIL PROTECTED]
System Engineer



Re: Tomcat SSL

2001-06-13 Thread Tim O'Neil

Now I want to configure out how to confirm that the contents send between
tomcat and apache are really encrypted.

Why do you want to do that? Is Apache and Tomcat running on two
different machines?




RE: Tomcat SSL

2001-06-04 Thread Martin van den Bemt

http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ssl-howto.html

Your link is a combination of cvs checkout and the above ;-))

Mvgr,
Martin

 -Original Message-
 From: Abhijat Thakur [mailto:[EMAIL PROTECTED]]
 Sent: Monday, June 04, 2001 8:24 PM
 To: [EMAIL PROTECTED]
 Subject: Tomcat & SSL


 Hi,

 Can anybody forward me to some documentation where I can get started on
 how to configure Tomcat with SSL? The site

 http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-ssl-howto.html

 does not work. Other than that, in the archives I could find specific
 questions related to Tomcat & SSL problems but I have not reached
 that far.


 Thanks in advance

 Abhijat Thakur






RE: Tomcat + SSL Certificates

2001-05-11 Thread Alan Williamson

Sean, Tim,

Thanks for your feedback.

I've checked my JSSE version, and it's 1.0.2 global version.  Which
according to the accompanying user guide has the same level of cryptography
as the domestic US version, so I don't think it's the jars that are causing
the problem.

My initial suspicion was that Tomcat 3.0 which I'm using as part of J2EE
didn't support the use of SGC certificates, which I still suspect. Tim; can
you confirm the Tomcat version with which you are successfully connecting at
128-bits?

I was aware of the 128-bit standard Thawte certs, but I never got a
connection at 128 via the test cert.  They switch down to 40 dependent on
the browser and server according to Thawte.  However the versions of
Netscape (4.75) and I.E (5.0) I'm running are both 128-bit compatible
according to them, which again points to the old version of Tomcat I'm using!

Hopefully v1.3 of the J2EE with Tomcat 4.0 in it will get around this
problem, but until then I need all the help I can get.

Cheers,

Alan




RE: Tomcat + SSL Certificates

2001-05-11 Thread Sean Pritchard

I'm using Tomcat 3.2.1, the US JSSE version, and the US version of IE 5.0.

-Original Message-
From: Alan Williamson [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 11, 2001 7:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat + SSL Certificates


Sean, Tim,

Thanks for your feedback.

I've checked my JSSE version, and it's 1.0.2 global version.  Which
according to the accompanying user guide has the same level of cryptography
as the domestic US version, so I don't think it's the jars that are causing
the problem.

My initial suspicion was that Tomcat 3.0 which I'm using as part of J2EE
didn't support the use of SGC certificates, which I still suspect. Tim; can
you confirm the Tomcat version with which you are successfully connecting at
128-bits?

I was aware of the 128-bit standard Thawte certs, but I never got a
connection at 128 via the test cert.  They switch down to 40 dependent on
the browser and server according to Thawte.  However the versions of
Netscape (4.75) and I.E (5.0) I'm running are both 128-bit compatible
according to them, which again points to the old version of Tomcat I'm using!

Hopefully v1.3 of the J2EE with Tomcat 4.0 in it will get around this
problem, but until then I need all the help I can get.

Cheers,

Alan



RE: Tomcat + SSL Certificates

2001-05-11 Thread Tim O'Neil

At 10:16 AM 5/11/2001 -0400, you wrote:
My initial suspicion was that Tomcat 3.0 which I'm using as part of J2EE
didn't support the use of SGC certificates, which I still suspect. Tim; can
you confirm the Tomcat version with which you are successfully connecting at
128-bits?

3.2.1.




RE: Tomcat + SSL Certificates

2001-05-10 Thread Alan Williamson

Ylan, Sean,

Thank you for your replies.

I do have SSL working through Tomcat directly using a test certificate that
I got from the CA Thawte,  however it only seems to work with a standard
x509 certificate (40-bit)!

I'd really like to be able to make use of the latest SGC SuperCerts (as
Thawte badge them) which are 128-bit.  But I'm unsure of what Tomcat version
supports them, if it actually does and this is what I'm really trying to
find out.

Cheers,

Alan



RE: Tomcat + SSL Certificates

2001-05-10 Thread Sean Pritchard

I generated a self-signed certificate using the keytool as discussed in the
tomcat doc.  It seems to be encrypting at 128-bit (according to my browser).
You will need a version of the security extensions (JSSE I think) that
supports 128 bit encryption.  I don't know whether the international version
supports that.  I have not tried to import a third party certificate yet.

Sean

-Original Message-
From: Alan Williamson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 10, 2001 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat + SSL Certificates


Ylan, Sean,

Thank you for your replies.

I do have SSL working through Tomcat directly using a test certificate that
I got from the CA Thawte,  however it only seems to work with a standard
x509 certificate (40-bit)!

I'd really like to be able to make use of the latest SGC SuperCerts (as
Thawte badge them) which are 128-bit.  But I'm unsure of what Tomcat version
supports them, if it actually does and this is what I'm really trying to
find out.

Cheers,

Alan



RE: Tomcat + SSL Certificates

2001-05-09 Thread Ylan Segal

As I understand it, tomcat by itself does not support any certificates. If
you want to use SSL then you need to integrate it with another webserver.

I use tomcat with apache-modssl and it works great.

Ylan

|-Original Message-
|From: Alan Williamson [mailto:[EMAIL PROTECTED]]
|Sent: Wednesday, May 09, 2001 5:30 AM
|To: '[EMAIL PROTECTED]'
|Subject: Tomcat + SSL Certificates
|
|
|Hi,
|
|Could someone please tell me what version of Tomcat (if any)
|supports 128-bit Server-Gated Crypto (SGC) certificates.
|
|I'm currently using Java J2EE 1.2.1 and Tomcat v3.0 which comes along with
|it without much luck.  With a test 128-bit cert installed Tomcat fails to
|locate my test jsp, but it works fine with a x 509 cert.
|
|Cheers,
|
|Alan
|




RE: Tomcat + SSL Certificates

2001-05-09 Thread Sean Pritchard

I have been able to get Tomcat to support SSL in standalone mode just fine.
There is a very brief write-up of the procedure in the Tomcat documentation
and an example connector in the example web.xml file.  I was initially
concerned because the write-up is so short, but it turned out that following
the steps as outlined worked fine.  No long write-up was needed.  You do
need to download the security extensions from Sun but this is all covered in
the documentation.

Sean

-Original Message-
From: Ylan Segal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: Tomcat + SSL Certificates


As I understand it, tomcat by itself does not support any certificates. If
you want to use SSL then you need to integrate it with another webserver.

I use tomcat with apache-modssl and it works great.

Ylan

|-Original Message-
|From: Alan Williamson [mailto:[EMAIL PROTECTED]]
|Sent: Wednesday, May 09, 2001 5:30 AM
|To: '[EMAIL PROTECTED]'
|Subject: Tomcat + SSL Certificates
|
|
|Hi,
|
|Could someone please tell me what version of Tomcat (if any)
|supports 128-bit Server-Gated Crypto (SGC) certificates.
|
|I'm currently using Java J2EE 1.2.1 and Tomcat v3.0 which comes along with
|it without much luck.  With a test 128-bit cert installed Tomcat fails to
|locate my test jsp, but it works fine with a x 509 cert.
|
|Cheers,
|
|Alan
|



RE: Tomcat SSL

2001-04-26 Thread GOMEZ Henri

 When I've had to kill Tomcat on my setup, Apache locks up and requires a
 restart, even after restarting Tomcat.

 Also, according to the mod_jk FAQ:

 http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8

 Q. Whenever I restart Tomcat, Apache locks up!
 A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
 you restart Tomcat, you need to restart Apache as well.

 which was pretty much my own experience,

 Regards,
 Joel Parramore


It's no more true with the latest mod_jk/ajp13 found in
TC 3.3 cvs. I committed two patches in the ajp13 worker (C side)
which fix that.

But mod_jk in TC 3.2 != mod_jk in TC 3.3 since some fixes
are delicate and Marc asked us to avoid touching sensible
code in TC 3.2.x. Even if I'm confident with the ajp13 worker
patch we need many testers to put it back in TC 3.2.




Re: Tomcat SSL

2001-04-26 Thread Joel Parramore


So, the latest mod_jk/ajp13 in Tomcat 3.3 fixes this?  Nice to know...
thanks.

Regards,
Joel Parramore


- Original Message -
From: GOMEZ Henri [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Thursday, April 26, 2001 4:02 PM
Subject: RE: Tomcat & SSL


  When I've had to kill Tomcat on my setup, Apache locks up and requires a
  restart, even after restarting Tomcat.
 
  Also, according to the mod_jk FAQ:
 
  http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8
 
  Q. Whenever I restart Tomcat, Apache locks up!
  A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
  you restart Tomcat, you need to restart Apache as well.
 
  which was pretty much my own experience,
 
  Regards,
  Joel Parramore
 

 It's no more true with the latest mod_jk/ajp13 found in
 TC 3.3 cvs. I committed two patches in the ajp13 worker (C side)
 which fix that.

 But mod_jk in TC 3.2 != mod_jk in TC 3.3 since some fixes
 are delicate and Marc asked us to avoid touching sensible
 code in TC 3.2.x. Even if I'm confident with the ajp13 worker
 patch we need many testers to put it back in TC 3.2.





Re: Tomcat SSL

2001-04-26 Thread Wolle

That means, when you build your own mod_jk, you get a chance that
Apache will not hang up?
This could be the reason why this has not happened in my case.

Greetings,
Wolle


GOMEZ Henri wrote:

  When I've had to kill Tomcat on my setup, Apache locks up and requires a
  restart, even after restarting Tomcat.
 
  Also, according to the mod_jk FAQ:
 
  http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8
 
  Q. Whenever I restart Tomcat, Apache locks up!
  A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
  you restart Tomcat, you need to restart Apache as well.
 
  which was pretty much my own experience,
 
  Regards,
  Joel Parramore
 

 It's no more true with the latest mod_jk/ajp13 found in
 TC 3.3 cvs. I committed two patches in the ajp13 worker (C side)
 which fix that.

 But mod_jk in TC 3.2 != mod_jk in TC 3.3 since some fixes
 are delicate and Marc asked us to avoid touching sensible
 code in TC 3.2.x. Even if I'm confident with the ajp13 worker
 patch we need many testers to put it back in TC 3.2.

--





Re: Tomcat SSL

2001-04-25 Thread Milt Epstein

On Tue, 24 Apr 2001, Jeff Kilbride wrote:

 Correct. Apache stops serving mod_jk requests. However, apache
 itself doesn't die. It will go on happily serving .html, .php,
 mod_perl, etc...

 Just don't want to give anyone the impression that the entire apache
 server locks up when Tomcat is restarted.

Then why do you say correct in response to someone who says it
*does* lockup? :-).

I'm confused ... :-).


 - Original Message -
 From: Joel Parramore [EMAIL PROTECTED]
 To: [EMAIL PROTECTED]
 Sent: Tuesday, April 24, 2001 3:47 PM
 Subject: Re: Tomcat & SSL

  When I've had to kill Tomcat on my setup, Apache locks up and
  requires a restart, even after restarting Tomcat.
 
  Also, according to the mod_jk FAQ:
 
 
 http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8
 
  Q. Whenever I restart Tomcat, Apache locks up!
  A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
  you restart Tomcat, you need to restart Apache as well.
 
  which was pretty much my own experience,
 
  Regards,
  Joel Parramore
 
 
  - Original Message -
  From: Jeff Kilbride [EMAIL PROTECTED]
  To: [EMAIL PROTECTED]
  Sent: Tuesday, April 24, 2001 6:38 PM
  Subject: Re: Tomcat & SSL
 
   Well, apache doesn't die, per se -- it just doesn't respond to
   connections from Tomcat until restarted.
  
   --jeff
  
   - Original Message -
   From: Joel Parramore [EMAIL PROTECTED]
   To: [EMAIL PROTECTED]
   Sent: Tuesday, April 24, 2001 3:31 PM
   Subject: Re: Tomcat & SSL
  
Using ajp13 with Apache and Tomcat holds open a socket for
requests between the two as opposed to opening a socket for
every request (ajp12).  Shutting down Tomcat apparently does
not gracefully allow Apache to deal with the socket suddenly
closing, so Apache dies as well.
   
Regards,
Joel Parramore
[ ... ]

Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]



