Re: TC5 + SSL: Keystore password bound to default changeit?
On Wednesday, 10 December 2003 06:59, Bill Barker wrote:
> Ankur Shah [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
>> Remy Maucherat wrote:
>>> Baer Peter Christoph Alexander wrote:
>>>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>>>
>>> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.
>>
>> Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.
>
> This is a true fact :(. At the moment, the keystore password must match the password for the target-key. It would be nice to be able to specify different passwords, and someday it may even happen :). If this feature is important to you, patches are always welcome (since this is the only way that it will move up in my development queue).

Hi,

thanks again for your valuable assistance.

(1) Thanks, Remy, for the hint with the changed SSL attributes. I already had removed a FACTORY tag for the SSL factory class, but I had overlooked that an attribute name was changed from Protocol to sslProtocol. That was it!

(2) I agree with you, Ankur. I also think that the key should be allowed to have another password than the keystore. This would be a prerequisite to store more than one key in a keystore. It's not a big problem, though...

Best wishes,
Alex

- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
Re: TC5 + SSL: Keystore password bound to default changeit?
On Tuesday, 9 December 2003 20:54, Ankur Shah wrote:
> Remy Maucherat wrote:
>> Baer Peter Christoph Alexander wrote:
>>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>>
>> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.
>
> Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.

<Thoughts>

<Just an idea>
server.xml is an XML file. It used to be XML in TC4, and it is still XML in TC5. Shouldn't it be possible, then, to write an XSL-T stylesheet converting old config files into newer formats? That would considerably ease migration/upgrade pains...
</Just an idea>

<Just an idea>
If we had an XML schema definition (be it W3C XML schema, Relax NG or whatever), an XML editor like Pollo or XML Spy could validate the config file. This would help to avoid and reveal mistakes and thus speed up Tomcat configuration...
</Just an idea>

</Thoughts>

Regards
Alex
Re: TC5 + SSL: Keystore password bound to default changeit?
Baer Peter Christoph Alexander wrote:
> On Tuesday, 9 December 2003 20:54, Ankur Shah wrote:
>> Remy Maucherat wrote:
>>> Baer Peter Christoph Alexander wrote:
>>>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>>>
>>> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.
>>
>> Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.
>
> <Thoughts>
>
> <Just an idea>
> server.xml is an XML file. It used to be XML in TC4, and it is still XML in TC5. Shouldn't it be possible, then, to write an XSL-T stylesheet converting old config files into newer formats? That would considerably ease migration/upgrade pains...
> </Just an idea>

Yes, it could. You're more than welcome to submit a patch :-)

> <Just an idea>
> If we had an XML schema definition (be it W3C XML schema, Relax NG or whatever), an XML editor like Pollo or XML Spy could validate the config file. This would help to avoid and reveal mistakes and thus speed up Tomcat configuration...
> </Just an idea>

Just search that list on the topic ;-) It is not possible at the moment to have a DTD or schema for the server.xml (due to its complexity). If you have time and think you can come up with something, a second patch is welcome!

-- Jeanfrancois

> </Thoughts>
>
> Regards
> Alex
XSL-T migration stylesheet [was: RE: TC5 + SSL: Keystore password bound to default changeit?]
Hi Jeanfrancois,

not that I want to deny my responsibility. If I felt able to do one of the patches, I would not hesitate. I wouldn't post my thoughts here, but the ready-made patches instead, of course. ;-)

But: I think the only persons who really have the knowledge required to create a migration stylesheet are the Tomcat developers, as they are the only persons knowing what tags there actually are, and how they were changed over the time. People like me could derive this kind of information from a DTD or schema, but there is none... Vicious circle, here! ;-)

But I'll think about starting the XSL-T migration thing. Maybe we can persuade the Tomcat developers to add their wisdom. In fact, I think, it would be possible to start very simple. The migration wouldn't be completely done by the stylesheet, but some conversion would already be done automatically, that would not have to be done by hand. Like removing Factory tags and changing attribute name Protocol to sslProtocol.

What do you think? Do you think it could be done, and lead to a really useful result? I'm optimistic, but I'm only a Tomcat user, not a Tomcat developer, and so I might overlook the big rock right in my way... ;-)

Regards
Alex

-----Original Message-----
From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]
Sent: Wednesday, December 10, 2003 3:21 PM
To: Tomcat Users List
Cc: Ankur Shah
Subject: Re: TC5 + SSL: Keystore password bound to default changeit?

Baer Peter Christoph Alexander wrote:
> On Tuesday, 9 December 2003 20:54, Ankur Shah wrote:
>> Remy Maucherat wrote:
>>> Baer Peter Christoph Alexander wrote:
>>>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>>>
>>> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.
>>
>> Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.
>
> <Thoughts>
>
> <Just an idea>
> server.xml is an XML file. It used to be XML in TC4, and it is still XML in TC5. Shouldn't it be possible, then, to write an XSL-T stylesheet converting old config files into newer formats? That would considerably ease migration/upgrade pains...
> </Just an idea>

Yes, it could. You're more than welcome to submit a patch :-)

> <Just an idea>
> If we had an XML schema definition (be it W3C XML schema, Relax NG or whatever), an XML editor like Pollo or XML Spy could validate the config file. This would help to avoid and reveal mistakes and thus speed up Tomcat configuration...
> </Just an idea>

Just search that list on the topic ;-) It is not possible at the moment to have a DTD or schema for the server.xml (due to its complexity). If you have time and think you can come up with something, a second patch is welcome!

-- Jeanfrancois

> </Thoughts>
>
> Regards
> Alex
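
The conversion proposed in the message above (removing Factory tags and renaming the attribute protocol to sslProtocol), as an added example that is not part of the thread or of Tomcat. It uses a Python script rather than an XSL-T stylesheet, runs on a constructed TC4-style server.xml, assumes the remaining Factory attributes move onto the Connector unchanged, and also flags the default keystore password discussed in the thread.

```python
import xml.etree.ElementTree as ET

# Constructed TC4-style sample (not from the thread); path and password are placeholders.
TC4_SAMPLE = """<Server>
  <Service name="Tomcat-Standalone">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" scheme="https" secure="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               clientAuth="false" protocol="TLS"
               keystoreFile="conf/example.keystore" keystorePass="changeit"/>
    </Connector>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector" port="8080"/>
  </Service>
</Server>"""

RENAMED = {"protocol": "sslProtocol"}  # the rename reported in the thread
DROPPED = {"className"}                # the Factory class itself is not carried over
DEFAULT_PASS = "changeit"              # default keystore password named in the thread


def migrate(xml_text):
    """Fold each <Factory> into its parent <Connector>; return (xml, warnings)."""
    root = ET.fromstring(xml_text)
    warnings = []
    for conn in list(root.iter("Connector")):
        port = conn.get("port", "?")
        for factory in conn.findall("Factory"):
            for name, value in factory.attrib.items():
                if name in DROPPED:
                    continue
                target = RENAMED.get(name, name)
                if conn.get(target, value) != value:
                    # Assumption: an attribute already on the Connector wins.
                    warnings.append(f"port {port}: kept existing {target}")
                    continue
                conn.set(target, value)
            conn.remove(factory)
        if len(conn) == 0 and not (conn.text or "").strip():
            conn.text = None  # serialize as an empty element again
        if "keystoreFile" in conn.attrib or "sslProtocol" in conn.attrib:
            # A missing keystorePass makes Tomcat fall back to the default.
            if conn.get("keystorePass", DEFAULT_PASS) == DEFAULT_PASS:
                warnings.append(
                    f"port {port}: keystore password is the default '{DEFAULT_PASS}'")
    return ET.tostring(root, encoding="unicode"), warnings


if __name__ == "__main__":
    new_xml, notes = migrate(TC4_SAMPLE)
    print(new_xml)
    for note in notes:
        print("WARNING:", note)
```

Only the two changes named in the thread are handled; when acting on the warning, the key entry's password has to be changed together with keystorePass, since the thread states that TC5 requires the two to match.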
Re: XSL-T migration stylesheet [was: RE: TC5 + SSL: Keystore password bound to default changeit?]
Baer Peter Christoph Alexander wrote:
> Hi Jeanfrancois,
>
> not that I want to deny my responsibility. If I felt able to do one of the patches, I would not hesitate. I wouldn't post my thoughts here, but the ready-made patches instead, of course. ;-)
>
> But: I think the only persons who really have the knowledge required to create a migration stylesheet are the Tomcat developers, as they are the only persons knowing what tags there actually are, and how they were changed over the time. People like me could derive this kind of information from a DTD or schema, but there is none... Vicious circle, here! ;-)
>
> But I'll think about starting the XSL-T migration thing. Maybe we can persuade the Tomcat developers to add their wisdom. In fact, I think, it would be possible to start very simple. The migration wouldn't be completely done by the stylesheet, but some conversion would already be done automatically, that would not have to be done by hand. Like removing Factory tags and changing attribute name Protocol to sslProtocol.
>
> What do you think? Do you think it could be done, and lead to a really useful result? I'm optimistic, but I'm only a Tomcat user, not a Tomcat developer, and so I might overlook the big rock right in my way... ;-)

Yes, it could be done, but that needs a lot of work, and as a developer, I have more critical things to do right now (and I'm sure most of the developers have). But I agree, we are very bad sometimes when user experience comes into the picture (or I'm very bad...).

-- Jeanfrancois

> Regards
> Alex
>
> -----Original Message-----
> From: Jeanfrancois Arcand [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, December 10, 2003 3:21 PM
> To: Tomcat Users List
> Cc: Ankur Shah
> Subject: Re: TC5 + SSL: Keystore password bound to default changeit?
>
> Baer Peter Christoph Alexander wrote:
>> On Tuesday, 9 December 2003 20:54, Ankur Shah wrote:
>>> Remy Maucherat wrote:
>>>> Baer Peter Christoph Alexander wrote:
>>>>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>>>>
>>>> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.
>>>
>>> Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.
>>
>> <Thoughts>
>>
>> <Just an idea>
>> server.xml is an XML file. It used to be XML in TC4, and it is still XML in TC5. Shouldn't it be possible, then, to write an XSL-T stylesheet converting old config files into newer formats? That would considerably ease migration/upgrade pains...
>> </Just an idea>
>
> Yes, it could. You're more than welcome to submit a patch :-)
>
>> <Just an idea>
>> If we had an XML schema definition (be it W3C XML schema, Relax NG or whatever), an XML editor like Pollo or XML Spy could validate the config file. This would help to avoid and reveal mistakes and thus speed up Tomcat configuration...
>> </Just an idea>
>
> Just search that list on the topic ;-) It is not possible at the moment to have a DTD or schema for the server.xml (due to its complexity). If you have time and think you can come up with something, a second patch is welcome!
>
> -- Jeanfrancois
>
>> </Thoughts>
>>
>> Regards
>> Alex
TC5 + SSL: Keystore password bound to default changeit?
Hi!

I have a question about something I observe, but don't want to believe... ;-)

Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?

Alex

--
Using M2, Opera's revolutionary e-mail client: http://www.opera.com/m2/
Re: TC5 + SSL: Keystore password bound to default changeit?
Baer Peter Christoph Alexander wrote:
> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?

I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.

--
Rémy Maucherat
Senior Developer Consultant
JBoss Group (Europe) SàRL
Re: TC5 + SSL: Keystore password bound to default changeit?
Remy Maucherat wrote:
> Baer Peter Christoph Alexander wrote:
>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>
> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.

Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.
Re: TC5 + SSL: Keystore password bound to default changeit?
Ankur Shah [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]
> Remy Maucherat wrote:
>> Baer Peter Christoph Alexander wrote:
>>> Hi! I have a question about something I observe, but don't want to believe... ;-) Tomcat 5 can use my keystore, but only if the password is changeit, the default password. Now, the docs say, one should use this, but with TC 4.0.6 it was possible to change it. Is the password hard coded in TC 5?
>>
>> I didn't test that particular feature myself, but I believe this works ok. The way connectors parameters (and in particular SSL parameters) are defined changed in TC 5.0.x. Look there: http://jakarta.apache.org/tomcat/tomcat-5.0-doc/config/coyote.html There's the SSL howto also.
>
> Also, you might want to make sure that the password of your *target key* matches your keystore password. I'm not sure how that plays out in tomcat world, but I can see that to be a problem if the server assumes the key's password to be the same as that of the keystore.

This is a true fact :(. At the moment, the keystore password must match the password for the target-key. It would be nice to be able to specify different passwords, and someday it may even happen :). If this feature is important to you, patches are always welcome (since this is the only way that it will move up in my development queue).