Apache Tomcat SSL

2002-09-05 Thread Bernhard Blasen

Hello,

I succeeded connecting tomcat 4.0.4 with apache 2.0.40 with mod-jk.

If I call an application with https://luna.draft.de/hvb-immoplus I get a 
404 error.
The same call with http://... works fine.
Other https:// connections that do not need tomcat work fine either.

My log-files and the configuration files can be found on 
http://luna.draft.de/tomcat

System is Linux, distribution is SuSE 7.3.

Thank you for help

Bernhard Blasen



--
To unsubscribe, e-mail:   
For additional commands, e-mail: 




Re: Tomcat SSL without plaintext Certificate-Keyphrase

2002-09-01 Thread Bill Barker


"Henning Meyer" <[EMAIL PROTECTED]> wrote in message
news:[EMAIL PROTECTED]...
> Hello,
>
> I want to set up a Tomcat Server, without having the SSL keyphrase as
> plaintext readable for the Tomcat-running user.
> At this time I think it has to be in the config.xml-file.
> Is there a solution like having to type in the keyphrase every time the
> server starts up?
> Is there a solution like having the passphrase only readable for root and
> letting the server automatically start up?
> e.g. root starts the server, and then the server is switching its userid?
>
> I hope you will help me!

For Tomcat 3.3.x, you can use the PasswordPrompter from the add-ons (under
the usual download link).

I had thought that this one was originally back-ported from 4.x, but I'm
afraid that I can't find where the 4.x version lives at the moment.

>
> Thanks a lot.
>
>
>
> Henning Meyer
> 
> Lisa Simpson: Why do I have the feeling that someday I'll be describing this
> to a psychiatrist?









Tomcat SSL without plaintext Certificate-Keyphrase

2002-08-31 Thread Henning Meyer

Hello,

I want to set up a Tomcat Server, without having the SSL keyphrase as
plaintext readable for the Tomcat-running user.
At this time I think it has to be in the config.xml-file.
Is there a solution like having to type in the keyphrase every time the
server starts up?
Is there a solution like having the passphrase only readable for root and
letting the server automatically start up?
e.g. root starts the server, and then the server is switching its userid?

I hope you will help me!

Thanks a lot.



Henning Meyer

Lisa Simpson: Why do I have the feeling that someday I'll be describing this
to a psychiatrist?






RE: Apache & Tomcat SSL Integration

2002-08-27 Thread Turner, John


http://www.modssl.org

John Turner
[EMAIL PROTECTED]


> -Original Message-
> From: Tyrone Buckle [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 27, 2002 8:40 AM
> To: Tomcat Users List
> Subject: Re: Apache & Tomcat SSL Integration
> 
> 
> Cool, is there some good documentation for this somewhere.
> Thanks for the quick response!
> 
> Peter Choe wrote:
> 
> > you can use mod_ssl and have apache handle the ssl connections to tomcat.
> >
> > At 08:30 AM 8/27/2002, you wrote:
> > >Hi all. I have an Apache install that serves all my static html pages
> > >and a Tomcat install that serves a JSP user registration system. I have
> > >the two talking to one another using mod_webapp and everything is fine.
> > >The thing is I need to use SSL for my user registration system. How do I
> > >tell Apache to tell Tomcat to use SSL when it serves from a certain
> > >directory?
> > >
> > >Please help :(
> > >
> > >Thanking  you in advance,
> > >Tyrone
> > >
> > >
> > >




Re: Apache & Tomcat SSL Integration

2002-08-27 Thread Peter Choe

www.mod_ssl.org

At 08:39 AM 8/27/2002, you wrote:
>Cool, is there some good documentation for this somewhere.
>Thanks for the quick response!
>
>Peter Choe wrote:
>
> > you can use mod_ssl and have apache handle the ssl connections to tomcat.
> >
> > At 08:30 AM 8/27/2002, you wrote:
> > >Hi all. I have an Apache install that serves all my static html pages
> > >and a Tomcat install that serves a JSP user registration system. I have
> > >the two talking to one another using mod_webapp and everything is fine.
> > >The thing is I need to use SSL for my user registration system. How do I
> > >tell Apache to tell Tomcat to use SSL when it serves from a certain
> > >directory?
> > >
> > >Please help :(
> > >
> > >Thanking  you in advance,
> > >Tyrone
> > >
> > >
> > >




Re: Apache & Tomcat SSL Integration

2002-08-27 Thread Tyrone Buckle

Cool, is there some good documentation for this somewhere.
Thanks for the quick response!

Peter Choe wrote:

> you can use mod_ssl and have apache handle the ssl connections to tomcat.
>
> At 08:30 AM 8/27/2002, you wrote:
> >Hi all. I have an Apache install that serves all my static html pages
> >and a Tomcat install that serves a JSP user registration system. I have
> >the two talking to one another using mod_webapp and everything is fine.
> >The thing is I need to use SSL for my user registration system. How do I
> >tell Apache to tell Tomcat to use SSL when it serves from a certain
> >directory?
> >
> >Please help :(
> >
> >Thanking  you in advance,
> >Tyrone
> >
> >
> >




Re: Apache & Tomcat SSL Integration

2002-08-27 Thread Peter Choe

you can use mod_ssl and have apache handle the ssl connections to tomcat.

At 08:30 AM 8/27/2002, you wrote:
>Hi all. I have an Apache install that serves all my static html pages
>and a Tomcat install that serves a JSP user registration system. I have
>the two talking to one another using mod_webapp and everything is fine.
>The thing is I need to use SSL for my user registration system. How do I
>tell Apache to tell Tomcat to use SSL when it serves from a certain
>directory?
>
>Please help :(
>
>Thanking  you in advance,
>Tyrone
>
>
>




RE: Apache & Tomcat SSL Integration

2002-08-27 Thread Turner, John


You don't need to.  Just setup SSL on Apache.  You only need SSL on tomcat
if you are using tomcat in stand-alone mode.

John Turner
[EMAIL PROTECTED]

> -Original Message-
> From: Tyrone Buckle [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 27, 2002 8:31 AM
> To: [EMAIL PROTECTED]
> Subject: Apache & Tomcat SSL Integration
> 
> 
> Hi all. I have an Apache install that serves all my static html pages
> and a Tomcat install that serves a JSP user registration system. I have
> the two talking to one another using mod_webapp and everything is fine.
> The thing is I need to use SSL for my user registration system. How do I
> tell Apache to tell Tomcat to use SSL when it serves from a certain
> directory?
> 
> Please help :(
> 
> Thanking  you in advance,
> Tyrone
> 
> 
> 




Apache & Tomcat SSL Integration

2002-08-27 Thread Tyrone Buckle

Hi all. I have an Apache install that serves all my static html pages
and a Tomcat install that serves a JSP user registration system. I have
the two talking to one another using mod_webapp and everything is fine.
The thing is I need to use SSL for my user registration system. How do I
tell Apache to tell Tomcat to use SSL when it serves from a certain
directory?

Please help :(

Thanking  you in advance,
Tyrone







RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread QUERTEMONT Christophe

Great, thanks a lot for your help !!!

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 21 August 2002 12:28
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


First of all, since you are trying to get a resource from the server
itself, it might be completely sufficient to use http instead of https,
i.e. the url

http://localhost:8080//Cache?newsServer=moreover_news&newsFeedName

should work (assuming standard configuration). You won't have to bother
with ssl then, which should be acceptable, because the data in question
will be sent over the server's loopback interface only (and therefore
should not be in danger of being monitored, as long as your server
hasn't been hacked).

If you still want to use ssl, though, there is quite a long way to go:

It seems you have tomcat configured to accept ssl at port 8443, and now
you want to get something from it from within a jsp page with this url:

https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName

In order for this to succeed, the code executing your jsp will act quite
similar to a normal web browser and attempts to connect to the server
given in the url (which could as well be any other server reachable over
your network). What follows is a ssl-handshake: The server presents its
certificate and a key to encrypt the data transfer is exchanged. This key
is normally signed by some CA (certificate authority, like Thawte or
verisign) so that the client can trust that no one just pretends to be
who he says to be (e.g. a bank or something like this) and can decide
upon that if he wants to transfer confidential information (like a
credit card number for example) to this server. 

I'm sure you have seen warnings from your browser when these
certificates are not perfectly ok, when they have expired or are not
issued for the right server(-name). Your browser will ask if you wish to
accept this and continue to connect nevertheless. (What do you see if
you enter the above URL into your browser, with "localhost" replaced by
whatever address your server is reachable at).

This is what happens to your jsp-code too, because your self-generated
server-key (which you created with "keytool -genkey -alias tomcat
-keyalg RSA", -genkey creates a key, not a keystore) is not signed by
anyone trusted by normal java distributions. But instead of giving the
opportunity to accept this nevertheless, the process fails, because
there is no one there to interactively give his ok.

This is all the background I can give you in relatively short time,
since the process to sign such a key and to import the certificate is
quite complex (if you do not want to spend money for someone officially
signing your key). And I'm afraid I don't know how to accept such
certificates nevertheless.

If you need advice on how to become your own CA, how to sign your key
and import the CA's key into your keystore, I could provide you with
some notes, but don't expect this will be easy.

greetings

Andreas Mohrig
-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 12:02 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


Thanks for your quick answer !

But I have never work with SSL before, so I am getting a little
confused. 
How can I get a certificate for my server ? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Every thing works fine except for the taglibs ?

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 21 August 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server-name instead of "localhost",
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: This has nothing to do with client authentification, since
your server does seem to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name ("localhost"). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-----Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'am con

RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread Andreas Mohrig

First of all, since you are trying to get a resource from the server itself,
it might be completely sufficient to use http instead of https, i.e. the url

http://localhost:8080//Cache?newsServer=moreover_news&newsFeedName

should work (assuming standard configuration). You won't have to bother with
ssl then, which should be acceptable, because the data in question will be
sent over the server's loopback interface only (and therefore should not be
in danger of being monitored, as long as your server hasn't been hacked).

If you still want to use ssl, though, there is quite a long way to go:

It seems you have tomcat configured to accept ssl at port 8443, and now you
want to get something from it from within a jsp page with this url:

https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName

In order for this to succeed, the code executing your jsp will act quite
similar to a normal web browser and attempts to connect to the server given
in the url (which could as well be any other server reachable over your
network). What follows is a ssl-handshake: The server presents its
certificate and a key to encrypt the data transfer is exchanged. This key is
normally signed by some CA (certificate authority, like Thawte or verisign)
so that the client can trust that no one just pretends to be who he says to
be (e.g. a bank or something like this) and can decide upon that if he wants
to transfer confidential information (like a credit card number for example)
to this server. 

I'm sure you have seen warnings from your browser when these certificates
are not perfectly ok, when they have expired or are not issued for the right
server(-name). Your browser will ask if you wish to accept this and continue
to connect nevertheless. (What do you see if you enter the above URL into
your browser, with "localhost" replaced by whatever address your server is
reachable at).

This is what happens to your jsp-code too, because your self-generated
server-key (which you created with "keytool -genkey -alias tomcat -keyalg
RSA", -genkey creates a key, not a keystore) is not signed by anyone trusted
by normal java distributions. But instead of giving the opportunity to
accept this nevertheless, the process fails, because there is no one there to
interactively give his ok.

This is all the background I can give you in relatively short time, since
the process to sign such a key and to import the certificate is quite
complex (if you do not want to spend money for someone officially signing
your key). And I'm afraid I don't know how to accept such certificates
nevertheless.

If you need advice on how to become your own CA, how to sign your key and
import the CA's key into your keystore, I could provide you with some notes,
but don't expect this will be easy.

greetings

Andreas Mohrig
-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 12:02 PM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


Thanks for your quick answer !

But I have never work with SSL before, so I am getting a little
confused. 
How can I get a certificate for my server ? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Every thing works fine except for the taglibs ?

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 21 August 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server-name instead of "localhost",
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: This has nothing to do with client authentification, since
your server does seem to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name ("localhost"). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'am connecting to Tomcat using SSL, but without client authentification
(clientAuth="false" in server.xml). 
When I try to use io taglib, here is an JSP example : 

...
url =
"https://localhost:8443//Cache?newsServer=more

RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread QUERTEMONT Christophe

Thanks for your quick answer !

But I have never worked with SSL before, so I am getting a little
confused. 
How can I get a certificate for my server ? The only thing I have done
so far is creating a keystore (keytool -genkey -alias tomcat -keyalg
RSA).

Every thing works fine except for the taglibs ?

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, 21 August 2002 11:52
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


And to finish my own thought (this time before sending the message ;-):

You should then use your official server-name instead of "localhost",
i.e. the name which is set in the certificate. Java is really picky
about the certificates it trusts.

By the way: This has nothing to do with client authentification, since
your server does seem to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't
know itself under this name ("localhost"). You have to import your
server certificate (or the certificate of the CA that signed it) with
keytool into your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'am connecting to Tomcat using SSL, but without client authentification
(clientAuth="false" in server.xml). 
When I try to use io taglib, here is an JSP example : 

...
url =
"https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName"%>

...

I always got this message : javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO Taglib with a secure website without client
authentification ?

Thanks.






RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread Andreas Mohrig

And to finish my own thought (this time before sending the message ;-):

You should then use your official server-name instead of "localhost", i.e.
the name which is set in the certificate. Java is really picky about the
certificates it trusts.

By the way: This has nothing to do with client authentification, since your
server does seem to communicate only with itself at this point.

Hope it works

Andreas Mohrig

-Original Message-
From: Andreas Mohrig [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:47 AM
To: 'Tomcat Users List'
Subject: RE: Tomcat + SSL + IO Taglib


I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't know
itself under this name ("localhost"). You have to import your server
certificate (or the certificate of the CA that signed it) with keytool into
your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'am connecting to Tomcat using SSL, but without client authentification
(clientAuth="false" in server.xml). 
When I try to use io taglib, here is an JSP example : 

...
url =
"https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName"%>

...

I always got this message : javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO Taglib with a secure website without client
authentification ?

Thanks.






RE: Tomcat + SSL + IO Taglib

2002-08-21 Thread Andreas Mohrig

I'm afraid your server doesn't have a certificate for itself (i.e.
localhost), from which it is requesting a resource. At least it doesn't know
itself under this name ("localhost"). You have to import your server
certificate (or the certificate of the CA that signed it) with keytool into
your java keystore to get rid of this problem.

greetings

Andreas Mohrig

-Original Message-
From: QUERTEMONT Christophe [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 21, 2002 11:37 AM
To: Tomcat
Subject: Tomcat + SSL + IO Taglib


Hello,

I'am connecting to Tomcat using SSL, but without client authentification
(clientAuth="false" in server.xml). 
When I try to use io taglib, here is an JSP example : 

...
url =
"https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName"%>

...

I always got this message : javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO Taglib with a secure website without client
authentification ?

Thanks.
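
The two checks Andreas Mohrig describes in the replies above (is the certificate trusted, and does the name in the URL match the name in the certificate) can be reproduced offline. The following Java program is an added example, not code from the thread: it assumes a JDK with its bundled keytool, and the class name, file names and the `changeit` password are made up for the demonstration.

```java
import com.sun.net.httpserver.HttpsConfigurator;
import com.sun.net.httpserver.HttpsServer;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLException;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public class SelfSignedTrustDemo {
    static final String PASS = "changeit"; // constructed demo password, never a production value

    /** Runs the keytool shipped with the running JDK and fails loudly on a non-zero exit. */
    static void keytool(String... args) throws IOException, InterruptedException {
        String[] cmd = new String[args.length + 1];
        cmd[0] = Paths.get(System.getProperty("java.home"), "bin", "keytool").toString();
        System.arraycopy(args, 0, cmd, 1, args.length);
        if (new ProcessBuilder(cmd).inheritIO().start().waitFor() != 0) {
            throw new IOException("keytool " + args[0] + " failed");
        }
    }

    static KeyStore load(Path file) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = Files.newInputStream(file)) {
            ks.load(in, PASS.toCharArray());
        }
        return ks;
    }

    /** One HTTPS request; a null factory means the JVM's default trust store is used. */
    static String fetch(String url, SSLSocketFactory factory) throws IOException {
        HttpsURLConnection conn = (HttpsURLConnection) URI.create(url).toURL().openConnection();
        if (factory != null) {
            conn.setSSLSocketFactory(factory);
        }
        try {
            return "HTTP " + conn.getResponseCode();
        } catch (SSLException e) {
            return "rejected: " + e.getMessage();
        } finally {
            conn.disconnect();
        }
    }

    public static void main(String[] args) throws Exception {
        Path dir = Files.createTempDirectory("tomcat-ssl-demo");
        Path serverKs = dir.resolve("server.p12");
        Path certFile = dir.resolve("tomcat.cer");
        Path trustKs = dir.resolve("client-trust.p12");

        // 1. Self-signed server key as in the thread; the CN carries the host name.
        keytool("-genkeypair", "-alias", "tomcat", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=localhost", "-validity", "7", "-storetype", "PKCS12",
                "-keystore", serverKs.toString(), "-storepass", PASS, "-keypass", PASS);
        // 2. Export the certificate only; the private key stays in the server keystore.
        keytool("-exportcert", "-alias", "tomcat", "-file", certFile.toString(),
                "-storetype", "PKCS12", "-keystore", serverKs.toString(), "-storepass", PASS);
        // 3. Import it as a trusted entry into a separate store for the client side.
        keytool("-importcert", "-noprompt", "-alias", "tomcat", "-file", certFile.toString(),
                "-storetype", "PKCS12", "-keystore", trustKs.toString(), "-storepass", PASS);

        // Loopback-only HTTPS listener standing in for Tomcat's SSL connector.
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(serverKs), PASS.toCharArray());
        SSLContext serverCtx = SSLContext.getInstance("TLS");
        serverCtx.init(kmf.getKeyManagers(), null, null);
        HttpsServer server = HttpsServer.create(new InetSocketAddress("127.0.0.1", 0), 0);
        server.setHttpsConfigurator(new HttpsConfigurator(serverCtx));
        server.createContext("/", exchange -> { exchange.sendResponseHeaders(200, -1); exchange.close(); });
        server.start();
        int port = server.getAddress().getPort();

        // Client context that trusts exactly the imported certificate and nothing else.
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustKs));
        SSLContext clientCtx = SSLContext.getInstance("TLS");
        clientCtx.init(null, tmf.getTrustManagers(), null);
        SSLSocketFactory trusting = clientCtx.getSocketFactory();

        try {
            // Unknown certificate, then imported certificate, then imported certificate with a non-matching host.
            System.out.println("default trust, localhost -> " + fetch("https://localhost:" + port + "/", null));
            System.out.println("imported cert, localhost -> " + fetch("https://localhost:" + port + "/", trusting));
            System.out.println("imported cert, 127.0.0.1 -> " + fetch("https://127.0.0.1:" + port + "/", trusting));
        } finally {
            server.stop(0);
        }
    }
}
```

Only the second request is accepted: the first fails because the JVM's default trust store does not know the self-signed certificate, the third because the host in the URL is not the name the certificate was issued for.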






Tomcat + SSL + IO Taglib

2002-08-21 Thread QUERTEMONT Christophe

Hello,

I am connecting to Tomcat using SSL, but without client authentification
(clientAuth="false" in server.xml). 
When I try to use io taglib, here is a JSP example : 

...
url =
"https://localhost:8443//Cache?newsServer=moreover_news&newsFeedName"%>

...

I always got this message : javax.servlet.ServletException: Couldn't
find trusted certificate

Is there a way to use IO Taglib with a secure website without client
authentification ?

Thanks.






AW: TOMCAT + SSL or APACHE+TOMCAT+SSL??

2002-07-23 Thread Power-Netz \(Schwarz\)

>
> Hello,
>
> I need to have SSL certificate . Web server is Tomcat4.04 serving
> static and
> dynamic pages. Should i upgrade it to APACHE+TOMCAT+SSL or TOMCAT+SSL will
> do? .

TOMCAT+SSL will do.






TOMCAT + SSL or APACHE+TOMCAT+SSL??

2002-07-22 Thread Sujith Mathew

Hello,

I need to have SSL certificate . Web server is Tomcat4.04 serving static and
dynamic pages. Should i upgrade it to APACHE+TOMCAT+SSL or TOMCAT+SSL will
do? .

Is there any reason i should upgrade to APACHE+TOMCAT+SSL??

Thanks in advance

Sujith Mathew










Tomcat SSL + VHosts was: Apache SSLCERT + Tomcat 3.3 + keytool

2002-06-14 Thread Power-Netz \(Schwarz\)



> and now to MultiDomainVirtuellHosting and SSL with different CERTS :-)

To add several CERTS to the keyring is not the problem, but to tell Tomcat
to use a specific key for a vhost. Is this possible??

I can't see any options for this in the vhost xml directives. Any
suggestions?






tomcat + SSL + certificate

2002-05-24 Thread cpeyruqueou

Hello,

I try to use tomcat with ssl mode but it doesn't use my certificate.
The certificate that the browser receive is a certificate generated by
tomcat.
For information I am on unix solaris system with tomcat4.0.3
and I do this:
$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

I put my certificate in : $JAVA_HOME/jre/lib/security

How should I do in order to tomcat use my certificate.

Thanks in advance







Need help for Tomcat SSL enabling on unix

2002-05-10 Thread Ajay Chauhan

Hi,

If some one can help me in enabling the Tomcat running on unix. When i try
to run the keytool to generate the keystore on HP unix machine i get the
error:

$ keytool -genkey -alias tomcat -keyalg RSA
Enter keystore password:  changeit
keytool error: java.security.NoSuchAlgorithmException: RSA KeyPairGenerator not available

If I use -keyalg DSA it works fine, but Tomcat does not listen on the
https port. Is RSA the only algorithm for Tomcat?


Ajay





RE: TOMCAT & SSL !!!

2002-05-07 Thread t . riteshmenon

Hi,

I was looking for the postings under "How to enforce SSL" - if
anybody cud throw some light, as I was unable to locate it.


thanx!

-Original Message-
From: Steve D George [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 3:48 PM
To: Tomcat Users List
Subject: Re: TOMCAT & SSL !!!



Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.


  

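  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trackeruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Location Tracker Application</realm-name>
  </login-config>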
  

The important piece is the user-data-constraint and the
transport-guarantee. This tells tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, tomcat will redirect the request at whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL only
connector on that port but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



 

t.riteshmenon@iflexsolutions.com
To: [EMAIL PROTECTED]
cc:
30/04/2002 11:10
Subject: TOMCAT & SSL !!!
Please respond to "Tomcat Users List"

 

 





Hi All,

My application requires that certain pages on the site are accessed via SSL,
is there a way in tomcat to reject the connection of http to a specific page
(ie securePage.jsp) but still allow http access to other pages (ie.
standardPage.jsp).

Also i'm using cookies - so i wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh


This message contains privileged and confidential information and is
intended only for the individual named.If you are not the intended
recipient
you should not disseminate,distribute,store,print, copy or deliver this
message.Please notify the sender immediately by e-mail if you have received
this e-mail by mistake and delete this e-mail from your system.E-mail
transmission cannot be guaranteed to be secure or error-free as information
could be intercepted,corrupted,lost,destroyed,arrive late or incomplete or
contain viruses.The sender therefore does not accept liability for any
errors or omissions in the contents of this message which arise as a result
of e-mail transmission. If verification is required please request a
hard-copy version.







RE: TOMCAT & SSL !!!

2002-05-07 Thread t . riteshmenon

Hi Steve,   

   I had included the security constraint in web.xml, but still
the request goes thru without ssl. what mistake am i making?

what is the ? do i have to include that too.
i was also not clear abt the "redirectPort" bit - where cud i get
more help?

thanx,
Ritesh


-Original Message-
From: Steve D George [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, April 30, 2002 3:48 PM
To: Tomcat Users List
Subject: Re: TOMCAT & SSL !!!



Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.


  

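  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Entire Application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <auth-constraint>
      <role-name>trackeruser</role-name>
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <login-config>
    <auth-method>BASIC</auth-method>
    <realm-name>Location Tracker Application</realm-name>
  </login-config>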
  

The important piece is the user-data-constraint and the
transport-guarantee. This tells tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, tomcat will redirect the request at whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL only
connector on that port but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



 

t.riteshmenon@iflexsolutions.com
30/04/2002 11:10
Please respond to "Tomcat Users List"

To: [EMAIL PROTECTED]
cc:
Subject: TOMCAT & SSL !!!

 

 





Hi All,

My application requires that certain pages on the site are accessed via SSL,
is there a way in tomcat to reject the connection of http to a specific page
(ie securePage.jsp) but still allow http access to other pages (ie.
standardPage.jsp).

Also i'm using cookies - so i wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh






Is there a possibility to specify the minimum encryption rate for tomcat SSL support ?

2002-05-07 Thread Zimpel Frank

Older browser versions (for example IE4 ...) don't support 128 bit
encryption rate. Is there a way to configure tomcat to deny all requests
from clients, that are not capable of using 128 bit encryption rate. 

The SSL connection, using the configuration as described in "SSL How To",
reduces the encryption rate automatically to a level, the client is
compatible to.


 





Tomcat SSL with both client-auth and server-auth?

2002-04-30 Thread Meren, Libby

Hi,

Is it possible to set up a tomcat (3.2.3) server with both client and
server-authentication running?  I've set up a server.xml file with two
connectors (with different port no.s specified, and one having
client-auth=true, the other client-auth=false).  I can run the server and
connect to each of the areas (I've specified them as different contexts, eg
path="/client" and path="/server") as specified, however I'm concerned that
the two authentication levels aren't being enforced.

For example, if I connect to the server-authenticated area (eg
https://localhost:8443/server), the security is my site's certificate.
However, if I then change the link in the browser window (eg to
https://localhost:8444/client) I am not required to present/select my
certificate to authenticate to the server.  In other words, it has
maintained the server-authentication specified in the first connection.
This also works in reverse: if I connect via client-auth (and present my
cert), I can then move to the server-authenticated area without any fuss.  I
suspect this is because this is all one session, and I haven't successfully
set up Tomcat to accept multiple auth-levels within the one session (or this
isn't possible).

Can someone please help?

Thanks very much!







Re: TOMCAT & SSL !!!

2002-04-30 Thread Jacob Kjome

Looks like Steve D. George already answered the SSL setup question,
but as far as cookies go.  No, you cannot share cookies between http
and https.  The reason is not a deficiency in Tomcat or Apache, the
reason is security.  Actually, you might be able to read cookies set
in http while in https, but most certainly *not* vice versa.

Take a look at the Netscape Cookie Spec for more info:
http://www.netscape.com/newsref/std/cookie_spec.html

Jake

Tuesday, April 30, 2002, 5:10:45 AM, you wrote:

tric> Hi All,

tric> My application requires that certain pages on the site are accessed via SSL,
tric> is there a way in tomcat to reject the connection of http to a specific page
tric> (ie securePage.jsp) but still allow http access to other pages (ie.
tric> standardPage.jsp).

tric> Also i'm using cookies - so i wanted to know whether these cookies will
tric> be visible in both the http & https contexts.

tric> Thanks in advance,

tric> Ritesh



-- 
Best regards,
 Jacob  mailto:[EMAIL PROTECTED]






Re: TOMCAT & SSL !!!

2002-04-30 Thread Steve D George


Hi, have a look for postings titled 'How to enforce SSL' that were posted
over the last few days. Assuming you have gone through the How-to-SSL
document in the tomcat docs and set up a certificate, to enforce SSL for a
certain directory in your context, you need something like this in your
web.xml.


  

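<security-constraint>
  <web-resource-collection>
    <web-resource-name>Entire Application</web-resource-name>
    <url-pattern>/*</url-pattern>
  </web-resource-collection>
  <auth-constraint>
    <role-name>trackeruser</role-name>
  </auth-constraint>
  <user-data-constraint>
    <transport-guarantee>CONFIDENTIAL</transport-guarantee>
  </user-data-constraint>
</security-constraint>

<login-config>
  <auth-method>BASIC</auth-method>
  <realm-name>Location Tracker Application</realm-name>
</login-config>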
  

The important piece is the user-data-constraint and the
transport-guarantee. This tells tomcat that all requests to the url pattern
(in my case it is the whole of my context) should be sent over HTTPS. If a
request is received over HTTP, tomcat will redirect the request at whatever
port is defined in server.xml as the 'redirectPort' for the HTTP connector.
This is probably 8443. You then need to make sure that you have an SSL only
connector on that port but I guess you should already have that if you've
got the SSL working already.

Cheers.

Steve.



   

t.riteshmenon@iflexsolutions.com
30/04/2002 11:10
Please respond to "Tomcat Users List"

To: [EMAIL PROTECTED]
cc:
Subject: TOMCAT & SSL !!!

   

   





Hi All,

My application requires that certain pages on the site are accessed via SSL,
is there a way in tomcat to reject the connection of http to a specific page
(ie securePage.jsp) but still allow http access to other pages (ie.
standardPage.jsp).

Also i'm using cookies - so i wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh







--
To unsubscribe:   <mailto:[EMAIL PROTECTED]>
For additional commands: <mailto:[EMAIL PROTECTED]>
Troubles with the list: <mailto:[EMAIL PROTECTED]>
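
The checks described in the reply above, as an added example that is not part of the original thread: a Python audit that reports which context-relative paths a CONFIDENTIAL transport-guarantee covers (so securePage.jsp can be forced to HTTPS while standardPage.jsp stays on HTTP) and whether each plain connector's redirectPort lands on an SSL connector. The sample web.xml and server.xml are constructed and the function names are hypothetical; it assumes servlet-spec best-match URL patterns and recognises SSL connectors by scheme="https" or secure="true", and containers differ in how overlapping constraints combine.

```python
import xml.etree.ElementTree as ET

# Constructed sample: two paths demand SSL, *.report only demands a login.
WEB_XML = """<web-app>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure pages</web-resource-name>
      <url-pattern>/securePage.jsp</url-pattern>
      <url-pattern>/admin/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Reports</web-resource-name>
      <url-pattern>*.report</url-pattern>
    </web-resource-collection>
    <auth-constraint><role-name>trackeruser</role-name></auth-constraint>
  </security-constraint>
</web-app>"""

# Constructed sample: HTTP redirects to 8443, but SSL actually listens on 8444.
SERVER_XML = """<Server><Service name="Tomcat-Standalone">
  <Connector port="8080" redirectPort="8443"/>
  <Connector port="8444" scheme="https" secure="true"/>
</Service></Server>"""


def _local(tag):
    """Drop an XML namespace so newer, namespaced descriptors parse the same way."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def constraints(web_xml):
    """Return [(url_patterns, transport_guarantee)], one entry per security-constraint."""
    out = []
    for sc in _children(ET.fromstring(web_xml), "security-constraint"):
        patterns = [p.text.strip()
                    for wrc in _children(sc, "web-resource-collection")
                    for p in _children(wrc, "url-pattern") if p.text]
        guarantee = "NONE"  # default when no user-data-constraint is present
        for udc in _children(sc, "user-data-constraint"):
            for tg in _children(udc, "transport-guarantee"):
                guarantee = (tg.text or "NONE").strip().upper()
        out.append((patterns, guarantee))
    return out


def _rank(pattern, path):
    """Specificity of a url-pattern match (higher wins), or None if no match."""
    if pattern == path:
        return (3, len(pattern))                      # exact match
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        if path == prefix or path.startswith(prefix + "/"):
            return (2, len(prefix))                   # longest path prefix wins
        return None
    if pattern.startswith("*."):
        leaf = path.rsplit("/", 1)[-1]
        return (1, 0) if leaf.endswith(pattern[1:]) else None
    return (0, 0) if pattern == "/" else None         # default servlet


def requires_https(web_xml, path):
    """True if the best-matching constraint(s) for this path all demand SSL."""
    hits = []
    for patterns, guarantee in constraints(web_xml):
        for pattern in patterns:
            rank = _rank(pattern, path)
            if rank is not None:
                hits.append((rank, guarantee))
    if not hits:
        return False  # no constraint covers the path: plain HTTP is accepted
    best = max(rank for rank, _ in hits)
    return all(g in ("CONFIDENTIAL", "INTEGRAL") for r, g in hits if r == best)


def redirect_findings(server_xml):
    """List plain connectors whose redirectPort has no SSL connector behind it."""
    conns = [c.attrib for c in ET.fromstring(server_xml).iter()
             if _local(c.tag) == "Connector"]
    ssl_ports = {c.get("port") for c in conns
                 if c.get("secure", "").lower() == "true"
                 or c.get("scheme", "").lower() == "https"}
    findings = []
    for c in conns:
        if c.get("port") in ssl_ports:
            continue
        target = c.get("redirectPort")
        if target is None:
            findings.append(f"connector {c.get('port')}: no redirectPort set")
        elif target not in ssl_ports:
            findings.append(
                f"connector {c.get('port')}: redirectPort {target} is not an SSL connector")
    return findings


if __name__ == "__main__":
    for p in ("/securePage.jsp", "/standardPage.jsp", "/admin/users", "/q1.report"):
        print(p, "-> HTTPS required" if requires_https(WEB_XML, p) else "-> HTTP allowed")
    for finding in redirect_findings(SERVER_XML):
        print("server.xml:", finding)
```
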




TOMCAT & SSL !!!

2002-04-30 Thread t . riteshmenon

Hi All,

My application requires that certain pages on the site are accessed via SSL,
is there a way in tomcat to reject the connection of http to a specific page
(ie securePage.jsp) but still allow http access to other pages (ie.
standardPage.jsp).

Also i'm using cookies - so i wanted to know whether these cookies will
be visible in both the http & https contexts.

Thanks in advance,

Ritesh





RE: Apache + Tomcat + SSL : Please help me on this

2002-02-28 Thread Anton Brazhnyk

Hi,

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, February 28, 2002 5:37 AM
> To: [EMAIL PROTECTED]
> Subject: Apache + Tomcat + SSL : Please help me on this
> 
> 
> Hi All,
> 
> I have a problem in configuring SSL. I basically have two questions.
> 
> 1. I'm trying to configure Apache to use Tomcat as a servlet 
> container. My Apache server is 1.3.14-3 and i'm using Tomcat 4.02 
> and mod_webapp.so to integrate using WebAppConnection. I 
> basically followed the steps given as in following article
> 
> http://dcb.sun.com/practices/howtos/tomcat_apache.jsp
> 
> It worked very well and I managed to get Apache passing request 
> to the Tomcat. All works fine.
> 
> Now my actual problem is SSL. How to get SSL work with Tomcat ? 
> Should I use Apaches SSL as recommended in Tomcat doc or Tomcats 
> SSL. What steps should I take ?
> 

Can't help here, sorry. You should consult with Apache docs. And you have
to use Apache SSL, in fact AFAIK you won't be able to use Tomcat one in
that configuration.

> 
> 2. In a another machine I have Tomcat running as a standalone. I 
> tried to configure Tomcat SSL by following the how to document in 
> Tomcat. I am getting following error thrown in stdout in logs directory.
> 
> Create Catalina server
> Exception during startup processing
> java.lang.reflect.InvocationTargetException: 
> java.lang.NoClassDefFoundError: javax/net/ServerSocketFactory
>  at java.lang.Class.forName0(Native Method)
>  at java.lang.reflect.Method.invoke(Native Method)
>  ... ... ...
>  at 
> org.apache.catalina.startup.BootstrapService.main(BootstrapService
> .java:428)
> 
> As with my knowledge I precisely followed the steps given in doc, 
> but still have problem. as I uncomment the SSL HTTP/1.1 Connector 
> on port 8443 in server.xml, I could not get Tomcat started and 
> hence getting the exception thrown in stdout. 
> 

It looks like you don't have JSSE installed in proper location.
It resides in $JAVA_HOME/jre/lib/ext in my case and
I believe it can live in $CATALINA_HOME/server/lib
or in $CATALINA_HOME/common/lib if your apps use it.

> 
> I would highly appreciate if anyone can help me on this as I'm 
> tightly held up to finish my project on due date.
> 
> Thank you,
> 
> Zaid.
> 
> 

Anton





Apache + Tomcat + SSL : Please help me on this

2002-02-27 Thread zaid

Hi All,

I have a problem in configuring SSL. I basically have two questions.

1. I'm trying to configure Apache to use Tomcat as a servlet container. My Apache 
server is 1.3.14-3 and i'm using Tomcat 4.02 and mod_webapp.so to integrate using 
WebAppConnection. I basically followed the steps given as in following article

http://dcb.sun.com/practices/howtos/tomcat_apache.jsp

It worked very well and I managed to get Apache passing request to the Tomcat. All 
works fine.

Now my actual problem is SSL. How to get SSL work with Tomcat ? Should I use Apaches 
SSL as recommended in Tomcat doc or Tomcats SSL. What steps should I take ?


2. In a another machine I have Tomcat running as a standalone. I tried to configure 
Tomcat SSL by following the how to document in Tomcat. I am getting following error 
thrown in stdout in logs directory.

Create Catalina server
Exception during startup processing
java.lang.reflect.InvocationTargetException: java.lang.NoClassDefFoundError: javax/net/ServerSocketFactory
 at java.lang.Class.forName0(Native Method)
 at java.lang.Class.forName(Unknown Source)
 at org.apache.catalina.util.xml.ObjectCreate.start(XmlMapper.java:616)
 at org.apache.catalina.util.xml.XmlMapper.matchStart(XmlMapper.java:412)
 at org.apache.catalina.util.xml.XmlMapper.startElement(XmlMapper.java:91)
 at org.xml.sax.helpers.XMLReaderAdapter.startElement(XMLReaderAdapter.java:329)
 at org.apache.xerces.parsers.SAXParser.startElement(SAXParser.java:1376)
 at org.apache.xerces.validators.common.XMLValidator.callStartElement(XMLValidator.java:1214)
 at org.apache.xerces.framework.XMLDocumentScanner.scanElement(XMLDocumentScanner.java:1806)
 at org.apache.xerces.framework.XMLDocumentScanner$ContentDispatcher.dispatch(XMLDocumentScanner.java:1182)
 at org.apache.xerces.framework.XMLDocumentScanner.parseSome(XMLDocumentScanner.java:381)
 at org.apache.xerces.framework.XMLParser.parse(XMLParser.java:1081)
 at org.xml.sax.helpers.XMLReaderAdapter.parse(XMLReaderAdapter.java:223)
 at javax.xml.parsers.SAXParser.parse(SAXParser.java:345)
 at javax.xml.parsers.SAXParser.parse(SAXParser.java:290)
 at org.apache.catalina.util.xml.XmlMapper.readXml(XmlMapper.java:228)
 at org.apache.catalina.startup.CatalinaService.load(CatalinaService.java:189)
 at org.apache.catalina.startup.CatalinaService.execute(CatalinaService.java:171)
 at org.apache.catalina.startup.Catalina.process(Catalina.java:179)
 at java.lang.reflect.Method.invoke(Native Method)
 at org.apache.catalina.startup.BootstrapService.main(BootstrapService.java:428)

As with my knowledge I precisely followed the steps given in doc, but still have 
problem. as I uncomment the SSL HTTP/1.1 Connector on port 8443 in server.xml, I could 
not get Tomcat started and hence getting the exception thrown in stdout. 


I would highly appreciate if anyone can help me on this as I'm tightly held up to 
finish my project on due date.

Thank you,

Zaid.




Standalone Tomcat SSL Cipher Suite Configuration

2002-02-26 Thread Boyd, Garth


Is it possible to configure a standalone Tomcat installation  to
negotiate from an administrator provided cipher suite list?

Other containers do allow you to configure what cipher suites
are available for negotiation (websphere for example). I have 
searched high and low and have not found anything to indicate 
that this is configurable for standalone Tomcat.

Can someone prove me wrong? Please?

Thanks in advance,

- Garth
[EMAIL PROTECTED]






Apache & Jakarta-Tomcat SSL

2001-12-27 Thread Lars Nielsen Lind

Hi.

I am using Tomcat 4.0.1 with Apache (mod_webapp) and it works fine. Now I
want to use SSL and I have compiled and configured mod_ssl with Apache
1.3.22.

In my httpd.conf file I have configured the SSL stuff as described in the
book Professional Apache.

If I start Apache with ./apachectl start - it works fine.

If I start Apache with ./apachectl startssl - it works NOT fine...

Are there some specific steps to do when using SSL with Apache & Tomcat (via
mod_webapp)?


Best regards,
Lars Nielsen Lind








RE: Tomcat & SSL

2001-12-27 Thread Jim Urban

http://jakarta.apache.org/tomcat/tomcat-4.0-doc/ssl-howto.html about a third
of the way down, do a browser find on Keystore.

Jim

-Original Message-
From: Rama [mailto:[EMAIL PROTECTED]]
Sent: Thursday, December 27, 2001 4:01 AM
To: [EMAIL PROTECTED]
Subject: Tomcat & SSL


Hi,

I can't create a SSL connection in my Tomcat server.
It always says: C:\Documents and Settings\Default User\.keytool is not
found.

How to create .keytool in that directory?

An article about this would also be helpful.


Rama






Re: Tomcat & SSL

2001-12-27 Thread Pae Choi

Among many other articles, you can read the "keytool" description
from sun site.


Pae

> Hi,
> 
> I can't create a SSL connection in my Tomcat server.
> It always says: C:\Documents and Settings\Default User\.keytool is not
> found.
> 
> How to create .keytool in that directory?
> 
> An article about this would also be helpful.
> 
> 
> Rama




Tomcat & SSL

2001-12-27 Thread Rama

Hi,

I can't create a SSL connection in my Tomcat server.
It always says: C:\Documents and Settings\Default User\.keytool is not
found.

How to create .keytool in that directory?

An article about this would also be helpful.


Rama







AW: Verisign Cert and Tomcat SSL

2001-12-12 Thread Lauer, Oliver

What does your keytool -list say now?

> AXA eSolutions GmbH
> AXA Konzern AG Germany
> Oliver Lauer 
> Web Architect
> Wörthstraße 34
> D-50668 Köln
> Germany
> Tel.: +49 221 148 31277
> Fax: +49 221 148 43963
> Mobil: +49 179 59 064 59
> e-Mail: [EMAIL PROTECTED]
> _
> 


-Original Message-
From: David E. Bruce [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 11, 2001 21:10
To: [EMAIL PROTECTED]
Subject: Verisign Cert and Tomcat SSL


I've been running tomcat 4.0.1 on RedHat 7.2 with a self signed cert for 
a while now and had no problems.  Now, however, I've gotten a verisign 
cert and I'm getting an error.
I removed the tomcat alias with my self signed cert.
I created the cert request with OpenSSL 0.9.6b, and got the crt file 
back from verisign.
I did
keytool -import -alias tomcat -file mycert.crt
And tomcat starts up no problem, the non-ssl connection works fine, but 
when I try to hit a servlet with a security constraint, I get the 
following message from my browser (Mac OS X, IE 5.1):
Security Failure.  The server reply is invalid.

There is nothing in my catalina.out that would suggest a problem.  
Anyone know what I need to do?
Feel free to email me directly as well as reply to the list.
Thanks,

David Bruce
[EMAIL PROTECTED]
Network Services
Computing Service
University of Arkansas






Verisign Cert and Tomcat SSL

2001-12-11 Thread David E. Bruce

I've been running tomcat 4.0.1 on RedHat 7.2 with a self signed cert for 
a while now and had no problems.  Now, however, I've gotten a verisign 
cert and I'm getting an error.
I removed the tomcat alias with my self signed cert.
I created the cert request with OpenSSL 0.9.6b, and got the crt file 
back from verisign.
I did
keytool -import -alias tomcat -file mycert.crt
And tomcat starts up no problem, the non-ssl connection works fine, but 
when I try to hit a servlet with a security constraint, I get the 
following message from my browser (Mac OS X, IE 5.1):
Security Failure.  The server reply is invalid.

There is nothing in my catalina.out that would suggest a problem.  
Anyone know what I need to do?
Feel free to email me directly as well as reply to the list.
Thanks,

David Bruce
[EMAIL PROTECTED]
Network Services
Computing Service
University of Arkansas






Tomcat SSL - Where are the missing ciphers ?

2001-11-30 Thread Tal Dayan


When querying a Tomcat 4.01 standalone server with Netcraft's SSL checker
(http://www.netcraft.com/sslwhats) only one cipher, 'RC4 with MD5', is
listed.

A breakpoint in the method SSLServerSocketFactory.initServerSocket() shows
that more than 10 ciphers are available and are enabled. Where are the other
ciphers ? Does tomcat ignore them somehow ?

BTW, when querying a site like https://www.register.com, Netcraft lists 7
ciphers so the problem does not seem to be with Netcraft.

Thanks,

Tal






Apache+mod_ssl and Tomcat+ssl

2001-11-01 Thread Adrian . Fortuzi


Hello all

We are using Apache+mod_ssl in DMZ-Internet. 
We have a Firewall between DMZ and our Intranet. 
Tomcat 3.2 is in Intranet installed. Can we have 
Tomcat to perform SSL with Apache-Server too but through a Firewall?
Apache server have to be authenticated through a Certificate 
in order to pass through the internal Firewall.
We want one end-to-end SSL connection between the client
and our Tomcat behind Firewall in Intranet.
 

Any suggestions are welcome.
 
Thanks,
Adrian
 
 
 






RE: Tomcat SSL Only 40 Bit

2001-10-18 Thread Jim Urban

Yes, and when I go to other HTTPS sites the little lock on the bottom of the
browser says 128 bit encryption.

Jim

-Original Message-
From: Riner Bill Contr AEDC/SVT [mailto:[EMAIL PROTECTED]]
Sent: Thursday, October 18, 2001 4:28 PM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat SSL Only 40 Bit


Do you have a 128-bit encryption version of IE?  Bill

>  -Original Message-
> From: Jim Urban [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, October 18, 2001 4:12 PM
> To:   Tomcat-User
> Subject:  Tomcat SSL Only 40 Bit
>
> I created a certificate and set up Tomcat SSL (stand-a-lone on NT) and it
> works!  However, according to IE, HTTPS is only using 40 bit encryption.
> How do I get 128 bit encryption?
>
> Jim Urban
> Product Manager
> Netsteps Inc.
> Suite 505E
> 1 Pierce Pl.
> Itasca, IL  60143
> Voice:  (630) 250-3045 x2164
> Fax:  (630) 250-3046
>




RE: Tomcat SSL Only 40 Bit

2001-10-18 Thread Riner Bill Contr AEDC/SVT

Do you have a 128-bit encryption version of IE?  Bill

>  -Original Message-
> From: Jim Urban [mailto:[EMAIL PROTECTED]] 
> Sent: Thursday, October 18, 2001 4:12 PM
> To:   Tomcat-User
> Subject:  Tomcat SSL Only 40 Bit
> 
> I created a certificate and set up Tomcat SSL (stand-a-lone on NT) and it
> works!  However, according to IE, HTTPS is only using 40 bit encryption.
> How do I get 128 bit encryption?
> 
> Jim Urban
> Product Manager
> Netsteps Inc.
> Suite 505E
> 1 Pierce Pl.
> Itasca, IL  60143
> Voice:  (630) 250-3045 x2164
> Fax:  (630) 250-3046
> 



Tomcat SSL Only 40 Bit

2001-10-18 Thread Jim Urban

I created a certificate and set up Tomcat SSL (stand-a-lone on NT) and it
works!  However, according to IE, HTTPS is only using 40 bit encryption.
How do I get 128 bit encryption?

Jim Urban
Product Manager
Netsteps Inc.
Suite 505E
1 Pierce Pl.
Itasca, IL  60143
Voice:  (630) 250-3045 x2164
Fax:  (630) 250-3046




RE: Tomcat+SSL+IBM Java

2001-09-03 Thread Alexander Jesse

Hi,

things that come to mind:
- are the JSSE-jars in the classpath?
- could it be that you have to define an IBM security-provider?

good luck
Alexander

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 03, 2001 11:14 AM
To: [EMAIL PROTECTED]
Subject: Tomcat+SSL+IBM Java


Hi,

we are bound to use  Tomcat with IBM Java, and we try to start it
with SSL, the result is:

Exception during startup processing
java.lang.reflect.InvocationTargetException: java.lang.NoClassDefFoundError:
com/sun/net/ssl/SSLContext

It seems to be natural, for the relevant class in IBM extension is 
com/ibm/net/ssl/SSLContext. 

Can anybody give a tip, what to do now?
(To use Sun's software not an option here...)

Thanks 

Agnes Sipos
Hungaria Insurance 





Tomcat+SSL+IBM Java

2001-09-03 Thread Sipos Ágnes

Hi,

we are bound to use  Tomcat with IBM Java, and we try to start it
with SSL, the result is:

Exception during startup processing
java.lang.reflect.InvocationTargetException: java.lang.NoClassDefFoundError:
com/sun/net/ssl/SSLContext

It seems to be natural, for the relevant class in IBM extension is 
com/ibm/net/ssl/SSLContext. 

Can anybody give a tip, what to do now?
(To use Sun's software not an option here...)

Thanks 

Agnes Sipos
Hungaria Insurance 






AW: to be a bit more specific: using POST with SSL (was: mod_jk required for apache/tomcat/SSL?)

2001-08-28 Thread Amthauer, Heiner

no, sorry, you are not. It is not a java source-code problem. The system is
all working perfectly well with normal http. And there are several
servlets, some being accessed with POST and some with GET - all work fine.
Until I switch to SSL. Afterwards I can no longer access the servlets with
POST.

greetings

> it seems that you didn't use 
> doPost(Httpreq,res)  method in
> your servlet, am i right ?
> cheers :)



Re: to be a bit more specific: using POST with SSL (was: mod_jk required for apache/tomcat/SSL?)

2001-08-28 Thread yilmaz

Hi Amthauer!
it seems that you didn't use doPost(Httpreq,res)  method in
your servlet, am i right ?
cheers :)
- Original Message -
From: "Amthauer, Heiner" <[EMAIL PROTECTED]>
To: "'tomcat'" <[EMAIL PROTECTED]>
Sent: Tuesday, August 28, 2001 3:24 PM
Subject: to be a bit more specific: using POST with SSL (was: mod_jk
required for apache/tomcat/SSL?)


> Hi again,
>
> sorry, my last question did not really explain my situation. I'll try it
> again:
> I did install Apache 1.3.20, Tomcat 3.2.3, openssl 0.9.6, mm 1.1.3 and
> mod_ssl 2.8.4. I installed it according to an install-log of our company
> (which is actually the same as yours, Jan :) and it all works fine with one
> exception:
> I CAN access servlets using the GET-method, however, I CANNOT access
> servlets using the POST-method. When using the POST-method I get some
> cryptical characters in the access-log together with a '501' and I get a
> 'Invalid method in request' in the error-log. Unfortunately I _have to_ use
> the POST-method, because we are sending objects to our servlets. Now, the
> question is:
>
> What exactly do I need for sending objects to servlets via SSL using the
> POST-method? Is mod_jserv enough? Is it a configuration problem?
>
> Any hints and help is greatly appreciated.
>
> regards
> Heiner
>
> 
> Dipl. Ing. Heiner Amthauer
> Entwicklungsingenieur
>
> T-Systems
>
> debis Systemhaus Ulm GEI GmbH
> Tel.: 0731 / 93 44 44 22
> Fax.: 0731 / 93 44 44 09
> Mobil.: 0178 / 42 69 33 5
> mailto:[EMAIL PROTECTED]
> 
>





to be a bit more specific: using POST with SSL (was: mod_jk required for apache/tomcat/SSL?)

2001-08-27 Thread Amthauer, Heiner

Hi again,

sorry, my last question did not really explain my situation. I'll try it
again:
I did install Apache 1.3.20, Tomcat 3.2.3, openssl 0.9.6, mm 1.1.3 and
mod_ssl 2.8.4. I installed it according to an install-log of our company
(which is actually the same as yours, Jan :) and it all works fine with one
exception:
I CAN access servlets using the GET-method, however, I CANNOT access
servlets using the POST-method. When using the POST-method I get some
cryptical characters in the access-log together with a '501' and I get a
'Invalid method in request' in the error-log. Unfortunately I _have to_ use
the POST-method, because we are sending objects to our servlets. Now, the
question is:

What exactly do I need for sending objects to servlets via SSL using the
POST-method? Is mod_jserv enough? Is it a configuration problem?

Any hints and help is greatly appreciated.

regards
Heiner


Dipl. Ing. Heiner Amthauer
Development Engineer

T-Systems

debis Systemhaus Ulm GEI GmbH
Tel.: 0731 / 93 44 44 22
Fax.: 0731 / 93 44 44 09
Mobil.: 0178 / 42 69 33 5
mailto:[EMAIL PROTECTED]




Re: Tomcat & SSL Encryption Level

2001-08-27 Thread Craig R. McClanahan



On Mon, 27 Aug 2001, Colin Freas wrote:

> Date: Mon, 27 Aug 2001 17:10:41 -0400
> From: Colin Freas <[EMAIL PROTECTED]>
> Reply-To: [EMAIL PROTECTED]
> To: Tomcat Users List <[EMAIL PROTECTED]>
> Subject: Tomcat & SSL Encryption Level
>
>
> I wrote this class some time ago to determine the security level of user
> connections before allowing them to login.
>
> It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
> working.
>
> Is there some relatively painless way of accessing the key length of SSL
> connections?
>

In Servlet 2.3 (i.e. Tomcat 4.0) there is -- there's a new request
attribute that returns the key size:

  javax.servlet.request.cipher_suite

Unfortunately, this won't help you on Tomcat 3.2.3.

> Thanks,
> Colin Freas
>

Craig




Tomcat & SSL Encryption Level

2001-08-27 Thread Colin Freas


I wrote this class some time ago to determine the security level of user
connections before allowing them to login.

It worked with Resin, but now I'm using Tomcat 3.2.3 and the same code isn't
working.

Is there some relatively painless way of accessing the key length of SSL
connections?

Thanks,
Colin Freas

---

import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;

public abstract class secureHttpServlet extends HttpServlet {

  String LoginURL, SecurityTooLowURL, BadProtocolURL;

  public void init() {
    //  Set default URLs for possible redirection.
    BadProtocolURL = "badProtocol.html";
    SecurityTooLowURL = "securityTooLow.html";
    LoginURL = "login.html";
  }

  //  secureXXX should be overridden to provide desired behavior.
  public void secureGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
  }

  public final void doGet(HttpServletRequest req, HttpServletResponse res)
      throws ServletException, IOException {
    //  Key size of the SSL connection as published by the container;
    //  null when the container does not set this attribute.
    Object ks = req.getAttribute("javax.servlet.request.key-size");
    HttpSession session = req.getSession(false);
    //  Check that https protocol used...
    if (req.getScheme().equals("https")) {
      //  Ensure at least 128-bit encryption used...
      if ((ks != null) && (Integer.parseInt(ks.toString()) >= 128)) {
        //  Check login status...
        if (session != null && session.getValue("s") != null) {
          secureGet(req, res);
        }
        else {
          res.sendRedirect(LoginURL);
        }
      }
      else {
        //  ks may be null here, so do not call toString() on it.
        System.out.println("Security level: " + ks);
        res.sendRedirect(SecurityTooLowURL);
      }
    }
    else {
      res.sendRedirect(BadProtocolURL);
    }
  }
}




Standalone Tomcat SSL Handshake problem

2001-08-27 Thread William Lee

I've searched in the mail archive but found no solution to the Tomcat
standalone SSL handshake problem that many people seem to experience.

I got the jsse and the certs installed according to the instruction.  I
used the keytool util to import a openssl-generated, self-signed,
certificate.  I can start the server fine with the following lines in
server.xml:





  




The keystore file is /tmp/keystore.

When I start the server, I got:

2001-08-24 17:57:33 - ContextManager: Adding context Ctx( /admin )
Starting tomcat. Check logs/tomcat.log for error messages
2001-08-24 17:57:33 - ContextManager: Adding context Ctx(  )
2001-08-24 17:57:33 - ContextManager: Adding context Ctx( /test )
2001-08-24 17:57:34 - PoolTcpConnector: Starting HttpConnectionHandler on 8080
2001-08-24 17:57:45 - PoolTcpConnector: Starting HttpConnectionHandler on 8443
2001-08-24 17:57:45 - PoolTcpConnector: Starting Ajp12ConnectionHandler on 8007

When I try connect to port 8443 using https from a browser:

2001-08-24 17:57:48 - Ctx(  ): 400 R( /) null
2001-08-24 17:57:48 - Ctx(  ): IOException in: R( /) Socket closed


I tried using openssl to connect to the server:
> openssl s_client -host sun8.dev-lab -port 8443
CONNECTED(0003)
19354:error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure:s23_clnt.c:453:
 
Can somebody tell me how I can get it going?  I read from the archive
that this is common problem but I found no way to resolve this.  People
must have gotten it to work, right?...:)  BTW, I'm using JDK 1.3.1 on
Solaris 5.8, Jsse 1.0.2, and Tomcat 3.2.3.   


-- 
William Lee (Will)| Sendmail Inc.
Email:  [EMAIL PROTECTED] | http://www.sendmail.com
Tel:(510) 594-5505|



Re: mod_jk required for apache/tomcat/SSL?

2001-08-27 Thread Jan Labanowski

Try http://www.ccl.net/cca/software/UNIX/apache/index.shtml

You may need to put the same stuff you have under default port 80
inside the block for virtual host 443 in httpd.conf


On Mon, 27 Aug 2001, Amthauer, Heiner wrote:

> Hi there!
> 
> I want to use tomcat together with apache+mod_ssl. However, accessing my
> servlets via SSL doesn't work at all, whereas using normal http requests it
> all works fine. In any documentation about using SSL with apache/tomcat I
> always find configuration examples for mod_jk, but none for mod_jserv
> (which I use). Is mod_jk a must when using apache/tomcat/SSL? If not, how
> can it be done with mod_jserv?
> 
> Any fast help is greatly appreciated
> regards
> Heiner
> 
> 
> Dipl. Ing. Heiner Amthauer
> Development Engineer
> 
> T-Systems
> 
> debis Systemhaus Ulm GEI GmbH
> Tel.: 0731 / 93 44 44 22
> Fax.: 0731 / 93 44 44 09
> Mobil.: 0178 / 42 69 33 5
> mailto:[EMAIL PROTECTED]
> 
> 

Jan K. Labanowski|phone: 614-292-9279,  FAX: 614-292-7168
Ohio Supercomputer Center|Internet: [EMAIL PROTECTED] 
1224 Kinnear Rd, |http://www.ccl.net/chemistry.html
Columbus, OH 43212-1163  |http://www.osc.edu/




RE: mod_jk required for apache/tomcat/SSL?

2001-08-27 Thread GOMEZ Henri

>In any documentation about using SSL with apache/tomcat I
>always find configuration examples for mod_jk, but none for mod_jserv
>(which I use). Is mod_jk a must when using apache/tomcat/SSL?
>If not, how can it be done with mod_jserv?

Yes, mod_jk will forward to your servlet/JSP 
the SSL information found in Apache 



RE: mod_jk required for apache/tomcat/SSL?

2001-08-27 Thread GOMEZ Henri

>Hi there!
>
>I want to use tomcat together with apache+mod_ssl. However, accessing my
>servlets via SSL doesn't work at all, whereas using normal http requests it
>all works fine. In any documentation about using SSL with apache/tomcat I
>always find configuration examples for mod_jk, but none for mod_jserv
>(which I use). Is mod_jk a must when using apache/tomcat/SSL?
>If not, how can it be done with mod_jserv?

You should put the JkMount in the SSL  area also :)



mod_jk required for apache/tomcat/SSL?

2001-08-27 Thread Amthauer, Heiner

Hi there!

I want to use tomcat together with apache+mod_ssl. However, accessing my
servlets via SSL doesn't work at all, whereas using normal http requests it
all works fine. In any documentation about using SSL with apache/tomcat I
always find configuration examples for mod_jk, but none for mod_jserv
(which I use). Is mod_jk a must when using apache/tomcat/SSL? If not, how
can it be done with mod_jserv?

Any fast help is greatly appreciated
regards
Heiner


Dipl. Ing. Heiner Amthauer
Development Engineer

T-Systems

debis Systemhaus Ulm GEI GmbH
Tel.: 0731 / 93 44 44 22
Fax.: 0731 / 93 44 44 09
Mobil.: 0178 / 42 69 33 5
mailto:[EMAIL PROTECTED]





tomcat -- SSL

2001-08-24 Thread brian luk

I am now using apache web server with SSL already
setup.

that means I can connect to HTTP server using SSL:
https://10.0.0.105:443/
or I can connect to HTTP server w/o SSL
http://10.0.0.105:80

I can make a request to servlet using SSL:
https://10.0.0.105:443/admin/servlet/com.app.Admin
or I can make request to servlet w/o SSL
http://10.0.0.105/admin/servlet/com.app.Admin

Will I get a secure connection between servlet & web
browser if I 

- block all port that can access servlet engine(e.g.
tomcat) from internet (e.g. 80, 8080) except SSL port
443.
- now web browser to apache web server connection is
secure.
- apache server to tomcat is not secure but only
apache can access tomcat, then it means
tomcat(servlet) is secure too??

If the above way is secure. how can I block access to
servlet through port 80?  or block access to a
specific web application through port 80?  which
means access is only granted through SSL port 443. (in
tomcat for example)
 
Since i need to send private info up from web browser
to servlet and make sure no one spy it. (
user/password for example )

thanks.





RE: tomcat-SSL

2001-08-21 Thread Mehul S Dave

Hello
   Thanks for the reply .
   Well i get some problems
   I have my Personal Certificate . When i click on Security
   of Netscape Browser & see Certificates Yours i can view my
Certificates. its fine.
 But now i connect to my ssl tomcat enabled site it gives me
message that The site has requested client authentication, but
you do not have a Personal Certificate to authenticate yourself.
The site may choose not to give you access without one.
But i got my Personal Certificate already.
I also manually import the certi in keystore by keytool.
Please give the solution.
Thanks.

*
Mehul S Dave
Scientific Officer, (STCS Dept.),
Tata Institute of Fundamental Research
Phone - 2152971 Extn - 2372
Mumbai .
webpage:- http://www.ecom.tifr.res.in/~mehul
*




RE: tomcat-SSL

2001-08-20 Thread Rams

The jsse classes do on part of you.
no need for u to do anything even in case of client authentication, as we do
nothing in server Authentication.
If u r connecting as client to other servers and they need client
Authentication.
u should have ur client cert in ur keystore.

Am I making sense?

--Rams

-Original Message-
From: Mehul S Dave [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, August 21, 2001 12:32 PM
To: Tomcat User archive
Subject: tomcat-SSL


Hi
   I have configured tomcat-SSL as an Standalone.
   Its working Fine
   I have used JSSE
   Well i need some more step-by step details for more Secured
Authentication. In the Server.XML in the SSL phase if i set
   parameter=clientAuth value=true then it will expect clients Certificate
too from the Client side. I wanna know on the Server side how do i have
the clients Certificate for Authentication.
Or any other Steps for Client Authentication with respect to Certificates.
Thanking you.
Bye



*
Mehul S Dave
Scientific Officer, (STCS Dept.),
Tata Institute of Fundamental Research
Phone - 2152971 Extn - 2372
Mumbai .
webpage:- http://www.ecom.tifr.res.in/~mehul
*




tomcat-SSL

2001-08-20 Thread Mehul S Dave

Hi
   I have configured tomcat-SSL as an Standalone.
   Its working Fine
   I have used JSSE 
   Well i need some more step-by step details for more Secured
Authentication. In the Server.XML in the SSL phase if i set 
   parameter=clientAuth value=true then it will expect clients Certificate
too from the Client side. I wanna know on the Server side how do i have
the clients Certificate for Authentication.
Or any other Steps for Client Authentication with respect to Certificates.
Thanking you.
Bye



*
Mehul S Dave
Scientific Officer, (STCS Dept.),
Tata Institute of Fundamental Research
Phone - 2152971 Extn - 2372
Mumbai .
webpage:- http://www.ecom.tifr.res.in/~mehul
*




RE: Apache+Tomcat+SSL+IE5.5

2001-08-13 Thread Martin van den Bemt

It has to do with settings in the browser that it gives this message. If you
refer one thing to http in eg the header (eg external css stylesheet or
external js file) then this message is given.

Mvgr,
Martin

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On Behalf Of [EMAIL PROTECTED]
> Sent: Monday, August 13, 2001 9:08 PM
> To: [EMAIL PROTECTED]
> Subject: Apache+Tomcat+SSL+IE5.5
>
>
> Hi,
> I have a web server with Apache (with SSL) + Tomcat (with ajp13)
> Tomcat don't have a HTTP connector.
> My application only use JSP-servlets(no static page).
> It work perfectly with IE5.0 , Netscape 4 or Netscape 6
> When I use IE5.5 to connect to my apache i have this message from IE :
> (i have a french message, so it is my translation )
>
> "this page have secure elements and non-secure elements
>
> Would you like view the non-secure elements ?"
>
> It's just a warning message but I would like to know if :
>
>  _ IE5.5 is right (they are non-secured element in my JSP pages) or if
> it is a bug.
>  How to be sure ?
>
>  _ if yes, Does It mean apache-SSL don't crypt my tomcat's JSP. (i have
> the same message when i use ajp12 or ajp13 )
>
> Thanks in advance
> Fred
>
>
>
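
The cause Martin describes can be checked mechanically against the HTML a JSP actually sends. The following is an added example, not part of the original thread: it lists every subresource an HTTPS page would fetch over plain http. The page URL, host names and sample markup are constructed for illustration.

```python
"""List subresources that an HTTPS page would load over plain HTTP."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attribute whose URL a browser fetches on its own while rendering.
# Plain <a href> links are navigation, not subresources, so they are not listed.
FETCHED_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "input": "src", "object": "data", "body": "background",
}
# <link href> is only fetched for some rel values.
FETCHED_LINK_RELS = {"stylesheet", "icon"}


class MixedContentFinder(HTMLParser):
    """Collects (line, tag, resolved_url) for every http:// subresource."""

    def __init__(self, page_url):
        super().__init__()
        self.base_url = page_url   # replaced if the page carries <base href>
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = {name: (value or "") for name, value in attrs}
        if tag == "base" and attrs.get("href"):
            # A <base href="http://..."> silently turns every relative
            # reference that follows into an insecure one.
            self.base_url = urljoin(self.base_url, attrs["href"])
            return
        if tag == "link":
            rels = set(attrs.get("rel", "").lower().split())
            ref = attrs.get("href") if rels & FETCHED_LINK_RELS else None
        else:
            ref = attrs.get(FETCHED_ATTRS.get(tag, ""))
        if not ref:
            return
        # Relative and protocol-relative references inherit the base scheme.
        resolved = urljoin(self.base_url, ref.strip())
        if urlsplit(resolved).scheme == "http":
            self.findings.append((self.getpos()[0], tag, resolved))


def find_insecure_subresources(html, page_url):
    """Return the http:// subresources of `html` as served from `page_url`."""
    finder = MixedContentFinder(page_url)
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample: output of a hypothetical JSP served over HTTPS.
PAGE_URL = "https://www.example.com/app/index.jsp"
SAMPLE_JSP_OUTPUT = """<html>
<head>
  <link rel="stylesheet" href="http://www.example.com/css/site.css">
  <link rel="stylesheet" href="/css/local.css">
  <script src="//cdn.example.com/lib.js"></script>
  <script src="http://www.example.com/js/menu.js"></script>
</head>
<body>
  <a href="http://www.example.com/help.html">help</a>
  <img src="images/logo.gif">
  <img src="https://www.example.com/images/lock.gif">
</body>
</html>
"""

if __name__ == "__main__":
    for line, tag, url in find_insecure_subresources(SAMPLE_JSP_OUTPUT, PAGE_URL):
        print("line %d: <%s> loads %s" % (line, tag, url))
```

An empty result for every page of the application means the warning does not come from the markup itself; any hit is a reference to change to https or to a relative URL.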




Apache+Tomcat+SSL+IE5.5

2001-08-13 Thread java

Hi,
I have a web server with Apache (with SSL) + Tomcat (with ajp13)
Tomcat don't have a HTTP connector.
My application only use JSP-servlets(no static page).
It work perfectly with IE5.0 , Netscape 4 or Netscape 6
When I use IE5.5 to connect to my apache i have this message from IE :
(i have a french message, so it is my translation )

"this page have secure elements and non-secure elements

Would you like view the non-secure elements ?"

It's just a warning message but I would like to know if :

 _ IE5.5 is right (they are non-secured element in my JSP pages) or if
it is a bug.
 How to be sure ?

 _ if yes, Does It mean apache-SSL don't crypt my tomcat's JSP. (i have
the same message when i use ajp12 or ajp13 )

Thanks in advance
Fred





Re: tomcat ssl direct help

2001-07-18 Thread John Hebert

Tan WeeSiong wrote:

> hi
> 
> i am facing a lot of problems with tomcat 3.2.1
> 
> the ssl direct has already caused me a lot of problems
> i tried to import certs of v3 and try to let it run as
> a server cert but it doesn't work
> the default tomcat webpage cannot be display 
> and the tomcat shows these error msg 
> 2001-03-22 03:47:18 - Ctx(  ): 400 R( /) null
> 2001-03-22 03:47:18 - Ctx(  ): IOException in: R( /) Socket closed
> 
> 
> 
> but when i try 
> keytool -genkey -alias tomcat -keyalg RSA
> 
> the v1 cert works and ssl can be working
> 
> 
> please reply me as soon as possible because i have
> already dwell on this problem for a very long time 
> and i think i am going mad already. The internet
> doesn't really help much... 
> 
> please give me the solutions in detail and as simple
> to understand as possible
> 
> please i really appreciate your help thanks


Tan,

I do not have a detailed answer but I do suggest that you use the latest 
release version of Tomcat. Are you certain that SSL v3 is supported by 
Tomcat 3.2.1?

-- 
John Alex Hebert
[EMAIL PROTECTED]
System Engineer



tomcat ssl direct help

2001-07-18 Thread Tan WeeSiong

hi

i am facing a lot of problems with tomcat 3.2.1

the ssl direct has already caused me a lot of problems
i tried to import certs of v3 and try to let it run as
a server cert but it doesn't work
the default tomcat webpage cannot be display 
and the tomcat shows these error msg 
2001-03-22 03:47:18 - Ctx(  ): 400 R( /) null
2001-03-22 03:47:18 - Ctx(  ): IOException in: R( /) Socket closed



but when i try 
keytool -genkey -alias tomcat -keyalg RSA

the v1 cert works and ssl can be working


please reply me as soon as possible because i have
already dwell on this problem for a very long time 
and i think i am going mad already. The internet
doesn't really help much... 

please give me the solutions in detail and as simple
to understand as possible

please i really appreciate your help thanks












Re: Tomcat SSL

2001-06-13 Thread Tim O'Neil

>Now I want to figure out how to confirm that the contents sent between
>tomcat and apache are really encrypted.

Why do you want to do that? Is Apache and Tomcat running on two
different machines?




Tomcat SSL

2001-06-13 Thread Claudius Grieser

Hi,

I have a running Tomcat(Version 3.2.1) and Apache(Version 1.3.14-6) on
Linux.
The Apache is working with SSL.
I want to use the SSL connection also between apache and tomcat.
For the installation of SSL I used the "Tomcat and SSL" document delivered
with the tomcat documentation.
Now I want to figure out how to confirm that the contents sent between
tomcat and apache are really encrypted.
Are there any logs, or can I write the encrypted http to a file?

Any suggestions would be helpful.

Thanks
Claudius



Claudius Grieser mailto:[EMAIL PROTECTED]




Any luck with the Verisign certificate and Tomcat/SSL?

2001-06-12 Thread Fernandes, Steven (HSD, IT, Mastech)

Justin,
 
We seem to be encountering the identical problem that you are facing. Did
not notice any replies to your question.
 
Were you able to surmount the problem? Could you share that information with
us?
 
We are using NT4.0 SP6a with Tomcat 3.2.1, JSSE 1.0.2 and JDK 1.2.2
 
We have obtained a Verisign certificate, but upon importing the certificate,
we get the identical errors you encountered; viz :
 
Page cannot be displayed (in the browser)
IOException : Socket closed etc etc on the server.
 
Could you please email me back with any solution you know of? It will be
much appreciated
 
Thanks in advance!
 
Steven Fernandes
(860) 547-8909
The Hartford,
Hartford, CT





Tomcat - SSL + gzip?

2001-06-06 Thread Lance Dyas

SSL... and a servlet on Tomcat, what version is required and how does
one set it up?




Tomcat & SSL

2001-06-04 Thread Abhijat Thakur


Hi,


I followed all the installation instructions to configure Tomcat with SSL

1. put jsse.jar, jcert.jar and jnet.jar in tomcat_home\lib and in
jre\lib\ext and also put it in my classpath.
2. modified java.security file to give providers name.
3. Generated a SSL certificate(RSA) for Tomcat.
4. modified server.xml for SSL implementation

i get this error even though jsse.jar is in my classpath. I don't know what
to do next. i am kind of stuck. any help is highly appreciated.


The error is

2001-06-04 04:09:54 - ContextManager: IOException reading request, ignored - javax.net.ssl.SSLException: Unrecognized SSL handshake.
        at com.sun.net.ssl.internal.ssl.InputRecord.read([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a([DashoPro-V1.2-120198])
        at com.sun.net.ssl.internal.ssl.AppInputStream.read([DashoPro-V1.2-120198])
        at java.io.BufferedInputStream.fill(BufferedInputStream.java:186)
        at java.io.BufferedInputStream.read(BufferedInputStream.java:204)
        at org.apache.tomcat.service.http.HttpRequestAdapter.doRead(HttpRequestAdapter.java:115)
        at org.apache.tomcat.core.BufferedServletInputStream.doRead(BufferedServletInputStream.java:106)
        at org.apache.tomcat.core.BufferedServletInputStream.read(BufferedServletInputStream.java:128)
        at javax.servlet.ServletInputStream.readLine(ServletInputStream.java:138)
        at org.apache.tomcat.service.http.HttpRequestAdapter.readNextRequest(HttpRequestAdapter.java:129)
        at org.apache.tomcat.service.http.HttpConnectionHandler.processConnection(HttpConnectionHandler.java:195)
        at org.apache.tomcat.service.TcpWorkerThread.runIt(PoolTcpEndpoint.java:416)
        at org.apache.tomcat.util.ThreadPool$ControlRunnable.run(ThreadPool.java:498)
        at java.lang.Thread.run(Thread.java:484)





Abhijat Thakur





RE: Tomcat & SSL

2001-06-04 Thread Martin van den Bemt

http://jakarta.apache.org/tomcat/tomcat-3.3-doc/tomcat-ssl-howto.html

Your link is a combination of cvs checkout and the above ;-))

Mvgr,
Martin

> -Original Message-
> From: Abhijat Thakur [mailto:[EMAIL PROTECTED]]
> Sent: Monday, June 04, 2001 8:24 PM
> To: [EMAIL PROTECTED]
> Subject: Tomcat & SSL
>
>
> Hi,
>
> If anybody can forward me to some documentation where i can get started on
> how to configure Tomcat with SSL. The site
>
> http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-ssl-howto.html
>
> does not work. Other than that on the Archives i could find specific
> questions related to Tomcat & SSL problems but i have not reached
> that far.
>
>
> Thanks in advance
>
> Abhijat Thakur
>
>




Tomcat & SSL

2001-06-04 Thread Abhijat Thakur

Hi,

If anybody can forward me to some documentation where i can get started on
how to configure Tomcat with SSL. The site

http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/tomcat-ssl-howto.html

does not work. Other than that on the Archives i could find specific
questions related to Tomcat & SSL problems but i have not reached that far.


Thanks in advance

Abhijat Thakur




RE: IIS + Tomcat + SSL

2001-05-28 Thread Todd Sussman

I am redoing the server.xml file in case of any errors I may have made.
This being the first time I have dealt with SSL at all.  When we access
our site with http everything works fine.  The same with https.  The
problem is that when we request using https, a message appears asking if
we would like to download secure and non-secure items.  So I assume this
is the jsp's throwing the error/message.

Todd

-Original Message-
From: Rams [mailto:[EMAIL PROTECTED]]
Sent: Monday, May 28, 2001 6:55 AM
To: [EMAIL PROTECTED]
Subject: RE: IIS + Tomcat + SSL


Hi Todd,
did u make changes in server.xml of tomcat for ssl enabling?
not that jsp doesnt agree or servlets only agree? 
u r worried of URL for https,not the component,ok.
let me know how did u test ur jsp using https?
was it working with http?

--Rams


-Original Message-
From: Todd Sussman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 27, 2001 12:26 PM
To: [EMAIL PROTECTED]
Subject: IIS + Tomcat + SSL


We have a working IIS + Tomcat 3.2.1 server running under windows 2000.
We would like to add SSL security.  I received my cert from Verisign and
installed it.  The problem is that I don't think the JSP's are using
the SSL information.  Is there any way to test this or a howto I can
check.

Thank You
Todd





RE: IIS + Tomcat + SSL

2001-05-27 Thread Rams

Hi Todd,
did u make changes in server.xml of tomcat for ssl enabling?
not that jsp doesnt agree or servlets only agree? 
u r worried of URL for https,not the component,ok.
let me know how did u test ur jsp using https?
was it working with http?

--Rams


-Original Message-
From: Todd Sussman [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 27, 2001 12:26 PM
To: [EMAIL PROTECTED]
Subject: IIS + Tomcat + SSL


We have a working IIS + Tomcat 3.2.1 server running under windows 2000.
We would like to add SSL security.  I received my cert from Verisign and
installed it.  The problem is that I don't think the JSP's are using
the SSL information.  Is there any way to test this or a howto I can
check.

Thank You
Todd





IIS + Tomcat + SSL

2001-05-26 Thread Todd Sussman

We have a working IIS + Tomcat 3.2.1 server running under windows 2000.
We would like to add SSL security.  I received my cert from Verisign and
installed it.  The problem is that I don't think the JSP's are using
the SSL information.  Is there any way to test this or a howto I can
check.

Thank You
Todd

-Original Message-
From: Nirvana [mailto:[EMAIL PROTECTED]]
Sent: Sunday, May 27, 2001 8:24 AM
To: [EMAIL PROTECTED]
Subject: Re: Tomcat and weblogic


Tomcat is a servlet/JSP engine with a small inefficient web engine. It
cannot host any other stuff like EJBs or anything. But Weblogic is an
AppServer. So it has both an EJB container/engine and a Servlet/JSP
engine.
but some ppl use tomcat for their servlet/JSP hosting for its known
performance and use any other appserver like weblogic for EJB hosting.

-Nirvana

-Original Message-
From: Salwa Ananou <[EMAIL PROTECTED]>
To: Tomcat-User (E-mail) <[EMAIL PROTECTED]>
Date: Friday, May 25, 2001 3:26 AM
Subject: Tomcat and weblogic


>Hi,
>
>I m a new tomcat user and i don't know a lot about it;
>
>My stuff is designed to work with an application server and i need also
>tomcat;
>
>Can i use Tomcat as a application server, ? or must I install weblogic and
>tomcat at the same machine;
>
>or does weblogic include all tomcat functionalities; so i don't need tomcat.
>
>thanks
>
>




Apache/Tomcat/SSL

2001-05-25 Thread Bhat, Mahesh



Hi
 
I have an Apache Server running under SSL. I have linked my Tomcat Server
to it. Now I would like to refer to the SSL variables like
SSL_CIPHER_USEKEYSIZE from my servlet code but don't know how to do it.

Has anyone done that before ?
 
regards
mahesh
 




RE: Tomcat + SSL Certificates

2001-05-11 Thread Tim O'Neil

At 10:16 AM 5/11/2001 -0400, you wrote:
>My initial suspicion was that Tomcat 3.0 which I'm using as part of J2EE
>didn't support the use of SGC certificates, which I still suspect. Tim; can
>you confirm the Tomcat version with which you are successfully connecting at
>128-bits?

3.2.1.




Re[2]: Tomcat + SSL Certificates

2001-05-11 Thread Wolfgang Mutter

Hi,

Friday, May 11, 2001, 11:09:49 AM, you wrote:

we have a solution for the ssl problem. So you can use tomcat
standalone with a CA certificate. We wrote a small Java program
to import the certificate into the keystore. The source and a small
description is under http://www.comu.de/docs/tomcat_ssl.htm. If you
have any extension so please send it to us, and we include it to the
base version !

> Hopefully v1.3 of the J2EE with Tomcat 4.0 in it will get around this
> problem, but until then I need all the help I can get.

Yours
Wolfgang Mutter
Computer Mutter GmbH





RE: Tomcat + SSL Certificates

2001-05-11 Thread Sean Pritchard

I'm using Tomcat 3.2.1, the US JSSE version, and the US version of IE 5.0.

-Original Message-
From: Alan Williamson [mailto:[EMAIL PROTECTED]]
Sent: Friday, May 11, 2001 7:49 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat + SSL Certificates


Sean, Tim,

Thanks for your feedback.

I've checked my JSSE version, and it's 1.0.2 global version.  Which
according to the accompanying user guide has the same level of cryptography
as the domestic US version, so I don't think it's the jars that are causing
the problem.

My initial suspicion was that Tomcat 3.0 which I'm using as part of J2EE
didn't support the use of SGC certificates, which I still suspect. Tim; can
you confirm the Tomcat version with which you are successfully connecting at
128-bits?

I was aware of the 128-bit standard Thawte certs, but I never got a
connection at 128 via the test cert.  They switch down to 40 dependant on
the browser and server according to Thawte.  However the versions of
Netscape (4.75) and I.E (5.0) I'm running are both 128-bit compatible
according to them, which again points to the old version of Tomcat I'm using
!

Hopefully v1.3 of the J2EE with Tomcat 4.0 in it will get around this
problem, but until then I need all the help I can get.

Cheers,

Alan



RE: Tomcat + SSL Certificates

2001-05-11 Thread Alan Williamson

Sean, Tim,

Thanks for your feedback.

I've checked my JSSE version, and it's 1.0.2 global version.  Which
according to the accompanying user guide has the same level of cryptography
as the domestic US version, so I don't think it's the jars that are causing
the problem.

My initial suspicion was that Tomcat 3.0 which I'm using as part of J2EE
didn't support the use of SGC certificates, which I still suspect. Tim; can
you confirm the Tomcat version with which you are successfully connecting at
128-bits?

I was aware of the 128-bit standard Thawte certs, but I never got a
connection at 128 via the test cert.  They switch down to 40 dependant on
the browser and server according to Thawte.  However the versions of
Netscape (4.75) and I.E (5.0) I'm running are both 128-bit compatible
according to them, which again points to the old version of Tomcat I'm using
!

Hopefully v1.3 of the J2EE with Tomcat 4.0 in it will get around this
problem, but until then I need all the help I can get.

Cheers,

Alan




RE: Tomcat + SSL Certificates

2001-05-10 Thread Tim O'Neil

I am doing exactly the same thing, using Thawte as
well. Tomcat seems to be dealing with 128 bit
security for me just fine. I think your supposition
that Alan is using the 40-bit JSSE jars is correct.
Alan; BTW: Thawte also has a 128 bit "standard"
cert, the "SuperCert" isn't necessary for 128
bits. I didn't really read the propaganda on Thawte's
site about the super cert but the main thing I got out
of it was that it makes renewing itself a real snap.
Great for Thawte...

At 10:45 AM 5/10/2001 -0400, you wrote:
>I generated a self-signed certificate using the keytool as discussed in the
>tomcat doc.  It seems to be encrypting at 128-bit (according to my browser).
>You will need a version of the security extensions (JSSE I think) that
>supports 128 bit encryption.  I don't know whether the international version
>supports that.  I have not tried to import a third party certificate yet.
>
>Sean
>
>-Original Message-
>From: Alan Williamson [mailto:[EMAIL PROTECTED]]
>Sent: Thursday, May 10, 2001 4:58 AM
>To: '[EMAIL PROTECTED]'
>Subject: RE: Tomcat + SSL Certificates
>
>
>Ylan, Sean,
>
>Thank you for your replies.
>
>I do have SSL working through Tomcat directly using a test certificate that
>I got from the CA Thawte,  however it only seems to work with a standard
>x509 certificate (40-bit)!
>
>I'd really like to be able to make use of the latest SGC SuperCerts (as
>Thawte badge them) which are 128-bit.  But I'm unsure of what Tomcat version
>supports them, if it actually does and this is what I'm really trying to
>find out.
>
>Cheers,
>
>Alan




RE: Tomcat + SSL Certificates

2001-05-10 Thread Sean Pritchard

I generated a self-signed certificate using the keytool as discussed in the
tomcat doc.  It seems to be encrypting at 128-bit (according to my browser).
You will need a version of the security extensions (JSSE I think) that
supports 128 bit encryption.  I don't know whether the international version
supports that.  I have not tried to import a third party certificate yet.

Sean

-Original Message-
From: Alan Williamson [mailto:[EMAIL PROTECTED]]
Sent: Thursday, May 10, 2001 4:58 AM
To: '[EMAIL PROTECTED]'
Subject: RE: Tomcat + SSL Certificates


Ylan, Sean,

Thank you for your replies.

I do have SSL working through Tomcat directly using a test certificate that
I got from the CA Thawte,  however it only seems to work with a standard
x509 certificate (40-bit)!

I'd really like to be able to make use of the latest SGC SuperCerts (as
Thawte badge them) which are 128-bit.  But I'm unsure of what Tomcat version
supports them, if it actually does and this is what I'm really trying to
find out.

Cheers,

Alan



RE: Tomcat + SSL Certificates

2001-05-10 Thread Alan Williamson

Ylan, Sean,

Thank you for your replies.

I do have SSL working through Tomcat directly using a test certificate that
I got from the CA Thawte,  however it only seems to work with a standard
x509 certificate (40-bit)!

I'd really like to be able to make use of the latest SGC SuperCerts (as
Thawte badge them) which are 128-bit.  But I'm unsure of what Tomcat version
supports them, if it actually does and this is what I'm really trying to
find out.

Cheers,

Alan



RE: Tomcat + SSL Certificates

2001-05-09 Thread Sean Pritchard

I have been able to get Tomcat to support SSL in standalone mode just fine.
There is a very brief write-up of the procedure in the Tomcat documentation
and an example connector in the example web.xml file.  I was initially
concerned because the write-up is so short, but it turned out that following
the steps as outlined worked fine.  No long write-up was needed.  You do
need to download the security extensions from Sun but this is all covered in
the documentation.

Sean

-Original Message-
From: Ylan Segal [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 09, 2001 1:48 PM
To: [EMAIL PROTECTED]
Subject: RE: Tomcat + SSL Certificates


As I understand it, tomcat by itself does not support any certificates. If
you want to use SSL then you need to integrate it with another webserver.

I use tomcat with apache-modssl and it works great.

Ylan

|-Original Message-
|From: Alan Williamson [mailto:[EMAIL PROTECTED]]
|Sent: Wednesday, May 09, 2001 5:30 AM
|To: '[EMAIL PROTECTED]'
|Subject: Tomcat + SSL Certificates
|
|
|Hi,
|
|Could someone please tell me what version of Tomcat (if any)
|supports 128-bit
|Server-Gated Crypto (SGC) certificates.
|
|I'm currently using Java J2EE 1.2.1 and Tomcat v3.0 which comes along with
|it without much luck.  With a test 128-bit cert installed Tomcat fails to
|locate my test jsp, but it works fine with a x 509 cert.
|
|Cheers,
|
|Alan
|



RE: Tomcat + SSL Certificates

2001-05-09 Thread Ylan Segal

As I understand it, tomcat by itself does not support any certificates. If
you want to use SSL then you need to integrate it with another webserver.

I use tomcat with apache-modssl and it works great.

Ylan

|-Original Message-
|From: Alan Williamson [mailto:[EMAIL PROTECTED]]
|Sent: Wednesday, May 09, 2001 5:30 AM
|To: '[EMAIL PROTECTED]'
|Subject: Tomcat + SSL Certificates
|
|
|Hi,
|
|Could someone please tell me what version of Tomcat (if any)
|supports 128-bit
|Server-Gated Crypto (SGC) certificates.
|
|I'm currently using Java J2EE 1.2.1 and Tomcat v3.0 which comes along with
|it without much luck.  With a test 128-bit cert installed Tomcat fails to
|locate my test jsp, but it works fine with a x 509 cert.
|
|Cheers,
|
|Alan
|




Tomcat + SSL Certificates

2001-05-09 Thread Alan Williamson

Hi,

Could someone please tell me what version of Tomcat (if any) supports 128-bit
Server-Gated Crypto (SGC) certificates.

I'm currently using Java J2EE 1.2.1 and Tomcat v3.0 which comes along with
it without much luck.  With a test 128-bit cert installed Tomcat fails to
locate my test jsp, but it works fine with a x 509 cert.

Cheers,

Alan



IIS 5.0 + Tomcat + SSL ??

2001-05-03 Thread Todd Sussman

Our setup is like this:
We have a win2k Server running IIS 5.0 with Tomcat serving JSP's.  This
works fine when using http.
I downloaded a test SSL certificate from Verisign in order to decide
if/when we will implement this.  I have never worked with ssl and when I
install the certificate and attempt to access the site via https it
doesn't find the page.
 
Thank you in advance for any help.
 
Todd



Re: Tomcat & SSL

2001-04-26 Thread Wolle

That means, when you build your own mod_jk, you get a chance that
Apache will not hang up?
This could be the reason why this has not happened in my case.

Greetings,
Wolle


GOMEZ Henri wrote:

> >> When I've had to kill Tomcat on my setup, Apache locks up
> >and requires a
> >> restart, even after restarting Tomcat.
> >>
> >> Also, according to the mod_jk FAQ:
> >>
> >>
> >http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-
> >howto.html#s8
> >>
> >> "Q. Whenever I restart Tomcat, Apache locks up!
> >> A. The Ajp13 protocol keeps an open socket between Tomcat
> >and Apache. When
> >> you restart Tomcat, you need to restart Apache as well."
> >>
> >> which was pretty much my own experience,
> >>
> >> Regards,
> >> Joel Parramore
> >>
>
> It's no more true with the latest mod_jk/ajp13 found in
> TC 3.3 cvs. I committed two patches in ajp13 worker (C side)
> which fixes that.
>
> But mod_jk in TC 3.2 != mod_jk in TC 3.3 since some fixes
> are delicate and Marc asked us to avoid touching sensible
> code in TC 3.2.x. Even if I'm confident with the ajp13 worker
> patch we need many testers to put it back in TC 3.2.

--





Re: Tomcat & SSL

2001-04-26 Thread Joel Parramore


So, the latest mod_jk/ajp13 in Tomcat 3.3 fixes this?  Nice to know...
thanks.

Regards,
Joel Parramore


- Original Message -
From: "GOMEZ Henri" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Thursday, April 26, 2001 4:02 PM
Subject: RE: Tomcat & SSL


> >> When I've had to kill Tomcat on my setup, Apache locks up
> >and requires a
> >> restart, even after restarting Tomcat.
> >>
> >> Also, according to the mod_jk FAQ:
> >>
> >>
> >http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-
> >howto.html#s8
> >>
> >> "Q. Whenever I restart Tomcat, Apache locks up!
> >> A. The Ajp13 protocol keeps an open socket between Tomcat
> >and Apache. When
> >> you restart Tomcat, you need to restart Apache as well."
> >>
> >> which was pretty much my own experience,
> >>
> >> Regards,
> >> Joel Parramore
> >>
>
> It's no more true with the latest mod_jk/ajp13 found in
> TC 3.3 cvs. I committed two patches in ajp13 worker (C side)
> which fixes that.
>
> But mod_jk in TC 3.2 != mod_jk in TC 3.3 since some fixes
> are delicate and Marc asked us to avoid touching sensible
> code in TC 3.2.x. Even if I'm confident with the ajp13 worker
> patch we need many testers to put it back in TC 3.2.





RE: Tomcat & SSL

2001-04-26 Thread GOMEZ Henri

>> When I've had to kill Tomcat on my setup, Apache locks up 
>and requires a
>> restart, even after restarting Tomcat.
>>
>> Also, according to the mod_jk FAQ:
>>
>> 
>http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-
>howto.html#s8
>>
>> "Q. Whenever I restart Tomcat, Apache locks up!
>> A. The Ajp13 protocol keeps an open socket between Tomcat 
>and Apache. When
>> you restart Tomcat, you need to restart Apache as well."
>>
>> which was pretty much my own experience,
>>
>> Regards,
>> Joel Parramore
>>

It's no more true with the latest mod_jk/ajp13 found in
TC 3.3 cvs. I committed two patches in ajp13 worker (C side)
which fixes that.

But mod_jk in TC 3.2 != mod_jk in TC 3.3 since some fixes
are delicate and Marc asked us to avoid touching sensible
code in TC 3.2.x. Even if I'm confident with the ajp13 worker
patch we need many testers to put it back in TC 3.2.




Re: Tomcat & SSL

2001-04-25 Thread Milt Epstein

On Tue, 24 Apr 2001, Jeff Kilbride wrote:

> Correct. Apache stops serving mod_jk requests. However, apache
> itself doesn't die. It will go on happily serving .html, .php,
> mod_perl, etc...
>
> Just don't want to give anyone the impression that the entire apache
> server locks up when Tomcat is restarted.

Then why do you say "correct" in response to someone who says it
*does* lockup? :-).

I'm confused ... :-).


> - Original Message -
> From: "Joel Parramore" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 24, 2001 3:47 PM
> Subject: Re: Tomcat & SSL
>
> > When I've had to kill Tomcat on my setup, Apache locks up and
> > requires a restart, even after restarting Tomcat.
> >
> > Also, according to the mod_jk FAQ:
> >
> >
> http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8
> >
> > "Q. Whenever I restart Tomcat, Apache locks up!
> > A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
> > you restart Tomcat, you need to restart Apache as well."
> >
> > which was pretty much my own experience,
> >
> > Regards,
> > Joel Parramore
> >
> >
> > - Original Message -
> > From: "Jeff Kilbride" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, April 24, 2001 6:38 PM
> > Subject: Re: Tomcat & SSL
> >
> > > Well, apache doesn't die, per se -- it just doesn't respond to
> > > connections from Tomcat until restarted.
> > >
> > > --jeff
> > >
> > > - Original Message -
> > > From: "Joel Parramore" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, April 24, 2001 3:31 PM
> > > Subject: Re: Tomcat & SSL
> > >
> > > > Using ajp13 with Apache and Tomcat holds open a socket for
> > > > requests between the two as opposed to opening a socket for
> > > > every request (ajp12).  Shutting down Tomcat apparently does
> > > > not gracefully allow Apache to deal with the socket suddenly
> > > > closing, so Apache dies as well.
> > > >
> > > > Regards,
> > > > Joel Parramore
[ ... ]

Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]




RE: Tomcat & SSL

2001-04-24 Thread Boris Niyazov

I see a little misunderstanding here. Apache with mod_ssl or apache-ssl module 
uses ssl connection with http clients. The communication between apache and the 
servlet container is done via ajpXX protocol that can be secure or not. As I 
understand ajp12 (that mod_jserv uses) does not support SSL while ajp13 (that 
mod_jk uses) does. 
So, if apache and the servlet container are residing on the same box, one can
use apache-ssl with mod_jserv or tomcat+ajp12 and be secure (that's what we do
here). When communication between apache and the servlet container is done
via the net, one should probably use ajp13, meaning tomcat+mod_jk.

This is my 2 cents
Boris Niyazov, Systems Manager, Columbia Law School
Ph: 212-854-4094  Fax: 212-854-1749
Email: [EMAIL PROTECTED]  URL: http://www.law.columbia.edu
 



>Date: Tue, 24 Apr 2001 16:32:03 -0500 (CDT)
>From: Milt Epstein <[EMAIL PROTECTED]>
>To: <[EMAIL PROTECTED]>
>Subject: RE: Tomcat & SSL
>
>On Tue, 24 Apr 2001, GOMEZ Henri wrote:
>
>> >
>> >> -- mod_jserv won't work if you want to use SSL
>> >
>> >Why not? SSL stuff in apache is done in apache, and jserv is
>> >only a connector.
>> >The SSL in apache works the same way in mod_ssl, and
>> >mod_jserv. The only
>> >difference is that in Servlet Spec 2.0 (JSDK2.0 which jserv is) has no
>> >notion of SSL (to my knowledge), and you cannot really do
>> >anything with SSL
>> >within servlets, unless you write everything yourself. You still get
>> >the CGI environment variables, so you probably can find out that
>> >request was handled as HTTPS, but apache takes care of it for you,
>> >and you cannot make much use of it within a servlet.
>>
>> mod_jserv didn't support SSL neither ajp12. You must use mod_jk
>> with ajp13 to get SSL info forwarded from Apache to Tomcat.
>[ ... ]
>
>Can you clarify what you mean by this?  Because I'm using Apache with
>mod_ssl, and Tomcat with mod_jserv, and things are working just fine.
>Perhaps there's some functionality I don't have, but I guess I haven't
>needed it yet.
>
>Milt Epstein
>Research Programmer
>Software/Systems Development Group
>Computing and Communications Services Office (CCSO)
>University of Illinois at Urbana-Champaign (UIUC)
>[EMAIL PROTECTED]
>

  - Boris





Re: Tomcat & SSL

2001-04-24 Thread Jeff Kilbride

Correct. Apache stops serving mod_jk requests. However, apache itself
doesn't die. It will go on happily serving .html, .php, mod_perl, etc...

Just don't want to give anyone the impression that the entire apache server
locks up when Tomcat is restarted.

Thanks,
--jeff

- Original Message -
From: "Joel Parramore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 3:47 PM
Subject: Re: Tomcat & SSL


>
> When I've had to kill Tomcat on my setup, Apache locks up and requires a
> restart, even after restarting Tomcat.
>
> Also, according to the mod_jk FAQ:
>
>
http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8
>
> "Q. Whenever I restart Tomcat, Apache locks up!
> A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
> you restart Tomcat, you need to restart Apache as well."
>
> which was pretty much my own experience,
>
> Regards,
> Joel Parramore
>
>
> - Original Message -
> From: "Jeff Kilbride" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 24, 2001 6:38 PM
> Subject: Re: Tomcat & SSL
>
>
> > Well, apache doesn't die, per se -- it just doesn't respond to
connections
> > from Tomcat until restarted.
> >
> > --jeff
> >
> > - Original Message -
> > From: "Joel Parramore" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, April 24, 2001 3:31 PM
> > Subject: Re: Tomcat & SSL
> >
> >
> > >
> > >
> > > Using ajp13 with Apache and Tomcat holds open a socket for requests
> > between
> > > the two as opposed to opening a socket  for every request (ajp12).
> > Shutting
> > > down Tomcat apparently does not gracefully allow Apache to deal with
the
> > > socket suddenly closing, so Apache dies as well.
> > >
> > > Regards,
> > > Joel Parramore
> > >
> > >
> > > - Original Message -
> > > From: "Milt Epstein" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, April 24, 2001 5:37 PM
> > > Subject: RE: Tomcat & SSL
> > >
> > >
> > > > On Tue, 24 Apr 2001, GOMEZ Henri wrote:
> > > >
> > > > > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > > > > >> apache-mod_ssl, running with mod_jk
> > > > > >>
> > > > > >> -- mod_jserv won't work if you want to use SSL
> > > > > >>
> > > > > >> Is the above true?  And also, if my web server is
> IPlanet/Netscape
> > or
> > > > > >> IIS, do those redirectors provide SSL support?
> > > > > >>
> > > > > >> Any help would be greatly appreciated!  Please cc:
> [EMAIL PROTECTED]
> > > > > >
> > > > > >Well, I can't answer all your questions, but I am using Apache,
> > > > > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one
> would
> > > > > >seem to be "no, it's false" :-).
> > > > >
> > > > > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > > > > support much more servers (Apache, IIS, IPlanet/NES, jni).
> > > > >
> > > > > And that the part of the connector area which is the more
actively
> > > > > maintained.
> > > >
> > > > Wasn't there something about tomcat being more difficult to restart
> > > > when using ajp13?  Like apache had to be restarted as well?  If
true,
> > > > I think that's too big an inconvenience to warrant switching.
> > > >
> > > > Milt Epstein
> > > > Research Programmer
> > > > Software/Systems Development Group
> > > > Computing and Communications Services Office (CCSO)
> > > > University of Illinois at Urbana-Champaign (UIUC)
> > > > [EMAIL PROTECTED]
> > >
>




Re: Tomcat & SSL

2001-04-24 Thread Wolle



Joel Parramore wrote:

> When I've had to kill Tomcat on my setup, Apache locks up and requires a
> restart, even after restarting Tomcat.
>
> Also, according to the mod_jk FAQ:
>
> http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8
>
> "Q. Whenever I restart Tomcat, Apache locks up!
> A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
> you restart Tomcat, you need to restart Apache as well."
>
> which was pretty much my own experience,
>
> Regards,
> Joel Parramore
>

-> mmh, I haven't had this.
  When I shut down only the Tomcat Server, apache will show an internal Server
error, until Tomcat is back up ..(Tomcat3.2.2b2 and apache 1.3.17-10)..

Greetings,
Michael

>
> - Original Message -
> From: "Jeff Kilbride" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 24, 2001 6:38 PM
> Subject: Re: Tomcat & SSL
>
> > Well, apache doesn't die, per se -- it just doesn't respond to connections
> > from Tomcat until restarted.
> >
> > --jeff
> >
> > - Original Message -
> > From: "Joel Parramore" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, April 24, 2001 3:31 PM
> > Subject: Re: Tomcat & SSL
> >
> >
> > >
> > >
> > > Using ajp13 with Apache and Tomcat holds open a socket for requests
> > between
> > > the two as opposed to opening a socket  for every request (ajp12).
> > Shutting
> > > down Tomcat apparently does not gracefully allow Apache to deal with the
> > > socket suddenly closing, so Apache dies as well.
> > >
> > > Regards,
> > > Joel Parramore
> > >
> > >
> > > - Original Message -
> > > From: "Milt Epstein" <[EMAIL PROTECTED]>
> > > To: <[EMAIL PROTECTED]>
> > > Sent: Tuesday, April 24, 2001 5:37 PM
> > > Subject: RE: Tomcat & SSL
> > >
> > >
> > > > On Tue, 24 Apr 2001, GOMEZ Henri wrote:
> > > >
> > > > > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > > > > >> apache-mod_ssl, running with mod_jk
> > > > > >>
> > > > > >> -- mod_jserv won't work if you want to use SSL
> > > > > >>
> > > > > >> Is the above true?  And also, if my web server is
> IPlanet/Netscape
> > or
> > > > > >> IIS, do those redirectors provide SSL support?
> > > > > >>
> > > > > >> Any help would be greatly appreciated!  Please cc:
> [EMAIL PROTECTED]
> > > > > >
> > > > > >Well, I can't answer all your questions, but I am using Apache,
> > > > > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one
> would
> > > > > >seem to be "no, it's false" :-).
> > > > >
> > > > > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > > > > support much more servers (Apache, IIS, IPlanet/NES, jni).
> > > > >
> > > > > > And that the part of the connector area which is the more actively
> > > > > maintained.
> > > >
> > > > Wasn't there something about tomcat being more difficult to restart
> > > > when using ajp13?  Like apache had to be restarted as well?  If true,
> > > > I think that's too big an inconvenience to warrant switching.
> > > >
> > > > Milt Epstein
> > > > Research Programmer
> > > > Software/Systems Development Group
> > > > Computing and Communications Services Office (CCSO)
> > > > University of Illinois at Urbana-Champaign (UIUC)
> > > > [EMAIL PROTECTED]
> > >




Re: Tomcat & SSL

2001-04-24 Thread Joel Parramore


Maybe... I don't understand the compatibility mode that mod_jk uses to
support ajp12, I admit (same transmission protocol, but with the socket
still held open?)  The setup that I'm using actually uses ajp12 with mod_jk
and I thought I'd encountered the same problem.  I think I will check on
that and get back to you, though.

Regards,
Joel Parramore


- Original Message -
From: "Milt Epstein" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 6:39 PM
Subject: Re: Tomcat & SSL


> On Tue, 24 Apr 2001, Joel Parramore wrote:
>
> > Using ajp13 with Apache and Tomcat holds open a socket for requests
> > between the two as opposed to opening a socket for every request
> > (ajp12).  Shutting down Tomcat apparently does not gracefully allow
> > Apache to deal with the socket suddenly closing, so Apache dies as
> > well.
>
> But some others indicated that if you kept around ajp12 as well, you
> could use that for shutdown, and that would avoid the problem.  Is
> that not correct?
>
>
> > - Original Message -
> > From: "Milt Epstein" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, April 24, 2001 5:37 PM
> > Subject: RE: Tomcat & SSL
> >
> >
> > > On Tue, 24 Apr 2001, GOMEZ Henri wrote:
> > >
> > > > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > > > >> apache-mod_ssl, running with mod_jk
> > > > >>
> > > > >> -- mod_jserv won't work if you want to use SSL
> > > > >>
> > > > >> Is the above true?  And also, if my web server is
IPlanet/Netscape or
> > > > >> IIS, do those redirectors provide SSL support?
> > > > >>
> > > > >> Any help would be greatly appreciated!  Please cc:
[EMAIL PROTECTED]
> > > > >
> > > > >Well, I can't answer all your questions, but I am using Apache,
> > > > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one
would
> > > > >seem to be "no, it's false" :-).
> > > >
> > > > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > > > support much more servers (Apache, IIS, IPlanet/NES, jni).
> > > >
> > > > > And that the part of the connector area which is the more actively
> > > > maintained.
> > >
> > > Wasn't there something about tomcat being more difficult to restart
> > > when using ajp13?  Like apache had to be restarted as well?  If true,
> > > I think that's too big an inconvenience to warrant switching.
> > >
> > > Milt Epstein
> > > Research Programmer
> > > Software/Systems Development Group
> > > Computing and Communications Services Office (CCSO)
> > > University of Illinois at Urbana-Champaign (UIUC)
> > > [EMAIL PROTECTED]
> >
>
> Milt Epstein
> Research Programmer
> Software/Systems Development Group
> Computing and Communications Services Office (CCSO)
> University of Illinois at Urbana-Champaign (UIUC)
> [EMAIL PROTECTED]
>




Re: Tomcat & SSL

2001-04-24 Thread Joel Parramore


When I've had to kill Tomcat on my setup, Apache locks up and requires a
restart, even after restarting Tomcat.

Also, according to the mod_jk FAQ:

http://jakarta.apache.org/tomcat/jakarta-tomcat/src/doc/mod_jk-howto.html#s8

"Q. Whenever I restart Tomcat, Apache locks up!
A. The Ajp13 protocol keeps an open socket between Tomcat and Apache. When
you restart Tomcat, you need to restart Apache as well."

which was pretty much my own experience,

Regards,
Joel Parramore


- Original Message -
From: "Jeff Kilbride" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 6:38 PM
Subject: Re: Tomcat & SSL


> Well, apache doesn't die, per se -- it just doesn't respond to connections
> from Tomcat until restarted.
>
> --jeff
>
> - Original Message -
> From: "Joel Parramore" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 24, 2001 3:31 PM
> Subject: Re: Tomcat & SSL
>
>
> >
> >
> > Using ajp13 with Apache and Tomcat holds open a socket for requests
> between
> > the two as opposed to opening a socket  for every request (ajp12).
> Shutting
> > down Tomcat apparently does not gracefully allow Apache to deal with the
> > socket suddenly closing, so Apache dies as well.
> >
> > Regards,
> > Joel Parramore
> >
> >
> > - Original Message -
> > From: "Milt Epstein" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Tuesday, April 24, 2001 5:37 PM
> > Subject: RE: Tomcat & SSL
> >
> >
> > > On Tue, 24 Apr 2001, GOMEZ Henri wrote:
> > >
> > > > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > > > >> apache-mod_ssl, running with mod_jk
> > > > >>
> > > > >> -- mod_jserv won't work if you want to use SSL
> > > > >>
> > > > >> Is the above true?  And also, if my web server is
IPlanet/Netscape
> or
> > > > >> IIS, do those redirectors provide SSL support?
> > > > >>
> > > > >> Any help would be greatly appreciated!  Please cc:
[EMAIL PROTECTED]
> > > > >
> > > > >Well, I can't answer all your questions, but I am using Apache,
> > > > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one
would
> > > > >seem to be "no, it's false" :-).
> > > >
> > > > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > > > support much more servers (Apache, IIS, IPlanet/NES, jni).
> > > >
> > > > > And that the part of the connector area which is the more actively
> > > > maintained.
> > >
> > > Wasn't there something about tomcat being more difficult to restart
> > > when using ajp13?  Like apache had to be restarted as well?  If true,
> > > I think that's too big an inconvenience to warrant switching.
> > >
> > > Milt Epstein
> > > Research Programmer
> > > Software/Systems Development Group
> > > Computing and Communications Services Office (CCSO)
> > > University of Illinois at Urbana-Champaign (UIUC)
> > > [EMAIL PROTECTED]
> >




Re: Tomcat & SSL

2001-04-24 Thread David Wall

> ajp13 used to have a bug that caused problems when performing binary file
> uploads (like jpeg images, for example).
> We had to drop back to ajp12 for that reason.
> Has the bug been fixed?

The version in the 3.2.2beta seems to work just fine for file uploads, at
least when using the Jason Hunter MultiPart classes.

David




Re: Tomcat & SSL

2001-04-24 Thread David Wall

> Make me a favour, switch to mod_jk and ajp13 which is faster and
> support much more servers (Apache, IIS, IPlanet/NES, jni).
>
> And that the part of the connector area which is the more actively
> maintained.

What's unfortunate, though, is that it doesn't grab ALL of the SSL
environment variables, and it's missing one I think is a critical one,
SSL_CIPHER_USEKEYSIZE, because that one tells you whether someone is coming
in with a weak or strong keysize.  It's often important to know whether 40,
56 or 128 bits are being used, especially for a site that wants to ensure
strong encryption is being used to prevent eavesdroppers from hacking
passcodes and the like.

David
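
A front-end alternative to the servlet-side check discussed above, as an added example that is not part of the original thread: when the connector does not forward SSL_CIPHER_USEKEYSIZE, mod_ssl can enforce the minimum key size itself before the request is handed to mod_jk. The path `/secure-app` is a hypothetical placeholder for the application mapped to Tomcat; `SSLRequireSSL` and `SSLRequire` are mod_ssl directives.

```apache
# Added example, not from the thread. "/secure-app" is a hypothetical
# path for the web application that mod_jk forwards to Tomcat.
<Location /secure-app>
    # Refuse any request to this path that did not arrive over SSL.
    SSLRequireSSL

    # SSL_CIPHER_USEKEYSIZE is the number of cipher bits actually in use
    # for the negotiated session (40 or 56 for export-grade suites,
    # 128 or more otherwise). A request negotiated below 128 bits is
    # denied by Apache and never reaches the connector or the servlet,
    # so the application does not need to see the variable at all.
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128
</Location>
```

Denied requests show up as 403 responses in the Apache access log, which gives a simple way to count clients that still negotiate weak ciphers.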




Re: Tomcat & SSL

2001-04-24 Thread Milt Epstein

On Tue, 24 Apr 2001, Joel Parramore wrote:

> Using ajp13 with Apache and Tomcat holds open a socket for requests
> between the two as opposed to opening a socket for every request
> (ajp12).  Shutting down Tomcat apparently does not gracefully allow
> Apache to deal with the socket suddenly closing, so Apache dies as
> well.

But some others indicated that if you kept around ajp12 as well, you
could use that for shutdown, and that would avoid the problem.  Is
that not correct?


> - Original Message -
> From: "Milt Epstein" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 24, 2001 5:37 PM
> Subject: RE: Tomcat & SSL
>
>
> > On Tue, 24 Apr 2001, GOMEZ Henri wrote:
> >
> > > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > > >> apache-mod_ssl, running with mod_jk
> > > >>
> > > >> -- mod_jserv won't work if you want to use SSL
> > > >>
> > > >> Is the above true?  And also, if my web server is IPlanet/Netscape or
> > > >> IIS, do those redirectors provide SSL support?
> > > >>
> > > >> Any help would be greatly appreciated!  Please cc: [EMAIL PROTECTED]
> > > >
> > > >Well, I can't answer all your questions, but I am using Apache,
> > > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one would
> > > >seem to be "no, it's false" :-).
> > >
> > > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > > support much more servers (Apache, IIS, IPlanet/NES, jni).
> > >
> > > > And that the part of the connector area which is the more actively
> > > maintained.
> >
> > Wasn't there something about tomcat being more difficult to restart
> > when using ajp13?  Like apache had to be restarted as well?  If true,
> > I think that's too big an inconvenience to warrant switching.
> >
> > Milt Epstein
> > Research Programmer
> > Software/Systems Development Group
> > Computing and Communications Services Office (CCSO)
> > University of Illinois at Urbana-Champaign (UIUC)
> > [EMAIL PROTECTED]
>

Milt Epstein
Research Programmer
Software/Systems Development Group
Computing and Communications Services Office (CCSO)
University of Illinois at Urbana-Champaign (UIUC)
[EMAIL PROTECTED]




Re: Tomcat & SSL

2001-04-24 Thread Jeff Kilbride

Well, apache doesn't die, per se -- it just doesn't respond to connections
from Tomcat until restarted.

--jeff

- Original Message -
From: "Joel Parramore" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 3:31 PM
Subject: Re: Tomcat & SSL


>
>
> Using ajp13 with Apache and Tomcat holds open a socket for requests
between
> the two as opposed to opening a socket  for every request (ajp12).
Shutting
> down Tomcat apparently does not gracefully allow Apache to deal with the
> socket suddenly closing, so Apache dies as well.
>
> Regards,
> Joel Parramore
>
>
> - Original Message -
> From: "Milt Epstein" <[EMAIL PROTECTED]>
> To: <[EMAIL PROTECTED]>
> Sent: Tuesday, April 24, 2001 5:37 PM
> Subject: RE: Tomcat & SSL
>
>
> > On Tue, 24 Apr 2001, GOMEZ Henri wrote:
> >
> > > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > > >> apache-mod_ssl, running with mod_jk
> > > >>
> > > >> -- mod_jserv won't work if you want to use SSL
> > > >>
> > > >> Is the above true?  And also, if my web server is IPlanet/Netscape
or
> > > >> IIS, do those redirectors provide SSL support?
> > > >>
> > > >> Any help would be greatly appreciated!  Please cc: [EMAIL PROTECTED]
> > > >
> > > >Well, I can't answer all your questions, but I am using Apache,
> > > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one would
> > > >seem to be "no, it's false" :-).
> > >
> > > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > > support much more servers (Apache, IIS, IPlanet/NES, jni).
> > >
> > > > And that the part of the connector area which is the more actively
> > > maintained.
> >
> > Wasn't there something about tomcat being more difficult to restart
> > when using ajp13?  Like apache had to be restarted as well?  If true,
> > I think that's too big an inconvenience to warrant switching.
> >
> > Milt Epstein
> > Research Programmer
> > Software/Systems Development Group
> > Computing and Communications Services Office (CCSO)
> > University of Illinois at Urbana-Champaign (UIUC)
> > [EMAIL PROTECTED]
>




Re: Tomcat & SSL

2001-04-24 Thread Joel Parramore



Using ajp13 with Apache and Tomcat holds open a socket for requests between
the two as opposed to opening a socket  for every request (ajp12).  Shutting
down Tomcat apparently does not gracefully allow Apache to deal with the
socket suddenly closing, so Apache dies as well.

Regards,
Joel Parramore


- Original Message -
From: "Milt Epstein" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Tuesday, April 24, 2001 5:37 PM
Subject: RE: Tomcat & SSL


> On Tue, 24 Apr 2001, GOMEZ Henri wrote:
>
> > >> -- SSL is only supported for Apache, and you need Apache-SSL or
> > >> apache-mod_ssl, running with mod_jk
> > >>
> > >> -- mod_jserv won't work if you want to use SSL
> > >>
> > >> Is the above true?  And also, if my web server is IPlanet/Netscape or
> > >> IIS, do those redirectors provide SSL support?
> > >>
> > >> Any help would be greatly appreciated!  Please cc: [EMAIL PROTECTED]
> > >
> > >Well, I can't answer all your questions, but I am using Apache,
> > >mod_ssl, tomcat, and mod_jserv, so the answer to your last one would
> > >seem to be "no, it's false" :-).
> >
> > Make me a favour, switch to mod_jk and ajp13 which is faster and
> > support much more servers (Apache, IIS, IPlanet/NES, jni).
> >
> > And that the part of the connector area which is the more actively
> > maintained.
>
> Wasn't there something about tomcat being more difficult to restart
> when using ajp13?  Like apache had to be restarted as well?  If true,
> I think that's too big an inconvenience to warrant switching.
>
> Milt Epstein
> Research Programmer
> Software/Systems Development Group
> Computing and Communications Services Office (CCSO)
> University of Illinois at Urbana-Champaign (UIUC)
> [EMAIL PROTECTED]




Re: Tomcat & SSL

2001-04-24 Thread Wolle



Sam Newman wrote:

> You might have problems detecting if you are working over a secure
> connection. See if the isSecure() method works in a servlet when working
> over SSL.

-> and for that you need the ajp13 protocol; with ajp12 the isSecure method
will mostly not work correctly.


>
>
> sam
> > > mod_jserv didn't support SSL neither ajp12. You must use mod_jk
> > > with ajp13 to get SSL info forwarded from Apache to Tomcat.
> > [ ... ]
> >
> > Can you clarify what you mean by this?  Because I'm using Apache with
> > mod_ssl, and Tomcat with mod_jserv, and things are working just fine.
> > Perhaps there's some functionality I don't have, but I guess I haven't
> > needed it yet.
> >

--
__
Regards,
Wolle

---
  [EMAIL PROTECTED]
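
One way to check from the Tomcat side whether the connector is forwarding SSL state, as discussed in this thread. This is an added example, not code from any of the posters; the class name SslInfoServlet is hypothetical, and it uses only standard Servlet API calls and request attributes.

```java
import java.io.IOException;
import java.io.PrintWriter;
import java.security.cert.X509Certificate;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical diagnostic servlet: reports what Tomcat knows about the
// transport of the current request. Map it to a URL and request it once
// over http:// and once over https:// through Apache.
public class SslInfoServlet extends HttpServlet {

    // Standard Servlet API attribute names for SSL information.
    private static final String CIPHER = "javax.servlet.request.cipher_suite";
    private static final String KEY_SIZE = "javax.servlet.request.key_size";
    private static final String CERTS = "javax.servlet.request.X509Certificate";

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        resp.setContentType("text/plain");
        PrintWriter out = resp.getWriter();

        boolean secure = req.isSecure();
        out.println("isSecure():    " + secure);
        out.println("getScheme():   " + req.getScheme());
        out.println("server port:   " + req.getServerPort());
        out.println("cipher suite:  " + show(req.getAttribute(CIPHER)));
        out.println("key size:      " + show(req.getAttribute(KEY_SIZE)));

        // The client certificate chain is only present when the front-end
        // requested one and the connector passed it on.
        Object certs = req.getAttribute(CERTS);
        if (certs instanceof X509Certificate[] && ((X509Certificate[]) certs).length > 0) {
            X509Certificate leaf = ((X509Certificate[]) certs)[0];
            out.println("client cert:   " + leaf.getSubjectDN().getName());
        } else {
            out.println("client cert:   (none presented or not forwarded)");
        }

        // If the browser URL was https:// but this prints, the web server
        // terminated SSL and the connector did not tell Tomcat about it.
        if (!secure) {
            out.println("NOTE: Tomcat sees this request as non-secure.");
        }
    }

    private static String show(Object value) {
        return value == null ? "(not set)" : value.toString();
    }
}
```

Any application logic that relies on isSecure() for transport checks or secure-only redirects depends on these values being correct behind the connector.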




