SSL configuration for Tomcat 9

2022-07-15 Thread Vince Stewart
My system uses embedded Tomcat to connect to an HttpServlet instance.
I have just upgraded from Tomcat 8.0.2 to 9.0.64.
I am implementing SSL for the first time.

I created a keystore with no alias; keytool gave it the alias "mykey" (2nd
entry below).
I imported an issued PEM certificate (4 items in chain).
The final item in the chain has the alias "tomcat" as per
https://tomcat.apache.org/tomcat-8.5-doc/ssl-howto.html#Importing_the_Certificate
(The same documentation recommends the keystore alias also be 'tomcat', but
if the keystore and the issued certificate are both given the same alias
(i.e. 'tomcat'), keytool will import the final entry as "self generated" and
throw an error.) Here is my abbreviated keystore list using alias 'mykey'
for the keystore.
Keystore listing:
Keystore type: PKCS12
Keystore provider: SUN
Your keystore contains 5 entries
intermediate, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 68:B9:C7:61...
intermediate2, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 7F:A4:FF:68...
mykey, 16/07/2022, PrivateKeyEntry,
Certificate fingerprint (SHA-256): 36:F8:64:73...
root, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): D7:A7:A0:FB...
tomcat, 16/07/2022, trustedCertEntry,
Certificate fingerprint (SHA-256): 36:A9:B7:A9...


Here is my startup code (no server.xml file)


import java.io.File;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.net.SSLHostConfig;

Tomcat tomcat = new Tomcat();
tomcat.setPort(PATHS.getPortNumber());
Connector c = tomcat.getConnector();
c.setSecure(true);
c.setScheme("https");
c.setProperty("SSLEnabled", "true"); // crucial bit of code
SSLHostConfig ss = new SSLHostConfig();
// ss.setHostName("localhost"); // this breaks the init process - leave as "_default_"
// if set to 'tomcat', init will throw "Alias name [tomcat] does not identify a key entry"
ss.setCertificateKeyAlias("mykey");
ss.setCertificateKeystorePassword("changit");
ss.setCertificateKeystoreFile(PATHS.getHomePath() + "/ks/mykeystor.jks");
ss.setCertificateKeystoreType("PKCS12");
ss.setCertificateKeystoreProvider("SUN");
c.addSslHostConfig(ss);
org.apache.catalina.Context ctx = tomcat.addContext("", new File(".").getAbsolutePath());
Tomcat.addServlet(ctx, "myApp", new MyApp());
ctx.addServletMappingDecoded("/*", "myApp");
Logr.s("connector scheme " + c.getScheme());
Logr.s("connector SSLEnabled " + c.getProperty("SSLEnabled"));
Logr.s("connector redirect " + c.getRedirectPort()); // defaults to 443
Logr.s("connector protocol " + c.getProtocol());
tomcat.start();
tomcat.getServer().await();

When I use "tomcat" as the alias for the keystore, I cannot load the final
issued certificate without an error. If I use "mykey" as the keystore alias,
everything seems to be working, but the certificate returned to the browser
is not the domain-specific certified certificate but a certificate
generated with the certificate keystore fingerprint. In a properly
operating implementation, what certificate should be returned to the
browser?
I'm obviously doing something wrong. But what?
-- 
Vince Stewart
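As an added diagnostic (not code from the post above and not part of Tomcat), the program below opens the keystore an SSLHostConfig points at and prints the certificate chain stored with the PrivateKeyEntry named by certificateKeyAlias. That chain is what Tomcat's JSSE connector presents to clients, so it is the keystore-side answer to "what certificate should the browser get". A CA-issued certificate that was imported under its own alias rather than into the key entry shows up as a separate trustedCertEntry carrying the same public key; the program flags such entries because they are not part of what gets served. The class name KeystoreChainCheck and its command-line arguments are my own; the keystore file, password and alias are whatever the connector is configured with (in the listing above, note that the "mykey" and "tomcat" entries have different fingerprints).

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.Collections;
import java.util.List;

// Added diagnostic, not from the mailing-list post. Usage (assumed arguments):
//   java KeystoreChainCheck <keystore-file> <password> <certificateKeyAlias>
public class KeystoreChainCheck {

    // SHA-256 fingerprint in the AA:BB:CC form that keytool -list prints, so the
    // output can be compared line by line with a keytool listing.
    static String fingerprint(Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < digest.length; i++) {
            if (i > 0) sb.append(':');
            sb.append(String.format("%02X", digest[i]));
        }
        return sb.toString();
    }

    static String subject(Certificate cert) {
        if (cert instanceof X509Certificate) {
            return ((X509Certificate) cert).getSubjectX500Principal().getName();
        }
        return cert.getType();
    }

    // True when both certificates carry the same public key, i.e. one is the
    // CA-issued certificate for the key pair the other (self-signed) one was made with.
    static boolean sameKey(Certificate a, Certificate b) {
        return Arrays.equals(a.getPublicKey().getEncoded(), b.getPublicKey().getEncoded());
    }

    public static void main(String[] args) throws Exception {
        if (args.length != 3) {
            System.err.println("usage: KeystoreChainCheck <keystore-file> <password> <keyAlias>");
            System.exit(2);
        }
        String keyAlias = args[2];
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, args[1].toCharArray());
        }

        if (!ks.isKeyEntry(keyAlias)) {
            // This is the situation behind Tomcat's start-up error
            // "Alias name [...] does not identify a key entry".
            System.out.println("alias '" + keyAlias + "' is not a PrivateKeyEntry; Tomcat cannot use it");
            System.exit(1);
        }

        // This chain, leaf first, is what the JSSE connector sends to clients.
        Certificate[] chain = ks.getCertificateChain(keyAlias);
        System.out.println("chain served for key alias '" + keyAlias + "' (" + chain.length + " certificate(s)):");
        for (int i = 0; i < chain.length; i++) {
            System.out.println("  [" + i + "] " + subject(chain[i]));
            System.out.println("      SHA-256: " + fingerprint(chain[i]));
        }
        Certificate leaf = chain[0];

        // trustedCertEntry items that belong to the same key pair but are not in
        // the served chain: an issued certificate imported under a separate alias
        // lands here instead of replacing the key entry's chain.
        List<String> aliases = Collections.list(ks.aliases());
        boolean strayIssuedCert = false;
        for (String alias : aliases) {
            if (!ks.isCertificateEntry(alias)) continue;
            Certificate c = ks.getCertificate(alias);
            boolean inChain = false;
            for (Certificate member : chain) {
                if (Arrays.equals(member.getEncoded(), c.getEncoded())) inChain = true;
            }
            if (!inChain && sameKey(c, leaf)) {
                strayIssuedCert = true;
                System.out.println("trustedCertEntry '" + alias + "' has the same public key as '"
                        + keyAlias + "' but is not in its chain; clients will NOT receive it");
                System.out.println("  subject: " + subject(c));
                System.out.println("  SHA-256: " + fingerprint(c));
            }
        }
        if (chain.length == 1 && !strayIssuedCert) {
            System.out.println("note: served chain has a single certificate (self-signed?)");
        }
    }
}
```

Run it with the same file, password and alias the startup code passes to SSLHostConfig. A served chain of length 1 plus a flagged trustedCertEntry means the issued certificate is in the store but not attached to the key entry, so a browser will see the key entry's own certificate rather than the CA-issued one; keytool only replaces a key entry's chain when the certificate reply is imported under that key entry's alias.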


Re: Tomcat 9.0.62: Setting STRICT_SERVLET_COMPLIANCE to true breaks Tomcat Single Sign On

2022-07-15 Thread Wenshiuan Tang
Mark,

Thanks for the comments.  Yes, LegacyCookieProcessor gets invoked in my
case, not the default Rfc6265CookieProcessor as documented at Tomcat 9
Cookie Processor Component (
https://tomcat.apache.org/tomcat-9.0-doc/config/cookie-processor.html). I
enabled debugging for a few components:

- "org.apache.catalina.connector"
- "org.apache.catalina.valves"
- "org.apache.catalina.valves"
- "org.apache.catalina.realm"
- "org.apache.tomcat.util.http"

I could see that the cookie in the request to web app #2 only contains
JSESSIONID, not other cookies that are added in the response from web app
#1 after successful authentication. When the parameter
STRICT_SERVLET_COMPLIANCE is false (default), other cookies in the response
from web app #1 are present in requests to other web apps.

I wonder whether the browser clients behave differently because the cookie
path "/" was double-quoted like "\"/\""?!  If the possible cause is on the
client side (browsers), I am not sure if there is anything I can do about
it on the server side.

Again, thanks for your help and any further comment is very appreciated.
Thanks a lot in advance.

Regards,
Wenshiuan Tang


Publishing Tomcat webapp

2022-07-15 Thread Jasmin Ćatić
Hello,

Can someone please give me a step by step guide on how to make my tomcat
webapp available online with a domain name.
Thanks.

Regards,
JC


Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-15 Thread Thomas Hoffmann (Speed4Trade GmbH)
Hello,

Did you hijack that topic, or is it related to it?
If it's a new topic, please start a new thread with an appropriate subject.

Thanks!

> -Original Message-
> From: Jasmin Ćatić 
> Sent: Friday, 15 July 2022 10:56
> To: Tomcat Users List 
> Subject: Re: [OT] issues with Tomcat to Siteminder communication post mod-
> proxy setup
> 
> Hello,
> 
> Can someone please give me a step by step guide on how to make my
> tomcat webapp available online with a domain name.
> Thanks.
> 
> Regards,
> JC
> 
> Wed, 13 Jul 2022 at 18:31,  wrote:
> 
> > Could this potentially be caused by
> > <Listener className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
> >
> > But not using Tomcat Native?
> >
> > Thanks,
> >
> > Dream * Excel * Explore * Inspire
> > Jon McAlexander
> > Senior Infrastructure Engineer
> > Asst. Vice President
> > He/His
> >
> > Middleware Product Engineering
> > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> >
> > 8080 Cobblestone Rd | Urbandale, IA 50322
> > MAC: F4469-010
> > Tel 515-988-2508 | Cell 515-988-2508
> >
> > jonmcalexan...@wellsfargo.com
> > This message may contain confidential and/or privileged information.
> > If you are not the addressee or authorized to receive this for the
> > addressee, you must not use, copy, disclose, or take any action based
> > on this message or any information herein. If you have received this
> > message in error, please advise the sender immediately by reply e-mail
> > and delete this message. Thank you for your cooperation.
> >
> >
> > > -Original Message-
> > > From: Thomas Hoffmann (Speed4Trade GmbH)
> > > 
> > > Sent: Wednesday, July 13, 2022 11:28 AM
> > > To: Tomcat Users List 
> > > Subject: Re: [OT] issues with Tomcat to Siteminder communication
> > > post mod-proxy setup
> > >
> > > Hello,
> > >
> > > > -Original Message-
> > > > From: jonmcalexan...@wellsfargo.com.INVALID
> > > > 
> > > > Sent: Wednesday, 13 July 2022 18:17
> > > > To: users@tomcat.apache.org
> > > > Subject: RE: [OT] issues with Tomcat to Siteminder communication
> > > > post
> > > > mod- proxy setup
> > > >
> > > > Here is the error we are getting. The login form, hosted by
> > > > Tomcat, does a POST to the /login/login.fcc for siteminder which
> > > > is on the HTTPD server and is not behind the proxypass or
> proxypassreverse.
> > > >
> > > > javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12
> > > > 13:12:49.399
> > > > PDT|SSLSocketImpl.java:1615|close the SSL connection (passive)
> > > > PDT|
> > > > PDT|12
> > > > Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT:
> > > >  Unable to get Channel Secure Session: Unable to perform
> > > > siteminder handshake
> > > > java.lang.Exception: Unable to perform siteminder handshake
> > > >
> > > > Our SiteMinder team is telling us it's not their issue. Again,
> > > > this POST worked fine when using mod_jk and SSL wasn't enabled for
> > > connection on Tomcat.
> > > >
> > > > Thanks,
> > > >
> > >
> > > This error message is most likely thrown by the application and not
> > > by tomcat.
> > > The underlying error would be important including the full stack below.
> > > Are there some "caused by" Exceptions below?
> > > Otherwise the siteminder application is hiding the underlying Exception.
> > >
> > >
> > > > jonmcalexan...@wellsfargo.com
> > > >
> > > >
> > > > > -Original Message-
> > > > > From: jonmcalexan...@wellsfargo.com.INVALID
> > > > > 
> > > > > Sent: Tuesday, July 12, 2022 5:22 PM
> > > > > To: users@tomcat.apache.org
> > > > > Subject: RE: [OT] issues with Tomcat to Siteminder communication
> > > > > post
> > > > > mod- proxy setup
> > > > >
> > > > > I'm wondering if it is having to do with the SMSESSION cookie
> > > > > not getting passed correctly. Still trying to figure this one out.
> > > > >
> > > > > Thanks,
> > > > >
> > > > > Dream * Excel * Explore * Inspire Jon McAlexander Senior
> > > > > Infrastructure Engineer Asst. Vice President He/His
> > > > >
> > > > > Middleware Product Engineering
> > > > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> > > > >
> > > > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > > > MAC: F4469-010
> > > > > Tel 515-988-2508 | Cell 515-988-2508
> > > > >
> > > > > jonmcalexan...@wellsfargo.com

Re: [OT] issues with Tomcat to Siteminder communication post mod-proxy setup

2022-07-15 Thread Jasmin Ćatić
Hello,

Can someone please give me a step by step guide on how to make my tomcat
webapp available online with a domain name.
Thanks.

Regards,
JC

Wed, 13 Jul 2022 at 18:31,  wrote:

> Could this potentially be caused by
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
>
> But not using Tomcat Native?
>
> Thanks,
>
> Dream * Excel * Explore * Inspire
> Jon McAlexander
> Senior Infrastructure Engineer
> Asst. Vice President
> He/His
>
> Middleware Product Engineering
> Enterprise CIO | EAS | Middleware | Infrastructure Solutions
>
> 8080 Cobblestone Rd | Urbandale, IA 50322
> MAC: F4469-010
> Tel 515-988-2508 | Cell 515-988-2508
>
> jonmcalexan...@wellsfargo.com
>
>
> > -Original Message-
> > From: Thomas Hoffmann (Speed4Trade GmbH)
> > 
> > Sent: Wednesday, July 13, 2022 11:28 AM
> > To: Tomcat Users List 
> > Subject: Re: [OT] issues with Tomcat to Siteminder communication post
> > mod-proxy setup
> >
> > Hello,
> >
> > > -Original Message-
> > > From: jonmcalexan...@wellsfargo.com.INVALID
> > > 
> > > Sent: Wednesday, 13 July 2022 18:17
> > > To: users@tomcat.apache.org
> > > Subject: RE: [OT] issues with Tomcat to Siteminder communication post
> > > mod- proxy setup
> > >
> > > Here is the error we are getting. The login form, hosted by Tomcat,
> > > does a POST to the /login/login.fcc for siteminder which is on the
> > > HTTPD server and is not behind the proxypass or proxypassreverse.
> > >
> > > javax.net.ssl|DEBUG|96|https-jsse-nio-8305-exec-1|2022-07-12
> > > 13:12:49.399
> > > PDT|SSLSocketImpl.java:1615|close the SSL connection (passive) 
> > > PDT|12
> > > Jul 2022 13:12:49,399 ERROR [https-jsse-nio-8305-exec-1]: DEVT: 
> > > Unable to get Channel Secure Session: Unable to perform siteminder
> > > handshake
> > > java.lang.Exception: Unable to perform siteminder handshake
> > >
> > > Our SiteMinder team is telling us it's not their issue. Again, this
> > > POST worked fine when using mod_jk and SSL wasn't enabled for
> > connection on Tomcat.
> > >
> > > Thanks,
> > >
> >
> > This error message is most likely thrown by the application and not by
> > tomcat.
> > The underlying error would be important including the full stack below.
> > Are there some "caused by" Exceptions below?
> > Otherwise the siteminder application is hiding the underlying Exception.
> >
> >
> > > jonmcalexan...@wellsfargo.com
> > >
> > >
> > > > -Original Message-
> > > > From: jonmcalexan...@wellsfargo.com.INVALID
> > > > 
> > > > Sent: Tuesday, July 12, 2022 5:22 PM
> > > > To: users@tomcat.apache.org
> > > > Subject: RE: [OT] issues with Tomcat to Siteminder communication
> > > > post
> > > > mod- proxy setup
> > > >
> > > > I'm wondering if it is having to do with the SMSESSION cookie not
> > > > getting passed correctly. Still trying to figure this one out.
> > > >
> > > > Thanks,
> > > >
> > > > Dream * Excel * Explore * Inspire
> > > > Jon McAlexander
> > > > Senior Infrastructure Engineer
> > > > Asst. Vice President
> > > > He/His
> > > >
> > > > Middleware Product Engineering
> > > > Enterprise CIO | EAS | Middleware | Infrastructure Solutions
> > > >
> > > > 8080 Cobblestone Rd | Urbandale, IA 50322
> > > > MAC: F4469-010
> > > > Tel 515-988-2508 | Cell 515-988-2508
> > > >
> > > > jonmcalexan...@wellsfargo.com
> > > >
> > > > > -Original Message-
> > > > > From: Christopher Schultz 
> > > > > Sent: Tuesday, July 12, 2022 9:16 AM
> > > > > To: users@tomcat.apache.org
> > > > > Subject: Re: [OT] issues with Tomcat to Siteminder communication
> > > > > post
> > > > > mod- proxy setup
> > > > >
> > > > > Jon,
> > > > >
> > > > > On 7/8/22 16:48, jonm