SSLProtocol, TLS and Internet Explorer

2007-08-09 Thread Henderson,Nathan
We are having a problem with our standalone Tomcat server SSL connectors
and viewing servlets in Internet Explorer 7 on Windows Vista.

With the original config in the server.xml and SSLProtocol set to SSL
It works fine on IE6, and IE7 on XP.  It does not work on IE7 on Windows
Vista.

When the protocol is set to TLS, it works in IE7 on Vista, but not IE6.

You can get around this by turning off the Use TLS 1.0 option in IE7,
or turning this option on in IE6.  We do not feel this workaround
is sufficient for our needs.

We want a way to not have to make these changes.  I seriously think it
has to do with the Java we are using because of what I have seen in the
Tomcat docs.

The encryption/decryption protocol to be used on this socket. It is not
recommended to change this value if you are using Sun's JVM. It is
reported that IBM's 1.4.1 implementation of the TLS protocol is not
compatible with some popular browsers. In this case, use the value SSL.

We are using IBM Java 1.5.0
java version 1.5.0
Java(TM) 2 Runtime Environment, Standard Edition (build
pxi32dev-20060511 (SR2))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32
j9vmxi3223-20060504 (JIT enabled)
J9VM - 20060501_06428_lHdSMR
JIT  - 20060428_1800_r8
GC   - 20060501_AA)
JCL  - 20060511a
And Tomcat 5.5.20
Here is the Server.xml for the connector

<Connector address="XXX.XX.XXX.XX" port="443"
           maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="SSL"
           keystoreFile="/usr/local/bin/ice/sslcerts/.keystore"
           keystorePass="changeme" algorithm="IbmX509" />

Would we be able to fix this problem by going to Sun Java and redoing
the keystores and certificates?  Would this allow the TLS protocol to work
for all browsers?

Thanks in advance for the help!
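A check I added for this thread (not code from the original post, and not Tomcat's own code): Tomcat's JSSE socket factory hands the sslProtocol value to SSLContext.getInstance, so building a context for "SSL" and for "TLS" and reading the protocol list of a server socket created from each shows which protocol versions a given JVM offers under each setting. Run it once under the IBM 1.5 JVM that starts Tomcat and once under a Sun JVM and the difference the Tomcat doc note alludes to becomes visible; if one setting yields only SSLv3 and the other only TLSv1 on the IBM JVM, that by itself accounts for a browser split like the one described. The class name is mine, and the unbound createServerSocket() call assumes the JSSE provider implements it, which Sun's does.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import java.util.Arrays;

/**
 * Reports which protocol versions a server socket built from a given
 * SSLContext name ("SSL" or "TLS", the values Tomcat's sslProtocol
 * attribute is passed to SSLContext.getInstance) enables by default,
 * and which ones the JVM's JSSE provider could enable at all.
 * Run it with the same JVM that runs Tomcat.
 */
public class SslProtocolCheck {

    /** Protocols a server socket from this context enables by default. */
    public static String[] enabledProtocols(String contextName) throws Exception {
        SSLServerSocket ss = serverSocket(contextName);
        try {
            return ss.getEnabledProtocols();
        } finally {
            ss.close();
        }
    }

    /** Everything the provider could enable for this context. */
    public static String[] supportedProtocols(String contextName) throws Exception {
        SSLServerSocket ss = serverSocket(contextName);
        try {
            return ss.getSupportedProtocols();
        } finally {
            ss.close();
        }
    }

    private static SSLServerSocket serverSocket(String contextName) throws Exception {
        SSLContext ctx = SSLContext.getInstance(contextName);
        // null key/trust managers: provider defaults, enough to read protocol lists
        ctx.init(null, null, null);
        SSLServerSocketFactory factory = ctx.getServerSocketFactory();
        // unbound socket: no port is opened, we only inspect its configuration
        // (assumes the provider implements the no-argument createServerSocket)
        return (SSLServerSocket) factory.createServerSocket();
    }

    public static void main(String[] args) throws Exception {
        // compare the two values used in the thread unless others are given
        String[] names = args.length > 0 ? args : new String[] {"SSL", "TLS"};
        System.out.println("JVM: " + System.getProperty("java.vendor")
                + " " + System.getProperty("java.version"));
        for (String name : names) {
            System.out.println("sslProtocol=\"" + name + "\"");
            System.out.println("  enabled:   " + Arrays.toString(enabledProtocols(name)));
            System.out.println("  supported: " + Arrays.toString(supportedProtocols(name)));
        }
    }
}
```

Compile and run it with the JVM that starts Tomcat (`javac SslProtocolCheck.java && java SslProtocolCheck`), then repeat under the other JVM; the two "enabled" lines are what the browsers on each side of the split are negotiating against. For any current deployment SSLv3 is obsolete and only TLS versions should remain enabled, whichever JVM is used.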

Noobie Questions

2007-02-27 Thread Henderson,Nathan
I am a relative noobie when it comes to using the Tomcat software and
have a few questions.  I have been reading these threads for a few weeks
now and I know that a lot of the things discussed on here are out of my
league, but I just wanted to know what a few of you would do in my
situation.

OK we administer databases for higher education institutions, we also
set up and support all software for the databases.  This software
includes web access software.

We have 7 different clients, 14 databases (1 prod and 1 test for each
client), and 14 web sites for accessing information, 1 for each live and
test. 1 web server running RHEL and Tomcat 5.5.2; we also use 7 SSL
certs, one for each institution, which has the live name in it, so test
will still be secure, you just have to answer a prompt when visited or
install the cert.

It has been set up as the Tomcat standalone, the only way our software
vendor will support it.  And we have set up each servlet as its own
service in the server.xml.  Is this how you guys would have done it?
This is the only way we could apply different certs to the different
servlets.

This is probably everywhere on the net, but is there a way to bounce
these services independently from the Tomcat app itself?  Also, is it
possible to script the deployment and reload process?  I can't seem to
figure that out.


RE: Noobie Questions

2007-02-27 Thread Henderson,Nathan

-Original Message-
From: David Delbecq [mailto:[EMAIL PROTECTED] 
Sent: Tuesday, February 27, 2007 10:29 AM
To: Tomcat Users List
Subject: Re: Noobie Questions

At the precise moment of 27/02/07 15:25, Henderson,Nathan expressed himself in these
terms:
 We have 7 different clients, 14 databases(1 prod and 1 test for each 
 client), and 14 web sites for accessing information 1 for each live 
 and test. 1 Web Server running RHEL and tomcat 5.5.2 we also use 7 SSL 
 certs, on for each institution which has the live name in it, so test 
 will still be secure you just have to answer a prompt when visited or 
 install the cert.
   
Are those client certificates? (identifying the client based on a client
certificate residing next to Internet Explorer or Firefox) Or are those server
certificates (allowing SSL encryption of transmission
+ authentication of the server, but client authentication is still done
using a simple user + password method)?

  We use server certificates

Based on your answer, the interpretation of your main question is totally
different :) I will go on assuming you speak of server certificates, as those are
more frequently used than SSLClientAuth.

So you say you have a different 'entry' in server.xml for each 'servlet'
?! Do you mean different Connectors, different Hosts or different Contexts? (A
connector can contain several hosts, which in turn can contain several contexts
(web applications), which each have several servlets.)

If what you need is to have
https://client1.company.com/client1/
https://client1-test.company.com/client1-test/
https://client2.company.com/client2/
https://client2-test.company.com/client2-test/
...

and have client1 and 2 present different certificates but have client1 and
client1-test present the same certificate, I would recommend:

connector 8080 (ssl=true) - host client1      - context client1
                          - host client1-test - context client1-test
connector 8081 (ssl=true) - host client2      - context client2
                          - host client2-test - context client2-test

In short, 1 connector per certificate. Why not a single connector for
everything? Because in HTTPS you have to present the server certificate to the client
before the client sends you the HTTP header containing the name of the virtual host he
tries to access. So you only have 2 possibilities to find out which certificate
to send to the client: either use the server IP of the connection (in your case, all
the same, so useless information), or use the port number (8080 is
certificate 1, 8081 is certificate 2, etc).



Note, in another possible configuration:
https://client1.company.com/client1/
https://client1.company.com/client1-test/
https://client2.company.com/client2/
https://client2.company.com/client2-test/
connector 8080 (ssl=true) - host client1 - context client1
                                         - context client1-test
connector 8081 (ssl=true) - host client2 - context client2
                                         - context client2-test

Not sure my information is helpful, I try to help you based on your information
:) Also, if you provide additional information, try to use the correct words (or
provide us with your server.xml file to make the discussion clear).

This is an entry from our server.xml for one of our connections. There are 14
just like this, with different IP addresses and names for each entry, of course;
I set up IP aliases on the NIC card for this purpose.

<Service name="xxtest">
  <Connector address="xxx.xx.xxx.xx" port="80" redirectPort="443"/>

  <!-- Define a SSL HTTP/1.1 Connector on port 443 -->

  <Connector address="xxx.xx.xxx.xx" port="443" maxHttpHeaderSize="8192"
             maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
             enableLookups="false" disableUploadTimeout="true"
             acceptCount="100" scheme="https" secure="true"
             clientAuth="false" sslProtocol="SSL"
             keystoreFile="/usr/local/bin/ice/sslcerts/.xxwalive"
             keystorePass="xx" algorithm="IbmX509" />

  <Engine name="xxtest" defaultHost="xxwatest.iceschools.org">
    <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
           resourceName="UserDatabase" />

    <!-- This Host is the Virtual Host: xxwatest -->
    <Host name="xxwatest.myorg.org" appBase="/usr/webadvisor/xxwatest">
      <Alias>xxx.xx.xxx.xx</Alias>

      <Valve className='org.apache.catalina.valves.AccessLogValve'
             directory='/usr/webadvisor/xxwatest/logs'
             prefix='xxwatest_access.'
             suffix='.log'
             pattern='common'/>

      <Logger className='org.apache.catalina.logger.FileLogger'
              directory='/usr/webadvisor/xxwatest/logs'
              prefix='xxwatest_catalina.'
              suffix='.log'
              timestamp='true'/>

      <Context path="/" debug="5" docBase="/usr/webadvisor/xxwatest"
               privileged="true" />

      <Context path="/manager" debug="5"
               docBase="/usr/tomcat/apache-tomcat

Multiple services and not restarting

2007-02-07 Thread Henderson,Nathan
 I am running Tomcat 5.5.2 as a stand-alone server with 14 separate
 services.  This is done to run 14 different sites but share 7 ssl
 certs.  The problem I am having is when I run my script to bounce the
 tomcat server only the first 3 or 4 services get restarted.  Does
 anyone happen to have any explanation for this?
 
 Here is my script
 **
 #!/bin/sh
 ip=/usr/local/bin/ice
 tc_dir=/usr/tomcat/apache-tomcat-5.5.20/bin

 if [ $# -eq 1 ]
 then
   tc_oper=$1
 else
   # \c keeps the cursor on the prompt line
   echo -e "Enter start, stop, or bounce: \c"
   read tc_oper
 fi

 case $tc_oper in
   start)
     $tc_dir/startup.sh
     ;;
   stop)
     $tc_dir/shutdown.sh
     ;;
   bounce)
     $tc_dir/shutdown.sh
     # shutdown.sh returns as soon as the SHUTDOWN command is sent, so the old
     # JVM may still hold the connector ports when startup.sh runs; wait (up to
     # 60 s) for it to exit before starting the new one
     n=0
     while pgrep -f "catalina.home=$(dirname $tc_dir)" >/dev/null && [ $n -lt 60 ]
     do
       sleep 1
       n=$((n + 1))
     done
     $tc_dir/startup.sh
     ;;
   *)
     echo "Invalid operation: you must enter stop, start or bounce. Exiting."
     exit 1
     ;;
 esac
 **
 
 All of the services are exactly the same and here is a snapshot of one
 from the server.xml file
 **
   <Service name="xx">
     <Connector address="xxx.xx.xxx.xx" port="80" redirectPort="443"/>

     <!-- Define a SSL HTTP/1.1 Connector on port 443 -->

     <Connector address="xxx.xx.xxx.xx" port="443"
                maxHttpHeaderSize="8192"
                maxThreads="150" minSpareThreads="25"
                maxSpareThreads="75"
                enableLookups="false" disableUploadTimeout="true"
                acceptCount="100" scheme="https" secure="true"
                clientAuth="false" sslProtocol="SSL"
                keystoreFile="/usr/local/bin/ice/sslcerts/.dewalive"
                keystorePass="tick17" algorithm="IbmX509" />

     <Engine name="xx" defaultHost="..xxx">
       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
              resourceName="UserDatabase" />

       <!-- This Host is the Virtual Host:  -->
       <Host name="..xxx" appBase="/usr/x/">
         <Alias>xxx.xx.xxx.xx</Alias>

         <Valve className='org.apache.catalina.valves.AccessLogValve'
                directory='/usr/x//logs'
                prefix='_access.'
                suffix='.log'
                pattern='common'/>

         <Logger className='org.apache.catalina.logger.FileLogger'
                 directory='/usr/x//logs'
                 prefix='_catalina.'
                 suffix='.log'
                 timestamp='true'/>

         <Context path="/" debug="5" docBase="/usr/x/"
                  privileged="true" />

         <Context path="/manager" debug="5"
                  docBase="/usr/tomcat/apache-tomcat-5.5.20/server/webapps/manager"
                  privileged="true" />
       </Host>

     </Engine>

   </Service>
 **
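An added check covering two points from this thread, written for it rather than taken from any post or from Tomcat: David Delbecq's point that the certificate a client receives is fixed by the connector's address and port alone (the Host header only arrives after the TLS handshake), and the question above about only some of the 14 services coming back after a bounce. With one Service per site, each HTTPS connector must own a distinct address:port, because a second connector on the same pair cannot bind and the service that starts later simply has no listener. The class parses a server.xml, lists every HTTPS connector as address:port plus the keystore it serves, and reports address:port pairs claimed by more than one service. The class name, the sample server.xml (trimmed to its connectors) and its addresses are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/**
 * Lists every HTTPS connector in a Tomcat 5.5 server.xml as the address:port
 * it binds plus the keystore it serves, and flags address:port pairs claimed
 * by more than one Service: only the first of those to start gets a listener.
 */
public class ServerXmlCheck {

    /** One HTTPS listener: owning service, bind address, port, keystore. */
    public static class Listener {
        public final String service, address, port, keystore;

        Listener(String service, String address, String port, String keystore) {
            this.service = service;
            this.address = address;
            this.port = port;
            this.keystore = keystore;
        }

        public String bind() { return address + ":" + port; }

        /** Same port and same address, or either side bound to every address. */
        boolean clashesWith(Listener other) {
            if (!port.equals(other.port)) return false;
            return address.equals(other.address) || isWildcard() || other.isWildcard();
        }

        boolean isWildcard() { return address.equals("0.0.0.0"); }
    }

    /** Every Connector with scheme="https", in server.xml order. */
    public static List<Listener> httpsListeners(String serverXml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // server.xml carries no DTD; refusing one also rules out external entities
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        Document doc = f.newDocumentBuilder()
                .parse(new ByteArrayInputStream(serverXml.getBytes("UTF-8")));
        List<Listener> out = new ArrayList<Listener>();
        NodeList services = doc.getElementsByTagName("Service");
        for (int i = 0; i < services.getLength(); i++) {
            Element service = (Element) services.item(i);
            NodeList connectors = service.getElementsByTagName("Connector");
            for (int j = 0; j < connectors.getLength(); j++) {
                Element c = (Element) connectors.item(j);
                if (!"https".equals(c.getAttribute("scheme"))) continue;
                // no address attribute means the connector binds all interfaces
                String address = c.hasAttribute("address") ? c.getAttribute("address") : "0.0.0.0";
                out.add(new Listener(service.getAttribute("name"), address,
                        c.getAttribute("port"), c.getAttribute("keystoreFile")));
            }
        }
        return out;
    }

    /** Listeners whose address:port is also claimed by another connector. */
    public static Map<String, List<String>> bindConflicts(List<Listener> listeners) {
        Map<String, List<String>> conflicts = new LinkedHashMap<String, List<String>>();
        for (Listener a : listeners) {
            List<String> owners = new ArrayList<String>();
            for (Listener b : listeners) {
                if (a.clashesWith(b)) owners.add(b.service);
            }
            if (owners.size() > 1) conflicts.put(a.bind(), owners);
        }
        return conflicts;
    }

    // Constructed sample (not the thread's server.xml): two services on their
    // own IP aliases, and a third that repeats the first alias by mistake.
    static final String SAMPLE =
          "<Server port=\"8005\" shutdown=\"SHUTDOWN\">\n"
        + " <Service name=\"alpha\">\n"
        + "  <Connector address=\"10.0.0.11\" port=\"80\" redirectPort=\"443\"/>\n"
        + "  <Connector address=\"10.0.0.11\" port=\"443\" scheme=\"https\" secure=\"true\"\n"
        + "             sslProtocol=\"SSL\" keystoreFile=\"/srv/certs/.alpha\"/>\n"
        + " </Service>\n"
        + " <Service name=\"beta\">\n"
        + "  <Connector address=\"10.0.0.12\" port=\"443\" scheme=\"https\" secure=\"true\"\n"
        + "             sslProtocol=\"SSL\" keystoreFile=\"/srv/certs/.beta\"/>\n"
        + " </Service>\n"
        + " <Service name=\"alphatest\">\n"
        + "  <Connector address=\"10.0.0.11\" port=\"443\" scheme=\"https\" secure=\"true\"\n"
        + "             sslProtocol=\"SSL\" keystoreFile=\"/srv/certs/.alpha\"/>\n"
        + " </Service>\n"
        + "</Server>\n";

    public static void main(String[] args) throws Exception {
        List<Listener> listeners = httpsListeners(SAMPLE);
        for (Listener l : listeners) {
            System.out.println(l.bind() + "  service=" + l.service + "  keystore=" + l.keystore);
        }
        for (Map.Entry<String, List<String>> e : bindConflicts(listeners).entrySet()) {
            System.out.println("CONFLICT " + e.getKey() + " claimed by " + e.getValue()
                    + ": only the first to start will listen");
        }
    }
}
```

On the sample the alpha and alphatest services both claim 10.0.0.11:443, so the report names that pair twice (once per claimant) and beta is clean. To run it against a real file, replace SAMPLE with the file's contents; with 14 services it is a quick way to confirm, after a bounce, that every service that failed to come up is one whose address:port was already taken, and that every address:port still maps to exactly one keystore.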