Tomcat 5.5 not recognizing my trustedCertEntry?
Hi All,

I'm very new to Tomcat, so please excuse my ignorance. I'm setting up a server with Tomcat and SSL for our developers. For their product they must use Tomcat 5.5 - they cannot upgrade to 6 at this time.

The problem: I've purchased a cert from Geotrust.com and successfully imported it into the keystore using keytool, yet the Tomcat welcome page kept coming up blank when I navigated to the SSL site on the server: https://servername:8443. There were no errors in the error log. The page works fine at the default address of http://servername:8080.

Here is what I've done:

1. I downloaded the root chain cert from geotrust.com and created my keystore successfully, adding it and my newly purchased cert into the keystore file.
2. I restarted Tomcat and received no errors. But navigating to the server in a browser shows a "Page cannot be found" error. Running netstat -an in a command prompt shows port 8443 open and accepting connections.
3. To test whether it was my cert or keystore file, I borrowed a keystore from our developer and used it instead, and everything worked - the page opened fine when navigating to it at https://server:8443/.
4. So, I have a problem with my keystore. I then imported my cert into his test keystore, but when I navigated to the page it used his key and not mine.
5. Next: I added the keyAlias=tomcat1 tag to the SSL connector config in the server.xml file and restarted Tomcat. And of course I get this error in the Catalina error log:

       java.io.IOException: Alias name tomcat1 does not identify a key entry

6. Next: I ran keytool -list and noted that his keys are listed as keys (duh) and my key is listed as a trustedCertEntry - which is probably why the system won't use it when I use the keyAlias=tomcat tag in the server.xml file.

So - my big question is: how do I get Tomcat to recognize my trustedCertEntry as a valid key?

Do I need to create my own certificate and place it in the original keystore I created, along with the root and the cert I bought? Is there a tag for the server.xml file that will force it to use the trustedCertEntry I imported with keytool?

Here is a copy of the connector settings from server.xml, for the configuration that loads without errors:

    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="20"
               enableLookups="false" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sslProtocol="TLS"
               keystoreFile="c:\files\keystore" keystorePass="PASSWORD" />

Thanks for any and all help provided,

Michael Casale
Systems Administrator / IT Manager
Knoa Software
[EMAIL PROTECTED]
Ph. (212) 807-9608 ext. 6000
Fax (212) 675-6121
RE: SSL not working on Tomcat - The Solution
Hi All -

The simple solution to this whole problem is that I was using the wrong keystore file - not the one I originally used to generate my certificate request. I originally tried to use the original keystore file to import my newly purchased certification, but I kept getting the error "Wrong Keystore Format" (or something to that effect - I forgot and am in a hurry here). The reason why is that I was following poor instructions on my company's wiki which omitted the storetype tag in the keytool -import line. You need -storetype PKCS12 when importing into a PKCS12 keystore. Duh on me. This is how we learn.

I figured I'd just point this out for anyone else using the keytool command and working with PKCS12 format keys and keystores.

Thanks to all those who offered help!

Michael Casale
Systems Administrator / IT Manager
Knoa Software

-----Original Message-----
From: Christopher Schultz
Sent: Wednesday, November 08, 2006 5:02 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

Michael,

Michael Casale wrote:
> I've installed Firefox 2.0 and I get the error: "Firefox can't connect securely to upm.knoa.com because the site uses a security protocol which isn't enabled". So... I changed sslProtocol=TLS to sslProtocol=SSL and restarted the service. I get the same error.

Wow. Sounds like something is seriously screwed up.

Have you tried a different client machine? Perhaps one of your SSL libraries is hosed.

Have you tried re-installing Tomcat? Perhaps one of TC's SSL libraries is hosed.

If all else fails, I would run something like memtest86 on your server to see if the memory is okay. It's tough to do all this crypto stuff and not have an exception when the littlest thing goes wrong, so something is definitely amiss.

It's not like Sun invented a new SSL protocol and didn't tell anyone about it ;)

-chris
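Both the "does not identify a key entry" error in the trustedCertEntry post and the "Wrong Keystore Format" error in this solution post come down to what `keytool -list` reports about the keystore: the entry type behind each alias, and the keystore type of the file. The following script is an added example, not code from the thread or from Tomcat; it parses a constructed `keytool -list` listing (aliases, dates and fingerprints are made up) and reports which aliases Tomcat's keyAlias could actually use, why a trustedCertEntry alias fails, and whether the -storetype you intend to pass matches the file. The entry-type names it recognises are the ones keytool prints ("keyEntry" on Java 5, "PrivateKeyEntry" on later releases, "trustedCertEntry" for a certificate without a private key).

```python
"""Sanity-check a `keytool -list` listing before pointing Tomcat at it.

Tomcat's keyAlias must name an entry that holds a private key.  keytool
shows such entries as "keyEntry" (Java 5) or "PrivateKeyEntry" (Java 6+).
A "trustedCertEntry" is a bare certificate with no private key, which is
why keyAlias=tomcat1 produced "Alias name tomcat1 does not identify a key
entry".  Running keytool -import with the wrong -storetype (or omitting it
for a PKCS12 file) is what produced "Wrong keystore format".
"""
import re

KEY_ENTRY_TYPES = {"keyentry", "privatekeyentry"}
TRUSTED_CERT_TYPE = "trustedcertentry"
TYPE_RE = re.compile(r"^keystore type:\s*(?P<type>\S+)", re.IGNORECASE)

# Constructed listing in the Java 5 keytool output format; the fingerprints
# and dates are made up.  "tomcat" was created with -genkey (private key),
# the other two aliases were imported with -import into new aliases.
SAMPLE_LISTING = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

tomcat, Nov 7, 2006, keyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat1, Nov 8, 2006, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
geotrustroot, Nov 7, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
"""


def parse_listing(listing):
    """Return (keystore_type, {alias: entry_type}) from `keytool -list` text."""
    keystore_type = None
    entries = {}
    for raw in listing.splitlines():
        line = raw.strip()
        m = TYPE_RE.match(line)
        if m:
            keystore_type = m.group("type").lower()
            continue
        # Entry lines look like "alias, Mon d, yyyy, entryType," -- the date
        # itself contains a comma, so only the first and last fields matter.
        if line.endswith(",") and not line.lower().startswith("certificate"):
            fields = [f.strip() for f in line[:-1].split(",")]
            if len(fields) >= 3:
                entries[fields[0]] = fields[-1]
    return keystore_type, entries


def usable_key_aliases(listing):
    """Aliases Tomcat could serve TLS with, i.e. those holding a private key."""
    _, entries = parse_listing(listing)
    return sorted(a for a, t in entries.items() if t.lower() in KEY_ENTRY_TYPES)


def diagnose_key_alias(listing, key_alias):
    """Classify what Tomcat would do with keyAlias=<key_alias>."""
    _, entries = parse_listing(listing)
    entry_type = entries.get(key_alias)
    if entry_type is None:
        return "missing", "alias %r is not in the keystore" % key_alias
    if entry_type.lower() in KEY_ENTRY_TYPES:
        return "ok", "alias %r holds a private key" % key_alias
    if entry_type.lower() == TRUSTED_CERT_TYPE:
        return "trusted_cert_only", (
            "alias %r is a trustedCertEntry (certificate without a private key); "
            "Tomcat reports 'Alias name %s does not identify a key entry'. "
            "Import the CA reply into the alias used for -genkey/-certreq, "
            "not into a new alias." % (key_alias, key_alias))
    return "unknown", "alias %r has unexpected type %r" % (key_alias, entry_type)


def storetype_matches(listing, intended_storetype):
    """True if the -storetype you plan to pass matches what the file is."""
    keystore_type, _ = parse_listing(listing)
    return keystore_type == intended_storetype.lower()


def import_command(listing, alias, cert_file, keystore_file):
    """Build a keytool -import argv whose -storetype matches the file."""
    keystore_type, _ = parse_listing(listing)
    return ["keytool", "-import", "-alias", alias, "-file", cert_file,
            "-keystore", keystore_file, "-storetype", keystore_type.upper()]


if __name__ == "__main__":
    print("usable keyAlias values:", usable_key_aliases(SAMPLE_LISTING))
    for alias in ("tomcat", "tomcat1", "nosuch"):
        print(alias, "->", diagnose_key_alias(SAMPLE_LISTING, alias))
    print("PKCS12 matches file?", storetype_matches(SAMPLE_LISTING, "PKCS12"))
    print(" ".join(import_command(SAMPLE_LISTING, "tomcat", "cert.der",
                                  "c:/files/keystore")))
```

To use it on a real keystore, capture the output of `keytool -list -keystore <file> -storetype <type>` and pass it to `diagnose_key_alias` with the alias from your connector's keyAlias attribute; a "trusted_cert_only" verdict means the CA reply went into a new alias instead of the one that holds the private key, which is the situation described in the trustedCertEntry post.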
SSL not working on Tomcat
Howdy all,

I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the Tomcat service, all I get is a "Page Not Found" error when I point to the SSL port on the server. Pointing to the default connector on port 8080 works fine.

Here's a little background:

1. Using keytool, I created a certificate request, sent it off to Geotrust, and purchased a cert to import. It was emailed to me.
2. Following the recommendations of Geotrust (http://www.geocerts.com/support/install/install_tomcat.php), I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.
3. I restarted the Tomcat service with no errors, and see the connector started on port 8443:

    Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8080
    Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
    INFO: Initializing Coyote HTTP/1.1 on http-8443
    Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load
    INFO: Initialization processed in 812 ms
    Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start
    INFO: Starting service Catalina
    Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start
    INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
    Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start
    INFO: XML validation disabled
    Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
    INFO: Starting Coyote HTTP/1.1 on http-8080
    Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
    INFO: Starting Coyote HTTP/1.1 on http-8443
    Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init
    INFO: JK: ajp13 listening on /0.0.0.0:8009
    Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start
    INFO: Jk running ID=0 time=0/31  config=null
    Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load
    INFO: Find registry server-registry.xml at classpath resource
    Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
    INFO: Server startup in 1203 ms

Now, opening any page on the server at http://servername:8080/ works fine, but https://servername:8443/ doesn't work. All ports are opened through the firewall, etc. Same for https://localhost:8443/.

Here is the server.xml file entry for the connector:

    <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
               port="8443" minProcessors="5" maxProcessors="20"
               enableLookups="true" disableUploadTimeout="true"
               acceptCount="100" debug="0" scheme="https" secure="true"
               sslProtocol="TLS"
               keystoreFile="c:\files\tomcat" keystorePass="THEPASS" />

According to the Tomcat SSL documentation, I need to have the root cert and the purchased cert in the keystore file, and I need to use the keyAlias to tell Tomcat which one to use. But whenever I add in the keyAlias entry it gives me the "Alias name tomcat does not identify a key entry" error in the logs.

If I could find out how to enable better logging I may be able to troubleshoot this further.

Thanks for any help!

Michael Casale
Systems Administrator / IT Manager
Knoa Software
RE: SSL not working on Tomcat
I've installed Firefox 2.0 and I get the error:

    Firefox can't connect securely to upm.knoa.com because the site uses a security protocol which isn't enabled

So... I changed sslProtocol=TLS to sslProtocol=SSL and restarted the service. I get the same error.

Meanwhile, with Internet Explorer, I turned off friendly error messages and loaded the page. Instead of a page not found I get a blank page. Interesting.

Next I tried the validator, a tool from here: http://validator.w3.org/ Great tool. It reports the following error:

    500 SSL negotiation failed: error:1406D0CB:SSL routines:GET_SERVER_HELLO:peer error no cipher

Any ideas? I'm going to try re-importing the original certificate in PKCS12 format...

Michael Casale
Systems Administrator / IT Manager
Knoa Software

-----Original Message-----
From: Mark Eggers
Sent: Tuesday, November 07, 2006 6:35 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

Did you try this with Firefox? IE has some problems with no-cache in the header or as a pragma. Later versions of Tomcat 5.5 set this. There is a mailing list thread concerning this:

http://marc.theaimsgroup.com/?t=11180675668r=1w=2

along with some solutions.

Hope this helps.

/mde/

just my two cents . . . .

--- Michael Casale wrote:
> Howdy all, I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server. Pointing to the default connector on port 8080 works fine.
> [rest of the original message snipped]
RE: SSL not working on Tomcat
I also tried building the keystore in PKCS12 format - importing both the root cert and normal cert into the keystore. I'm getting the same error.

Michael Casale
Systems Administrator / IT Manager
Knoa Software

-----Original Message-----
From: Dhiraj Ramakrishnan
Sent: Tuesday, November 07, 2006 6:44 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

Hi,

According to you, one of the steps that you did was:

> I downloaded their root cert, imported it, converted their cert to DER format (on a separate Linux box), and imported it into the keystore.

You seem to be running your application on a Windows box. Can that be the reason why your key is not working properly?

Thanks
Dhiraj Ramakrishnan

On 11/8/06, Caldarale, Charles R wrote:
> > From: Michael Casale
> > Subject: SSL not working on Tomcat
> >
> > I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server.
>
> Depending on how you installed Tomcat, you may have also gotten the native connector, aka APR. Its SSL configuration is different from the traditional Tomcat connector. Look here for details:
>
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> Regardless, you probably want to move up to a more recent level.
>
> - Chuck
RE: SSL not working on Tomcat
Thanks for your response. The Tomcat keystore is located in c:\files. The version of Java is 1.5.0_06.

Thanks!
Mike

-----Original Message-----
From: Martin Gainty
Sent: Tuesday, November 07, 2006 9:08 PM
To: Tomcat Users List
Subject: Re: SSL not working on Tomcat

Michael,

comments prefixed with MG

> Howdy all, I'm struggling through setting up Tomcat with SSL on a Windows 2003 server, and even when I get the server running, with no errors in the logs when restarting the tomcat service, all I get is a Page Not Found error when I point to the ssl port on the server. Pointing to the default connector on port 8080 works fine.
> [background steps and startup log snipped]
>
> Here is the server.xml file entry for the connector:
>
>     <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="20"
>                enableLookups="true" disableUploadTimeout="true"
>                acceptCount="100" debug="0" scheme="https" secure="true"
>                sslProtocol="TLS"
>                keystoreFile="c:\files\tomcat" keystorePass="THEPASS" />

MG: could you check to see if the keystoreFile is called tomcat and is located in C:\files?
MG: out of curiosity, which JVM are you using, Sun or IBM? This changes the values assigned to sslProtocol and algorithm.
MG: http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

M-

> Michael Casale
> Systems Administrator / IT Manager
> Knoa Software