Re: Tomcat keeps breaking/SSL keystore troubles
Christoph,

I hate these problems, they're always tough to work through, and keytool doesn't make it any easier.

Did you use keytool to create your key and certificate request? If you created the key and request outside of keytool, then keytool won't have the private key and can't import the certificate. In order to get your private key into the keystore, you need to use a bit of Java code. See here: <http://www.agentbob.info/agentbob/79.html>

There's no need for you to import the CA's root certificate. It's already there.

Good luck!
Mojo

-- 
Morris Jones
Monrovia, CA
http://www.whiteoaks.com
Old Town Astronomers
http://www.otastro.org

Christoph Lechner wrote:
> Hi all,
>
> I've been trying hard to enable the SSL connector in Tomcat for a few days now. As I don't have very much experience with SSL, it's quite hard for me to figure out what's going wrong. I read a lot of different setup guides, but I'm getting the same error messages all the time:
>
> 16:37:13,254 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8080
> 16:37:13,338 INFO [ChannelSocket] JK: ajp13 listening on /0.0.0.0:8009
> 16:37:13,346 INFO [JkMain] Jk running ID=0 time=0/24 config=null
> 16:37:13,360 INFO [Http11BaseProtocol] Starting Coyote HTTP/1.1 on http-0.0.0.0-8443
> 16:37:13,371 ERROR [PoolTcpEndpoint] Endpoint [SSL: ServerSocket[addr=/0.0.0.0,port=0,localport=8443]] ignored exception: java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
> java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
>     at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
>     at org.apache.tomcat.util.net.PoolTcpEndpoint.run(PoolTcpEndpoint.java:647)
>     at java.lang.Thread.run(Thread.java:595)
>
> I've got a .crt file, a .csr file and a .key file for the domain and I also got the root cert from the CA. So I tried to set it up in the following way (output messages included):
>
> ---> Begin of keystore creation <---
> ab-server1:~/ssl# keytool -import -trustcacerts -alias root -file rapidssl_01.cer -keystore thekeystore
> Enter keystore password: changeit
> Certificate already exists in system-wide CA keystore under alias
> Do you still want to add it to your own keystore? [no]: yes
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -import -trustcacerts -alias tomcat -file www_mydomain_com.crt -keystore thekeystore
> Enter keystore password: changeit
> Certificate was added to keystore
> ab-server1:~/ssl# keytool -list -keystore thekeystore
> Enter keystore password: changeit
>
> Keystore type: jks
> Keystore provider: SUN
>
> Your keystore contains 2 entries
>
> root, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
> tomcat, Aug 30, 2007, trustedCertEntry,
> Certificate fingerprint (MD5): C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
> ---> End of keystore creation <---
>
> In server.xml file, I added:
>
> OTOH I've tried a self-signed certificate and it worked.
>
> What's my fault?
>
> TIA
> - C. Lechner

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: Self-Signed Certificate for Tomcat JVM and CAS
Sorry I hadn't seen your message earlier when you posted it. But you should create the keystore with a keystore password. Did you do that?

Cheers,
Mojo

Lisa Tan wrote:
> After following the docs to generate a self-signed pkcs12 key, I failed to import the key/certificate into my application with
>
> No password given for keystore, integrity will not be verified.
>
> What is the reason causing this error?
>
> I read some docs which ask to create an empty Java keystore and convert the PEM formatted key to PKCS8 format. Why do I need to create an empty keystore?
>
> Thanks,
> Lisa
>
> Original message
> Date: Fri, 10 Aug 2007 18:25:56 -0700
> From: "Bill Barker" <[EMAIL PROTECTED]>
> Subject: Re: Self-Signed Certificate for Tomcat JVM and CAS
> To: users@tomcat.apache.org
>
> > "Lisa Tan" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]
> > > I don't know if this is the right list to ask this question. I tried to configure Shibboleth which uses Tomcat with CAS authentication. I received an error:
> > >
> > > Unable to validate ProxyTicketValidator
> > >
> > > I did a Google search on this topic and understood the reason causing this problem is that the Tomcat JVM doesn't trust the SSL cert of the CAS server. Since I am still in the testing stage, I can't get a CA certificate, only a self-signed certificate. If my understanding is correct, the self-signed certificate via openssl doesn't have jks format but the Tomcat JVM only accepts jks format certificates.
> >
> > If you had read the friendly manual at http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, you would know that this isn't true :). While it talks about the keystore, the truststore works the same way. So use openssl to create a pkcs12 file, specify this as the truststore, in whatever way you need to do from the CAS docs, and you should be good to go.
> >
> > > I am just wondering if any one can give me some instruction how to create a self-signed certificate and private key which can be used or imported to both the Tomcat JVM and the CAS server.
> > >
> > > Thanks,
> > > Lisa
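The two threads above are the two halves of one problem. In the keystore thread, `keytool -import` of www_mydomain_com.crt produced a trustedCertEntry, which is a certificate with no private key behind it; that is exactly the condition behind "No available certificate or key corresponds to the SSL cipher suites which are enabled". In the CAS thread, a store that deliberately holds only certificates (a truststore, protected by a password so its integrity MAC can be verified) is the right thing. The script below is an added example, not code from either thread or from the Tomcat project. It builds both kinds of PKCS12 file with openssl from a key and certificate created outside keytool, and counts the private keys and certificates each file carries so the difference is visible before Tomcat is started. The hostname, file names, the aliases `tomcat` and `cas`, and the password `changeit` are assumptions; a throwaway self-signed key pair stands in for the CA-issued .key/.crt files from the thread.

```shell
#!/bin/sh
# Added example for the Tomcat SSL keystore/truststore threads above.
# Not code from the mailing-list posts or from the Tomcat project.
# Assumes: openssl on PATH; aliases "tomcat"/"cas", host name and
# password "changeit" are placeholders.
set -eu

# p12_private_keys FILE PASSWORD
# Prints how many private keys a PKCS12 file holds. A server keystore must
# report 1; a store that reports 0 is the "trustedCertEntry" situation from
# the keytool -list output in the thread and fails at connector startup.
p12_private_keys() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -c 'BEGIN.*PRIVATE KEY' || true
}

# p12_certificates FILE PASSWORD
# Prints how many certificates a PKCS12 file holds (server cert plus chain,
# or, for a truststore, the certificates to be trusted).
p12_certificates() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# make_keystore KEY CERT OUT PASSWORD [CHAIN]
# Packages a private key created outside keytool together with its
# certificate (and optionally the CA chain file) under alias "tomcat".
# PKCS12 is the container in which openssl can hand a private key to a
# JSSE keystore without any Java code.
make_keystore() {
    if [ -n "${5:-}" ]; then
        openssl pkcs12 -export -name tomcat -inkey "$1" -in "$2" \
            -certfile "$5" -out "$3" -passout "pass:$4"
    else
        openssl pkcs12 -export -name tomcat -inkey "$1" -in "$2" \
            -out "$3" -passout "pass:$4"
    fi
}

# make_truststore CERT OUT PASSWORD
# Packages only a certificate, no key at all. Right for a truststore holding
# the CAS server's self-signed cert, wrong for a server keystore. The
# password is what gives Java a MAC to check; without it you get "No
# password given for keystore, integrity will not be verified".
make_truststore() {
    openssl pkcs12 -export -nokeys -name cas -in "$1" \
        -out "$2" -passout "pass:$3"
}

# Demo with a throwaway self-signed key pair (constructed here) standing in
# for the CA-issued www_mydomain_com.crt/.key from the thread.
demo() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=www.mydomain.example" \
        -keyout "$d/www.key" -out "$d/www.crt" >/dev/null 2>&1

    make_keystore   "$d/www.key" "$d/www.crt" "$d/tomcat.p12" changeit
    make_truststore "$d/www.crt" "$d/trust.p12" changeit

    echo "tomcat.p12: $(p12_private_keys "$d/tomcat.p12" changeit) key(s), $(p12_certificates "$d/tomcat.p12" changeit) cert(s)"
    echo "trust.p12:  $(p12_private_keys "$d/trust.p12" changeit) key(s), $(p12_certificates "$d/trust.p12" changeit) cert(s)"
    rm -rf "$d"
}

demo
```

Point the connector at tomcat.p12 with keystoreFile, keystorePass and keystoreType="PKCS12"; `keytool -list -storetype PKCS12 -keystore tomcat.p12 -storepass changeit` should then show the tomcat alias as a key entry, not a trustedCertEntry. For a CAS client the truststore is normally handed to the JVM through the javax.net.ssl.trustStore, javax.net.ssl.trustStorePassword and javax.net.ssl.trustStoreType system properties, following the CAS documentation. One caveat: PKCS12 files written by OpenSSL 3 with its default AES/PBKDF2 algorithms are not readable by older JDKs; add -legacy to the `openssl pkcs12 -export` call for such a JVM.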
Re: Help with exporting SSL certificate
Yerger, Chad wrote:
> I purchased a chained *.SSL cert from GoDaddy. I installed it successfully on my Tomcat server (server #1). Now I need to export it and replace another Tomcat server's (server #2) self-signed cert with the export from server #1. I tried doing the keytool export from server #1 and keytool import into my current keystore on server #2 with no success (the keytool process throws no errors). I don't get any error messages or anything to track down.. the https pages just don't load. What is the proper procedure for doing these exports/imports? Any help is appreciated.

There's not a lot of information from your message to go on, like what error do you get from your browser on loading a page, so I kind of have to take a guess.

On server 1:

    keytool -export -rfc -alias tomcat -file tomcat.cert -storepass changeit

Copy mycertificate.cert to server 2

On server 2:

    keytool -delete -alias tomcat -storepass changeit
    keytool -import -alias tomcat -storepass changeit -file tomcat.cert

Sorry I can't unwrap the lines there.

Mojo
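One check worth running after a sequence like the one above: `keytool -export` writes only the certificate, and keytool has no command that exports a JKS private key, so a delete followed by an import of that file leaves the alias as a trustedCertEntry. The connector then has no key to complete the handshake with, the browser sees a dropped connection and no error appears in the keytool output, which matches the symptom in the question. The script below is an added example, not code from the thread or from the Tomcat project. It parses `keytool -list` output to report which kind of entry an alias holds, and moves the private key together with its chain between two keystores with `keytool -importkeystore` (JDK 6 or later). The keystore paths, the alias `tomcat` and the password `changeit` are assumptions; the listing embedded in the script is constructed in the format keytool printed in the keystore thread above.

```shell
#!/bin/sh
# Added example for the "Help with exporting SSL certificate" thread above.
# Not code from the post or from the Tomcat project. Assumes keytool from
# JDK 6 or later; alias "tomcat", password "changeit" and the keystore
# paths are placeholders.
set -eu

# Constructed keytool -list output in the format shown in the keystore thread:
# one "alias, date, entryType," line per entry (older keytool versions print
# "keyEntry" where newer ones print "PrivateKeyEntry").
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

root, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 8F:5D:77:06:27:C4:98:3C:5B:93:78:E7:D7:7D:9B:CC
tomcat, Aug 30, 2007, trustedCertEntry,
Certificate fingerprint (MD5): C4:6F:76:3F:5E:ED:33:04:F9:CB:0F:98:28:21:5D:D4
server1, Aug 30, 2007, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'

# entry_type ALIAS   (keytool -list output on stdin)
# Prints the entry type recorded for ALIAS, or nothing if it is absent.
# The type is the last non-empty comma-separated field of the alias line,
# which keeps the parse independent of the locale's date format. keytool
# stores aliases case-insensitively, so the comparison is too.
entry_type() {
    awk -v a="$1" -F', *' '
        tolower($1) == tolower(a) {
            for (i = NF; i > 0; i--) if ($i != "") { print $i; exit }
        }'
}

# is_key_entry KEYSTORE STOREPASS ALIAS
# Succeeds only if ALIAS holds a private key, which is what an HTTPS
# connector needs behind its keyAlias.
is_key_entry() {
    t=$(keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | entry_type "$3")
    case "$t" in
        PrivateKeyEntry|keyEntry) return 0 ;;
        *) return 1 ;;
    esac
}

# move_key_entry SRC_KS SRC_PASS DST_KS DST_PASS ALIAS
# Copies the private key and its certificate chain from one keystore to
# another, replacing any existing entry under ALIAS in the destination.
# Tomcat opens the key with the keystore password unless configured
# otherwise, so the key password is set to the destination store password.
move_key_entry() {
    keytool -delete -alias "$5" -keystore "$3" -storepass "$4" 2>/dev/null || true
    keytool -importkeystore -noprompt \
        -srckeystore "$1" -srcstorepass "$2" -srcalias "$5" \
        -destkeystore "$3" -deststorepass "$4" -destalias "$5" -destkeypass "$4"
}

# Demo: two throwaway keystores (constructed here) stand in for server 1
# (purchased cert) and server 2 (self-signed). The certificate-only transfer
# and the key transfer are applied to separate copies of server 2's store.
demo() {
    d=$(mktemp -d)
    for host in server1 server2; do
        keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 1 \
            -dname "CN=$host.example" -keystore "$d/$host.jks" \
            -storepass changeit -keypass changeit >/dev/null 2>&1
    done

    # What keytool -export/-import can carry: the certificate only.
    keytool -exportcert -rfc -alias tomcat -keystore "$d/server1.jks" \
        -storepass changeit -file "$d/tomcat.cert" >/dev/null 2>&1
    cp "$d/server2.jks" "$d/server2-certonly.jks"
    keytool -delete -alias tomcat -keystore "$d/server2-certonly.jks" -storepass changeit
    keytool -importcert -noprompt -alias tomcat -file "$d/tomcat.cert" \
        -keystore "$d/server2-certonly.jks" -storepass changeit >/dev/null 2>&1

    # What the connector actually needs: the key entry itself.
    cp "$d/server2.jks" "$d/server2-moved.jks"
    move_key_entry "$d/server1.jks" changeit "$d/server2-moved.jks" changeit tomcat >/dev/null 2>&1

    for ks in server2-certonly server2-moved; do
        if is_key_entry "$d/$ks.jks" changeit tomcat; then
            echo "$ks: tomcat holds a private key, connector can start"
        else
            echo "$ks: tomcat is $(keytool -list -keystore "$d/$ks.jks" -storepass changeit 2>/dev/null | entry_type tomcat), no private key"
        fi
    done
    rm -rf "$d"
}

if command -v keytool >/dev/null 2>&1; then
    demo
else
    echo "keytool not found; skipping demo" >&2
fi
```

The simplest alternative to `-importkeystore` is to copy the whole keystore file from server 1 to server 2, since the key and its chain travel together either way; what does not work is any recipe built on `keytool -export`, because the private key is never in that file. Either route puts the same private key on two hosts, so both need the same file permissions and the same care with the keystore password.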
Re: unpackWARs Pros and Cons
Jim Goodspeed wrote:
> Are there any pros and cons running unpackWARs one way or another? It seems like keeping unpackWARs="false" might be a little cleaner (not having to remove expanded directories when deploying a new war file), but I wasn't sure if there were any performance hits associated with running this set to false.

I've been running with packed WARs for a while, and just ran into an issue with Spring's log4jContextListener. It demands that the war be unpacked so it can reference the application root as an absolute pathname. Tsk!

I agree that leaving them packed is neater, and I like not having to worry about stale files in an exploded app directory, but I'm careful to delete the exploded directory most of the time anyway. Having them unpacked should have a slight performance advantage because the files don't have to be searched and unpacked from the WAR when they're referenced.

Best regards,
Mojo
Re: [OT] Parallel Tomcat 5 and 6 services on Windows
There might be a better explanation in the Windows Event Viewer.

Good luck,
Mojo

Robert Novotny wrote:
> The message was "Failed to install Tomcat6 service. Ignore and continue anyway (not recommended)?"
>
> The Tomcat 5 service had been stopped prior to the installation. I wonder why the setup issues this message, since the tomcat6 service should be considered independent of the tomcat5 service. Maybe there is some name/description clash in the service installation routine (does Windows allow more than one service with an identical DisplayName?).
>
> Anyways, the services.bat is indeed the best workaround.
>
> Mark Thomas-14 wrote:
> > Robert Novotny wrote:
> > > Greetings, I would like to test Tomcat 6 on Windows, however I would still like to retain the previous Tomcat 5 installation (along with the Tomcat 5 service).
> >
> > I don't think the Windows installer is set up to do this. I can't remember what the issue was but have a vague recollection of a bug report in this area. Using services.bat is the best work-around.
> >
> > Mark
Re: Parallel Tomcat 5 and 6 services on Windows
Robert Novotny wrote:
> I would like to test Tomcat 6 on Windows, however I would still like to retain the previous Tomcat 5 installation (along with the Tomcat 5 service).

I would think you can do that. You can even run them both at the same time, as long as they are configured to listen on different ports.

> However, the installation threw an error when it was about to install the Tomcat 6 service (note that I have unchecked the Service option in the component selection dialogue).

What was the error? Was it a port conflict? If so, you know how to solve that one, right? If it was a service name conflict, you should be able to solve that one too by renaming one of the services.

Did you at least stop the tomcat5 service before installing tomcat6? As long as only one of them is running at once, it should work fine. See Control Panel | Administrative Tools | Services

Mojo
Can one have a log4j repository per webapp in Tomcat?
At my company we have Tomcat 5.5 instances running lots of webapps, and problems with those apps interfering with each other's log files -- especially in instances of libraries like Hibernate.

I've read and understand the principles of using log4j repositories, such as Ceki Gülcü's document here <http://www.qos.ch/logging/sc.jsp>, but I get the impression that a component-based RepositorySelector is not available in Tomcat.

Is there a known way to eliminate interference between web applications in logging when using a log4j in common/lib?

Best regards,
Mojo