Re: Is there a 6.0.x patch for CVE-2016-5388?
Hi, Thanks for your reply. I meant to ask if Tomcat will be releasing a 6.0.x version (say 6.0.46?) addressing this CVE. If yes, what time frame may I expect this version out? Best regards, Vamsi
Is there a 6.0.x patch for CVE-2016-5388?
Hi, Is there a 6.0.x patch for CVE-2016-5388? I do not see it listed in https://tomcat.apache.org/security-6.html . Thanks and best regards, Vamsi
Problem accessing a secure resource with FORM login method when web application clustered on Tomcat 6.0.18
Hi,

I am using Tomcat 6.0.18 embedded in Geronimo server to cluster my web application. I have two nodes Node1 and Node2. On Node1 the HTTP port is 8080 and AJP port 8009. On Node2 the HTTP port is 8090 and AJP port 8019. I am using Apache HTTP Server (HTTP on port 80) with mod_jk as the front-end server for my application. I am using FORM authentication method to login to my application.

When I access a secure resource in my application through the Apache HTTP server on port 80, it redirects me to login page and once authenticated it directs me to the secure resource loaded from NodeA. (The secure resource shows a counter that is stored in the session and incremented with each request.) When I keep refreshing the page in the browser, the counter keeps incrementing as long as the request is getting directed to NodeA. Once the request is directed to NodeB, I see the login page. (Ideally I would expect the page to load from NodeB automatically without having to login again.) At this stage, if I try to log in, I get a message "HTTP Status 400 - Invalid direct reference to form login page" and the browser's URL textbox shows http://localhost/SimpleWebApp1/secure/j_security_check .

If I use BASIC authentication method to login to my application, I am prompted for login only once. I see that counter keeps incrementing with each refresh of the page in browser and switching between nodes also does not result in prompt for login. The browser would automatically send the login credentials cached from the first time even if switching to NodeB prompts for credentials again.

When I deploy my application on Geronimo server that embeds Jetty as web container, and deploy my application on two nodes as described in 1st paragraph, I see the login page only the first time. Switching between nodes while refreshing the page in the browser happens smoothly and I never get the login page again.

My guess is that there is an issue with Tomcat AJP connector because of which the request is getting forwarded to the login page when the HTTP server switches the node that will serve the request. Can someone throw light on what could be happening here?

Thanks and best regards,
-- Vamsi
Re: Problem accessing a secure resource with FORM login method when web application clustered on Tomcat 6.0.18
On Thu, Mar 3, 2011 at 5:57 PM, Mark Thomas ma...@apache.org wrote:

On 03/03/2011 12:18, Vamsavardhana Reddy wrote:

My guess is that there is an issue with Tomcat AJP connector because of which the request is getting forwarded to the login page when the HTTP server switches the node that will serve the request. Can someone throw light on what could be happening here?

Your guess is wrong. Everything is working exactly as it should. FORM authentication requires a session to work whereas BASIC does not. You have not configured your 2 Tomcat instances for session replication (get your test page to print out the session ID to confirm this). If you don't want a second login when you move from node 1 to node 2, you'll need to configure session replication (aka clustering).

Thank you for your quick reply. I have configured my servers for session replication. With BASIC authentication, I notice that the counter value that is stored in the session, incremented by the JSP and stored back in the session with each request is properly replicated across the two server instances. My test page prints out the session ID, server directory in the file system and the counter value. The counter value is also displayed in the server's command console.

Mark

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

-- Vamsi
Re: How to access the client's X509 Cert of an https request ?
I thought that is the only way. Is there any other way to get hold of the client cert?

++Vamsi

On Fri, Apr 11, 2008 at 1:52 PM, Mark Thomas [EMAIL PROTECTED] wrote:

Hanson Char wrote:

Finally, I found at least one answer to this problem:

If you read the spec, there are simpler ways:

<spec-quote section="SRV.4.7">
If there is an SSL certificate associated with the request, it must be exposed by the servlet container to the servlet programmer as an array of objects of type java.security.cert.X509Certificate and accessible via a ServletRequest attribute of javax.servlet.request.X509Certificate.
</spec-quote>

Mark

- To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Re: What is the difference between TomCat and Geronimo?
Also Geronimo has a distribution with Tomcat as the web container.

++Vamsi

On Wed, Apr 9, 2008 at 12:40 PM, Mark Thomas [EMAIL PROTECTED] wrote:

Ben Stover wrote:

What is the difference between TomCat and Geronimo?

Geronimo is a full J2EE container. Tomcat is a Servlet/JSP container (so Tomcat functionality is a subset of Geronimo's)

Mark
Re: rolling the console log
Maybe you can pipe it to rotatelogs? See [1].

[1] http://httpd.apache.org/docs/2.0/programs/rotatelogs.html

++Vamsi

On Fri, Apr 4, 2008 at 2:57 AM, Angelina Talley [EMAIL PROTECTED] wrote:

Hello!

We are running Tomcat 5.0 in a production environment (so upgrading isn't an option) and have encountered an issue where our console log is getting to be quite large (on the order of gigabytes). Is there any way via Tomcat configuration to set this log up to roll daily? Ideally of course we'd fix the code to not print so much, but that's not an option either.

Thanks in advance for your help!
Re: displaying an image from outside the webapps directory
Have you considered using the allowLinking attribute (See http://tomcat.apache.org/tomcat-6.0-doc/config/context.html) and creating a soft-link inside the webapp directory to the directory which is outside of webapp?

++Vamsi

On Fri, Mar 21, 2008 at 4:28 PM, Kimberly Begley [EMAIL PROTECTED] wrote:

Hi, I'm trying to make a jsp display a plot that is a jpeg in a directory outside the catalina_home directory - I do not have the option of putting it in the webapp directory (there's 1000's of them - my page will just display one of them as selected by the user - along with some other info) - how do I go about displaying it?

Thanks
Re: Multi domain certificate with keytool
Glad to learn that your problem is solved :)

++Vamsi

On Thu, Mar 13, 2008 at 7:25 PM, Some user [EMAIL PROTECTED] wrote:

Thanks Vamsi! The post you mention pointed me in the right direction and I have it up and running. Great! Wasted 3 days on this one. I needed to transform my certificate to PKCS12, I missed that. Here is how for further reference:

Create a new keystore with the signed certificate, the key and the chainfile. The keystore needs to be PKCS12, the default JKS Java keystore is not accepted if you created the certificate with OpenSSL. The chainfile is a file with all the certificates from you to a trusted root authority.

openssl pkcs12 -export -inkey mycert.key -in mycert.pem -out mycert.pkcs12 -chain -CAfile rootchain.pem

We changed the storetype so from now on you'll always have to specify the storetype (PKCS12) as a parameter.

keytool -v -list -keystore keystore.pkcs12 -storetype PKCS12

Check the chain length, it has to be 1 or you certainly don't have a valid path to the root authority. Add the right keystore to the Tomcat server.xml file. You don't need to specify a keyAlias as there is only one certificate in the keystore.

Vamsavardhana Reddy-2 wrote:

You should be able to create a PKCS12 keystore using OpenSSL with the private key and the certificate you have. See if the following thread helps. http://www.mail-archive.com/[EMAIL PROTECTED]/msg08816.html

++Vamsi

On Wed, Mar 12, 2008 at 6:59 PM, Some user [EMAIL PROTECTED] wrote:

Dear Tomcat wizards,

I need a signed multi domain certificate for Tomcat (x.example.com, y.example.com, z.example.com). I do have a signed certificate but can't import this in the keystore with the keytool command as I generated the request with OpenSSL and now keytool complains that the keys don't match. Fine, so I need to generate a CSR request with keytool first. When I run the keytool -genkey -alias... command I get these questions where I need to enter my first and last name:

What is your first and last name?
[Unknown]: x.example.com

This is where I enter my fully qualified server name for the certificate. Problem is I can't enter MULTIPLE DOMAINS. I need more subdomains here as my server listens to x.example.com, y.example.com and z.example.com. A wildcard certificate is not an option as the signing authority doesn't want to sign wildcard certificates. Does anyone know how to generate a multi domain request with keytool? I know how to do this with openssl but I need a keytool one...

Thanks!

-- View this message in context: http://www.nabble.com/Multi-domain-certificate-with-keytool-tp16002309p16002309.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
Re: Multi domain certificate with keytool
You should be able to create a PKCS12 keystore using OpenSSL with the private key and the certificate you have. See if the following thread helps. http://www.mail-archive.com/[EMAIL PROTECTED]/msg08816.html

++Vamsi

On Wed, Mar 12, 2008 at 6:59 PM, Some user [EMAIL PROTECTED] wrote:

Dear Tomcat wizards,

I need a signed multi domain certificate for Tomcat (x.example.com, y.example.com, z.example.com). I do have a signed certificate but can't import this in the keystore with the keytool command as I generated the request with OpenSSL and now keytool complains that the keys don't match. Fine, so I need to generate a CSR request with keytool first. When I run the keytool -genkey -alias... command I get these questions where I need to enter my first and last name:

What is your first and last name?
[Unknown]: x.example.com

This is where I enter my fully qualified server name for the certificate. Problem is I can't enter MULTIPLE DOMAINS. I need more subdomains here as my server listens to x.example.com, y.example.com and z.example.com. A wildcard certificate is not an option as the signing authority doesn't want to sign wildcard certificates. Does anyone know how to generate a multi domain request with keytool? I know how to do this with openssl but I need a keytool one...

Thanks!
Re: catalina.out is not reloading
I am guessing... Somewhere in the script there should be a ">> catalina.out" to append to catalina.out. Change that to "> catalina.out" so that the old file is automatically rewritten. Or else you may use rotatelogs program that comes with apache http server. See http://httpd.apache.org/docs/2.0/programs/rotatelogs.html

++Vamsi

On Feb 11, 2008 3:47 PM, persistence k [EMAIL PROTECTED] wrote:

Thanks Mr. David. Will you please send me a sample start up script to handle renaming or deleting the old catalina.out file.

Regards,
Persistence

On 2/11/08, David Smith [EMAIL PROTECTED] wrote:

Then you should modify the startup script to handle renaming or deleting the old file before starting tomcat. Catalina.out itself is just the redirected standard output from tomcat and tomcat has no control over what the OS does with what it spews out. As a better alternative, configure your favorite logging framework to provide rolling log files. There are lots of messages in the archives regarding log4j and dealing with the classloader system in tomcat if you want to go that direction.

--David

persistence k wrote:

Yes, Mr. David. I want each time tomcat's redirects its standard output to catalina.out file, this file should reflect that change and during tomcat start up all the content in the file should be deleted, instead of appending it to previous messages. Right now I'm closing and reopening the file to notice the changes in it. Instead I would like to see the file reloaded each time tomcat redirects its standard output to that file, just as it happens in windows. Please suggest me a solution for this.

Thanks
Persistence.

On Feb 7, 2008 4:08 PM, David Smith [EMAIL PROTECTED] wrote:

I'm not clear on what you mean by 'reloading' as catalina.out is just a text file accepting tomcat's redirected standard output. It should simply be appended to as messages are generated. Are you saying you want the file to be deleted and started fresh on every tomcat startup?

--David

persistence k wrote:

Hi, whenever I restart the tomcat in linux, the file 'catalina.out' is not automatically reloading just like the file 'std.out' does in windows. 'catalina.out' file containing all the 'System.out' statements printed from the day tomcat was installed in my linux system. Please tell me a solution so that the file 'catalina.out' gets reloaded for each and every time I made change in WEB UI.

-Persistence
Tomcat access logs
Is there a way to specify how many days access logs should be retained by tomcat so that old access logs (for e.g. more than a month old) are automatically deleted? I am using Tomcat 5.5.15. ++Vamsi
Re: Invalid Keystore Format Exception
Seems strange. Can you send a keystore file that you generated along with the passwords you used for the keystore as well as the key (you can generate one with password secret say)? Maybe I can investigate if there is something wrong with the keystore. Also, what JDK/JVM are you using?

++Vamsi

On Jan 30, 2008 8:12 PM, Ole Ersoy [EMAIL PROTECTED] wrote:

Hi Vamsi,

I tried:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -storetype JKS

Thanks for the suggestion though,
- Ole

Vamsavardhana Reddy wrote:

Maybe you should use the -storetype JKS to be sure of the format in which the keystore is generated.

++Vamsi

On Jan 30, 2008 11:11 AM, Ole Ersoy [EMAIL PROTECTED] wrote:

Hi,

I'm trying to get SSL working real quick for some experiments, and I did this:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Answered the questions, got .keystore to appear in my home directory and then I uncommented the SSL Connector element in server.xml and filled out the keystoreFile and keystorePass attributes. Now I get this exception:

Jan 29, 2008 11:27:38 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:651)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at java.security.KeyStore.load(KeyStore.java:1202)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:293)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:444)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)

Anyone know why this is happening? I tried regenerating a few times but the results are still the same.

Thanks,
- Ole
Re: Invalid Keystore Format Exception
Glad that your problem is solved :)

++Vamsi

On Jan 30, 2008 10:38 PM, Ole Ersoy [EMAIL PROTECTED] wrote:

OK - Looks like it's an IcedTea thing. I installed JDK 1.6, regenerated the key, and now it works fine.

Thanks again for all the helpful suggestions,
- Ole

Vamsavardhana Reddy wrote:

Seems strange. Can you send a keystore file that you generated along with the passwords you used for the keystore as well as the key (you can generate one with password secret say)? Maybe I can investigate if there is something wrong with the keystore. Also, what JDK/JVM are you using?

++Vamsi

On Jan 30, 2008 8:12 PM, Ole Ersoy [EMAIL PROTECTED] wrote:

Hi Vamsi,

I tried:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA -storetype JKS

Thanks for the suggestion though,
- Ole

Vamsavardhana Reddy wrote:

Maybe you should use the -storetype JKS to be sure of the format in which the keystore is generated.

++Vamsi

On Jan 30, 2008 11:11 AM, Ole Ersoy [EMAIL PROTECTED] wrote:

Hi,

I'm trying to get SSL working real quick for some experiments, and I did this:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Answered the questions, got .keystore to appear in my home directory and then I uncommented the SSL Connector element in server.xml and filled out the keystoreFile and keystorePass attributes. Now I get this exception:

Jan 29, 2008 11:27:38 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:651)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at java.security.KeyStore.load(KeyStore.java:1202)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:293)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:444)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)

Anyone know why this is happening? I tried regenerating a few times but the results are still the same.

Thanks,
- Ole
Re: Invalid Keystore Format Exception
Maybe you should use the -storetype JKS to be sure of the format in which the keystore is generated.

++Vamsi

On Jan 30, 2008 11:11 AM, Ole Ersoy [EMAIL PROTECTED] wrote:

Hi,

I'm trying to get SSL working real quick for some experiments, and I did this:

$JAVA_HOME/bin/keytool -genkey -alias tomcat -keyalg RSA

Answered the questions, got .keystore to appear in my home directory and then I uncommented the SSL Connector element in server.xml and filled out the keystoreFile and keystorePass attributes. Now I get this exception:

Jan 29, 2008 11:27:38 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.IOException: Invalid keystore format
    at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:651)
    at sun.security.provider.JavaKeyStore$JKS.engineLoad(JavaKeyStore.java:56)
    at java.security.KeyStore.load(KeyStore.java:1202)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:319)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustStore(JSSESocketFactory.java:293)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getTrustManagers(JSSESocketFactory.java:444)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:378)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)

Anyone know why this is happening? I tried regenerating a few times but the results are still the same.

Thanks,
- Ole
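The "Invalid keystore format" error in this thread, and the JKS versus PKCS12 mix-up in the multi-domain certificate thread further up, both come down to which on-disk format a keystore file really has. The following Java program is an added example, not code from the thread or from Tomcat: it classifies a keystore by its leading bytes and then loads it with the matching type. The class name `KeystoreFormatCheck`, the sample password and the in-memory sample stores are assumptions made for the demonstration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.Console;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyStore;

public class KeystoreFormatCheck {

    /** Classify a keystore by its leading bytes instead of trusting the file name. */
    static String sniff(byte[] data) {
        if (data.length < 4) return "UNKNOWN";
        int magic = ((data[0] & 0xFF) << 24) | ((data[1] & 0xFF) << 16)
                  | ((data[2] & 0xFF) << 8) | (data[3] & 0xFF);
        if (magic == 0xFEEDFEED) return "JKS";          // JKS magic number
        if (magic == 0xCECECECE) return "JCEKS";        // JCEKS magic number
        if ((data[0] & 0xFF) == 0x30) return "PKCS12";  // DER SEQUENCE tag; confirmed by load() below
        return "UNKNOWN";
    }

    /** Sniff the format, then load with the matching keystore type; returns a one-line verdict. */
    static String check(byte[] data, char[] password) {
        String type = sniff(data);
        if (type.equals("UNKNOWN")) {
            return "UNKNOWN: not JKS, JCEKS or PKCS12; regenerate or convert the file";
        }
        try {
            KeyStore ks = KeyStore.getInstance(type);
            ks.load(new ByteArrayInputStream(data), password);
            return type + ": loads, " + ks.size() + " entries";
        } catch (Exception e) {
            // Header looked right but the body did not parse, or the password is wrong.
            return type + ": header matches but load failed: " + e.getMessage();
        }
    }

    /** Build an empty keystore of the given type in memory (constructed sample input). */
    static byte[] emptyStore(String type, char[] password) throws Exception {
        KeyStore ks = KeyStore.getInstance(type);
        ks.load(null, password);
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        ks.store(out, password);
        return out.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 1) {
            // Usage: java KeystoreFormatCheck <keystoreFile>; the password is read without echo.
            Console console = System.console();
            if (console == null) throw new IllegalStateException("run from a terminal to enter the password");
            char[] filePw = console.readPassword("Keystore password: ");
            System.out.println(check(Files.readAllBytes(Paths.get(args[0])), filePw));
            return;
        }
        char[] pw = "changeit".toCharArray();   // sample password for the constructed stores
        System.out.println(check(emptyStore("JKS", pw), pw));
        System.out.println(check(emptyStore("PKCS12", pw), pw));
        // Constructed sample: a PEM text file mistaken for a keystore.
        byte[] pem = "-----BEGIN CERTIFICATE-----\n".getBytes(StandardCharsets.US_ASCII);
        System.out.println(check(pem, pw));
    }
}
```

The reported type is the value to pass as keytool's -storetype and to set as the Connector's keystoreType in server.xml.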
Re: Use JMX to manage applications
On 8/23/07, lightbulb432 [EMAIL PROTECTED] wrote:

What is the preferred API for accessing MBeans from within servlets or JSPs?

MBeanServerConnection jmxServerConnection = JMXConnectorFactory.connect(new JMXServiceURL(urlForJMX), null).getMBeanServerConnection();
jmxServerConnection.getAttribute(new ObjectName("Application:Name=Server,Type=Server"), myAttribute);

This code can connect to an MBeanServer which need not be in the same JVM as your Servlet and you may need to provide authorization credentials to get connected.

OR

MBeanServer server = (MBeanServer) MBeanServerFactory.findMBeanServer(null).get(0);
AttributeList list = server.getAttributes(new ObjectName("Application:Name=Server,Type=Server"), new String[] { myAttribute });

This code looks up MBeanServers in the same JVM as your Servlet.

They both have roughly the same amount of code and do the same thing, so I'm wondering which is the preferred way. Unfortunately, you can't really abstract away the mechanism of getting the MBeanServer because one uses a MBeanServer while the other way uses the MBeanServerConnection object from which to perform other methods. The only tradeoff I can see is that the first way requires knowing the JMX connection URL which may need to be changed if, for example, the JMX port number is changed. However, the second way may return multiple MBeanServers, right? In the second way, would you ever expect a List with more than one MBeanServer to be returned? If so, how would that happen, and how would your code deal with it?

Thanks.

lightbulb432 wrote:

How, from a web application deployed to Tomcat, can you customize the behavior of your web application based on attributes specified in an MBean? The link http://tomcat.apache.org/tomcat-6.0-doc/monitoring.html talks a lot about Ant tasks, but that's not really what I'm looking to do. How can you get programmatic access to MBeans? And how do you deploy MBeans to Tomcat? I'm pretty confused here...hopefully someone can clarify.

Thanks.
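On the question in this thread of whether findMBeanServer(null) can return more than one MBeanServer: it can, whenever something in the JVM has created another server besides the platform one. The following is an added example (not code from the thread or from Tomcat) that selects the server that actually has the ObjectName registered instead of taking get(0); the `ServerInfo` MBean, its `Mode` attribute and the "demo-domain" default domain are hypothetical.

```java
import java.lang.management.ManagementFactory;
import java.util.List;
import javax.management.MBeanServer;
import javax.management.MBeanServerFactory;
import javax.management.ObjectName;

public class LocalMBeanLookup {

    // Hypothetical MBean used only for this demo.
    public interface ServerInfoMBean {
        String getMode();
    }

    public static class ServerInfo implements ServerInfoMBean {
        public String getMode() { return "maintenance"; }
    }

    /** Return the in-JVM MBeanServer that has 'name' registered, or null if none does. */
    static MBeanServer findOwner(ObjectName name) {
        // The platform server is created lazily; touching it first puts it in the list.
        ManagementFactory.getPlatformMBeanServer();
        List<MBeanServer> servers = MBeanServerFactory.findMBeanServer(null);
        for (MBeanServer candidate : servers) {
            if (candidate.isRegistered(name)) {
                return candidate;
            }
        }
        return null;
    }

    public static void main(String[] args) throws Exception {
        // ObjectName taken from the thread; everything registered under it here is a stand-in.
        ObjectName name = new ObjectName("Application:Name=Server,Type=Server");

        // Two servers in one JVM: the platform server plus one created by a library or container.
        MBeanServer platform = ManagementFactory.getPlatformMBeanServer();
        MBeanServer extra = MBeanServerFactory.createMBeanServer("demo-domain");
        extra.registerMBean(new ServerInfo(), name);

        int count = MBeanServerFactory.findMBeanServer(null).size();
        System.out.println("MBeanServers in this JVM: " + count);

        MBeanServer owner = findOwner(name);
        if (owner == null) {
            System.out.println("no local MBeanServer has " + name);
        } else {
            System.out.println("owner is the platform server: " + (owner == platform));
            System.out.println("Mode = " + owner.getAttribute(name, "Mode"));
        }

        // Drop the factory's reference to the demo server.
        MBeanServerFactory.releaseMBeanServer(extra);
    }
}
```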
Re: How to get port of a running Tomcat instance
I do not know if this info is helpful... ServletRequest has getServerPort() and getServerName() methods that should give the port and server through which the request came.

Vamsi

On 8/24/07, Brian Barnett [EMAIL PROTECTED] wrote:

Can someone provide a java code snippet showing how to get the port that Tomcat is listening on? Is there a way to access the settings in the server.xml file from within a running instance of Tomcat?

I'm running a Struts-based app on Tomcat 5.5 (multiple Tomcat instances actually) and need to know which port a request just came in on. Ideally, I would like to set an application scope variable at startup, in a plugin class. The plugin class has access to ServletContext and a ModuleConfig object, but I was not able to find a way to get the port through those objects. Maybe I'm missing it. I looked through ServletContext object and could not find it. Could not find access to Catalina's HttpConnector class anywhere.

Thanks,
Brian Barnett
Re: Thawte SSL certificates
Can you send me the certificate(s) you received from the Thawte CA? Maybe I can help. You should be comfortable sending it as there is nothing secret about Certificates. It is only your private-key that should not be transmitted.

Vamsi

On 8/13/07, Lyallex [EMAIL PROTECTED] wrote:

Hi

I was wondering if anyone has managed to get the Thawte SSL test certificate working with Tomcat 5.5. I have created a CSR and submitted it to Thawte. I got a test certificate back. I have installed the Thawte Root(chain) certificate and tried to install the test certificate. I got a CertificateParsingException: invalid DER encoded certificate data.

I think this might have something to do with different encoding schemes. I think the certificate I got was PEM encoded not DER encoded (guess work here). I got hold of openssl and issued the following

openssl x509 -in my_downloaded_cert.txt -out my_downloaded_cert.der

and got the following error

unable to load certificate
1360:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:632:Expecting: TRUSTED CERTIFICATE

I'm sort of lost here really, has anyone got this working ?

Thanks
Duncan