Re: 8443 connector configuration (tomcat9)

2024-06-07 Thread Christopher Schultz

Christoph,

On 6/6/24 08:33, Christoph Kukulies wrote:

I have the following configuration:

HAPROXY  TOMCAT9
https://cms.site.org/  ==>  https://cms.site.org:8443/

Haproxy is passing the https-request through to tomcat.

So far the request seems to arrive on the tomcat side but a secure connection can't be established since the certificate information is missing.

I looked at the server.xml config file, especially into the section:


This will use the file $CATALINA_BASE/conf/localhost-rsa.jks for your key and certificate. Can you confirm that file contains both the key and the certificate? If you use "keytool -list -keystore conf/localhost-rsa.jks" it should show that you have a PrivateKeyEntry. It's a stupid name for "private key AND certificate" instead of "certificate without key".


Please also confirm there is only a single PrivateKeyEntry in there.

I can supply the information where the site.cer and priv.key are located but which protocol to use and what other parameters are required is a closed book to me. Could anyone help?


What you have above should "work" but it's possible haproxy wants to 
trust the origin (Tomcat) server and so it needs the certificate from 
your Tomcat server.


Do you get some kind of error (from haproxy) when trying to connect to 
Tomcat? If so, please post the error.


To extract the cert from the keystore (to give to haproxy for trusting), 
do "keytool -exportcert -keystore conf/localhost-rsa.jks -rfc -alias 
[name of cert]". The "name of cert" can be seen when you do the "-list" 
above. It might just be called "mykey" if you didn't give it a name when 
you imported/created the keystore.


Some unsolicited advice:

1. Use a full path for the certificateKeystoreFile so everyone reading the file knows *exactly* where the file is.


2. Use a PKCS12 file instead of JKS. You can use "keytool 
-importkeystore -deststoretype PKCS12" and other options to convert. 
PKCS12 is a standard and JKS is a weird Java-only thing. Better yet, use 
text-based PEM files and the certificateFile and 
certificateKeystoreFile configuration attributes on . You 
can even put both the key and the cert into the certificateFile and save 
yourself some work. The documentation says this is "NOT RECOMMENDED" but 
I'm not sure why. I don't see any security impact in keeping the key and 
cert in the same file.


3. You should probably set proxyPort and proxyName on the . When Tomcat or your application generates URLs dynamically, it will call HttpServletRequest.getServerName and getServerPort to figure out what the server's name is. Without these two settings, it will probably generate "https://cms.site.com:8443/" which probably won't work for your visitors.


Hope that helps,
-chris
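Added example, not code from the thread or from Tomcat: a small lint over a Tomcat 9 HTTPS Connector that checks the three points above (absolute keystore path, PKCS12 or PEM instead of JKS, proxyName/proxyPort set) plus the basic SSLEnabled/scheme/secure flags. The two connector snippets are constructed; attribute names follow Tomcat's documented Connector/SSLHostConfig/Certificate schema, and the paths under /opt/tomcat/conf and the proxyName/proxyPort values are assumptions.

```python
import xml.etree.ElementTree as ET
from pathlib import PurePosixPath

# Constructed "before": JKS keystore via a relative path, no proxy settings.
WEAK = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true">
  <SSLHostConfig>
    <Certificate certificateKeystoreFile="conf/localhost-rsa.jks"
                 certificateKeystorePassword="changeit" type="RSA"/>
  </SSLHostConfig>
</Connector>"""

# Constructed "after": PEM key + cert with absolute paths (assumed locations),
# and proxyName/proxyPort so generated URLs point at the haproxy front end.
FIXED = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
    SSLEnabled="true" scheme="https" secure="true"
    proxyName="cms.site.org" proxyPort="443">
  <SSLHostConfig>
    <Certificate certificateKeyFile="/opt/tomcat/conf/priv.key"
                 certificateFile="/opt/tomcat/conf/site.cer" type="RSA"/>
  </SSLHostConfig>
</Connector>"""


def lint_connector(xml_text):
    """Return a list of findings; an empty list means the connector looks sane."""
    conn = ET.fromstring(xml_text)
    findings = []
    if conn.get("SSLEnabled", "false").lower() != "true":
        findings.append("SSLEnabled is not true: TLS will not be negotiated")
    if conn.get("scheme") != "https" or conn.get("secure") != "true":
        findings.append("scheme/secure not set for an HTTPS connector")
    if not (conn.get("proxyName") and conn.get("proxyPort")):
        findings.append("proxyName/proxyPort missing: generated URLs will use :8443")
    certs = conn.findall("./SSLHostConfig/Certificate")
    if not certs:
        findings.append("no <Certificate> under <SSLHostConfig>")
    for cert in certs:
        ks = cert.get("certificateKeystoreFile")
        if ks is not None:
            if not PurePosixPath(ks).is_absolute():
                findings.append(f"keystore path is relative: {ks}")
            if ks.lower().endswith(".jks") or cert.get("certificateKeystoreType", "").upper() == "JKS":
                findings.append("JKS keystore: prefer PKCS12 or PEM")
        elif not (cert.get("certificateFile") and cert.get("certificateKeyFile")):
            findings.append("PEM config needs both certificateFile and certificateKeyFile")
    return findings
```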




8443 connector configuration (tomcat9)

2024-06-06 Thread Christoph Kukulies
I have the following configuration:

HAPROXY  TOMCAT9
https://cms.site.org/  ==>  https://cms.site.org:8443/


Haproxy is passing the https-request through to tomcat.

So far the request seems to arrive on the tomcat side but a secure connection can't be established since the certificate information is missing.

I looked at the server.xml config file, especially into the section:


I can supply the information where the site.cer and priv.key are located but which protocol to use and what other parameters are required is a closed book to me. Could anyone help?

Thank you.

--
Christoph


