Re: Problems with SSL configuration

2016-11-15 Thread Mark Thomas
On 16/11/2016 00:47, Steve Willett wrote:
> I am trying to set up a stand-alone Tomcat server (apparently 7.0.53). 
> When I set up a simple Connector on port 8443 (no specified ciphers, and
> a simple sslProtocol="TLS") using a DigiCert Certificate I can connect.
> 
> However, if I test it with QualSys, I get an F rating because of the
> accepted insecure cipher suites.  However, when I try to use "approved"
> suites, the server can't be reached.

Are those "approved" cipher suites supported by the JVM you are using?

This might help:
http://people.apache.org/~markt/dev/TLSInfo.java

As might this:
https://wiki.apache.org/tomcat/Security/Ciphers

Mark


> 
> Connector configuration;
>  protocol="org.apache.coyote.http11.Http11Protocol"
>maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>clientAuth="false" keyAlias="server"
> keystoreFile="/usr/share/tomcat7/conf/QA_YOURSPORTSLEAGUE_COM.jks"
> keystorePass=""
>sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
> 
> />
> 
> When I try to connect to the site with Chrome I get:
> 
> 
>  This site can’t be reached
> 
> *qa.yoursportsleague.com*unexpectedly closed the connection.
> 
> 
> 
> I also have configured it to require SSL:
> 
> 
> 
> 
> Protected Context
> /*
> 
> 
> 
> CONFIDENTIAL
> 
> 
> 
> 
> 
> Any thoughts?
> 
> 


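Mark's question can be answered on the server's own JVM. The following is an added example, not TLSInfo.java and not code from the thread: it compares a comma-separated ciphers value with the suites the running JVM supports and with the key type the server certificate would need. The class name CipherCheck, the shortened sample list and the default key type RSA are assumptions; the post does not say which key type the certificate uses.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;

// Added example (not TLSInfo.java): checks a Connector "ciphers" value against this JVM.
public class CipherCheck {

    // Constructed sample: five names copied from the ciphers attribute quoted in the post.
    // Pass the full attribute value as the first argument to check a real configuration.
    static final String SAMPLE =
        "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,"
      + "TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,"
      + "TLS_EMPTY_RENEGOTIATION_INFO_SCSVF";

    /** Splits the attribute value on commas, trimming whitespace and dropping empty items. */
    static List<String> parse(String attr) {
        List<String> names = new ArrayList<>();
        for (String s : attr.split(",")) {
            String n = s.trim();
            if (!n.isEmpty()) names.add(n);
        }
        return names;
    }

    /** Key type the server certificate must carry for a TLS 1.2-or-earlier suite name. */
    static String requiredKeyType(String suite) {
        int with = suite.indexOf("_WITH_");
        boolean prefixed = suite.startsWith("TLS_") || suite.startsWith("SSL_");
        if (!prefixed || with < 4) return "n/a";            // pseudo-suites, TLS 1.3 names
        String kx = suite.substring(4, with);               // e.g. ECDHE_RSA, DHE_DSS, RSA
        if (kx.endsWith("_anon")) return "none";            // no server authentication
        if (kx.endsWith("_ECDSA") || kx.startsWith("ECDH_")) return "EC";  // static ECDH needs an EC key
        if (kx.startsWith("DH_")) return "DH";              // static DH certificate
        if (kx.endsWith("_DSS")) return "DSA";
        if (kx.equals("RSA") || kx.endsWith("_RSA")) return "RSA";
        return "n/a";
    }

    public static void main(String[] args) throws Exception {
        List<String> configured = parse(args.length > 0 ? args[0] : SAMPLE);
        String keyType = args.length > 1 ? args[1] : "RSA"; // assumption: RSA server key

        SSLContext ctx = SSLContext.getDefault();
        Set<String> supported = new HashSet<>(
            Arrays.asList(ctx.getSupportedSSLParameters().getCipherSuites()));
        Set<String> enabled = new HashSet<>(
            Arrays.asList(ctx.getDefaultSSLParameters().getCipherSuites()));

        System.out.println("Java " + System.getProperty("java.version") + ", protocols "
            + Arrays.toString(ctx.getSupportedSSLParameters().getProtocols()));

        int usable = 0;
        for (String suite : configured) {
            String need = requiredKeyType(suite);
            String status;
            if (!supported.contains(suite)) {
                status = "not known to this JVM";
            } else if (need.equals("n/a")) {
                status = "supported, no certificate key type in the name";
            } else if (need.equals("none")) {
                status = "supported, anonymous (no server authentication)";
            } else if (!need.equals(keyType)) {
                status = "supported, but needs a " + need + " server key";
            } else {
                status = enabled.contains(suite) ? "usable, enabled by default"
                                                 : "usable, not enabled by default";
                usable++;
            }
            System.out.printf("%-48s %s%n", suite, status);
        }
        System.out.println(usable + " of " + configured.size()
            + " configured names match this JVM and a " + keyType + " key");
    }
}
```

Run it with the same java binary that starts Tomcat, passing the ciphers value and the key type as arguments, for example: java CipherCheck "<ciphers value>" RSA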

RE: Problems with SSL configuration

2016-11-15 Thread John.E.Gregg
Enable verbose SSL.

Start Tomcat with -Djavax.net.debug=ssl. That will print a lot of info to 
catalina.out.

You could also do the same thing on the client side if you used a java client, 
or something similar with OpenSSL, curl, etc.



-Original Message-
From: Steve Willett [st...@yoursportsleague.com]
Sent: Tuesday, November 15, 2016 05:48 PM Central Standard Time
To: users@tomcat.apache.org
Subject: Problems with SSL configuration


I am trying to set up a stand-alone Tomcat server (apparently 7.0.53).
When I set up a simple Connector on port 8443 (no specified ciphers, and
a simple sslProtocol="TLS") using a DigiCert Certificate I can connect.

However, if I test it with QualSys, I get an F rating because of the
accepted insecure cipher suites.  However, when I try to use "approved"
suites, the server can't be reached.

Connector configuration;
 

When I try to connect to the site with Chrome I get:


  This site can’t be reached

*qa.yoursportsleague.com* unexpectedly closed the connection.



I also have configured it to require SSL:




Protected Context
/*



CONFIDENTIAL





Any thoughts?


--
*Steve Willett*
YourSportsLeague.com



Problems with SSL configuration

2016-11-15 Thread Steve Willett
I am trying to set up a stand-alone Tomcat server (apparently 7.0.53).  
When I set up a simple Connector on port 8443 (no specified ciphers, and 
a simple sslProtocol="TLS") using a DigiCert Certificate I can connect.


However, if I test it with QualSys, I get an F rating because of the 
accepted insecure cipher suites.  However, when I try to use "approved" 
suites, the server can't be reached.


Connector configuration;
   protocol="org.apache.coyote.http11.Http11Protocol"
   maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
   clientAuth="false" keyAlias="server"
   keystoreFile="/usr/share/tomcat7/conf/QA_YOURSPORTSLEAGUE_COM.jks"
   keystorePass=""
   sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
/>

When I try to connect to the site with Chrome I get:


 This site can’t be reached

*qa.yoursportsleague.com* unexpectedly closed the connection.



I also have configured it to require SSL:




Protected Context
/*



CONFIDENTIAL





Any thoughts?


--
*Steve Willett*
YourSportsLeague.com



Re: Strange problems with SSL support in Tomcat 6

2009-08-26 Thread Markus Meyer

Just for the record:

Many thanks to Martin for helping me off-list. My problem was that I 
had not added the AprLifecycleListener to server.xml.


Lesson learned: do not copy over configuration files from Tomcat 5.5 to 
Tomcat 6 but start with the new ones from Tomcat 6 and insert the 
appropriate directives.



Markus


Markus Meyer schrieb:

Hi,

I have a Debian machine where previously, Tomcat 5.5 was installed 
(using the Tomcat 5.5 Debian package). "uname -a" returns:


Linux server02 2.6.26-2-amd64 #1 SMP Sun Jul 26 20:35:48 UTC 2009 x86_64 
GNU/Linux


Now, for some reason I installed Tomcat 6 by using the binary 
distribution of Tomcat 6.0.20 downloadable from the website (because 
there's no Debian package for Tomcat 6 yet). I copied over the 
configuration files: logging.properties, server.xml, tomcat-users.xml 
and everything works fine except SSL.


The server listens on port 80 for HTTP requests and on port 443 for 
HTTPS requests. With the exact same configuration and certificate file, 
SSL works with Tomcat 5.5 but not with Tomcat 6. Everything else works 
without any flaws.


When I try to access the server using "https://myserver.com/" in 
Firefox, the error code "ssl_error_rx_record_too_long" appears. However, 
no errors are logged at all, although I set everything to ALL in the 
logging.properties file.


I even converted the PKCS12 certificate I use to JKS format but although 
keytool shows the certificate just fine, using the JKS keystore has the 
same effect.


I use the following connector settings in /opt/tomcat6/conf/server.xml:



Tomcat is run as root (for now at least), so permission problems should 
not occur. Of course /opt/tomcat6/conf/cert.p12 exists and is a valid 
certificate.


I would be extremely grateful if someone has an idea on how I could 
attempt to debug this strange problem.


Thanks in advance!

Best regards
Markus

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org






Strange problems with SSL support in Tomcat 6

2009-08-26 Thread Markus Meyer

Hi,

I have a Debian machine where previously, Tomcat 5.5 was installed 
(using the Tomcat 5.5 Debian package). "uname -a" returns:


Linux server02 2.6.26-2-amd64 #1 SMP Sun Jul 26 20:35:48 UTC 2009 x86_64 
GNU/Linux


Now, for some reason I installed Tomcat 6 by using the binary 
distribution of Tomcat 6.0.20 downloadable from the website (because 
there's no Debian package for Tomcat 6 yet). I copied over the 
configuration files: logging.properties, server.xml, tomcat-users.xml 
and everything works fine except SSL.


The server listens on port 80 for HTTP requests and on port 443 for 
HTTPS requests. With the exact same configuration and certificate file, 
SSL works with Tomcat 5.5 but not with Tomcat 6. Everything else works 
without any flaws.


When I try to access the server using "https://myserver.com/" in 
Firefox, the error code "ssl_error_rx_record_too_long" appears. However, 
no errors are logged at all, although I set everything to ALL in the 
logging.properties file.


I even converted the PKCS12 certificate I use to JKS format but although 
keytool shows the certificate just fine, using the JKS keystore has the 
same effect.


I use the following connector settings in /opt/tomcat6/conf/server.xml:



Tomcat is run as root (for now at least), so permission problems should 
not occur. Of course /opt/tomcat6/conf/cert.p12 exists and is a valid 
certificate.


I would be extremely grateful if someone has an idea on how I could 
attempt to debug this strange problem.


Thanks in advance!

Best regards
Markus




Re: Problems with SSL-enabled Tomcat 5.5

2009-03-13 Thread Bhuvanmp

Hi, I am also having the same problem.
java.io.IOException: Alias name aliasName does not identify a key entry.

But I am not able to overcome it. I am using keytool, not openssl. Please
suggest.

Thanks, Bhuvan MP

bajistaman wrote:
> 
> So what you did was to create a new private key, CSR and then just follow
> the instructions from your CA and everything worked?
> 
> Thanks,
> 
> Johann
> 

-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tp12394044p22491455.html
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-10-02 Thread Angel Quintana
:CE:50
SHA1: 1E:11:C1:68:35:5F:BE:5A:8D:F4:07:61:6F:41:BE:92:86:BF:C5:98
***
***
- keytool -list -v -storepass changeit
--

End of message,

Thank you so much,

Angel

- Original Message -
Hello,
setting keyAlias="root" did not change anything. Then I downloaded the
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore.
Unfortunately that does not change my situation: Either Tomcat is
unable to find my alias in the keystore file (if I specify a keyAlias)
or there appears to be a problem with the SSL ciphers or certificate
itself (if I don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are
(see further below):

1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry

at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)

2/without keyAlias directive:
java.net.SocketException: SSL handshake

errorjavax.net.ssl.SSLException: No available certificate or key
corresponds to the SSL cipher suites which are enabled. at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

Any more ideas? Is the problem maybe caused because I am creating a
new keystore and the key of the Verisign-signed certificate is in a
separate file (my colleague deleted the original keystore file)? Are
we screwed now?

Thank you. Any input is greatly appreciated.

Bye,
Werner.


- Original Message - From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

Ok, now it is working, I was missing the root cert.

I generated a script that did all the work:

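# Java tools (javac, java, keytool) come from this JDK
JAVA_HOME=/usr/java/latest
export JAVA_HOME

PATH=$JAVA_HOME/bin:$PATH
export PATH

# Host name used as the prefix of the key and certificate file names
THE_NAME=www.dummy.org
export THE_NAME

# Remove the old keystores
rm /root/.keystore
rm /usr/share/tomcat5/.keystore

# Convert the private key from PEM to unencrypted PKCS#8 DER
openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM \
  -out ${THE_NAME}_key.der -outform DER

# Convert the root, intermediate and server certificates from PEM to DER
openssl x509 -in rootCA_cer.pem -inform PEM -out rootCA_cer.der -outform DER

openssl x509 -in intermediateCA_cer.pem -inform PEM \
  -out intermediateCA_cer.der -outform DER

openssl x509 -in ${THE_NAME}_cer.pem -inform PEM \
  -out ${THE_NAME}_cer.der -outform DER

# Build the chain file: server cert first, then intermediate, then root
cat ${THE_NAME}_cer.der intermediateCA_cer.der rootCA_cer.der > ${THE_NAME}_all_cer.der

# Compile the Java sources in this directory, then run ImportKey on key and chain
javac *.java

java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der

# Install the generated keystore for root and for Tomcat
cp /root/keystore.ImportKey /root/.keystore

cp /root/.keystore /usr/share/tomcat5/.keystore

# List the keystore contents to confirm the import
keytool -keypass changeit -storepass changeit -list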
-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tf4349872.html#a12467259
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

So what you did was to create a new private key, CSR and then just follow the
instructions from your CA and everything worked?

Thanks,

Johann
-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tf4349872.html#a12463871
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread Hassan Schroeder
On 9/3/07, Werner Schalk <[EMAIL PROTECTED]> wrote:

> ... what I ended up doing was buying a new certificate

Your CA wouldn't let you submit a new CSR and re-issue the cert??
That's surprising.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread Werner Schalk

Hi,

I tried with the Intermediate Cert as well but then I had the same problems
(see below). Take a look at the comments on AgentBob's website, one is
mentioning putting all certs together to make this work. At least for me it
didn't and what I ended up doing was buying a new certificate unfortunately.

Please let me know if you have another solution.

Bye,
Werner

- Original Message - 
From: "bajistaman" <[EMAIL PROTECTED]>

To: 
Sent: Monday, September 03, 2007 2:42 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5




I have the same problem as you, Werner, everything looks fine but the
browser is unable to verify the identity of my site. Firefox says:
a) Or the browser doesn't recognize the CA that is supporting the cert.
b) Or the cert is incomplete because of a wrong server configuration.
c) Or the site is pretending to be something that it is not

So still trying to find what is wrong.
BTW, my CA gives an intermediate cert that I didn't use because agentbob's
tip didn't say anything about it. Maybe I need to install as part of the
process just as the CA website says. Did you have to install the
intermediate one?

Thanks,

Johann

--
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tf4349872.html#a12461106

Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

I have the same problem as you, Werner, everything looks fine but the
browser is unable to verify the identity of my site. Firefox says:
a) Or the browser doesn't recognize the CA that is supporting the cert.
b) Or the cert is incomplete because of a wrong server configuration.
c) Or the site is pretending to be something that it is not

So still trying to find what is wrong. 
BTW, my CA gives an intermediate cert that I didn't use because agentbob's
tip didn't say anything about it. Maybe I need to install as part of the
process just as the CA website says. Did you have to install the
intermediate one?

Thanks,

Johann

-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tf4349872.html#a12461106
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Filip Hanik - Dev Lists
I think what is happening in your case is that the SSL handshake fails, 
not even sure if debug turned on would show it. (depending on what 
connector you are running)


try removing the keyAlias (if you have it set) to let java decide on 
what cert in the keystore to use


Filip

Werner Schalk wrote:

Hello,

interestingly it did not work for me in the end. Basically I can import the
certificate and the private key to rebuild the original keystore using
AgentBob's Java code. Fine. Then when restarting Tomcat it does not complain
anymore and everything appears to be fine (Tomcat says something like
"Server started" and no error messages whatsoever). However when connecting
to the SSL-enabled site, there is no error message coming up, but any
browser (IE, Firefox, Konqueror) fails to connect to the site saying that
the certificate is invalid or corrupted (although one can still inspect it
in the cert properties of the respective browser). Any ideas on how to debug
this problem? Tomcat appears to be okay with the cert and the keystore but
SSL is still not working?

@Christian: Did you have the same problem in the end or did it all work for
you?


Bye,
Werner

- Original Message - From: "Filip Hanik - Dev Lists" 
<[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Friday, August 31, 2007 4:27 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, 
here is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip

bajistaman wrote:

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do all over again from Tomcat from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr
#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts -file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file name.cer








Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Werner Schalk

Hello,

interestingly it did not work for me in the end. Basically I can import the
certificate and the private key to rebuild the original keystore using
AgentBob's Java code. Fine. Then when restarting Tomcat it does not complain
anymore and everything appears to be fine (Tomcat says something like
"Server started" and no error messages whatsoever). However when connecting
to the SSL-enabled site, there is no error message coming up, but any
browser (IE, Firefox, Konqueror) fails to connect to the site saying that
the certificate is invalid or corrupted (although one can still inspect it
in the cert properties of the respective browser). Any ideas on how to debug
this problem? Tomcat appears to be okay with the cert and the keystore but
SSL is still not working?

@Christian: Did you have the same problem in the end or did it all work for
you?


Bye,
Werner

- Original Message - 
From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Friday, August 31, 2007 4:27 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, here 
is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip

bajistaman wrote:

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do all over again from Tomcat from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr
#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts -file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file name.cer








Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Filip Hanik - Dev Lists
you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, 
here is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip

bajistaman wrote:

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do all over again from Tomcat from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr 


#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts -file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file name.cer

  






Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread bajistaman

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do all over again from Tomcat from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr 

#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts -file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file name.cer

-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tf4349872.html#a12426259
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Filip Hanik - Dev Lists

aah, now I think we are getting somewhere.
Is this not the keystore that was used to generate the CSR, and also 
contains the private key?
if not, then I don't know how it would work, you still need your private 
key in order to have a working SSL setup, the signed cert is only what 
tomcat sends to the browser, it needs the private key in order to 
decipher the stuff that the browser encrypts using the public key.


so if you deleted the original keystore that was used to create the key, 
then yes, you are screwed, you need to start over, generate another key, 
get another CSR, get another signed cert from verisign etc


Filip

Werner Schalk wrote:

Hello Filip,

thanks a lot for all your support. No, that's something I already tried.
When importing the Verisign root cert in my cacerts file and then importing
the signed cert in my keystore, he seems to be able to build a certificate
chain because I am no longer being asked whether I would like to trust the
certificate. However when using that keystore then in Tomcat (which only
contains my signed cert) I am getting the second error ("No available
certificate or key corresponds to the SSL cipher suites which are enabled.").


Any more ideas?

Bye,
Seb

- Original Message - From: "Filip Hanik - Dev Lists" 
<[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias="root" is not taking into effect, as the 
container complains for not finding one named "tomcat"


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
"tomcat" alias, leave the "root" alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias="root" did not change anything. Then I downloaded the
latest version of Tomcat, added the Verisign cert to my cacerts file and
imported my Verisign-signed SSL certificate into a new keystore.
Unfortunately that does not change my situation: Either Tomcat is unable to
find my alias in the keystore file (if I specify a keyAlias) or there appears
to be a problem with the SSL ciphers or certificate itself (if I don't
specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are
(see further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143) 



2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113) 



Any more ideas? Is the problem maybe caused because I am creating a 
new keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: "Filip Hanik - Dev Lists" 
<[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun
Solaris 10 (Sparc) but it turns out that this appears not to be an easy task.
Hopefully you guys can shed some light on this. Basically I do have a
Verisign-signed SSL certificate which I would like to add to my existing
Tomcat config. Now after spending hours of tweaking the config, I do face two
problems: Either Tomcat is unable to find my alias in the keystore file or
there appears to be a problem with the SSL ciphers or certificate itself.
Hopefully somebody knows what to do, this is giving me a headache for many
hours now.

Here is what I did (steps taken from
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the
Certificate"), please note that I removed IPs, hostnames etc. to protect the
innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keyst

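The difference Filip describes, between a keystore entry that holds the private key and one that holds only the signed certificate, can be reproduced with the JDK alone. This is an added example, not code from the thread or from Tomcat: it uses the JDK's keytool to build one keystore of each kind under the alias tomcat and reports the entry type through the KeyStore API. The class name KeyEntryCheck, the file names, CN=demo.example and the PKCS12 store type are assumptions made for the demonstration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

// Added example: shows why a keystore that only received the signed certificate
// has no key entry under the alias, while the keystore that generated the key does.
public class KeyEntryCheck {

    static final String PASS = "changeit";   // demo password, throwaway keystores only

    /** Runs the keytool shipped with this JDK and fails on a non-zero exit code. */
    static void keytool(String... args) throws Exception {
        List<String> cmd = new ArrayList<>();
        cmd.add(new File(System.getProperty("java.home"), "bin/keytool").getPath());
        cmd.addAll(Arrays.asList(args));
        int rc = new ProcessBuilder(cmd).inheritIO().start().waitFor();
        if (rc != 0) throw new IllegalStateException("keytool exited with " + rc + ": " + cmd);
    }

    /** Loads a PKCS12 keystore protected with the demo password. */
    static KeyStore load(String path) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(path)) {
            ks.load(in, PASS.toCharArray());
        }
        return ks;
    }

    /** Classifies the entry stored under the alias. */
    static String describe(KeyStore ks, String alias) throws Exception {
        if (!ks.containsAlias(alias)) return "no such alias";
        if (ks.isKeyEntry(alias)) {
            Certificate[] chain = ks.getCertificateChain(alias);
            return "key entry (private key present), chain length "
                + (chain == null ? 0 : chain.length);
        }
        // A certificate imported without its private key lands here.
        return "trusted certificate entry, no private key: not a key entry";
    }

    public static void main(String[] args) throws Exception {
        File dir = Files.createTempDirectory("ksdemo").toFile();
        String withKey = new File(dir, "with-key.p12").getPath();
        String certOnly = new File(dir, "cert-only.p12").getPath();
        String cert = new File(dir, "tomcat.cer").getPath();

        // 1. The keystore that generates the key pair: alias "tomcat" holds key + certificate.
        keytool("-genkeypair", "-alias", "tomcat", "-keyalg", "RSA", "-keysize", "2048",
                "-dname", "CN=demo.example", "-validity", "1", "-storetype", "PKCS12",
                "-keystore", withKey, "-storepass", PASS, "-keypass", PASS);

        // 2. Export only the certificate, as a CA reply or a colleague's e-mail would deliver it.
        keytool("-exportcert", "-alias", "tomcat", "-file", cert, "-storetype", "PKCS12",
                "-keystore", withKey, "-storepass", PASS);

        // 3. Import that certificate into a NEW keystore under the same alias.
        keytool("-importcert", "-noprompt", "-alias", "tomcat", "-file", cert,
                "-storetype", "PKCS12", "-keystore", certOnly, "-storepass", PASS);

        for (String path : new String[] {withKey, certOnly}) {
            System.out.println(new File(path).getName() + ": alias tomcat -> "
                + describe(load(path), "tomcat"));
        }
    }
}
```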
Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Werner Schalk

Hello Filip,

thanks a lot for all your support. No, that's something I already tried. 
When importing the Verisign root cert in my cacerts
file and then importing the signed cert in my keystore, he seems to be able 
to build a certificate chain because I am no
longet being asked whether I would like to trust the certificate. However 
when using that keystore then in Tomcat
(which only contains my signed cert) I am getting the second error ("No 
available certificate or key

corresponds to the SSL cipher suites which are enabled.").


Any more ideas?

Bye,
Seb

- Original Message - 
From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias="root" is not taking into effect, as the container 
complains for not finding one named "tomcat"


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
"tomcat" alias, leave the "root" alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias="root" did not change anything. Then I downloaded the 
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is unable 
to find
my alias in the keystore file (if I specify a keyAlias) or there appears 
to be a problem with the SSL ciphers or certificate itself (if I don't 
specify a

keyAlias).

The two error messages I am getting when attempting to start Tomcat are 
(see further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)


2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)


Any more ideas? Is the problem maybe caused because I am creating a new 
keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: "Filip Hanik - Dev Lists" 
<[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a 
Sun Solaris 10 (Sparc) but it turns out that this appears not to be an 
easy task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with the 
SSL ciphers or certificate itself. Hopefully somebody knows what to do, 
this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
Certificate"), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
Inc.", O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


  disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"

  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TL

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Filip Hanik - Dev Lists
looks like the keyAlias="root" is not taking into effect, as the 
container complains for not finding one named "tomcat"


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
"tomcat" alias, leave the "root" alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias="root" did not change anything. Then I downloaded the 
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is 
unable to find
my alias in the keystore file (if I specify a keyAlias) or there 
appears to be a problem with the SSL ciphers or certificate itself (if 
I don't specify a

keyAlias).

The two error messages I am getting when attempting to start Tomcat are 
(see further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143) 



2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113) 



Any more ideas? Is the problem maybe caused because I am creating a 
new keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: "Filip Hanik - Dev Lists" 
<[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on 
a Sun Solaris 10 (Sparc) but it turns out that this appears not to 
be an easy task.
Hopefully you guys can shed some light on this. Basically I do have 
a Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with 
the SSL ciphers or certificate itself. Hopefully somebody knows what 
to do, this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing 
the Certificate"), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, 
OU="VeriSign, Inc.", O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


  disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"

  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143) 

   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE1

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Werner Schalk

Hello,

setting keyAlias="root" did not change anything. Then I downloaded the 
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is unable to 
find
my alias in the keystore file (if I specify a keyAlias) or there appears to 
be a problem with the SSL ciphers or certificate itself (if I don't specify 
a

keyAlias).

The two error messages I am getting when attempting to start Tomcat are (see 
further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)


2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key corresponds 
to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)


Any more ideas? Is the problem maybe caused because I am creating a new 
keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - 
From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>

To: "Tomcat Users List" 
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun 
Solaris 10 (Sparc) but it turns out that this appears not to be an easy 
task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the config, 
I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with the 
SSL ciphers or certificate itself. Hopefully somebody knows what to do, 
this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
Certificate"), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
Inc.", O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


  disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"

  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at 
org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at 
org.apache.

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-29 Thread Filip Hanik - Dev Lists

did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a 
Sun Solaris 10 (Sparc) but it turns out that this appears not to be an 
easy task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with 
the SSL ciphers or certificate itself. Hopefully somebody knows what 
to do, this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
Certificate"), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
Inc.", O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


  disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"

  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143) 

   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109) 

   at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98) 

   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294) 

   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312) 

   at 
org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150) 

   at 
org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
   at 
org.apache.catalina.connector.Connector.start(Connector.java:1089)
   at 
org.apache.catalina.core.StandardService.start(StandardService.java:459)
   at 
org.apache.catalina.core.StandardServer.start(StandardServer.java:709)

   at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39) 

   at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25) 


   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However my keystore DOES contain my two keys (Verisign's key as well 
as my SSL cert):


# keytool -list --keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, 
Inc.", O=VeriSign Trust Network


[...]

***
***

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

***
***

Here is the first problem: Why does my alias "tomcat" not identify a 
key entry in the keystore? It does exist, doesn't it?


5) Now to get around this problem, I removed the "keyAlias" directive 
from the Tomcat config which now looks like this:


  disableUploa

Problems with SSL-enabled Tomcat 5.5

2007-08-29 Thread Werner Schalk

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun 
Solaris 10 (Sparc) but it turns out that this appears not to be an easy 
task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the config, I 
do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with the SSL 
ciphers or certificate itself. Hopefully somebody knows what to do, this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the 
Certificate"), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, 
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", 
O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new keystore 
and SSL cert:


  disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"

  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at 
org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at 
org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
   at 
org.apache.catalina.connector.Connector.start(Connector.java:1089)
   at 
org.apache.catalina.core.StandardService.start(StandardService.java:459)
   at 
org.apache.catalina.core.StandardServer.start(StandardServer.java:709)

   at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at 
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at 
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)

   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However my keystore DOES contain my two keys (Verisign's key as well as my 
SSL cert):


# keytool -list --keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, 
OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", 
O=VeriSign Trust Network


[...]

***
***

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

***
***

Here is the first problem: Why does my alias "tomcat" not identify a key 
entry in the keystore? It does exist, doesn't it?


5) Now to get around this problem, I removed the "keyAlias" directive from 
the Tomcat config which now looks like this:


  disableUploadTimeout="true" acceptCount="100" 
maxKeepAliveRequests="100"

  scheme="h
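
The `keytool -list -v` output in the post above lists both aliases as `trustedCertEntry`, which is a certificate-only entry with no private key. The following added example (not part of the original thread and not Tomcat code) parses such a listing and reports which of the two startup errors quoted in the thread the keystore would produce; the sample listings and the function names are constructed for illustration.

```python
import re

# Constructed sample, abridged to the shape of the `keytool -list -v`
# output quoted in the post: both aliases are certificate-only entries.
LISTING_FROM_POST = """\
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=VeriSign International Server CA - Class 3

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname
"""

# Constructed sample of a keystore whose "tomcat" alias holds a private key.
LISTING_WITH_KEY = """\
Your keystore contains 2 entries

Alias name: root
Entry type: trustedCertEntry

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 2
"""

ALIAS_RE = re.compile(r"^\s*Alias name:\s*(.+?)\s*$")
TYPE_RE = re.compile(r"^\s*Entry type:\s*(\S+)")

# keytool labels a private-key entry "keyEntry" (older JDKs) or
# "PrivateKeyEntry" (newer JDKs); "trustedCertEntry" has no private key.
KEY_ENTRY_TYPES = {"keyentry", "privatekeyentry"}


def parse_entries(listing):
    """Return {alias: entry_type} parsed from `keytool -list -v` text."""
    entries = {}
    alias = None
    for line in listing.splitlines():
        m = ALIAS_RE.match(line)
        if m:
            alias = m.group(1).lower()  # JKS aliases are case-insensitive
            continue
        m = TYPE_RE.match(line)
        if m and alias is not None:
            entries[alias] = m.group(1)
            alias = None
    return entries


def diagnose(listing, key_alias=None):
    """Return (status, explanation) for a Connector using this keystore.

    key_alias mirrors the Connector's keyAlias attribute (None if unset).
    """
    entries = parse_entries(listing)
    with_key = sorted(a for a, t in entries.items()
                      if t.lower() in KEY_ENTRY_TYPES)
    if key_alias is None:
        if with_key:
            return ("ok", "private-key entries present: " + ", ".join(with_key))
        # No private key anywhere: JSSE has nothing to present in the
        # handshake ("No available certificate or key corresponds to the
        # SSL cipher suites which are enabled").
        return ("no_key_entry", "keystore holds certificates only")
    alias = key_alias.lower()
    if alias not in entries:
        return ("alias_missing", "no entry named %r in keystore" % key_alias)
    if alias not in with_key:
        # The alias exists but carries no private key ("Alias name ...
        # does not identify a key entry").
        return ("alias_not_key_entry",
                "%r is a %s, not a private-key entry"
                % (key_alias, entries[alias]))
    return ("ok", "%r holds a private key" % key_alias)


if __name__ == "__main__":
    cases = (
        ("post keystore, keyAlias=tomcat", LISTING_FROM_POST, "tomcat"),
        ("post keystore, no keyAlias", LISTING_FROM_POST, None),
        ("keystore with key, keyAlias=tomcat", LISTING_WITH_KEY, "tomcat"),
    )
    for label, listing, alias in cases:
        print(label, "->", diagnose(listing, alias))
```

A signed certificate becomes part of a private-key entry only when it is imported into the keystore that already holds the matching private key, under that key's alias.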

RE: Problems with SSL

2007-08-09 Thread Henderson,Nathan
It looks like from your first post you may have something wrong in your
server.xml file.
The "protocol="SSL"" in the last line of your Connector tag.  Try
removing that and see if that gets rid of the errors.

Nathan



-Original Message-
From: Dario Hernan [mailto:[EMAIL PROTECTED]]
Sent: Thursday, August 09, 2007 12:55 PM
To: Tomcat Users List
Subject: Re: Problems with SSL

[EMAIL PROTECTED] ~]# java -version
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build
pxi32dev-20070201 (SR4)) IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3
Linux x86-32
j9vmxi3223-20070201 (JIT enabled)
J9VM - 20070131_11312_lHdSMR
JIT  - 20070109_1805ifx1_r8
GC   - 200701_09)
JCL  - 20070126


On 8/9/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> > From: Dario Hernan [mailto:[EMAIL PROTECTED]]
> > Subject: Re: Problems with SSL
> >
> > echo $PATH
> > /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:
> > /sbin:/bin:/usr/sbin:/usr/bin:/root/bin
>
> That tells us nothing.
>
> > echo JAVA_HOME
>
> That should be:
> echo $JAVA_HOME
>
> Also do:
>
> java -version
>
> as previously requested, just to be sure.  You could also try
> deinstalling the GNU version, just to be safe.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE
> PROPRIETARY MATERIAL and is thus for use only by the intended
> recipient. If you received this in error, please contact the sender
> and delete the e-mail and its attachments from all computers.
>
> -
> To start a new topic, e-mail: users@tomcat.apache.org To unsubscribe,
> e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
>




RE: Problems with SSL

2007-08-09 Thread Caldarale, Charles R
> From: Dario Hernan [mailto:[EMAIL PROTECTED] 
> Subject: Re: Problems with SSL
> 
> -Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/t
> omcat5/common/lib
> -Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/t
> omcat5/common/lib

Why do you have that property specified twice?  For that matter, why do
you have it specified at all?

> -classpath /usr/lib/jvm/jre-1.5.0-ibm/lib/tools.jar:
> /usr/share/tomcat5/bin/bootstrap.jar:
> /usr/share/tomcat5/bin/commons-logging-api.jar:
> /usr/share/java/mx4j/mx4j-impl.jar:
> /usr/share/java/mx4j/mx4j-jmx.jar

Typically, the only thing needed on the -classpath is bootstrap.jar; you
certainly don't need tools.jar anymore.  Why are the other jars there?
The MX4J classes are not needed with a true JRE 5 implementation.

 - Chuck





RE: Problems with SSL

2007-08-09 Thread Caldarale, Charles R
> From: Dario Hernan [mailto:[EMAIL PROTECTED] 
> Subject: Re: Problems with SSL
> 
> Yes, I installed it through yum installer, are there difference
> between it and tar file?

Yes, the .tar file works.

 - Chuck





Re: Problems with SSL

2007-08-09 Thread Dario Hernan
Yes, I installed it through yum installer, are there difference
between it and tar file?

On 8/9/07, Hassan Schroeder <[EMAIL PROTECTED]> wrote:
> On 8/9/07, Dario Hernan <[EMAIL PROTECTED]> wrote:
> > I changed the file /etc/bin/dtomcat5 and put there the JAVA_HOME
> > correctly, now when I start the tomcat, it use the correct jvm
>
> That's progress :-)
>
> > But, on the log file appear some errors.
>
> Is this a Tomcat that was bundled with RedHat, as it appears? If so,
> you would save yourself a lot of time (and headaches) by removing it
> and re-installing  via a tar file from the actual Tomcat download site.
>
> --
> Hassan Schroeder  [EMAIL PROTECTED]
>
>
>




Re: Problems with SSL

2007-08-09 Thread Hassan Schroeder
On 8/9/07, Dario Hernan <[EMAIL PROTECTED]> wrote:
> I changed the file /etc/bin/dtomcat5 and put there the JAVA_HOME
> correctly, now when I start the tomcat, it use the correct jvm

That's progress :-)

> But, on the log file appear some errors.

Is this a Tomcat that was bundled with RedHat, as it appears? If so,
you would save yourself a lot of time (and headaches) by removing it
and re-installing  via a tar file from the actual Tomcat download site.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: Problems with SSL

2007-08-09 Thread Dario Hernan
I changed the file /etc/bin/dtomcat5 and put there the JAVA_HOME
correctly, now when I start the tomcat, it use the correct jvm
ps ax |grep tomcat
 9122 ?Sl 0:05 /usr/lib/jvm/jre-1.5.0-ibm/bin/java
-Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/tomcat5/common/lib
-Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/tomcat5/common/lib
-Djava.endorsed.dirs=/usr/share/tomcat5/common/endorsed -classpath
/usr/lib/jvm/jre-1.5.0-ibm/lib/tools.jar:/usr/share/tomcat5/bin/bootstrap.jar:/usr/share/tomcat5/bin/commons-logging-api.jar:/usr/share/java/mx4j/mx4j-impl.jar:/usr/share/java/mx4j/mx4j-jmx.jar
-Dcatalina.base=/usr/share/tomcat5 -Dcatalina.home=/usr/share/tomcat5
-Djava.io.tmpdir=/usr/share/tomcat5/temp
org.apache.catalina.startup.Bootstrap

But, on the log file appear some errors.
I attached the log file.
Thanks for your advice.





On 8/9/07, Dario Hernan <[EMAIL PROTECTED]> wrote:
> [EMAIL PROTECTED] ~]# java -version
> java version "1.5.0"
> Java(TM) 2 Runtime Environment, Standard Edition (build pxi32dev-20070201 
> (SR4))
> IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32
> j9vmxi3223-20070201 (JIT enabled)
> J9VM - 20070131_11312_lHdSMR
> JIT  - 20070109_1805ifx1_r8
> GC   - 200701_09)
> JCL  - 20070126
>
>
> On 8/9/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> > > From: Dario Hernan [mailto:[EMAIL PROTECTED]
> > > Subject: Re: Problems with SSL
> > >
> > > echo $PATH
> > > /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:
> > > /sbin:/bin:/usr/sbin:/usr/bin:/root/bin
> >
> > That tells us nothing.
> >
> > > echo JAVA_HOME
> >
> > That should be:
> > echo $JAVA_HOME
> >
> > Also do:
> >
> > java -version
> >
> > as previously requested, just to be sure.  You could also try
> > deinstalling the GNU version, just to be safe.
> >
> >  - Chuck
> >
> >
> >
> >
>
/etc/profile: line 31: 1: Permission denied
Using CATALINA_BASE:   /usr/share/tomcat5
Using CATALINA_HOME:   /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME:
09-ago-2007 15:29:20 org.apache.coyote.http11.Http11BaseProtocol pause
INFORMACIÓN: Pausing Coyote HTTP/1.1 on http-8081
09-ago-2007 15:29:20 org.apache.catalina.connector.Connector pause
GRAVE: Protocol handler pause failed
java.lang.NullPointerException
at org.apache.catalina.connector.Connector.pause(Connector.java:1032)
at org.apache.catalina.core.StandardService.stop(StandardService.java:489)
at org.apache.catalina.core.StandardServer.stop(StandardServer.java:734)
at org.apache.catalina.startup.Catalina.stop(Catalina.java:602)
at org.apache.catalina.startup.Catalina.start(Catalina.java:577)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:615)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
09-ago-2007 15:29:20 org.apache.catalina.connector.Connector pause
GRAVE: Protocol handler pause failed
java.lang.NullPointerException
at org.apache.jk.server.JkMain.pause(JkMain.java:679)
at org.apache.jk.server.JkCoyoteHandler.pause(JkCoyoteHandler.java:163)
at org.apache.catalina.connector.Connector.pause(Connector.java:1032)
at org.apache.catalina.core.StandardService.stop(StandardService.java:489)
at org.apache.catalina.core.StandardServer.stop(StandardServer.java:734)
at org.apache.catalina.startup.Catalina.stop(Catalina.java:602)
at org.apache.catalina.startup.Catalina.start(Catalina.java:577)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:615)
at org.apache.catalina.startup.Boo

Re: Problems with SSL

2007-08-09 Thread Dario Hernan
[EMAIL PROTECTED] ~]# java -version
java version "1.5.0"
Java(TM) 2 Runtime Environment, Standard Edition (build pxi32dev-20070201 (SR4))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32
j9vmxi3223-20070201 (JIT enabled)
J9VM - 20070131_11312_lHdSMR
JIT  - 20070109_1805ifx1_r8
GC   - 200701_09)
JCL  - 20070126


On 8/9/07, Caldarale, Charles R <[EMAIL PROTECTED]> wrote:
> > From: Dario Hernan [mailto:[EMAIL PROTECTED]
> > Subject: Re: Problems with SSL
> >
> > echo $PATH
> > /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:
> > /sbin:/bin:/usr/sbin:/usr/bin:/root/bin
>
> That tells us nothing.
>
> > echo JAVA_HOME
>
> That should be:
> echo $JAVA_HOME
>
> Also do:
>
> java -version
>
> as previously requested, just to be sure.  You could also try
> deinstalling the GNU version, just to be safe.
>
>  - Chuck
>
>




RE: Problems with SSL

2007-08-09 Thread Caldarale, Charles R
> From: Dario Hernan [mailto:[EMAIL PROTECTED] 
> Subject: Re: Problems with SSL
> 
> echo $PATH
> /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:
> /sbin:/bin:/usr/sbin:/usr/bin:/root/bin

That tells us nothing.

> echo JAVA_HOME

That should be:
echo $JAVA_HOME

Also do:

java -version

as previously requested, just to be sure.  You could also try
deinstalling the GNU version, just to be safe.

 - Chuck


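The checks requested in this thread (what JAVA_HOME is set to, and which runtime `java -version` reports), collected into one script as an added example; it is not code from any poster or from the Tomcat project. The function names are assumptions, and JAVA_HOME is assumed to name the install directory that contains `bin/java`, not the launcher itself.

```shell
#!/bin/sh
# Added example: report which Java runtime Tomcat would be started with.

# classify_jvm: read `java -version` output on stdin, print the runtime family.
classify_jvm() {
    case "$(cat)" in
        *gcj*|*gij*) echo gcj ;;       # GNU runtime (gnu.gcj.* class loaders)
        *"IBM J9"*)  echo ibm-j9 ;;
        *HotSpot*)   echo hotspot ;;   # Sun JDK
        *)           echo unknown ;;
    esac
}

# conf_java_home: print the JAVA_HOME assigned in a shell-style config file
# such as tomcat5.conf (last assignment wins, quotes stripped).
conf_java_home() {
    sed -n 's/^[[:space:]]*JAVA_HOME=//p' "$1" | tail -n 1 | tr -d "\"'"
}

# check_java_home: print a verdict for one JAVA_HOME value; status 0 only if usable.
check_java_home() {
    home=$1
    if [ -z "$home" ]; then echo unset; return 1; fi
    case "$home" in
        */bin/java) echo points-at-launcher; return 1 ;;
    esac
    if [ ! -x "$home/bin/java" ]; then echo no-launcher; return 1; fi
    echo ok
}

# jvm_report: optional argument is the path of Tomcat's config file.
jvm_report() {
    echo "JAVA_HOME (environment): $(check_java_home "${JAVA_HOME:-}")"
    if [ -n "${1:-}" ] && [ -r "$1" ]; then
        echo "JAVA_HOME ($1): $(check_java_home "$(conf_java_home "$1")")"
    fi
    if command -v java >/dev/null 2>&1; then
        echo "java on PATH: $(java -version 2>&1 | classify_jvm)"
    else
        echo "java on PATH: not found"
    fi
}

jvm_report "${1:-}"
```

Pass the path of the Tomcat config file as the first argument to check the JAVA_HOME assigned there as well as the one in the environment.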



Re: Problems with SSL

2007-08-09 Thread Dario Hernan
This is the output of the PATH
echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

And the JAVA_HOME
echo JAVA_HOME
JAVA_HOME

JAVA_HOME is not set and there is nothing about java in the PATH,
but in the tomcat5.conf I have this line:
JAVA_HOME="/usr/lib/jvm/jre-1.5.0-ibm/bin/java"
Is it possible that tomcat is taking the java config from another site?



On 8/9/07, Hassan Schroeder <[EMAIL PROTECTED]> wrote:
> On 8/9/07, Dario Hernan <[EMAIL PROTECTED]> wrote:
> > I'm using the IBM JDK on RedHat Enterprise Linux 5
>
> You might /want/ to, but your error message says otherwise :-)
>
> Check your JAVA_HOME and PATH statements; or run `java -version`
> and see what you get.
>
> --
> Hassan Schroeder  [EMAIL PROTECTED]
>



Re: Problems with SSL

2007-08-09 Thread Hassan Schroeder
On 8/9/07, Dario Hernan <[EMAIL PROTECTED]> wrote:
> I'm using the IBM JDK on RedHat Enterprise Linux 5

You might /want/ to, but your error message says otherwise :-)

Check your JAVA_HOME and PATH statements; or run `java -version`
and see what you get.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: Problems with SSL

2007-08-09 Thread Dario Hernan
I'm using the IBM JDK on RedHat Enterprise Linux 5


On 8/9/07, Peter Crowther <[EMAIL PROTECTED]> wrote:
> > From: Dario Hernan [mailto:[EMAIL PROTECTED]
> > java.lang.ClassNotFoundException: SSL not found in
> [...]
> > parent=gnu.gcj.runtime.SystemClassLoader
>
> Install and use the Sun JDK, not Gnu.  As I recall, the Gnu
> implementation doesn't contain the Sun SSL classes that Tomcat expects.
>
> - Peter
>



RE: Problems with SSL

2007-08-09 Thread Peter Crowther
> From: Dario Hernan [mailto:[EMAIL PROTECTED] 
> java.lang.ClassNotFoundException: SSL not found in
[...]
> parent=gnu.gcj.runtime.SystemClassLoader

Install and use the Sun JDK, not Gnu.  As I recall, the Gnu
implementation doesn't contain the Sun SSL classes that Tomcat expects.

- Peter




Problems with SSL

2007-08-09 Thread Dario Hernan
Hi all, I'm trying to configure Tomcat5 with SSL support. I generated the
.keystore file and changed my server.xml file with this

When I start the tomcat service I get this error:
SEVERE: Falló la instanciación del manejador de protocolo:
java.lang.ClassNotFoundException: SSL not found in
org.apache.catina.loader.StandardClassLoader{urls=[file:/var/lib/tomcat5/server/classes/,file:/usr/share/java/tomcat5/tomcat-util-5.5.23.jar,file:/usr/share/java/jakarta-commons-digester-1.7.jar,file:/usr/share/java/libgcj-4.1.1.jar,file:/usr/share/java/tomcat5/tomcat-jkstatus-ant-5.5.23.jar,file:/usr/share/java/tomcat5/catalina-storeconfig-5.5.23.jar,file:/usr/share/java/tomcat5/catalina-5.5.23.jar,file:/usr/share/java/tomcat5/tomcat-http-5.5.23.jar,file:/usr/share/java/mx4j/mx4j-3.0.1.jar,file:/usr/share/java/catalina-ant-5.5.23.jar,file:/usr/share/java/jakarta-commons-logging-1.0.4.jar,file:/usr/share/java/tomcat5/tomcat-ajp-5.5.23.jar,file:/usr/share/java/tomcat5/servlets-webdav-5.5.23.jar,file:/usr/share/java/tomcat5/catalina-ant-jmx-5.5.23.jar,file:/usr/share/eclipse/plugins/org.eclipse.jdt.core_3.2.1.v_677_R32x.jar,file:/usr/share/java/jakarta-commons-beanutils-1.7.0.jar,file:/usr/share/java/regexp-1.4.jar,file:/usr/share/java/tomcat5/catalina-optional-5.5.23.jar,file:/usr/share/java/tomcat5/catalina-cluster-5.5.23.jar,file:/usr/share/java/tomcat5/servlets-invoker-5.5.23.jar,file:/usr/share/java/jakarta-commons-el-1.0.jar,file:/usr/share/java/tomcat5/servlets-default-5.5.23.jar,file:/usr/share/java/jakarta-commons-modeler-1.1.jar,file:/usr/share/java/tomcat5/tomcat-coyote-5.5.23.jar,file:/usr/share/java/tomcat5/tomcat-apr-5.5.23.jar,file:/usr/share/java/jakarta-commons-fileupload-1.0.jar],
parent=org.apache.catalina.loader.StandardClassLoader{urls=[file:/var/lib/tomcat5/common/classes/,file:/var/lib/tomcat5/common/i18n/tomcat-i18n-ja.jar,file:/var/lib/tomcat5/common/i18n/tomcat-i18n-fr.jar,file:/var/lib/tomcat5/common/i18n/tomcat-i18n-en.jar,file:/var/lib/tomcat5/common/i18n/tomcat-i18n-es.jar,file:/usr/share/java/xml-commons-apis-1.3.02.jar,file:/usr/share/java/xerces-j2-2.7.1.jar,file:/usr/share/java/jakarta-commons-logging-api-1.0.4.jar,file:/usr/share/java/geronimo/spec-jta-1.0.1B-rc2.jar,file:/usr/share/java/mx4j/mx4j-3.0.1.jar,file:/usr/share/java/jakarta-commons-pool-1.3.jar,file:/usr/share/java/jasper5-compiler-5.5.23.jar,file:/usr/share/java/libgcj-4.1.1.jar,file:/usr/share/java/jakarta-commons-collections-3.1.jar,file:/usr/share/eclipse/plugins/org.eclipse.jdt.core_3.2.1.v_677_R32x.jar,file:/usr/share/java/jakarta-commons-dbcp-1.2.1.jar,file:/usr/share/java/tomcat5-servlet-2.4-api-5.5.23.jar,file:/usr/share/java/ant-1.6.5.jar,file:/usr/share/java/libgcj-4.1.1.jar,file:/usr/share/java/jasper5-runtime-5.5.23.jar,file:/usr/share/java/classpathx-jaf-1.0.jar,file:/usr/share/java/tomcat5-jsp-2.0-api-5.5.23.jar,file:/usr/share/java/tomcat5/naming-resources-5.5.23.jar,file:/usr/share/java/jakarta-commons-el-1.0.jar,file:/usr/share/java/tomcat5/naming-factory-5.5.23.jar,file:/usr/share/java/classpathx-mail-1.3.1-monolithic-1.1.1.jar],
parent=gnu.gcj.runtime.SystemClassLoader{urls=[file:/usr/lib/jvm/java/lib/tools.jar,file:/usr/share/tomcat5/bin/bootstrap.jar,file:/usr/share/tomcat5/bin/commons-logging-api.jar,file:/usr/share/java/mx4j/mx4j-impl.jar,file:/usr/share/java/mx4j/mx4j-jmx.jar],
parent=gnu.gcj.runtime.ExtensionClassLoader{urls=[], parent=null
9-ago-07 11:19:15  org.apache.catalina.core.AprLifecycleListener lifecycleEvent

SEVERE: Error registering connector
java.lang.NullPointerException

SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Falló el
arranque del manejador de protocolo: java.lang.NullPointerExcepion
   at org.apache.catalina.connector.Connector.start(catalina-5.5.23.jar.sorx9303.so)
   at org.apache.catalina.core.StandardService.start(catalina-5.5.23.jar.sorx9303.so)
   at org.apache.catalina.core.StandardServer.start(catalina-5.5.23.jar.sorx9303.so)
   at org.apache.catalina.startup.Catalina.start(catalina-5.5.23.jar.sorx9303.so)
   at java.lang.reflect.Method.invoke(libgcj.so.7rh)
   at org.apache.catalina.startup.Bootstrap.start(bootstrap.jar.so)
   at org.apache.catalina.startup.Bootstrap.main(bootstrap.jar.so)
9-ago-07 11:19:18  org.apache.catalina.startup.Catalina start
INFO: Server startup in 2820 ms

Can anyone help me?
Thanks in advance
Dario
