Re: Change Default SSL port on Tomcat
From: Pid * p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, December 16, 2011 10:59:02 AM
Subject: Re: Change Default SSL port on Tomcat

> On 16 Dec 2011, at 03:28, Blaxton blaxx...@yahoo.com wrote:
>
>> Hi
>>
>> Apache 2.2 is connected to Tomcat 6.0.29 through mod_jk and all works fine.
>> I uncommented <Connector port="8443" ... /> and, by adding the required
>> fields in web.xml, accessing secured pages would be forwarded to https
>> with port 8443, but when I change the port from 8443 to 443, for the same
>> URL that was working with 8443 I get "Secure Connection Failed".
>> Is there anything else I need to do to change the default SSL port?
>>
>> I did the following steps to change the SSL port from the Tomcat default
>> to 443 but got
>>
>> 1- Generated /root/.keystore with the following command:
>>    %JAVA_HOME%\bin\keytool -genkey -alias tomcat -keyalg RSA
>> 2- then uncommented the following lines in server.xml:
>>    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>>               maxThreads="150" scheme="https" secure="true"
>>               clientAuth="false" sslProtocol="TLS" />
>
> Did you add the keystore to the connector?
>
> p
>
>> 3- <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
>> 4- restarted tomcat
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>> For additional commands, e-mail: users-h...@tomcat.apache.org

Yes, I did add the keystore to the connector as well and it didn't work either.
As a matter of fact I followed the following link step by step:
http://techtracer.com/2007/09/12/setting-up-ssl-on-tomcat-in-3-easy-steps/

With the keystore placed in the Connector, I get the following error in the browser:

  SSL received a record that exceeded the maximum permissible length.
  (Error code: ssl_error_rx_record_too_long)

and nothing shows up in mod_jk.log.

With no keystore and the default port 8443 in all Connectors, either AJP or SSL port, everything is working fine, and I get the certificate from the secured page and am forwarded to https, but as soon as I change the AJP Connector redirectPort to 443, I get the following error in the mod_jk.log file:

  Secure Connection Failed
  An error occurred during a connection to mydomain.com.
  Peer's certificate has an invalid signature.

With the following config:

  <Connector port="8443" ... />
and
  <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />

the following error shows up in the mod_jk.log file:

  connecting to back end failed. Tomcat is probably not started or is listening on the wrong port (errno=61)

Again, and finally, with

  <Connector port="8443" ... />
and
  <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

everything works fine and I will be forwarded to secure http with no problem.

I think this has to do with mod_jk; it is mod_jk that cannot connect to port 443 when the default port is changed to 443. To make sure, I added the required JkMount /* to vhost1_httpd.conf for port 443 as well.

One question: according to the following URL:

  To define a Java (JSSE) connector, regardless of whether the APR library is loaded or not, do:

I need to have one of the following in the server.xml file:

  <!-- Define a blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector protocol="org.apache.coyote.http11.Http11Protocol"
             port="8443" .../>

  <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
             port="8443" .../>

I added the following lines to server.xml:

  <!-- Define a non-blocking Java SSL Coyote HTTP/1.1 Connector on port 8443 -->
  <Connector protocol="org.apache.coyote.http11.Http11NioProtocol" port="8443" />

but this time the browser shows "The connection was interrupted" and nothing shows up in mod_jk.log.
Re: Change Default SSL port on Tomcat
On 16/12/2011 08:47, Blaxton wrote:
> [...]
>
> Yes, I did add the keystore to the connector as well and it didn't work either.
> [...]

Sorry, I read this on my phone, I missed the first bit.

If you're using mod_jk/AJP then you do the SSL decoding before sending traffic to Tomcat.

  HTTPD:80  --> Tomcat:8009
  HTTPD:443 -->

You should configure SSL on HTTPD instead.


p

-- 

[key:62590808]
Re: Change Default SSL port on Tomcat
From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, December 16, 2011 12:35:24 PM
Subject: Re: Change Default SSL port on Tomcat

> On 16/12/2011 08:47, Blaxton wrote:
>> [...]
>
> [...]
>
> If you're using mod_jk/AJP then you do the SSL decoding before sending traffic to Tomcat.
>
>   HTTPD:80  --> Tomcat:8009
>   HTTPD:443 -->
>
> You should configure SSL on HTTPD instead.
>
> p

Then how does the default 8443 work fine with the same URL?

The following is set in vhost1_httpd.conf:

  JkMount /app1/* worker1

so all URLs containing /app1/ should be forwarded to Tomcat to be processed regardless of the port, and that is what is happening when redirectPort="8443" is set in the AJP Connector: accessing http://www.mydomain.com/app1/securelocation/ will be redirected to https://mydomain.com:8443/app1/securelocation/. But as soon as the redirectPort is changed in the AJP Connector to 443, it won't work.

Unless we assume port 8443 will be processed by Tomcat but port 443 should be processed by Apache!
Re: Change Default SSL port on Tomcat
From: Pid p...@pidster.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, December 16, 2011 12:35:24 PM
Subject: Re: Change Default SSL port on Tomcat

> On 16/12/2011 08:47, Blaxton wrote:
>> [...]
>
> [...]
>
> You should configure SSL on HTTPD instead.
>
> p

Thank you pid, I looked in Catalina.out and found a "443 port is already in use" error, and I had Listen 443 in Apache, so I removed it and now Tomcat comes up and all is good.

I am not sure if it is better to serve SSL and HTTPS through Tomcat or Apache?
Re: Change Default SSL port on Tomcat
> [...]
>
> I am not sure if it is better to serve SSL and HTTPS through Tomcat or Apache

So your plan is to serve normal traffic via HTTPD, mod_jk but send the SSL traffic straight to Tomcat?

That would be, erm, unusual.


p
Re: Change Default SSL port on Tomcat
Pid * wrote:
>> [...]
>>
>> I am not sure if it is better to serve SSL and HTTPS through Tomcat or Apache
>
> So your plan is to serve normal traffic via HTTPD, mod_jk but send the SSL traffic straight to Tomcat?
>
> That would be, erm, unusual.

Yes, there is something in that whole explanation which didn't sound quite right.

To the Original Poster, if this wasn't clear yet: the AJP protocol does not support SSL connections.

In other words, if your connection schema is:

  browser --(1)-- Apache + mod_jk      --(2)-- AJP Connector on port 8009 + Tomcat
                  (or mod_proxy_ajp)

then (2) cannot be an HTTPS connection.

The normal thing is to have (1) be an HTTPS connection, which ends at the Apache level. Then mod_jk (or mod_proxy_ajp) forwards the requests to Tomcat via (2), but that is an AJP protocol connection, which is not encrypted. It can forward the original SSL headers, so that Tomcat can have a look at them, but that's it.

Most likely, when you are establishing an HTTPS connection between the browser and Tomcat, it goes around Apache httpd, directly to Tomcat, like this:

  browser --(1)-- HTTPS Connector + Tomcat

  Apache + mod_jk (totally unaware of what's going on now)

Maybe you are just unaware of this because both Apache httpd and Tomcat are running on the same host, so have the same hostname and IP address, with just the port being different.
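A small checker for the two configuration mistakes this thread turns on (httpd and Tomcat both trying to bind port 443, and an SSL-enabled Tomcat connector sitting behind mod_jk where TLS should terminate in httpd, as Pid and André describe). This is an added example, not code from the thread or from either project; the server.xml and httpd.conf snippets inside are constructed, and the checks are an assumption about what a consistent layout looks like.

```python
import re
import xml.etree.ElementTree as ET

# Constructed server.xml in the shape the thread ends up with: the SSL
# connector moved to 443 and the AJP connector redirecting there.
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150"
               scheme="https" secure="true" clientAuth="false" sslProtocol="TLS"
               keystoreFile="/root/.keystore" keystorePass="changeit" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>"""

# Constructed server.xml for the layout Pid and Andre describe: Tomcat keeps
# only plain HTTP and AJP, and the redirect target 443 is httpd's TLS listener.
SERVER_XML_FIXED = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
  </Service>
</Server>"""

# Constructed httpd.conf fragment: httpd binds 443 itself and mounts /app1 via mod_jk.
HTTPD_CONF = """Listen 80
Listen 443
<VirtualHost *:443>
    SSLEngine on
    JkMount /app1/* worker1
</VirtualHost>"""

def tomcat_connectors(server_xml):
    """Port, protocol, SSL flag and redirectPort of every <Connector> in server.xml."""
    conns = []
    for c in ET.fromstring(server_xml).iter("Connector"):
        conns.append({
            "port": int(c.get("port")),
            "protocol": c.get("protocol", "HTTP/1.1"),
            "ssl": c.get("SSLEnabled", "false").lower() == "true",
            "redirectPort": int(c.get("redirectPort")) if c.get("redirectPort") else None,
        })
    return conns

def httpd_listen_ports(httpd_conf):
    """Ports from Listen directives; 'Listen 443' and 'Listen 10.0.0.1:443' both count."""
    return {int(m.group(1)) for m in
            re.finditer(r"^\s*Listen\s+(?:\S*?:)?(\d+)", httpd_conf, re.M)}

def check(server_xml, httpd_conf):
    """Return problem descriptions; an empty list means the two configs agree."""
    conns = tomcat_connectors(server_xml)
    listen = httpd_listen_ports(httpd_conf)
    listeners = {c["port"] for c in conns} | listen
    uses_ajp = any(c["protocol"].startswith("AJP") for c in conns)
    findings = []
    for c in conns:
        if c["port"] in listen:  # the OP's "443 port is already in use" in Catalina.out
            findings.append(f"port {c['port']}: both httpd (Listen) and a Tomcat Connector bind it")
        if c["ssl"] and uses_ajp:  # TLS belongs in httpd when mod_jk/AJP is in front
            findings.append(f"port {c['port']}: SSLEnabled connector alongside AJP; terminate TLS in httpd")
        if c["redirectPort"] is not None and c["redirectPort"] not in listeners:
            findings.append(f"port {c['port']}: redirectPort {c['redirectPort']} has no listener")
    return findings
```

Run `check(SERVER_XML, HTTPD_CONF)` to see both problems reported against port 443, and `check(SERVER_XML_FIXED, HTTPD_CONF)` to confirm the httpd-terminated layout is clean.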
Re: Change Default SSL port on Tomcat
From: André Warnier a...@ice-sa.com
To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, December 16, 2011 10:34:24 PM
Subject: Re: Change Default SSL port on Tomcat

> [...]
>
> Maybe you are just unaware of this because both Apache httpd and Tomcat are running on the same host, so have the same hostname and IP address, with just the port being different.

Thank you for the tip. That's a good point.