Re: HTTPS setup

2006-03-16 Thread Julie McCabe
Hello,

Thanks for the advice - I've tried various permutations of trying to use an 
existing CA-signed X509 certificate to enable SSL with Tomcat. From reading 
various mailing lists it appears this is a frequent problem but one that many 
people have solved using the solutions I have tried - perhaps I'm missing 
something? My environment is Java 1.5.0_06, Tomcat 5.5.12, Fedora Core 4; my 
certificate is signed by the eScience CA in the UK.

Here are my findings ... 

Splitting the p12 file into a crt and key: 
In the conf/server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   SSLEngine="on"
   SSLCertificateFile="certificate.crt"
   SSLCertificateKeyFile="certificate.key"
   SSLPassword="pass" />

Error message splitting the p12 file into crt and key:
java.io.FileNotFoundException: /home/jm/.keystore (No such file or directory)
        at java.io.FileInputStream.open(Native Method)
        at java.io.FileInputStream.<init>(FileInputStream.java:106)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
        ...
It appears that Tomcat 5.5.12 is ignoring my configuration of the https 
connector and looking for the default JKS keystore - which I hadn't created - 
therefore I created the keystore, adding a self-signed certificate, and yes it 
enabled an https connection, but not using the intended certificates, so 
effectively this does not work either.


Using the p12 file as the keystore:
In conf/server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreType="PKCS12"
   keystoreFile=".p12" keystorePass="pass" />

Error message using p12 file as keystore:
Could not establish an encrypted connection because certificate presented by 
localhost  is invalid or corrupted. Error Code: -8101
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: Netscape cert type does not permit 
use for SSL server

Finally, adding my p12 CA signed certificate programmatically into a JKS 
keystore with the root CA certificate added as: 
keytool -import -keystore my.keystore -storepass pass -alias eScienceRoot -file /downloads/cacert.crt

In the conf/server.xml
<Connector port="8443" maxHttpHeaderSize="8192"
   maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
   enableLookups="false" disableUploadTimeout="true"
   acceptCount="100" scheme="https" secure="true"
   clientAuth="false" sslProtocol="TLS"
   keystoreFile="/home/jm/jm.keystore" keystorePass="pass" />

Error message from adding p12 into a JKS keystore:
Could not establish an encrypted connection because certificate presented by 
localhost  is invalid or corrupted. Error Code: -8101
javax.net.ssl.SSLHandshakeException: 
sun.security.validator.ValidatorException: Netscape cert type does not permit 
use for SSL server


Thanks,
Julie.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
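As an added example (not from the thread or from the Tomcat project), a stdlib-only Python check for the condition behind the "Netscape cert type does not permit use for SSL server" error above: it walks a DER certificate to the nsCertType extension (OID 2.16.840.1.113730.1.1) and reports which usages the extension grants. The sample input built by `sample_extensions` is a constructed Extensions block, not a real certificate; `pem_to_der` loads a real one.

```python
"""nsCertType check behind JSSE's "Netscape cert type does not permit use for SSL server" (stdlib only)."""
import base64

NS_CERT_TYPE_OID = "2.16.840.1.113730.1.1"
# Bit positions (MSB first) defined by Netscape's certificate extension spec.
NS_CERT_TYPE_BITS = {0: "client", 1: "server", 2: "email", 3: "objsign",
                     5: "sslCA", 6: "emailCA", 7: "objCA"}

def der_read(buf, pos):  # one DER TLV at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):  # (tag, value) pairs of the TLVs packed inside a constructed value
    out, pos = [], 0
    while pos < len(value):
        tag, child, pos = der_read(value, pos)
        out.append((tag, child))
    return out

def decode_oid(value):  # dotted form of a DER OBJECT IDENTIFIER value
    arcs, acc = [str(value[0] // 40), str(value[0] % 40)], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:                     # high bit clear ends a base-128 arc
            arcs.append(str(acc)); acc = 0
    return ".".join(arcs)

def ns_cert_type_usages(der):
    """Usage names granted by nsCertType, or None if absent; accepts a whole DER
    certificate or a bare Extensions block (depth-first walk of constructed values)."""
    stack = [der]
    while stack:
        kids = der_children(stack.pop())
        if (len(kids) >= 2 and kids[0][0] == 0x06 and kids[-1][0] == 0x04
                and decode_oid(kids[0][1]) == NS_CERT_TYPE_OID):
            tag, bits, _ = der_read(kids[-1][1], 0)    # OCTET STRING wraps a BIT STRING
            byte = bits[1] if tag == 0x03 and len(bits) > 1 else 0  # bits[0]: unused-bit count
            return {name for bit, name in NS_CERT_TYPE_BITS.items() if byte & (0x80 >> bit)}
        stack.extend(v for t, v in kids if t & 0x20)   # descend into constructed values only
    return None

def permits_ssl_server(der):  # the nsCertType part of what JSSE's validator requires
    usages = ns_cert_type_usages(der)
    return usages is None or "server" in usages

def pem_to_der(pem_text):  # DER bytes of the first CERTIFICATE block in a PEM file
    body = pem_text.split("-----BEGIN CERTIFICATE-----", 1)[1].split("-----END", 1)[0]
    return base64.b64decode("".join(body.split()))

def sample_extensions(ns_cert_type_byte, unused_bits):
    """Constructed test input, not a real certificate: a [3] Extensions block
    carrying only an nsCertType extension with the given BIT STRING."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body        # short-form lengths suffice
    oid = tlv(0x06, bytes.fromhex("6086480186F8420101"))          # 2.16.840.1.113730.1.1
    ext = tlv(0x30, oid + tlv(0x04, tlv(0x03, bytes([unused_bits, ns_cert_type_byte]))))
    return tlv(0xA3, tlv(0x30, ext))
```

A personal certificate issued with only the client and email bits set is exactly the case JSSE rejects; a certificate without the extension at all passes this particular check.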



Re: HTTPS setup

2006-03-16 Thread Markus Schönhaber
Julie McCabe wrote:
 Thanks for the advice - I've tried various permutations of trying to use an
 existing CA-signed X509 certificate to enable SSL with Tomcat. From
 reading various mailing lists it appears this is a frequent problem but one
 that many people have solved using the solutions I have tried - perhaps I'm
 missing something? My environment is Java 1.5.0_06, Tomcat 5.5.12, Fedora
 Core 4; my certificate is signed by the eScience CA in the UK.

 Here are my findings ...

 Splitting the p12 file into a crt and key:
 In the conf/server.xml
 <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    SSLEngine="on"
    SSLCertificateFile="certificate.crt"
    SSLCertificateKeyFile="certificate.key"
    SSLPassword="pass" />

 Error message splitting the p12 file into crt and key:
 java.io.FileNotFoundException: /home/jm/.keystore (No such file or directory)
         at java.io.FileInputStream.open(Native Method)
         at java.io.FileInputStream.<init>(FileInputStream.java:106)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:279)
         ...
 It appears that Tomcat 5.5.12 is ignoring my configuration of the https
 connector and looking for the default JKS keystore - which I hadn't created
 - therefore I created the keystore, adding a self-signed certificate, and yes
 it enabled an https connection, but not using the intended certificates, so
 effectively this does not work either.

If you want your HTTPS Connector to use the configuration above, you need to use 
APR (i.e. copy libtcnative-1.so to some directory where Tomcat can find it).
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

Regards
  mks




Re: HTTPS setup

2006-03-16 Thread Markus Schönhaber
Julie McCabe wrote:
 Hello,

 Thanks for that ... I installed APR but also needed a certificate which
 included the Netscape cert type set to SSL Server. 

?

 Incidentally, I tried
 the other 2 methods with the new certificate but they failed - I have to
 set this up in Windows also - I probably need a non-SSL-based HTTPS
 enabled connector for Windows?

You can use APR with Windows too. AFAIR the Tomcat installer for Windows can 
download a pre-compiled tcnative-1.dll during the installation process. If 
not, sources and binaries for different platforms are available here:
http://tomcat.heanet.ie/native

Regards
  mks




Re: HTTPS setup

2006-03-15 Thread Julie McCabe
Hi,

I have a CA-signed p12 file from which I can extract both a certificate and 
key in PEM format - I found some info (http://www.junlu.com/msg/85393.html) 
which states that you can use a p12 file as a keystore in Tomcat by adding 
the following into the conf/server.xml file:

 <Connector port="8443" maxHttpHeaderSize="8192"
    maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
    enableLookups="false" disableUploadTimeout="true"
    acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
    keystoreFile="file.p12" keystorePass="somePass" />


When I tried this it failed with the error message:

Mar 15, 2006 11:06:50 AM org.apache.tomcat.util.net.puretls.PureTLSSocketFactory init
INFO: Error initializing SocketFactory
java.io.IOException: Couldn't find private key in this file
        at COM.claymoresystems.ptls.SSLContext.loadEAYKeyFile(SSLContext.java:242)
        at COM.claymoresystems.ptls.SSLContext.loadEAYKeyFile(SSLContext.java:201)
        at org.apache.tomcat.util.net.puretls.PureTLSSocketFactory.init(PureTLSSocketFactory.java:134)
        at org.apache.tomcat.util.net.puretls.PureTLSSocketFactory.createSocket(PureTLSSocketFactory.java:69)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Mar 15, 2006 11:06:50 AM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint


I'm not sure what to do - I would appreciate some help.

Env: Tomcat 5.5.12. Java 1.5.0_06, Fedora 4.

Thanks,
Julie.



On Wednesday 08 March 2006 20:01, Dhaval Patel wrote:
 Hi,

   As I have told you before, those instructions are not working as expected
 against authority-signed (not self-signed) certificates.

   You might have to go through mail-archive of tomcat users list to find
 more ways to solve this. I am sure there is a solution for this.

   Tomcat gurus, please help !!!

 Regards,
 D

 --- Julie McCabe [EMAIL PROTECTED] wrote:
  Hello,
 
  Thanks for the advice, I had installed the APR as Tomcat was failing to
  shut down in Windows without it.
 
  Since my overall objective is to use an existing X509 certificate signed
  by an academic CA (not Verisign or Thawte) I decided to try the openssl.
  I followed the steps outlined in
  http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
 
  I have an existing p12 file which is split into a key and a certificate,
  I only performed the
  openssl rsa -in userkey.pem -out server.key
  command to replace the passphrase from the private key.
 
  I edited the conf/server.xml file as directed and pointed the
  SSLCertificateFile to the usercert.pem file and the SSLCertificateKeyFile
  to the generated server.key file.
 
  I started tomcat - no errors in the logs and when I try to connect on
  https://localhost:8443
  I receive the following alert:
 
  Could not establish an encrypted connection because the certificate
  presented by localhost is invalid or corrupted. Error Code: -8101
 
  The CA root certificate that signed my certificate is loaded into the
  browser (along with my certificate).
 
  It seems like it's a problem with my certificates?
 
  Thanks,
  Julie.
 
  On Wednesday 08 March 2006 13:31, Dhaval Patel wrote:
   Hi,
  
   Based upon your description, I think you are trying to use the JSSE way to
   enable SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.
  
   If you are trying with JSSE, please remove tcnative-1.dll from your
   TOMCAT_HOME\bin directory. It should work fine.
  
   If you want to know how to do with OpenSSL, please go to:
   http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
  
   Steps described in the above URL are 100% working when you don't have a
   Verisign/Thawte signed certificate. It is not the case here I believe. :)
  
   Let us know how it goes.
  
   Regards,
   D
  
   --- Julie McCabe [EMAIL PROTECTED] wrote:
Hi,
   
I've configured SSL support as per documentation - 

Re: HTTPS setup

2006-03-08 Thread Dhaval Patel
Hi,

Based upon your description, I think you are trying to use the JSSE way to enable 
SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.

If you are trying with JSSE, please remove tcnative-1.dll from your 
TOMCAT_HOME\bin directory. It should work fine.

If you want to know how to do with OpenSSL, please go to:
http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html 

Steps described in the above URL are 100% working when you don't have a 
Verisign/Thawte signed certificate. It is not the case here I believe. :)

Let us know how it goes.

Regards,
D

--- Julie McCabe [EMAIL PROTECTED] wrote:

 Hi,
 
 I've configured SSL support as per documentation - I created the keystore and a 
 self-signed certificate with the default password, uncommented the 8443 
 connector for https in the conf/server.xml file.
 
 The problem is that I cannot connect to https://localhost:8443 via the 
 browser, in the log file there are no errors and it appears as the 8443 port 
 is open as:
 INFO: Starting Coyote HTTP/1.1 on http-8443
 
 Nothing is logged to the log file when access to 8443 is attempted, the 
 browser processes and eventually times out with the following alert:
 
 The connection to localhost:8443 has terminated unexpectedly. Some data may 
 have been transferred.
 
 Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
 
 Regards,
 Julie.
   
 
 
 






Re: HTTPS setup

2006-03-08 Thread Julie McCabe
Hello,

Thanks for the advice, I had installed the APR as Tomcat was failing to 
shut down in Windows without it.

Since my overall objective is to use an existing X509 certificate signed by 
an academic CA (not Verisign or Thawte) I decided to try the openssl. I 
followed the steps outlined in 
http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html

I have an existing p12 file which is split into a key and a certificate, I 
only performed the 
openssl rsa -in userkey.pem -out server.key 
command to replace the passphrase from the private key.

I edited the conf/server.xml file as directed and pointed the 
SSLCertificateFile to the usercert.pem file and the SSLCertificateKeyFile to 
the generated server.key file.

I started tomcat - no errors in the logs and when I try to connect on 
https://localhost:8443
I receive the following alert:

Could not establish an encrypted connection because the certificate presented 
by localhost is invalid or corrupted. Error Code: -8101

The CA root certificate that signed my certificate is loaded into the 
browser (along with my certificate).

It seems like it's a problem with my certificates?

Thanks,
Julie. 


On Wednesday 08 March 2006 13:31, Dhaval Patel wrote:
 Hi,

 Based upon your description, I think you are trying to use the JSSE way to
 enable SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.

 If you are trying with JSSE, please remove tcnative-1.dll from your
 TOMCAT_HOME\bin directory. It should work fine.

 If you want to know how to do with OpenSSL, please go to:
 http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html

 Steps described in the above URL are 100% working when you don't have a
 Verisign/Thawte signed certificate. It is not the case here I believe. :)

 Let us know how it goes.

 Regards,
 D

 --- Julie McCabe [EMAIL PROTECTED] wrote:
  Hi,
 
  I've configured SSL support as per documentation - I created the keystore
  and a self-signed certificate with the default password, uncommented
  the 8443 connector for https in the conf/server.xml file.
 
  The problem is that I cannot connect to https://localhost:8443 via the
  browser, in the log file there are no errors and it appears as the 8443
  port is open as:
  INFO: Starting Coyote HTTP/1.1 on http-8443
 
  Nothing is logged to the log file when access to 8443 is attempted, the
  browser processes and eventually times out with the following alert:
 
  The connection to localhost:8443 has terminated unexpectedly. Some data
  may have been transferred.
 
  Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
 
  Regards,
  Julie.
 
 





Re: HTTPS setup

2006-03-08 Thread Dhaval Patel
Hi,

  As I have told you before, those instructions are not working as expected 
against authority-signed (not self-signed) certificates.

  You might have to go through the mail-archive of the tomcat users list to find 
more ways to solve this. I am sure there is a solution for this.

  Tomcat gurus, please help !!!

Regards,
D

--- Julie McCabe [EMAIL PROTECTED] wrote:

 Hello,
 
 Thanks for the advice, I had installed the APR as Tomcat was failing to 
 shut down in Windows without it.
 
 Since my overall objective is to use an existing X509 certificate signed by 
 an academic CA (not Verisign or Thawte) I decided to try the openssl. I 
 followed the steps outlined in 
 http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
 
 I have an existing p12 file which is split into a key and a certificate, I 
 only performed the 
 openssl rsa -in userkey.pem -out server.key 
 command to replace the passphrase from the private key.
 
 I edited the conf/server.xml file as directed and pointed the 
 SSLCertificateFile to the usercert.pem file and the SSLCertificateKeyFile to 
 the generated server.key file.
 
 I started tomcat - no errors in the logs and when I try to connect on 
 https://localhost:8443
 I receive the following alert:
 
 Could not establish an encrypted connection because the certificate presented 
 by localhost is invalid or corrupted. Error Code: -8101
 
 The CA root certificate that signed my certificate is loaded into the 
 browser (along with my certificate).
 
 It seems like it's a problem with my certificates?
 
 Thanks,
 Julie. 
 
 
 On Wednesday 08 March 2006 13:31, Dhaval Patel wrote:
  Hi,
 
  Based upon your description, I think you are trying to use the JSSE way to
  enable SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.
 
  If you are trying with JSSE, please remove tcnative-1.dll from your
  TOMCAT_HOME\bin directory. It should work fine.
 
  If you want to know how to do with OpenSSL, please go to:
  http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
 
  Steps described in the above URL are 100% working when you don't have a
  Verisign/Thawte signed certificate. It is not the case here I believe. :)
 
  Let us know how it goes.
 
  Regards,
  D
 
  --- Julie McCabe [EMAIL PROTECTED] wrote:
   Hi,
  
   I've configured SSL support as per documentation - I created the keystore
   and a self-signed certificate with the default password, uncommented
   the 8443 connector for https in the conf/server.xml file.
  
   The problem is that I cannot connect to https://localhost:8443 via the
   browser, in the log file there are no errors and it appears as the 8443
   port is open as:
   INFO: Starting Coyote HTTP/1.1 on http-8443
  
   Nothing is logged to the log file when access to 8443 is attempted, the
   browser processes and eventually times out with the following alert:
  
   The connection to localhost:8443 has terminated unexpectedly. Some data
   may have been transferred.
  
   Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
  
   Regards,
   Julie.
  
  
 
 
 
 

