Re: Problems with SSL configuration

2016-11-15 Thread Mark Thomas
On 16/11/2016 00:47, Steve Willett wrote:
> I am trying to set up a stand-alone Tomcat server (apparently 7.0.53). 
> When I set up a simple Connector on port 8443 (no specified ciphers, and
> a simple sslProtocol="TLS") using a DigiCert Certificate I can connect.
> 
> However, if I test it with Qualys, I get an F rating because of the
> accepted insecure cipher suites.  However, when I try to use "approved"
> suites, the server can't be reached.

Are those "approved" cipher suites supported by the JVM you are using?

This might help:
http://people.apache.org/~markt/dev/TLSInfo.java

As might this:
https://wiki.apache.org/tomcat/Security/Ciphers

Mark


> 
> Connector configuration:
> <Connector
> protocol="org.apache.coyote.http11.Http11Protocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" keyAlias="server"
> keystoreFile="/usr/share/tomcat7/conf/QA_YOURSPORTSLEAGUE_COM.jks"
> keystorePass=""
> sslEnabledProtocols="TLSv1, TLSv1.1, TLSv1.2"
> ciphers="TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384,TLS_DHE_DSS_WITH_AES_256_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDH_RSA_WITH_AES_256_CBC_SHA,TLS_DHE_DSS_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256,TLS_DHE_DSS_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_AES_128_CBC_SHA,TLS_DHE_DSS_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_ECDSA_WITH_RC4_128_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384,TLS_DHE_DSS_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256,TLS_DHE_DSS_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_ECDSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDH_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF"
> 
> />
> 
> When I try to connect to the site with Chrome I get:
> 
> 
>  This site can’t be reached
> 
> *qa.yoursportsleague.com* unexpectedly closed the connection.
> 
> 
> 
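> I also have configured it to require SSL:
> 
> <security-constraint>
>   <web-resource-collection>
>     <web-resource-name>Protected Context</web-resource-name>
>     <url-pattern>/*</url-pattern>
>   </web-resource-collection>
>   <user-data-constraint>
>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>   </user-data-constraint>
> </security-constraint>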
> 
> Any thoughts?
> 
> 
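
Added example (not code from this thread or from Tomcat): a stand-alone Java check of a Connector `ciphers` value against the suites the running JVM's JSSE provider implements, which is the question asked in the reply above. The class name `CipherCheck` is hypothetical, and the built-in sample is constructed from six names in the quoted attribute, the last one exactly as posted.

```java
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;

// Added example; CipherCheck is a hypothetical name, not part of Tomcat or the JDK.
public class CipherCheck {

    // Constructed sample: six names copied from the ciphers attribute quoted above,
    // the last one exactly as it was posted.
    static final String SAMPLE =
          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,"
        + "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDH_RSA_WITH_RC4_128_SHA,"
        + "TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_EMPTY_RENEGOTIATION_INFO_SCSVF";

    // Name fragments of suites that are weak: RC4, DES/3DES, NULL, EXPORT, anonymous.
    static final String[] WEAK_MARKERS =
        {"_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT_", "_anon_"};

    /** Split a Connector "ciphers" value on commas, trimming blanks and empty items. */
    static List<String> parse(String attribute) {
        List<String> names = new ArrayList<String>();
        for (String part : attribute.split(",")) {
            String name = part.trim();
            if (!name.isEmpty()) {
                names.add(name);
            }
        }
        return names;
    }

    static boolean isWeak(String suite) {
        for (String marker : WEAK_MARKERS) {
            if (suite.contains(marker)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws NoSuchAlgorithmException {
        // Pass the ciphers value as the first argument, or run without arguments
        // to check the constructed sample.
        String configured = args.length > 0 ? args[0] : SAMPLE;

        SSLParameters jvm = SSLContext.getDefault().getSupportedSSLParameters();
        Set<String> supported =
            new LinkedHashSet<String>(Arrays.asList(jvm.getCipherSuites()));

        System.out.println("Java " + System.getProperty("java.version")
            + ", protocols: " + Arrays.toString(jvm.getProtocols()));

        int negotiable = 0;
        int strong = 0;
        for (String name : parse(configured)) {
            String verdict;
            if (!supported.contains(name)) {
                // Misspelled, or simply not implemented by this JVM level.
                verdict = "NOT SUPPORTED by this JVM";
            } else if (name.endsWith("_SCSV")) {
                verdict = "signalling value, not a cipher";
            } else if (isWeak(name)) {
                verdict = "supported, but weak";
                negotiable++;
            } else {
                verdict = "supported";
                negotiable++;
                strong++;
            }
            System.out.println(String.format("%-50s %s", name, verdict));
        }

        System.out.println(negotiable + " suite(s) this JVM can negotiate, "
            + strong + " of them not weak");
        if (negotiable == 0) {
            System.out.println("None of the configured suites exists in this JVM, "
                + "so JSSE has nothing to negotiate with a client.");
        }
    }
}
```

Run it with the same `java` binary that starts Tomcat, since the supported list depends on the JVM version and its installed policy files.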



RE: Problems with SSL configuration

2016-11-15 Thread John.E.Gregg
Enable verbose SSL.

Start Tomcat with -Djavax.net.debug=ssl. That will print a lot of info to 
catalina.out.

You could also do the same thing on the client side if you used a java client, 
or something similar with OpenSSL, curl, etc.






Re: Problems with SSL-enabled Tomcat 5.5

2009-03-13 Thread Bhuvanmp

Hi, I am also having the same problem.
java.io.IOException: Alias name aliasName does not identify a key entry.

But I am not able to overcome it. I am using keytool, not openssl. Please
advise me.

thanks ,Bhuvan MP

bajistaman wrote:
 
 So what you did was to create a new private key, CSR and then just follow
 the instructions from your CA and everything worked?
 
 Thanks,
 
 Johann
 

-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tp12394044p22491455.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Chad Lehman

Looks like my email client removed the tag I pasted from the server.xml file:

<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
   maxThreads="150" scheme="https" secure="true"
   keystoreFile="${user.home}/.keystore"
   keystorePass="changeit"
   clientAuth="false" sslProtocol="TLS" />

Sorry about that.

Chad
-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Caldarale, Charles R
 From: Chad Lehman [mailto:[EMAIL PROTECTED] 
 Subject: Problems Configuring SSL / JSSE
 
 I've done the .keystore stuff as outlined in the docs. 

Do you have APR enabled?  (Likely, on a Windows installation.)  If so,
you ignored the big, bold note in the doc about using OpenSSL rather
than JSSE.  Either follow the APR instructions for SSL, or rename the
tcnative-1.dll in Tomcat's bin directory to start using JSSE.

SSL using JSSE:
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

SSL using APR/OpenSSL:
http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.




RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Chad Lehman

Hi Chuck,

Thank you for the reply. I'd actually seen your responses to this in the 
archives, but I don't have APR enabled. There is no tcnative-1.dll here.

I'm wondering if there's some .jar file I'm missing or something.

Thanks again.


Chad


RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Caldarale, Charles R
 From: Chad Lehman [mailto:[EMAIL PROTECTED] 
 Subject: RE: Problems Configuring SSL / JSSE
 
 There is no tcnative-1.dll here.

If that's the case, then there should be an entry in the logs about APR
not being available; make sure that's the case.

Anything else in the logs, either during Tomcat startup or when you're
actually trying to make the connection?  The catalina.*.log should show
each connector starting up.

Your Connector settings are almost identical to mine, other than I
don't use a variable in the keystoreFile attribute; try changing that to
an explicit absolute path.  Also make sure the redirectPort is set to 443
in your port 80 Connector, and that you really did uncomment the 443
one.

 - Chuck





Re: Problems Configuring SSL / JSSE

2008-03-01 Thread Martin Gainty
According to the doc, if you are using APR, make sure the
SSLEngine=NonCatalinaEngine,
although in my configuration I only see Catalina and Standalone engines.

The question I have is: should the OP configure his SSLEngine=Standalone?

Martin



RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Chad Lehman

Chuck,


Thanks again. I must've been blind the first time I set this up, because I 
didn't see the part about the JSSE extensions being installed. They weren't.
However, I went and downloaded them, unzipped the .jars into the 
%JAVA_HOME%\jre\lib\ext directory, and am coming up with new errors:

INFO: Initializing Coyote HTTP/1.1 on http-80
java.lang.reflect.InvocationTargetException
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Caused by: java.lang.ExceptionInInitializerError
    at sun.text.normalizer.NormalizerBase.decompose(NormalizerBase.java:707)
    at sun.text.normalizer.NormalizerBase$NFKDMode.normalize(NormalizerBase.java:348)
    at sun.text.normalizer.NormalizerBase.normalize(NormalizerBase.java:1592)
    at sun.text.normalizer.NormalizerBase.normalize(NormalizerBase.java:1573)
    at java.text.Normalizer.normalize(Normalizer.java:146)
    at sun.security.x509.AVA.toRFC2253CanonicalString(AVA.java:986)
(ETC...)
Caused by: java.lang.RuntimeException: could not locate data
    at sun.text.normalizer.NormalizerImpl.<clinit>(NormalizerImpl.java:44)
    ... 53 more


Thanks

Chad



RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Caldarale, Charles R
 From: Chad Lehman [mailto:[EMAIL PROTECTED] 
 Subject: RE: Problems Configuring SSL / JSSE
 
 Thanks again. I must've been blind the first time I set this 
 up, because I didn't see the part about the JSSE extensions 
 being installed. They weren't.

You don't need the JSSE extensions - they're included with all JVM
levels that Tomcat 6 runs on.  You need to undo whatever you did, since
that is likely to cause classloader problems when you have the same
classes in multiple places in a given classloader hierarchy branch.

Make sure you're looking at the doc for Tomcat 6, not anything older.

What JVM version are you using?

 - Chuck





RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Chad Lehman




Chuck,

The version is Java HotSpot Client VM 1.6.0_03-b05 (according to java -version).




RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Caldarale, Charles R
 From: Chad Lehman [mailto:[EMAIL PROTECTED] 
 Subject: RE: Problems Configuring SSL / JSSE
 
 The version is Java HotSpot Client VM 1.6.0_03-b05 (according 
 to java -version).

That definitely has JSSE built in.  Whatever you downloaded is for a
much older JRE level, and most likely is the cause of the exceptions
you're now seeing.  Get back to where you were, and look in the logs for
the real problem.

 - Chuck





RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Chad Lehman




Chuck, 

Thank you for all the help so far. I undid the previous step. Back to square 
one. In the console window of Eclipse there's this:

INFO: The Apache Tomcat Native library which allows optimal performance in 
production environments was not found on the java.library.path...

Otherwise, the logs don't appear to be generated when Tomcat is run from 
Eclipse. 

Additionally, there's this: 

INFO: Starting Coyote HTTP/1.1 on http-443
Mar 1, 2008 8:19:35 PM org.apache.jk.common.ChannelSocket init

...which indicates that Tomcat is being told to start a Connector on 443, 
doesn't it? That comes after the exceptions are listed in the log.

---
When I browse jasper.jar, I see that org.apache.jk is an empty package. Could 
that be a problem? Additionally, I tried to put import org.apache.jk.server; 
into a dummy servlet, and Eclipse complained that it could not be resolved 
(found). Could that be what's wrong?


Chad



RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Caldarale, Charles R
 From: Chad Lehman [mailto:[EMAIL PROTECTED] 
 Subject: RE: Problems Configuring SSL / JSSE
 
 INFO: The Apache Tomcat Native library which allows optimal 
 performance in production environments was not found on the 
 java.library.path...

Good; that means APR really isn't installed.

 Otherwise, the logs don't appear to be generated when Tomcat 
 is run from Eclipse. 

They're generated, but they may be well hidden.  Try running Tomcat by
itself, not under Eclipse; sometimes IDEs create more confusion than
they're worth.

 INFO: Starting Coyote HTTP/1.1 on http-443
 Mar 1, 2008 8:19:35 PM org.apache.jk.common.ChannelSocket init

The associated timestamp line actually precedes the INFO, WARNING, etc.,
line, so you've actually got pieces of two separate log entries there.
It does indicate that port 443 is active.

 When I browse jasper.jar, I see that org.apache.jk is an 
 empty package. Could that be a problem?

No, and jasper.jar has nothing to do with Tomcat operating as a server;
it's only for compilation of JSP files.  

 Additionally, I tried to put import org.apache.jk.server;
 into a dummy servlet

You're off in the weeds here.  The jk module is used for communication
between httpd (which you don't have or need) and Tomcat itself.  In
fact, you should probably comment out the AJP Connector, normally on
port 8009 - you won't be using it, and it just consumes resources
(albeit not much).

Clean things up, run Tomcat by itself, and see what happens.  Look in
the logs for any problems.

 - Chuck





RE: Problems Configuring SSL / JSSE

2008-03-01 Thread Chad Lehman

[ISSUE RESOLVED]


Chuck,

Running Tomcat by itself worked. Some .jar file I inserted into Eclipse is 
messing something up, I suppose.

Thanks a lot for the help!

+1

Chad



Re: Problems with SSL-enabled Tomcat 5.5

2007-10-02 Thread Angel Quintana
***
***
Nombre de alias: autentiacert
Fecha de creación: 01-oct-2007
Tipo de entrada: trustedCertEntry

Propietario: CN=pymes2.gobernalianet.es, OU=Pymes2, O=Gobernalia,
L=Madrid, ST=Madrid, C=ES
Emisor: [EMAIL PROTECTED], CN=Angel,
OU=Pymes2, O=Gobernalia, ST=Madrid, C=ES
Número de serie: 1
Válido desde: 1/10/07 18:28 hasta: 30/09/08 18:28
Huellas de certificado:
MD5:  2C:D4:6F:C6:8F:A5:8D:19:45:F8:12:AF:0F:F6:CE:50
SHA1: 1E:11:C1:68:35:5F:BE:5A:8D:F4:07:61:6F:41:BE:92:86:BF:C5:98
***
***
- keytool -list -v -storepass changeit
--

End of message,

Thank you so much,

Angel

- Original Message -
Hello,
setting keyAlias=root did not change anything. Then I downloaded the
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore.
Unfortunately that does not change my situation: Either Tomcat is
unable to find my alias in the keystore file (if I specify a keyAlias)
or there appears to be a problem with the SSL ciphers or certificate
itself (if I don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are
(see further below):

1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
    at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)

2/without keyAlias directive:
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

Any more ideas? Is the problem maybe caused because I am creating a
new keystore and the key of the Verisign-signed certificate is in a
separate file (my colleague deleted the original keystore file)? Are
we screwed now?

Thank you. Any input is greatly appreciated.

Bye,
Werner.


- Original Message - From: Filip Hanik - Dev Lists [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

I have the same problem as you, Werner: everything looks fine but the
browser is unable to verify the identity of my site. Firefox says:
a) Or the browser doesn't recognize the CA that is supporting the cert.
b) Or the cert is incomplete because of a wrong server configuration.
c) Or the site is pretending to be something that it is not.

So still trying to find what is wrong.
BTW, my CA gives an intermediate cert that I didn't use because agentbob's
tip didn't say anything about it. Maybe I need to install it as part of the
process just as the CA website says. Did you have to install the
intermediate one?

Thanks,

Johann




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread Werner Schalk

Hi,

I tried with the Intermediate Cert as well but then I had the same problems 
(see below). Take a look at the
comments on AgentBob's website, one is mentioning putting all certs together 
to make this work.
At least for me it didn't and what I ended up doing was buying a new 
certificate unfortunately.

Please let me know if you have another solution.

Bye,
Werner




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread Hassan Schroeder
On 9/3/07, Werner Schalk [EMAIL PROTECTED] wrote:

 ... what I ended up doing was buying a new certificate

Your CA wouldn't let you submit a new CSR and re-issue the cert??
That's surprising.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

So what you did was to create a new private key, CSR and then just follow the
instructions from your CA and everything worked?

Thanks,

Johann



Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

Ok, now it is working, I was missing the root cert.

I generated a script that did all the work:

JAVA_HOME=/usr/java/latest
export JAVA_HOME

PATH=$JAVA_HOME/bin:$PATH
export PATH

THE_NAME=www.dummy.org
export THE_NAME

# Remove the previous keystores
rm /root/.keystore
rm /usr/share/tomcat5/.keystore

# Convert the private key from PEM to unencrypted PKCS#8 DER
openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM \
    -out ${THE_NAME}_key.der -outform DER

# Convert the root, intermediate and server certificates from PEM to DER
openssl x509 -in rootCA_cer.pem -inform PEM -out rootCA_cer.der -outform DER

openssl x509 -in intermediateCA_cer.pem -inform PEM \
    -out intermediateCA_cer.der -outform DER

openssl x509 -in ${THE_NAME}_cer.pem -inform PEM \
    -out ${THE_NAME}_cer.der -outform DER

# Concatenate the chain: server certificate, then intermediate, then root
cat ${THE_NAME}_cer.der intermediateCA_cer.der rootCA_cer.der \
    > ${THE_NAME}_all_cer.der

# Compile and run ImportKey with the key and the certificate chain
javac *.java

java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der

cp /root/keystore.ImportKey /root/.keystore

cp /root/.keystore /usr/share/tomcat5/.keystore

keytool -keypass changeit -storepass changeit -list
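
Added example (not from this thread, from AgentBob's ImportKey or from Tomcat): a Java check of what each alias in a keystore actually holds, covering both the `Alias name ... does not identify a key entry` error quoted earlier in the thread and the incomplete-chain case resolved above. `KeystoreCheck` is a hypothetical name, and the keystore is assumed to be of the JVM's default keystore type.

```java
import java.io.Console;
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example; KeystoreCheck is a hypothetical name, not part of Tomcat or the JDK.
public class KeystoreCheck {

    static boolean selfSigned(X509Certificate c) {
        return c.getSubjectX500Principal().equals(c.getIssuerX500Principal());
    }

    /** Describe what one alias holds, in terms of what an SSL Connector needs from it. */
    static String describe(KeyStore ks, String alias) throws Exception {
        if (ks.isCertificateEntry(alias)) {
            // keytool lists this as trustedCertEntry. There is no private key behind it,
            // which is the situation the "does not identify a key entry" message describes.
            return "trustedCertEntry (certificate only, no private key)";
        }
        if (!ks.isKeyEntry(alias)) {
            return "alias not found";
        }
        Certificate[] chain = ks.getCertificateChain(alias);
        if (chain == null || chain.length == 0
                || !(chain[0] instanceof X509Certificate)
                || !(chain[chain.length - 1] instanceof X509Certificate)) {
            return "key entry without an X.509 certificate chain";
        }
        X509Certificate leaf = (X509Certificate) chain[0];
        X509Certificate last = (X509Certificate) chain[chain.length - 1];
        String head = "key entry, chain of " + chain.length + " for \""
                + leaf.getSubjectX500Principal().getName() + "\"";
        if (chain.length == 1 && selfSigned(leaf)) {
            // The state right after "keytool -genkey", before a CA-issued certificate is imported.
            return head + ": self-signed, no CA-issued certificate imported";
        }
        if (selfSigned(last)) {
            return head + ": chain runs up to a self-signed root";
        }
        // The server will send only what is in the chain, so the issuer named here
        // must be known to the browser or supplied as a further certificate.
        return head + ": chain ends at a certificate issued by \""
                + last.getIssuerX500Principal().getName()
                + "\", which clients must already trust";
    }

    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length < 1 || console == null) {
            System.err.println(
                "usage: java KeystoreCheck <keystore-file> [keyAlias]  (run from a terminal)");
            System.exit(2);
        }
        // Prompt for the password so it stays out of shell history and the process list.
        char[] password = console.readPassword("Keystore password: ");

        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }

        // One line per alias, like "keytool -list" but with the chain summarised.
        for (String alias : Collections.list(ks.aliases())) {
            System.out.println(alias + ": " + describe(ks, alias));
        }

        // Optionally check the alias configured as keyAlias on the Connector.
        if (args.length > 1) {
            String wanted = args[1];
            System.out.println("keyAlias \"" + wanted + "\" -> " + describe(ks, wanted));
            if (!ks.isKeyEntry(wanted)) {
                System.exit(1);
            }
        }
    }
}
```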



Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread bajistaman

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do it all over again from Tomcat, from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr 

#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts \
    -file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts \
    -file name.cer

-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tf4349872.html#a12426259
Sent from the Tomcat - User mailing list archive at Nabble.com.





Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Filip Hanik - Dev Lists
you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, 
here is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip

bajistaman wrote:

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do all over again from Tomcat from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr 


#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts
-file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file
name.cer

  






Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Werner Schalk

Hello,

interestingly it did not work for me in the end. Basically I can import
the certificate and the private key to rebuild the original keystore
using AgentBob's Java code. Fine. Then when restarting Tomcat it does not
complain anymore and everything appears to be fine (Tomcat says something
like Server started and no error messages whatsoever). However when
connecting to the SSL-enabled site, there is no error message coming up,
but any browser (IE, Firefox, Konqueror) fails to connect to the site
saying that the certificate is invalid or corrupted (although one can
still inspect it in the cert properties of the respective browser). Any
ideas on how to debug this problem? Tomcat appears to be okay with the
cert and the keystore but SSL is still not working?

@Christian: Did you have the same problem in the end or did it all work for 
you?


Bye,
Werner

- Original Message - 
From: Filip Hanik - Dev Lists [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, August 31, 2007 4:27 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, here 
is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip

bajistaman wrote:

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate, then I tried to install it and I had the same
problems that Werner has. Do I have to do all over again from Tomcat from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr
#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts
-file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file
name.cer








Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Filip Hanik - Dev Lists
I think what is happening in your case is that the SSL handshake fails, 
not even sure if debug turned on would show it. (depending on what 
connector you are running)


try removing the keyAlias (if you have it set) to let java decide on 
what cert in the keystore to use


Filip

Werner Schalk wrote:

Hello,

interestingly it did not work for me in the end. Basically I can import
the certificate and the private key to rebuild the original keystore
using AgentBob's Java code. Fine. Then when restarting Tomcat it does not
complain anymore and everything appears to be fine (Tomcat says something
like Server started and no error messages whatsoever). However when
connecting to the SSL-enabled site, there is no error message coming up,
but any browser (IE, Firefox, Konqueror) fails to connect to the site
saying that the certificate is invalid or corrupted (although one can
still inspect it in the cert properties of the respective browser). Any
ideas on how to debug this problem? Tomcat appears to be okay with the
cert and the keystore but SSL is still not working?

@Christian: Did you have the same problem in the end or did it all 
work for you?


Bye,
Werner

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Friday, August 31, 2007 4:27 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, 
here is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip

bajistaman wrote:

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received 
was an
email with the certificate, then I tried to install it and I had the 
same
problems that Werner has. Do I have to do all over again from Tomcat 
from

the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr
#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts
-file intermediateCA.cer

#Import the cert
keytool -storepass changeit -import -alias tomcat -trustcacerts -file
name.cer








Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Werner Schalk

Hello,

setting keyAlias=root did not change anything. Then I downloaded the
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore.
Unfortunately that does not change my situation: Either Tomcat is unable
to find my alias in the keystore file (if I specify a keyAlias) or there
appears to be a problem with the SSL ciphers or certificate itself (if I
don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are
(see further below):

1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)

2/without keyAlias directive:
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)


Any more ideas? Is the problem maybe caused because I am creating a new 
keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - 
From: Filip Hanik - Dev Lists [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias=root in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun 
Solaris 10 (Sparc) but it turns out that this appears not to be an easy 
task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the config, 
I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with the 
SSL ciphers or certificate itself. Hopefully somebody knows what to do, 
this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing the 
Certificate), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


<Connector port="8443" maxHttpHeaderSize="16384"
  address="myhostname" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100"
  maxKeepAliveRequests="100"
  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Filip Hanik - Dev Lists
looks like the keyAlias=root is not taking into effect, as the 
container complains for not finding one named tomcat


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
tomcat alias, leave the root alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias=root did not change anything. Then I downloaded the 
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is 
unable to find
my alias in the keystore file (if I specify a keyAlias) or there 
appears to be a problem with the SSL ciphers or certificate itself (if 
I don't specify a

keyAlias).

The two error messages I am getting when attempting to start Tomcat are
(see further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143) 



2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113) 



Any more ideas? Is the problem maybe caused because I am creating a 
new keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias=root in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on 
a Sun Solaris 10 (Sparc) but it turns out that this appears not to 
be an easy task.
Hopefully you guys can shed some light on this. Basically I do have 
a Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with 
the SSL ciphers or certificate itself. Hopefully somebody knows what 
to do, this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing 
the Certificate), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, 
OU=VeriSign, Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


<Connector port="8443" maxHttpHeaderSize="16384"
  address="myhostname" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100"
  maxKeepAliveRequests="100"
  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Werner Schalk

Hello Filip,

thanks a lot for all your support. No, that's something I already tried.
When importing the Verisign root cert in my cacerts file and then
importing the signed cert in my keystore, he seems to be able to build a
certificate chain because I am no longer being asked whether I would like
to trust the certificate. However when using that keystore then in Tomcat
(which only contains my signed cert) I am getting the second error (No
available certificate or key corresponds to the SSL cipher suites which
are enabled.).


Any more ideas?

Bye,
Seb

- Original Message - 
From: Filip Hanik - Dev Lists [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias=root is not taking into effect, as the container 
complains for not finding one named tomcat


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
tomcat alias, leave the root alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias=root did not change anything. Then I downloaded the 
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is unable 
to find
my alias in the keystore file (if I specify a keyAlias) or there appears 
to be a problem with the SSL ciphers or certificate itself (if I don't 
specify a

keyAlias).

The two error messages I am getting when attempting to start Tomcat are
(see further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)


2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)


Any more ideas? Is the problem maybe caused because I am creating a new 
keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias=root in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a 
Sun Solaris 10 (Sparc) but it turns out that this appears not to be an 
easy task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with the 
SSL ciphers or certificate itself. Hopefully somebody knows what to do, 
this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing the 
Certificate), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


<Connector port="8443" maxHttpHeaderSize="16384"
  address="myhostname" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100"
  maxKeepAliveRequests="100"
  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Filip Hanik - Dev Lists

aah, now I think we are getting somewhere.
Is this not the keystore that was used to generate the CSR, and also 
contains the private key?
if not, then I don't know how it would work, you still need your private 
key in order to have a working SSL setup, the signed cert is only what 
tomcat sends to the browser, it needs the private key in order to 
decipher the stuff that the browser encrypts using the public key.


so if you deleted the original keystore that was used to create the key, 
then yes, you are screwed, you need to start over, generate another key, 
get another CSR, get another signed cert from verisign etc


Filip

Werner Schalk wrote:

Hello Filip,

thanks a lot for all your support. No, that's something I already tried.
When importing the Verisign root cert in my cacerts file and then
importing the signed cert in my keystore, he seems to be able to build a
certificate chain because I am no longer being asked whether I would like
to trust the certificate. However when using that keystore then in Tomcat
(which only contains my signed cert) I am getting the second error (No
available certificate or key corresponds to the SSL cipher suites which
are enabled.).


Any more ideas?

Bye,
Seb

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias=root is not taking into effect, as the 
container complains for not finding one named tomcat


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
tomcat alias, leave the root alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias=root did not change anything. Then I downloaded 
the latest version of Tomcat, added the Verisign cert to my cacerts 
file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is 
unable to find
my alias in the keystore file (if I specify a keyAlias) or there 
appears to be a problem with the SSL ciphers or certificate itself 
(if I don't specify a

keyAlias).

The two error messages I am getting when attempting to start Tomcat
are (see further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143) 



2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113) 



Any more ideas? Is the problem maybe caused because I am creating a 
new keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias=root in server.xml

Werner Schalk wrote:

Hello,

I am trying to setup a SSL-enabled Tomcat 5.5.? (5.5.20 I think) 
on a Sun Solaris 10 (Sparc) but it turns out that this appears not 
to be an easy task.
Hopefully you guys can shed some light on this. Basically I do 
have a Verisign-signed SSL certificate which I would like to add 
to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem 
with the SSL ciphers or certificate itself. Hopefully somebody 
knows what to do, this

is giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing 
the Certificate), please

note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, 
OU=VeriSign, Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts 
-file mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-29 Thread Filip Hanik - Dev Lists

did you set
keyAlias=root in server.xml

Werner Schalk wrote:

Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a
Sun Solaris 10 (Sparc) but it turns out that this appears not to be an
easy task. Hopefully you guys can shed some light on this. Basically I do
have a Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the config,
I do face two problems: Either Tomcat is unable to find my alias in the
keystore file or there appears to be a problem with the SSL ciphers or
certificate itself. Hopefully somebody knows what to do, this is giving
me a headache for many hours now.

Here is what I did (steps taken from
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing the
Certificate), please note that I removed IPs, hostnames etc. to protect
the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


<Connector port="8443" maxHttpHeaderSize="16384"
  address="myhostname" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100"
  maxKeepAliveRequests="100"
  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
   at org.apache.catalina.connector.Connector.start(Connector.java:1089)
   at org.apache.catalina.core.StandardService.start(StandardService.java:459)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However my keystore DOES contain my two keys (Verisign's key as well 
as my SSL cert):


# keytool -list --keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[...]

***
***

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

***
***

Here is the first problem: Why does my alias tomcat not identify a 
key entry in the keystore? It does exist, doesn't it?


5) Now to get around this problem, I removed the keyAlias directive 
from the Tomcat 
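
The listing quoted above shows alias tomcat as a trustedCertEntry, which is what the "does not identify a key entry" error is reporting, and it ties in with the later reply in this thread that the keystore must still hold the private key. The following is an added example, not part of any message in the thread: a shell check that reads `keytool -list -v` output on stdin and reports whether an alias is a key entry. The function names and both sample listings are constructed, and `keyEntry` is assumed to be the label older JDKs print for what newer ones call `PrivateKeyEntry`.

```shell
#!/bin/sh
# Added example: classify keystore aliases from `keytool -list -v` output.

# Constructed listing shaped like the one in the thread: both aliases are
# certificate-only entries, so the keystore holds no private key.
sample_cert_only() {
cat <<'EOF'
Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: O=Example CA (constructed)

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname
EOF
}

# Constructed listing of a keystore where the CA reply was imported over
# the key pair that produced the CSR.
sample_with_key() {
cat <<'EOF'
Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: PrivateKeyEntry
Certificate chain length: 2
EOF
}

# Print the entry type recorded for alias $1 (listing on stdin).
# The comparison ignores case because JKS stores aliases lower-cased.
entry_type() {
    awk -v want="$1" '
        /^Alias name: / {
            cur = $0
            sub(/^Alias name: /, "", cur)
            sub(/[ \t\r]+$/, "", cur)
        }
        /^Entry type: / && tolower(cur) == tolower(want) {
            etype = $0
            sub(/^Entry type: /, "", etype)
            sub(/[ \t\r]+$/, "", etype)
            print etype
            exit
        }
    '
}

# Print every alias that carries a private key (listing on stdin).
# An empty result means the server has nothing to present when keyAlias
# is omitted from the Connector.
key_aliases() {
    awk '
        /^Alias name: / {
            cur = $0
            sub(/^Alias name: /, "", cur)
            sub(/[ \t\r]+$/, "", cur)
        }
        /^Entry type: (PrivateKeyEntry|keyEntry)[ \t\r]*$/ { print cur }
    '
}

# Exit status: 0 = key entry, 1 = present but unusable for TLS, 2 = missing.
check_key_alias() {
    etype=$(entry_type "$1")
    case "$etype" in
        PrivateKeyEntry|keyEntry)
            echo "OK: alias '$1' is a $etype (private key plus certificate chain)"
            return 0 ;;
        trustedCertEntry)
            echo "FAIL: alias '$1' is a trustedCertEntry: certificate only, no private key"
            return 1 ;;
        "")
            echo "FAIL: alias '$1' not found in the keystore listing"
            return 2 ;;
        *)
            echo "FAIL: alias '$1' has entry type '$etype', which cannot serve TLS"
            return 1 ;;
    esac
}

# Demo on the constructed listings.
sample_cert_only | check_key_alias tomcat || true
sample_with_key  | check_key_alias tomcat
```

Against a real keystore the same check is `keytool -list -v -keystore wstest | check_key_alias tomcat`.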

RE: Problems with SSL

2007-08-09 Thread Peter Crowther
 From: Dario Hernan [mailto:[EMAIL PROTECTED] 
 java.lang.ClassNotFoundException: SSL not found in
[...]
 parent=gnu.gcj.runtime.SystemClassLoader

Install and use the Sun JDK, not Gnu.  As I recall, the Gnu
implementation doesn't contain the Sun SSL classes that Tomcat expects.

- Peter

-
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



Re: Problems with SSL

2007-08-09 Thread Dario Hernan
I'm using the IBM JDK on RedHat Enterprise Linux 5



Re: Problems with SSL

2007-08-09 Thread Hassan Schroeder
On 8/9/07, Dario Hernan [EMAIL PROTECTED] wrote:
> I'm using the IBM JDK on RedHat Enterprise Linux 5

You might /want/ to, but your error message says otherwise :-)

Check your JAVA_HOME and PATH statements; or run `java -version`
and see what you get.

-- 
Hassan Schroeder  [EMAIL PROTECTED]



Re: Problems with SSL

2007-08-09 Thread Dario Hernan
This is the output of the PATH
echo $PATH
/usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin

And the JAVA_HOME
echo JAVA_HOME
JAVA_HOME

JAVA_HOME is not set and there isn't anything about java in the PATH,
but in tomcat5.conf I have this line:
JAVA_HOME=/usr/lib/jvm/jre-1.5.0-ibm/bin/java
Is it possible that tomcat is taking the java config from another site?





RE: Problems with SSL

2007-08-09 Thread Caldarale, Charles R
> From: Dario Hernan [mailto:[EMAIL PROTECTED]
> Subject: Re: Problems with SSL
>
> echo $PATH
> /usr/kerberos/sbin:/usr/kerberos/bin:/usr/local/sbin:/usr/local/bin:
> /sbin:/bin:/usr/sbin:/usr/bin:/root/bin

That tells us nothing.

> echo JAVA_HOME

That should be:
echo $JAVA_HOME

Also do:

java -version

as previously requested, just to be sure.  You could also try
deinstalling the GNU version, just to be safe.

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.



Re: Problems with SSL

2007-08-09 Thread Dario Hernan
[EMAIL PROTECTED] ~]# java -version
java version 1.5.0
Java(TM) 2 Runtime Environment, Standard Edition (build pxi32dev-20070201 (SR4))
IBM J9 VM (build 2.3, J2RE 1.5.0 IBM J9 2.3 Linux x86-32
j9vmxi3223-20070201 (JIT enabled)
J9VM - 20070131_11312_lHdSMR
JIT  - 20070109_1805ifx1_r8
GC   - 200701_09)
JCL  - 20070126




Re: Problems with SSL

2007-08-09 Thread Dario Hernan
I changed the file /etc/bin/dtomcat5 and put the correct JAVA_HOME
there; now when I start tomcat, it uses the correct JVM:
ps ax |grep tomcat
 9122 ?Sl 0:05 /usr/lib/jvm/jre-1.5.0-ibm/bin/java
-Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/tomcat5/common/lib
-Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/tomcat5/common/lib
-Djava.endorsed.dirs=/usr/share/tomcat5/common/endorsed -classpath
/usr/lib/jvm/jre-1.5.0-ibm/lib/tools.jar:/usr/share/tomcat5/bin/bootstrap.jar:/usr/share/tomcat5/bin/commons-logging-api.jar:/usr/share/java/mx4j/mx4j-impl.jar:/usr/share/java/mx4j/mx4j-jmx.jar
-Dcatalina.base=/usr/share/tomcat5 -Dcatalina.home=/usr/share/tomcat5
-Djava.io.tmpdir=/usr/share/tomcat5/temp
org.apache.catalina.startup.Bootstrap

But some errors appear in the log file.
I attached the log file.
Thanks for your advice.






/etc/profile: line 31: 1: Permission denied
Using CATALINA_BASE:   /usr/share/tomcat5
Using CATALINA_HOME:   /usr/share/tomcat5
Using CATALINA_TMPDIR: /usr/share/tomcat5/temp
Using JRE_HOME:
09-ago-2007 15:29:20 org.apache.coyote.http11.Http11BaseProtocol pause
INFORMACIÓN: Pausing Coyote HTTP/1.1 on http-8081
09-ago-2007 15:29:20 org.apache.catalina.connector.Connector pause
GRAVE: Protocol handler pause failed
java.lang.NullPointerException
    at org.apache.catalina.connector.Connector.pause(Connector.java:1032)
    at org.apache.catalina.core.StandardService.stop(StandardService.java:489)
    at org.apache.catalina.core.StandardServer.stop(StandardServer.java:734)
    at org.apache.catalina.startup.Catalina.stop(Catalina.java:602)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:577)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:615)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
09-ago-2007 15:29:20 org.apache.catalina.connector.Connector pause
GRAVE: Protocol handler pause failed
java.lang.NullPointerException
    at org.apache.jk.server.JkMain.pause(JkMain.java:679)
    at org.apache.jk.server.JkCoyoteHandler.pause(JkCoyoteHandler.java:163)
    at org.apache.catalina.connector.Connector.pause(Connector.java:1032)
    at org.apache.catalina.core.StandardService.stop(StandardService.java:489)
    at org.apache.catalina.core.StandardServer.stop(StandardServer.java:734)
    at org.apache.catalina.startup.Catalina.stop(Catalina.java:602)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:577)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:64)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:615)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
09-ago-2007 15:29:21 org.apache.catalina.core.StandardService stop
INFORMACIÓN: Parando servicio Catalina
09-ago-2007 15:29:21 org.apache.catalina.core.ApplicationContext log
INFORMACIÓN: SessionListener: contextDestroyed()
09-ago-2007 15:29:21 org.apache.catalina.core.ApplicationContext

Re: Problems with SSL

2007-08-09 Thread Hassan Schroeder
On 8/9/07, Dario Hernan [EMAIL PROTECTED] wrote:
> I changed the file /etc/bin/dtomcat5 and put the correct JAVA_HOME
> there; now when I start tomcat, it uses the correct JVM

That's progress :-)

> But some errors appear in the log file.

Is this a Tomcat that was bundled with RedHat, as it appears? If so,
you would save yourself a lot of time (and headaches) by removing it
and re-installing via a tar file from the actual Tomcat download site.

-- 
Hassan Schroeder  [EMAIL PROTECTED]



Re: Problems with SSL

2007-08-09 Thread Dario Hernan
Yes, I installed it through the yum installer. Is there a difference
between it and the tar file?



RE: Problems with SSL

2007-08-09 Thread Caldarale, Charles R
> From: Dario Hernan [mailto:[EMAIL PROTECTED]
> Subject: Re: Problems with SSL
>
> Yes, I installed it through the yum installer. Is there a difference
> between it and the tar file?

Yes, the .tar file works.

 - Chuck




RE: Problems with SSL

2007-08-09 Thread Caldarale, Charles R
> From: Dario Hernan [mailto:[EMAIL PROTECTED]
> Subject: Re: Problems with SSL
>
> -Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/tomcat5/common/lib
> -Dcatalina.ext.dirs=/usr/share/tomcat5/shared/lib:/usr/share/tomcat5/common/lib

Why do you have that property specified twice?  For that matter, why do
you have it specified at all?

> -classpath /usr/lib/jvm/jre-1.5.0-ibm/lib/tools.jar:
> /usr/share/tomcat5/bin/bootstrap.jar:
> /usr/share/tomcat5/bin/commons-logging-api.jar:
> /usr/share/java/mx4j/mx4j-impl.jar:
> /usr/share/java/mx4j/mx4j-jmx.jar

Typically, the only thing needed on the -classpath is bootstrap.jar; you
certainly don't need tools.jar anymore.  Why are the other jars there?
The MX4J classes are not needed with a true JRE 5 implementation.

 - Chuck




Re: Problems configuring SSL connector

2006-04-21 Thread Markus Schönhaber
EddieE wrote:
> I'm using keystore files so I needed to add these to server.xml.
> I'm using native libraries since it appears that these are required if you
> want to use a non-default keystoreFile.

No. With APR (the native libs) you'll have to configure the OpenSSL way:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html#HTTPS

> I added tcnative-1.dll and openssl.exe to the PATH.
> I tried both JDK 1.4 compatibility and 1.5 and get the same results. The
> server starts OK but the https connector will only work as http.
> I tried sslProtocol=TLS, SSL and leaving it out.
> What am I doing wrong?

You're mixing the .keystore config with the APR connector that uses OpenSSL. 
If you want to use the .keystore, don't use the native libs.

If your keystore file is not in the default location, set the keystoreFile 
attribute of the Connector appropriately:
http://tomcat.apache.org/tomcat-5.5-doc/config/http.html#SSL%20Support

Regards
  mks
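
The mismatch described in the reply above, as an added example that is not part of the original post: a check over a `server.xml` that flags an HTTPS connector carrying keystore attributes while the native library is loaded. The sample file, the two attribute groupings and the `apr_loaded` flag are assumptions made for illustration.

```python
import xml.etree.ElementTree as ET

# Connector attributes used by the Java (keystore) implementation versus the
# certificate attributes of the APR/OpenSSL one (groupings assumed here).
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile"}

# Constructed server.xml fragment: keystore-style HTTPS connector on 8443.
SAMPLE_SERVER_XML = """
<Server>
  <Service name="Catalina">
    <Connector port="8080"/>
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="conf/example.keystore"
               keystorePass="PLACEHOLDER" sslProtocol="TLS"/>
  </Service>
</Server>
"""


def audit_connectors(server_xml, apr_loaded):
    """Return {port: finding} for every connector declared as HTTPS.

    apr_loaded is supplied by the caller: True when the tcnative library is
    on the library path, i.e. APR support is enabled as described above.
    """
    findings = {}
    for conn in ET.fromstring(server_xml).iter("Connector"):
        if conn.get("scheme") != "https" and conn.get("secure") != "true":
            continue  # plain HTTP connector, nothing to check
        has_jsse = bool(JSSE_ATTRS & set(conn.attrib))
        has_apr = bool(APR_ATTRS & set(conn.attrib))
        if apr_loaded and has_jsse:
            finding = "keystore attributes set while APR is loaded"
        elif apr_loaded and not has_apr:
            finding = "APR loaded but no OpenSSL certificate attributes"
        elif not apr_loaded and has_apr:
            finding = "OpenSSL attributes set but native libs not loaded"
        else:
            finding = "ok"
        findings[conn.get("port")] = finding
    return findings


if __name__ == "__main__":
    print(audit_connectors(SAMPLE_SERVER_XML, apr_loaded=True))
    print(audit_connectors(SAMPLE_SERVER_XML, apr_loaded=False))
```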



Re: Problems configuring SSL connector

2006-04-21 Thread Dhaval Patel
Yes. Markus is right.

When you add tcnative-1.dll, it means you are enabling APR support in tomcat,
which is good.

For detailed instructions, visit:
http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html

There is only one problem in the steps described in the above link. It works 100%
correctly with a self-signed certificate but it does not work with a
VeriSign/Thawte signed certificate. People have tested it. So just read the link
and follow the steps. It is not difficult at all and best of all it works.

Let us know how it goes with you.

Regards,
D
