Re: Problems with SSL-enabled Tomcat 5.5

2009-03-13 Thread Bhuvanmp

Hi, I am also having the same problem.
java.io.IOException: Alias name aliasName does not identify a key entry.

But I am not able to overcome it. I am using keytool, not openssl. Please
advise me.

thanks ,Bhuvan MP

bajistaman wrote:
 
 So what you did was to create a new private key, CSR and then just follow
 the instructions from your CA and everything worked?
 
 Thanks,
 
 Johann
 

-- 
View this message in context: 
http://www.nabble.com/Problems-with-SSL-enabled-Tomcat-5.5-tp12394044p22491455.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Problems with SSL-enabled Tomcat 5.5

2007-10-02 Thread Angel Quintana
***
***
Nombre de alias: autentiacert
Fecha de creación: 01-oct-2007
Tipo de entrada: trustedCertEntry

Propietario: CN=pymes2.gobernalianet.es, OU=Pymes2, O=Gobernalia,
L=Madrid, ST=Madrid, C=ES
Emisor: [EMAIL PROTECTED], CN=Angel,
OU=Pymes2, O=Gobernalia, ST=Madrid, C=ES
Número de serie: 1
Válido desde: 1/10/07 18:28 hasta: 30/09/08 18:28
Huellas de certificado:
MD5:  2C:D4:6F:C6:8F:A5:8D:19:45:F8:12:AF:0F:F6:CE:50
SHA1: 1E:11:C1:68:35:5F:BE:5A:8D:F4:07:61:6F:41:BE:92:86:BF:C5:98
***
***
- keytool -list -v -storepass changeit
--

End of message,

Thank you so much,

Angel




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

I have the same problem as you, Werner: everything looks fine but the
browser is unable to verify the identity of my site. Firefox says:
a) either the browser doesn't recognize the CA that is supporting the cert,
b) or the cert is incomplete because of a wrong server configuration,
c) or the site is pretending to be something that it is not.

So I am still trying to find what is wrong.
BTW, my CA gives an intermediate cert that I didn't use because agentbob's
tip didn't say anything about it. Maybe I need to install it as part of the
process just as the CA website says. Did you have to install the
intermediate one?

Thanks,

Johann




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread Werner Schalk

Hi,

I tried with the Intermediate Cert as well but then I had the same problems 
(see below). Take a look at the
comments on AgentBob's website, one is mentioning putting all certs together 
to make this work.
At least for me it didn't and what I ended up doing was buying a new 
certificate unfortunately.

Please let me know if you have another solution.

Bye,
Werner




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread Hassan Schroeder
On 9/3/07, Werner Schalk [EMAIL PROTECTED] wrote:

 ... what I ended up doing was buying a new certificate

Your CA wouldn't let you submit a new CSR and re-issue the cert??
That's surprising.

-- 
Hassan Schroeder  [EMAIL PROTECTED]




Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

So what you did was to create a new private key, CSR and then just follow the
instructions from your CA and everything worked?

Thanks,

Johann



Re: Problems with SSL-enabled Tomcat 5.5

2007-09-03 Thread bajistaman

Ok, now it is working, I was missing the root cert.

I generated a script that did all the work:

#!/bin/sh
# Rebuild the Tomcat keystore from an existing private key and the full chain
# (server cert, intermediate CA, root CA).
JAVA_HOME=/usr/java/latest
export JAVA_HOME

PATH=$JAVA_HOME/bin:$PATH
export PATH

THE_NAME=www.dummy.org
export THE_NAME

# Start from a clean slate.
rm /root/.keystore
rm /usr/share/tomcat5/.keystore

# Unencrypted PKCS#8 DER is the key format ImportKey reads.
openssl pkcs8 -topk8 -nocrypt -in ${THE_NAME}_key.pem -inform PEM -out ${THE_NAME}_key.der -outform DER

# Convert every certificate of the chain to DER.
openssl x509 -in rootCA_cer.pem -inform PEM -out rootCA_cer.der -outform DER
openssl x509 -in intermediateCA_cer.pem -inform PEM -out intermediateCA_cer.der -outform DER
openssl x509 -in ${THE_NAME}_cer.pem -inform PEM -out ${THE_NAME}_cer.der -outform DER

# Concatenate the chain leaf first: server cert, then intermediate, then root.
cat ${THE_NAME}_cer.der intermediateCA_cer.der rootCA_cer.der > ${THE_NAME}_all_cer.der

# Compile and run AgentBob's ImportKey; it writes /root/keystore.ImportKey.
javac *.java
java ImportKey ${THE_NAME}_key.der ${THE_NAME}_all_cer.der

cp /root/keystore.ImportKey /root/.keystore
cp /root/.keystore /usr/share/tomcat5/.keystore

# The alias should now be listed as a key entry, not a trusted certificate.
keytool -keypass changeit -storepass changeit -list
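A self-contained Java version of the ImportKey step, added here as an example and not AgentBob's or Tomcat's code: it reads the unencrypted PKCS#8 DER key that the openssl pkcs8 line in the script writes, collects certificates from any number of PEM or DER files, orders the chain starting from the certificate that matches the key, and stores everything under one alias as a key entry. The class name KeyAndChainImporter and its argument order are my own.

```java
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyFactory;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAPrivateKey;
import java.security.interfaces.RSAPublicKey;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.ArrayList;
import java.util.List;

/**
 * Hypothetical stand-in for the ImportKey step (not AgentBob's or Tomcat's code).
 * Builds a JKS keystore whose alias is a real key entry: private key plus the
 * ordered certificate chain. The key file must be unencrypted PKCS#8 DER, i.e.
 * what "openssl pkcs8 -topk8 -nocrypt ... -outform DER" writes; the certificate
 * files may be PEM or DER, one or more certificates each, in any order.
 *
 * Usage: java KeyAndChainImporter out.jks changeit tomcat site_key.der site.pem intermediate.pem root.pem
 */
public class KeyAndChainImporter {

    public static void main(String[] args) throws Exception {
        if (args.length < 5) {
            System.err.println("usage: KeyAndChainImporter <out.jks> <storepass> <alias> <key.der> <cert>...");
            System.exit(2);
        }
        char[] pass = args[1].toCharArray();
        byte[] der = Files.readAllBytes(Paths.get(args[3]));
        PrivateKey key = KeyFactory.getInstance("RSA").generatePrivate(new PKCS8EncodedKeySpec(der));

        // Gather every certificate from the remaining files.
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        List<X509Certificate> pool = new ArrayList<>();
        for (int i = 4; i < args.length; i++) {
            try (InputStream in = new FileInputStream(args[i])) {
                for (Certificate c : cf.generateCertificates(in)) {
                    pool.add((X509Certificate) c);
                }
            }
        }

        Certificate[] chain = orderChain((RSAPrivateKey) key, pool);
        // setKeyEntry is what "keytool -import" alone can never do: it creates the
        // PrivateKeyEntry that Tomcat's JSSE factory requires behind keyAlias.
        KeyStore ks = KeyStore.getInstance("JKS");
        ks.load(null, null);
        ks.setKeyEntry(args[2], key, pass, chain);
        try (FileOutputStream out = new FileOutputStream(args[0])) {
            ks.store(out, pass);
        }
        System.out.println("stored " + chain.length + " certificate(s) under key entry " + args[2]);
    }

    /** Orders leaf, intermediate(s), root, starting from the cert that matches the key. */
    static Certificate[] orderChain(RSAPrivateKey key, List<X509Certificate> pool) {
        X509Certificate leaf = null;
        for (X509Certificate c : pool) {
            if (c.getPublicKey() instanceof RSAPublicKey
                    && ((RSAPublicKey) c.getPublicKey()).getModulus().equals(key.getModulus())) {
                leaf = c;
            }
        }
        if (leaf == null) {
            // A certificate issued for a different key (e.g. a CSR from a lost
            // keystore) cannot be paired with this key: re-key and re-issue instead.
            throw new IllegalArgumentException("no supplied certificate matches the private key");
        }
        List<Certificate> chain = new ArrayList<>();
        X509Certificate current = leaf;
        while (current != null) {
            chain.add(current);
            if (current.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                break; // reached a self-signed root
            }
            X509Certificate issuer = null;
            for (X509Certificate c : pool) {
                if (!chain.contains(c) && c.getSubjectX500Principal().equals(current.getIssuerX500Principal())) {
                    issuer = c;
                }
            }
            if (issuer == null) {
                System.err.println("warning: issuer of " + current.getSubjectX500Principal() + " not supplied; browsers may see an incomplete chain");
            }
            current = issuer;
        }
        return chain.toArray(new Certificate[0]);
    }
}
```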



Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread bajistaman

I'm having the same problem. Some people from my company created the
Certificate Signing Request and the only thing that I've received was an
email with the certificate; then I tried to install it and I had the same
problems that Werner has. Do I have to do it all over again from Tomcat, from
the private key, CSR, ...?

Thanks,

Johann

#Generate a private key
keytool -storepass changeit -genkey -alias tomcat -keyalg RSA

#Generate the Certificate Signing Request (CSR)
keytool -storepass changeit -certreq -alias tomcat -file name.csr

#Send the CSR to get a certificate

#Import the intermediate cert
keytool -storepass changeit -import -alias intermediateCA -trustcacerts -file intermediateCA.cer

#Import the cert (into the same alias that holds the key, so keytool treats it as the certificate reply)
keytool -storepass changeit -import -alias tomcat -trustcacerts -file name.cer




Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Filip Hanik - Dev Lists
you need the private key in order to run SSL, but you can import the 
private key, so ask the folks from your company for the private key, 
here is the info how you import it,

someone else posted it this week
http://www.agentbob.info/agentbob/79.html

Filip




Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Werner Schalk

Hello,

interestingly it did not work for me in the end. Basically I can import the
certificate and the private key to rebuild the original keystore using
AgentBob's Java code. Fine. Then when restarting Tomcat it does not complain
anymore and everything appears to be fine (Tomcat says something like Server
started and no error messages whatsoever). However when connecting to the
SSL-enabled site, there is no error message coming up, but any browser (IE,
Firefox, Konqueror) fails to connect to the site saying that the certificate
is invalid or corrupted (although one can still inspect it in the cert
properties of the respective browser). Any ideas on how to debug this
problem? Tomcat appears to be okay with the cert and the keystore but SSL is
still not working?

@Christian: Did you have the same problem in the end or did it all work for 
you?


Bye,
Werner




Re: Problems with SSL-enabled Tomcat 5.5

2007-08-31 Thread Filip Hanik - Dev Lists
I think what is happening in your case is that the SSL handshake fails, 
not even sure if debug turned on would show it. (depending on what 
connector you are running)


try removing the keyAlias (if you have it set) to let java decide on 
what cert in the keystore to use


Filip




Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Werner Schalk

Hello,

setting keyAlias=root did not change anything. Then I downloaded the
latest version of Tomcat, added the Verisign cert to my cacerts file
and imported my Verisign-signed SSL certificate into a new keystore.
Unfortunately that does not change my situation: Either Tomcat is unable to
find my alias in the keystore file (if I specify a keyAlias) or there appears
to be a problem with the SSL ciphers or certificate itself (if I don't specify
a keyAlias).

The two error messages I am getting when attempting to start Tomcat are (see
further below):


1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)


2/without keyAlias directive:
java.net.SocketException: SSL handshake
errorjavax.net.ssl.SSLException: No available certificate or key corresponds 
to the SSL cipher suites which are enabled.
at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)


Any more ideas? Is the problem maybe caused because I am creating a new 
keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - 
From: Filip Hanik - Dev Lists [EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias=root in server.xml

Werner Schalk wrote:

Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun
Solaris 10 (Sparc) but it turns out that this appears not to be an easy
task. Hopefully you guys can shed some light on this. Basically I do have a
Verisign-signed SSL certificate which I would like to add to my existing
Tomcat config. Now after spending hours of tweaking the config, I do face
two problems: Either Tomcat is unable to find my alias in the keystore file
or there appears to be a problem with the SSL ciphers or certificate itself.
Hopefully somebody knows what to do, this is giving me a headache for many
hours now.

Here is what I did (steps taken from
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing the
Certificate), please note that I removed IPs, hostnames etc. to protect the
innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


<Connector port="8443" maxHttpHeaderSize="16384"
  address="myhostname" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100"
  maxKeepAliveRequests="100"
  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol 
start

SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at 
org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at 
org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
   at 
org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at 
org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at 
org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Filip Hanik - Dev Lists
looks like the keyAlias=root is not taking into effect, as the 
container complains for not finding one named tomcat


could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the 
tomcat alias, leave the root alias in there.


Filip


Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Werner Schalk

Hello Filip,

thanks a lot for all your support. No, that's something I already tried.
When importing the Verisign root cert in my cacerts file and then importing
the signed cert in my keystore, it seems to be able to build a certificate
chain because I am no longer being asked whether I would like to trust the
certificate. However when using that keystore then in Tomcat (which only
contains my signed cert) I am getting the second error (No available
certificate or key corresponds to the SSL cipher suites which are enabled.).


Any more ideas?

Bye,
Seb


Re: Problems with SSL-enabled Tomcat 5.5

2007-08-30 Thread Filip Hanik - Dev Lists

aah, now I think we are getting somewhere.
Is this not the keystore that was used to generate the CSR, and which also 
contains the private key?
If not, then I don't know how it would work. You still need your private 
key in order to have a working SSL setup; the signed cert is only what 
Tomcat sends to the browser, it needs the private key in order to 
decipher the stuff that the browser encrypts using the public key.


So if you deleted the original keystore that was used to create the key, 
then yes, you are screwed. You need to start over: generate another key, 
get another CSR, get another signed cert from Verisign, etc.


Filip

Werner Schalk wrote:

Hello Filip,

thanks a lot for all your support. No, that's something I already 
tried. When importing the Verisign root cert into my cacerts
file and then importing the signed cert into my keystore, it seems to be 
able to build a certificate chain, because I am no
longer being asked whether I would like to trust the certificate. 
However, when using that keystore in Tomcat
(which only contains my signed cert) I am getting the second error 
(No available certificate or key corresponds to the SSL cipher suites 
which are enabled.).


Any more ideas?

Bye,
Seb

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias="root" is not taking effect, as the 
container complains about not finding one named tomcat


could be that it just looks for a tomcat alias to exist.
this is what I would try next: import the same certificate using the 
tomcat alias, and leave the root alias in there.


Filip

Werner Schalk wrote:

Hello,

setting keyAlias="root" did not change anything. Then I downloaded 
the latest version of Tomcat, added the Verisign cert to my cacerts 
file
and imported my Verisign-signed SSL certificate into a new keystore. 
Unfortunately that does not change my situation: Either Tomcat is 
unable to find
my alias in the keystore file (if I specify a keyAlias) or there 
appears to be a problem with the SSL ciphers or certificate itself 
(if I don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat 
are (see further below):


1/ with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)



2/ without keyAlias directive:
java.net.SocketException: SSL handshake 
errorjavax.net.ssl.SSLException: No available certificate or key 
corresponds to the SSL cipher suites which are enabled.
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)



Any more ideas? Is the problem maybe caused because I am creating a 
new keystore and the key of the Verisign-signed
certificate is in a separate file (my colleague deleted the original 
keystore file)? Are we screwed now?


Thank you. Any input is greatly appreciated.

Bye,
Werner.

- Original Message - From: Filip Hanik - Dev Lists 
[EMAIL PROTECTED]

To: Tomcat Users List users@tomcat.apache.org
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5



did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) 
on a Sun Solaris 10 (SPARC), but it turns out that this appears not 
to be an easy task.
Hopefully you guys can shed some light on this. Basically I do 
have a Verisign-signed SSL certificate which I would like to add 
to my existing Tomcat config. Now after spending hours of tweaking 
the config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem 
with the SSL ciphers or certificate itself. Hopefully somebody 
knows what to do, this has been giving me a headache for many hours 
now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing 
the Certificate), please note that I removed IPs, hostnames etc. to 
protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, 
OU=VeriSign, Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts 
-file mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my
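
The following is an added example, not code from the thread or from Tomcat, that shows concretely what Filip's point about the private key and Werner's two `keytool -import` steps come down to. A JKS keystore stores a small tag with every alias: 1 for a private key entry, 2 for a trusted certificate entry. Importing a certificate into a keystore that never held the matching private key always writes tag 2, which is exactly the `Entry type: trustedCertEntry` Werner's `keytool -list` shows for `tomcat`, and Tomcat's JSSE connector refuses any `keyAlias` whose entry is not a key entry (`KeyStore.isKeyEntry`). The reader/writer below follows the JKS container layout as implemented in `sun.security.provider.JavaKeyStore` (magic `0xFEEDFEED`, per-entry tag, SHA-1 integrity digest over the UTF-16BE password, the string `Mighty Aphrodite` and the stream); it does not decrypt key material. The certificate and key bytes (`CA_CERT`, `SERVER_CERT`, `ENCRYPTED_KEY`) are constructed placeholders, not real DER, and the function names are this example's own.

```python
"""Structural reader/writer for the JKS keystore container, used to show what
Tomcat's "Alias name X does not identify a key entry" check actually looks at."""
import hashlib
import io
import struct

MAGIC, VERSION = 0xFEEDFEED, 2
TAG_PRIVATE_KEY, TAG_TRUSTED_CERT = 1, 2      # entry tags as written by keytool
_WHITENER = b"Mighty Aphrodite"               # constant mixed into the integrity digest
_ENTRY_NAMES = {TAG_PRIVATE_KEY: "PrivateKeyEntry", TAG_TRUSTED_CERT: "trustedCertEntry"}

def _utf(s):                                  # DataOutputStream.writeUTF: u16 length + bytes
    data = s.encode("utf-8")
    return struct.pack(">H", len(data)) + data

def _read(buf, lenfmt):                       # length-prefixed field (">H" strings, ">I" blobs)
    (n,) = struct.unpack(lenfmt, buf.read(struct.calcsize(lenfmt)))
    return buf.read(n)

def _digest(body, password):
    # Java hashes the password as UTF-16BE chars, then the whitener, then every byte written.
    return hashlib.sha1(password.encode("utf-16-be") + _WHITENER + body).digest()

def write_jks(entries, password, created_ms=1188391493000):
    """entries: [(alias, tag, encrypted_key_or_None, [cert_der, ...])] -> JKS bytes."""
    out = io.BytesIO()
    out.write(struct.pack(">III", MAGIC, VERSION, len(entries)))
    for alias, tag, key, chain in entries:
        out.write(struct.pack(">I", tag) + _utf(alias) + struct.pack(">q", created_ms))
        if tag == TAG_PRIVATE_KEY:            # key entry: key blob, then chain length
            out.write(struct.pack(">I", len(key)) + key + struct.pack(">I", len(chain)))
        elif len(chain) != 1:
            raise ValueError("a trustedCertEntry holds exactly one certificate")
        for cert in chain:
            out.write(_utf("X.509") + struct.pack(">I", len(cert)) + cert)
    body = out.getvalue()
    return body + _digest(body, password)

def read_jks(blob, password):
    """Parse JKS bytes into {alias: (tag, encrypted_key, [certs])}, verifying the digest."""
    body, digest = blob[:-20], blob[-20:]
    if _digest(body, password) != digest:
        raise ValueError("Keystore was tampered with, or password was incorrect")
    buf = io.BytesIO(body)
    magic, version, count = struct.unpack(">III", buf.read(12))
    if magic != MAGIC or version not in (1, 2):
        raise ValueError("not a JKS keystore")
    entries = {}
    for _ in range(count):
        (tag,) = struct.unpack(">I", buf.read(4))
        alias = _read(buf, ">H").decode("utf-8")
        buf.read(8)                           # creation date, unused here
        key, chain_len = None, 1
        if tag == TAG_PRIVATE_KEY:
            key = _read(buf, ">I")
            (chain_len,) = struct.unpack(">I", buf.read(4))
        elif tag != TAG_TRUSTED_CERT:
            raise ValueError("unknown entry tag %d" % tag)
        chain = []
        for _ in range(chain_len):
            if version == 2:
                _read(buf, ">H")              # certificate type string, "X.509"
            chain.append(_read(buf, ">I"))
        entries[alias] = (tag, key, chain)
    return entries

def list_entries(entries):
    """The view `keytool -list` prints: alias -> entry type (older JDKs say keyEntry)."""
    return {alias: _ENTRY_NAMES[tag] for alias, (tag, _key, _chain) in entries.items()}

def check_key_alias(entries, key_alias):
    """Mirror of Tomcat's startup check (KeyStore.isKeyEntry): None if usable,
    otherwise the message the connector logs."""
    entry = entries.get(key_alias)
    if entry is None or entry[0] != TAG_PRIVATE_KEY:
        return "Alias name %s does not identify a key entry" % key_alias
    return None

def password_ok(blob, password):
    try:
        read_jks(blob, password)
    except ValueError:
        return False
    return True

# Constructed placeholders for DER certificates and an EncryptedPrivateKeyInfo.
CA_CERT, SERVER_CERT, ENCRYPTED_KEY = b"CA-DER", b"SERVER-DER", b"ENC-PKCS8"

# The thread's keystore: a new file that only ever saw two `keytool -import` runs.
BROKEN = write_jks([("root", TAG_TRUSTED_CERT, None, [CA_CERT]),
                    ("tomcat", TAG_TRUSTED_CERT, None, [SERVER_CERT])], "changeit")
# What Tomcat needs: the keystore `-genkey` created, whose "tomcat" entry holds the
# private key, with the CA-signed certificate imported back onto that same alias.
FIXED = write_jks([("root", TAG_TRUSTED_CERT, None, [CA_CERT]),
                   ("tomcat", TAG_PRIVATE_KEY, ENCRYPTED_KEY, [SERVER_CERT, CA_CERT])], "changeit")

if __name__ == "__main__":
    for name, blob in (("broken", BROKEN), ("fixed", FIXED)):
        ents = read_jks(blob, "changeit")
        print(name, list_entries(ents), check_key_alias(ents, "tomcat"))
```

Run against the `BROKEN` layout, `check_key_alias` returns the same text as the exception in the thread, and `list_entries` shows both aliases as `trustedCertEntry`; against `FIXED` it returns `None`. The practical consequence is the one Filip states: the keystore that `keytool -genkey -alias tomcat` produced, and from which `keytool -certreq -alias tomcat` generated the CSR, is the only file that can ever hold the tag-1 entry, and the signed certificate must be imported with `keytool -import -trustcacerts -alias tomcat` into that same keystore so the entry keeps its private key. If that file is gone, a new key pair, a new CSR and a new certificate from the CA are needed; no combination of `-import` steps into a fresh keystore can recreate the private key.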

Re: Problems with SSL-enabled Tomcat 5.5

2007-08-29 Thread Filip Hanik - Dev Lists

did you set
keyAlias="root" in server.xml

Werner Schalk wrote:

Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a 
Sun Solaris 10 (SPARC), but it turns out that this appears not to be an 
easy task.
Hopefully you guys can shed some light on this. Basically I do have a 
Verisign-signed SSL certificate which I would like to add to my
existing Tomcat config. Now after spending hours of tweaking the 
config, I do face two problems: Either Tomcat is unable to find
my alias in the keystore file or there appears to be a problem with 
the SSL ciphers or certificate itself. Hopefully somebody knows what 
to do, this has been giving me a headache for many hours now.

Here is what I did (steps taken from 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, Importing the 
Certificate), please note that I removed IPs, hostnames etc. to protect 
the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file 
verisign.crt

Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file 
mysystem.crt

Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new 
keystore and SSL cert:


<Connector port="8443" maxHttpHeaderSize="16384"
  address="myhostname" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100"
  maxKeepAliveRequests="100"
  scheme="https" secure="true" clientAuth="false"
  compression="8192"
  compressableMimeType="text/javascript,text/css"
  keystoreFile="/usr/local/tomcat/conf/wstest"
  keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
   at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
   at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
   at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
   at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
   at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
   at org.apache.catalina.connector.Connector.start(Connector.java:1089)
   at org.apache.catalina.core.StandardService.start(StandardService.java:459)
   at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
   at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
   at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
   at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
   at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
   at java.lang.reflect.Method.invoke(Method.java:585)
   at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
   at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However, my keystore DOES contain my two keys (Verisign's key as well 
as my SSL cert):


# keytool -list --keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 
VeriSign, OU=VeriSign International Server CA - Class 3, OU=VeriSign, 
Inc., O=VeriSign Trust Network


[...]

***
***

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

***
***

Here is the first problem: Why does my alias tomcat not identify a 
key entry in the keystore? It does exist, doesn't it?


5) Now to get around this problem, I removed the keyAlias directive 
from the Tomcat