SSL No Certificate file specified or invalid file format

2010-11-23 Thread Scott Li
Hi All,
 When I want to configure SSL in Tomcat (apache-tomcat-7.0.4) on Windows XP,
 I get the error below. Can anyone tell me what the problem is?

step 1:
I generate the client/server Java key stores with the following code:

import java.io.FileOutputStream;
import java.math.BigInteger;
import java.security.InvalidKeyException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SecureRandom;
import java.security.Security;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.util.Date;
import javax.security.auth.x500.X500Principal;
import javax.security.auth.x500.X500PrivateCredential;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.x509.X509V3CertificateGenerator;

/**
 * Tomcat HTTPS client/server key and certificate generator
 */
public class TomcatKey {
  // Client side: trust store holding the self-signed root certificate
  static String TRUST_STORE_NAME = "client";
  static char[] TRUST_STORE_PASSWORD = "test".toCharArray();

  // Server side: key store holding the private key and its certificate
  static String SERVER_NAME = "server";
  static char[] SERVER_PASSWORD = "test".toCharArray();
  static String SERVER_HOST = "localhost";

  public static void main(String[] args) {
    // X509V3CertificateGenerator.generate(key, random) signs through the "BC"
    // provider, so it must be registered before the certificate is built
    Security.addProvider(new BouncyCastleProvider());
    try {
      // trust store: my root certificate
      KeyStore store = KeyStore.getInstance("JKS");
      // initialize an empty store
      store.load(null, null);
      KeyPair rootPair = generateKeyPair();
      X500PrivateCredential rootCredential = createRootCredential(rootPair);
      store.setCertificateEntry(TRUST_STORE_NAME, rootCredential.getCertificate());
      store.store(new FileOutputStream(TRUST_STORE_NAME + ".keystore"),
          TRUST_STORE_PASSWORD);

      // server credentials: the same self-signed certificate plus its private key
      store = KeyStore.getInstance("JKS");
      store.load(null, null);
      store.setKeyEntry(SERVER_NAME, rootCredential.getPrivateKey(),
          SERVER_PASSWORD, new Certificate[] { rootCredential.getCertificate() });
      store.store(new FileOutputStream(SERVER_NAME + ".keystore"),
          SERVER_PASSWORD);
    } catch (NoSuchAlgorithmException e) {
      e.printStackTrace();
    } catch (NoSuchProviderException e) {
      e.printStackTrace();
    } catch (Exception e) {
      e.printStackTrace();
    }
  }

  // generate key pair
  public static KeyPair generateKeyPair() throws NoSuchAlgorithmException,
      NoSuchProviderException {
    // create the keys (1024-bit RSA as posted; 2048 bits is the current minimum)
    KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
    generator.initialize(1024, new SecureRandom());
    return generator.generateKeyPair();
  }

  // generate certificate
  public static X500PrivateCredential createRootCredential(KeyPair rootPair)
      throws Exception {
    X509Certificate rootCert = generateX509V3RootCertificate(rootPair);
    return new X500PrivateCredential(rootCert, rootPair.getPrivate());
  }

  public static X509Certificate generateX509V3RootCertificate(KeyPair pair)
      throws NoSuchAlgorithmException, NoSuchProviderException,
      CertificateEncodingException, InvalidKeyException,
      IllegalStateException, SignatureException {

    X509V3CertificateGenerator certGen = new X509V3CertificateGenerator();

    certGen.setSerialNumber(BigInteger.valueOf(System.currentTimeMillis()));

    // self-signed: issuer and subject are the same DN
    certGen.setIssuerDN(new X500Principal("CN=" + SERVER_HOST
        + ", OU=GoldenSF, O=SHA, C=cn"));

    certGen.setNotBefore(new Date(System.currentTimeMillis() - 5000L));

    certGen.setSubjectDN(new X500Principal("CN=" + SERVER_HOST
        + ", OU=GoldenSF, O=SHA, C=cn"));

    certGen.setPublicKey(pair.getPublic());

    certGen.setSignatureAlgorithm("SHA1WithRSA");

    // Integer.MAX_VALUE milliseconds is about 24.8 days of validity
    certGen.setNotAfter(new Date(System.currentTimeMillis() + Integer.MAX_VALUE));

    return certGen.generate(pair.getPrivate(), new SecureRandom());
  }
}


step 2:
put the files client.keystore and server.keystore in apache-tomcat-7.0.4/conf

step 3:
then update server.xml as follows:

<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="443" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               protocol="org.apache.coyote.http11.Http11AprProtocol"
               keystoreFile="conf/server.keystore" keystorePass="test"
               truststoreFile="conf/client.keystore" truststorePass="test"/>
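Before pointing a connector at the two JKS files, it is worth confirming that they are what the JSSE connector expects. The following checker is an added example for this thread, not code from the original post: it loads the stores with their passwords, confirms the alias is a private-key entry whose key actually matches its certificate, checks the validity window (the generator above sets notAfter only about 24.8 days out), checks that the subject CN equals the host name a browser will connect to, and confirms that something in the trust store verifies the server certificate. The file names, the alias "server", the password "test" and the host "localhost" are taken from TomcatKey and are assumptions about the reader's setup.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Enumeration;
import java.util.List;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import javax.security.auth.x500.X500Principal;

/**
 * Sanity-checks the JKS files written by TomcatKey before a JSSE connector is
 * pointed at them. Added example, not code from the thread. Assumed names:
 * server.keystore / alias "server", client.keystore, password "test", host "localhost".
 */
public class KeystoreCheck {

  /** Loads a JKS file; a wrong password or a non-JKS file throws IOException. */
  static KeyStore loadJks(String path, char[] password) throws Exception {
    KeyStore ks = KeyStore.getInstance("JKS");
    InputStream in = new FileInputStream(path);
    try {
      ks.load(in, password);
    } finally {
      in.close();
    }
    return ks;
  }

  /** Returns the CN of the certificate subject, or null if it has none. */
  static String commonName(X509Certificate cert) throws Exception {
    String dn = cert.getSubjectX500Principal().getName(X500Principal.RFC2253);
    for (Rdn rdn : new LdapName(dn).getRdns()) {
      if ("CN".equalsIgnoreCase(rdn.getType())) {
        return String.valueOf(rdn.getValue());
      }
    }
    return null;
  }

  /** Returns a list of problems; an empty list means the stores are usable together. */
  static List<String> check(KeyStore serverStore, char[] keyPassword, String alias,
                            KeyStore trustStore, String expectedHost) throws Exception {
    List<String> problems = new ArrayList<String>();

    // keystoreFile must hold a private-key entry, not just a trusted certificate
    if (!serverStore.isKeyEntry(alias)) {
      problems.add("alias '" + alias + "' is not a private-key entry");
      return problems;
    }
    PrivateKey key = (PrivateKey) serverStore.getKey(alias, keyPassword);
    Certificate[] chain = serverStore.getCertificateChain(alias);
    X509Certificate leaf = (X509Certificate) chain[0];

    // the key must belong to the leaf certificate: sign a probe, verify with the cert
    byte[] probe = "keystore-check".getBytes("UTF-8");
    Signature sig = Signature.getInstance(leaf.getSigAlgName());
    sig.initSign(key);
    sig.update(probe);
    byte[] signed = sig.sign();
    sig.initVerify(leaf.getPublicKey());
    sig.update(probe);
    if (!sig.verify(signed)) {
      problems.add("private key does not match the certificate under alias '" + alias + "'");
    }

    // validity window; warn early because TomcatKey's certificate lives ~24.8 days
    try {
      leaf.checkValidity(new Date());
    } catch (CertificateException e) {
      problems.add("certificate is not currently valid: " + e.getMessage());
    }
    long daysLeft = (leaf.getNotAfter().getTime() - System.currentTimeMillis()) / 86400000L;
    if (daysLeft < 30) {
      problems.add("certificate expires in " + daysLeft + " day(s): " + leaf.getNotAfter());
    }

    // browsers match the host name against the subject CN (no SAN in this cert)
    String cn = commonName(leaf);
    if (!expectedHost.equalsIgnoreCase(cn)) {
      problems.add("subject CN '" + cn + "' does not match host '" + expectedHost + "'");
    }

    // some certificate in the trust store must verify the leaf's signature
    boolean trusted = false;
    for (Enumeration<String> e = trustStore.aliases(); e.hasMoreElements();) {
      Certificate anchor = trustStore.getCertificate(e.nextElement());
      try {
        leaf.verify(anchor.getPublicKey());
        trusted = true;
        break;
      } catch (Exception notThisAnchor) {
        // not signed by this anchor; try the next one
      }
    }
    if (!trusted) {
      problems.add("nothing in the trust store verifies the server certificate");
    }
    return problems;
  }

  public static void main(String[] args) throws Exception {
    KeyStore server = loadJks("server.keystore", "test".toCharArray());
    KeyStore trust = loadJks("client.keystore", "test".toCharArray());
    List<String> problems = check(server, "test".toCharArray(), "server", trust, "localhost");
    for (String p : problems) {
      System.err.println("PROBLEM: " + p);
    }
    System.exit(problems.isEmpty() ? 0 : 1);
  }
}
```

Run it from the directory holding the two .keystore files; a non-zero exit code with the printed problems tells you which assumption about the stores is wrong. Note that it only checks what the JSSE connector needs; the APR connector discussed further down never reads these JKS files at all.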

Re: SSL No Certificate file specified or invalid file format

2010-11-23 Thread Konstantin Kolinko
> 2010/11/24 Scott Li <scott...@gwghk.com>:
> 信息: Loaded APR based Apache Tomcat Native library 1.1.20.
> 010-11-24 9:36:38 org.apache.catalina.core.AprLifecycleListener init
> 信息: APR capabilities: IPv6 [true], sendfile [true], accept filters [false],
> random [true].
> 010-11-24 9:36:38 org.apache.coyote.http11.Http11AprProtocol init

As mentioned in the docs, there are two SSL implementations that can
be used by Tomcat:
- one provided by Java runtime,
- another provided by OpenSSL library (called through APR/Tomcat-Native).

Their configurations are very different.

The above log fragment shows that you are using the APR one.


To configure it correctly:
 see docs.

To disable it:
 a) remove bin\tcnative-1.dll
 b) remove the <Listener className="org.apache.catalina.core.AprLifecycleListener"
    SSLEngine="on" /> line from server.xml.

Best regards,
Konstantin Kolinko

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: SSL No Certificate file specified or invalid file format

2010-11-23 Thread Scott Li
It works, thank you very much Konstantin Kolinko!

I disabled APR by following these steps:
 a) remove bin\tcnative-1.dll
 b) remove the <Listener className="org.apache.catalina.core.AprLifecycleListener"
    SSLEngine="on" /> line from server.xml.

 c) remove 'protocol=http11.Http11AprProtocol' from server.xml's Connector,
    which I changed as follows:
    <Connector port="443" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               keystoreFile="conf/server.keystore" keystorePass="test"
               truststoreFile="conf/client.keystore" truststorePass="test"/>

then https://localhost/ can open.


And my question is: what is the configuration for the OpenSSL library (called
through APR/Tomcat-Native)?
I have read
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#SSL_and_Tomcat
but it does not seem to have the APR configuration. Can you give me the docs
link you mentioned?
Or send it to my email: sc...@222m.net. Thanks!





On 24 November 2010 at 9:54 AM, Konstantin Kolinko <knst.koli...@gmail.com> wrote:

> 2010/11/24 Scott Li <scott...@gwghk.com>:
> > 信息: Loaded APR based Apache Tomcat Native library 1.1.20.
> > 010-11-24 9:36:38 org.apache.catalina.core.AprLifecycleListener init
> > 信息: APR capabilities: IPv6 [true], sendfile [true], accept filters
> > [false],
> > random [true].
> > 010-11-24 9:36:38 org.apache.coyote.http11.Http11AprProtocol init
>
> As mentioned in the docs, there are two SSL implementations that can
> be used by Tomcat:
> - one provided by Java runtime,
> - another provided by OpenSSL library (called through APR/Tomcat-Native).
>
> Their configurations are very different.
>
> The above log fragment shows that you are using the APR one.
>
>
> To configure it correctly:
>  see docs.
>
> To disable it:
>  a) remove bin\tcnative-1.dll
>  b) remove the <Listener className="org.apache.catalina.core.AprLifecycleListener"
>     SSLEngine="on" /> line from server.xml.
>
> Best regards,
> Konstantin Kolinko





Thanks  Regards,

Scott Li


Re: SSL No Certificate file specified or invalid file format

2010-11-23 Thread Konstantin Kolinko
> 2010/11/24 Scott Li <scott...@gwghk.com>:
> It works, thank you very much Konstantin Kolinko!
>
> I disabled APR by following these steps:
>  a) remove bin\tcnative-1.dll
>  b) remove the <Listener className="org.apache.catalina.core.AprLifecycleListener"
>     SSLEngine="on" /> line from server.xml.
>
>  c) remove 'protocol=http11.Http11AprProtocol' from server.xml's Connector,
>     which I changed as follows:
>     <Connector port="443" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                keystoreFile="conf/server.keystore" keystorePass="test"
>                truststoreFile="conf/client.keystore" truststorePass="test"/>
>
> then https://localhost/ can open.
>
>
> And my question is: what is the configuration for the OpenSSL library (called
> through APR/Tomcat-Native)?
> I have read
> http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#SSL_and_Tomcat
> but it does not seem to have the APR configuration. Can you give me the docs
> link you mentioned?

http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support

Best regards,
Konstantin Kolinko

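To make the difference Konstantin points to concrete, here are the two connector styles side by side. This is an added configuration example, not from the thread or from the linked Tomcat page: the first connector is Scott's working JSSE configuration; the second uses the attribute names Tomcat 7 documents for APR/OpenSSL SSL support. The PEM file names and the SSLPassword value are placeholders.

```xml
<!-- JSSE (Java runtime) SSL. Reads the JKS files written by TomcatKey.
     Naming the Java protocol class explicitly avoids the auto-switch that
     protocol="HTTP/1.1" performs when tcnative is present on the path. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="conf/server.keystore" keystorePass="test"
           truststoreFile="conf/client.keystore" truststorePass="test" />

<!-- APR/OpenSSL SSL. keystoreFile/keystorePass are ignored here; OpenSSL is
     given PEM-encoded certificate and key files instead, so a connector
     that names only a JKS keystore has no certificate file it can read.
     The .pem paths and SSLPassword are placeholders, not files from the thread. -->
<Connector port="443" protocol="org.apache.coyote.http11.Http11AprProtocol"
           SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
           SSLCertificateFile="conf/server-cert.pem"
           SSLCertificateKeyFile="conf/server-key.pem"
           SSLPassword="PLACEHOLDER-key-passphrase"
           SSLVerifyClient="none" SSLProtocol="TLSv1" />
```

Only one of the two connectors should be present for a given port. If the APR listener stays in server.xml and tcnative-1.dll stays in bin, the APR attributes are the ones that matter; with both removed, as Scott did, the JSSE attributes apply and the keystore attributes are read.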