Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-10 Thread James Lampert

Tim Watts wrote:

That's a possibility if it's padding the passwords as well.   I'm not an
AS/400 expert by any means.  Is /foo a preallocated file and if so could
the problem be with the way it was allocated?


The Java-400 list over at Midrange.com is also in on this (albeit not 
this specific message).


I tried putting the password, and some of the values, in single quotes, 
and others in double quotes. No change in behavior: the confirmation 
message fields were padded, and the quote marks were shown in them.


Hmm. THIS is INTERESTING!

If I FTP a keystore created on my WinDoze box onto the 400, then KEYTOOL 
there can read it. FASCINATING.


--
JHHL

-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-10 Thread Tim Watts
On Tue, 2012-01-10 at 09:35 -0800, James Lampert wrote:
 Tim Watts wrote:
  That's a possibility if it's padding the passwords as well.   I'm not an
  AS/400 expert by any means.  Is /foo a preallocated file and if so could
  the problem be with the way it was allocated?
 
 The Java-400 list over at Midrange.com is also in on this (albeit not 
 this specific message).
 
 I tried putting the password, and some of the values, in single quotes, 
 and others in double quotes. No change in behavior: the confirmation 
 message fields were padded, and the quote marks were shown in them.
 
 Hmm. THIS is INTERESTING!
 
 If I FTP a keystore created on my WinDoze box onto the 400, then KEYTOOL 
 there can read it. FASCINATING.
 
Ha!  Presumably you FTP-ed in binary mode?  Maybe that solves your
original problem too.

I know the big mainframe OSes can run Unix VMs which is what the bank
where I used to work ran all their Java servers in.  Perhaps AS/400 has
something similar and would make your app easier to manage.  Hope
there's an AS/400 expert lurking on the list; I don't think I can offer
much further help.

If you do work it out on midrange.com maybe you could post your solution
here too for others to learn from.

Good Luck.

 --
 JHHL
 
 





Re: Tomcat 7 SSL activation on AS/400?

2012-01-10 Thread Christopher Schultz

Tim,

On 1/9/12 6:32 PM, Tim Watts wrote:
 Can you successfully run this command:
 
 keytool -list -keystore {path/to/your/keystore/file} -storepass
 {passwd-in-server.xml}

Good idea.

 If so, perhaps it's a character encoding issue?  Don't remember if 
 AS/400 uses EBCDIC as its default character set.

Er, I'm pretty sure the keystore is a well-defined binary format that
shouldn't be affected by character encoding issues.

I'm no expert, though.

Seems weird to hear that an FTP'd file works... that would imply that
keytool on your AS/400 box is somehow broken -- but only for writes.
Weird.

-chris



Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-10 Thread James Lampert
Well, using a keystore created on my WinDoze box, and FTP'd to the 400 
definitely works: Port 8443 came right up.


But that still leaves open the question of why on earth keytool fails to 
create valid keystores on the 400, whether run from QShell or QP2Term.


Inquiring minds want to know.

BTW: Like any other developer distributing Java products, we have a 
keystore with the CA-signed certificate we use to sign JARs. Would that 
KS and certificate also work for SSL support on Tomcat? Or is it limited 
to JAR-signing? (Not that we would ever want to let that keystore, and 
its passwords, out of our hands!)


--
JHHL




Tomcat 7 SSL activation on AS/400?

2012-01-09 Thread James Lampert

I'm attempting to bring up SSL support in Tomcat 7, on an AS/400 (V6R1).

Tomcat itself runs nicely, but following the instructions on
http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
I am consistently getting:
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]] 
Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]] 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)   
at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)   
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781) 
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
at org.apache.catalina.startup.Catalina.load(Catalina.java:573)  
at org.apache.catalina.startup.Catalina.load(Catalina.java:598)  
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)   
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60) 
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37) 
at java.lang.reflect.Method.invoke(Method.java:611)  
at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed 
at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)  
at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)   
... 12 more  
Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect 
at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)   
at java.security.KeyStore.load(KeyStore.java:414)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306) 
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)  
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)  
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369) 
at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)   
at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119) 
at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)  
... 13 more  
Caused by: java.security.UnrecoverableKeyException: Password verification failed  
... 26 more  


I've tried it with the default keystore name, location, and passwords; 
I've tried it with an explicit name, location, and both key and keystore 
passwords. The above exceptions are thrown consistently, except for one 
occasion when the keystore simply didn't exist where expected.


--
James H. H. Lampert




Re: Tomcat 7 SSL activation on AS/400?

2012-01-09 Thread Chema

    Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect

Well, I don't know what the problem is.

I followed these steps and it worked: http://blog.frankel.ch/ssl-your-tomcat-7

Another option is that the HTTP Connector in your server.xml is incorrectly configured.




Re: Tomcat 7 SSL activation on AS/400?

2012-01-09 Thread Tim Watts
Can you successfully run this command:

keytool -list -keystore {path/to/your/keystore/file} -storepass 
{passwd-in-server.xml}

If so, perhaps it's a character encoding issue?  Don't remember if
AS/400 uses EBCDIC as its default character set.


On Mon, 2012-01-09 at 14:42 -0800, James Lampert wrote:
 I'm attempting to bring up SSL support in Tomcat 7, on an AS/400 (V6R1).
 
 Tomcat itself runs nicely, but following the instructions on
  http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html
 I am consistently getting:
  SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8443]]
  Throwable occurred: org.apache.catalina.LifecycleException: Failed to initialize component [Connector[HTTP/1.1-8443]]
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:106)
  at org.apache.catalina.core.StandardService.initInternal(StandardService.java:559)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
  at org.apache.catalina.core.StandardServer.initInternal(StandardServer.java:781)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:573)
  at org.apache.catalina.startup.Catalina.load(Catalina.java:598)
  at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
  at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:60)
  at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:37)
  at java.lang.reflect.Method.invoke(Method.java:611)
  at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:281)
  at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:449)
  Caused by: org.apache.catalina.LifecycleException: Protocol handler initialization failed
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:939)
  at org.apache.catalina.util.LifecycleBase.init(LifecycleBase.java:102)
  ... 12 more
  Caused by: java.io.IOException: Keystore was tampered with, or password was incorrect
  at com.ibm.crypto.provider.JavaKeyStore.engineLoad(Unknown Source)
  at java.security.KeyStore.load(KeyStore.java:414)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:407)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:306)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:565)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:505)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:449)
  at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:158)
  at org.apache.tomcat.util.net.JIoEndpoint.bind(JIoEndpoint.java:369)
  at org.apache.tomcat.util.net.AbstractEndpoint.init(AbstractEndpoint.java:553)
  at org.apache.coyote.AbstractProtocol.init(AbstractProtocol.java:369)
  at org.apache.coyote.http11.AbstractHttp11JsseProtocol.init(AbstractHttp11JsseProtocol.java:119)
  at org.apache.catalina.connector.Connector.initInternal(Connector.java:937)
  ... 13 more
  Caused by: java.security.UnrecoverableKeyException: Password verification failed
  ... 26 more

 
 I've tried it with the default keystore name, location, and passwords; 
 I've tried it with an explicit name, location, and both key and keystore 
 passwords. The above exceptions are thrown consistently, except for one 
 occasion when the keystore simply didn't exist where expected.
 
 --
 James H. 

Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-09 Thread James Lampert

Tim Watts (from the Tomcat Users List) wrote:

Can you successfully run this command:

keytool -list -keystore {path/to/your/keystore/file} -storepass 
{passwd-in-server.xml}


It gives the same error message. And yes, EBCDIC is the default encoding 
for AS/400s. The attributes on /foo show that it has a CCSID of 819, 
though, which (if my memory and the IBM docs are correct) is ASCII.


Here's a QShell transcript from a test I ran specifically so that I 
could post everything without betraying any passwords:



keytool -genkey -alias foo -keyalg RSA -keystore /foo
  Enter keystore password: 
bar  
  What is your first and last name?
[Unknown]: 
James Lampert
  What is the name of your organizational unit?
[Unknown]: 
Development Lab  
  What is the name of your organization?   
[Unknown]: 
Touchtone Corporation
  What is the name of your City or Locality?   
[Unknown]: 
Costa Mesa   
  What is the name of your State or Province?  
[Unknown]: 
California  
  What is the two-letter country code for this unit?  
[Unknown]:
US  
  Is CN=James Lampert
  
  
  
  , OU=Development Lab  
  
  
  
  , O=Touchtone Corporation 
, L=Costa Mesa 
 
 
 
   , ST=California 
 
 
 
   , C=US  
 
 
 
   correct? (type yes or no)

[no]:
yes   

  Enter key password for foo: 
  (RETURN if same as keystore password):
bar   
  $   
keytool -list  -keystore /foo -storepass bar
  keytool error (likely untranslated): java.io.IOException: Keystore was tampered with, or password was incorrect 
  $   


Another thought occurred to me: Could the trailing blanks shown in the 
confirmation message have anything to do with the problem?


--
JHHL
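
Both hypotheses raised in this thread (blank-padded input and an EBCDIC/ASCII mismatch) can be tested against the keystore bytes themselves, because a JKS file ends with a SHA-1 digest computed over the password, a fixed string and the rest of the file. The sketch below is an added example, not code from any poster or from Tomcat; it assumes the standard JKS layout, and the 10-character field width, code page 037 and the function names are hypothetical choices for illustration.

```python
import hashlib
import hmac
import struct

JKS_MAGIC = 0xFEEDFEED
JKS_SALT = b"Mighty Aphrodite"  # fixed string mixed into the JKS integrity hash


def jks_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (2 bytes per char, big-endian) + salt + store body."""
    return hashlib.sha1(password.encode("utf-16-be") + JKS_SALT + body).digest()


def make_empty_jks(password: str) -> bytes:
    """Constructed sample: a JKS file with zero entries, sealed with `password`."""
    body = struct.pack(">III", JKS_MAGIC, 2, 0)  # magic, version 2, entry count
    return body + jks_digest(password, body)


def check_password(store: bytes, password: str) -> bool:
    """Load-time integrity check: the trailing 20 bytes are the stored digest."""
    body, stored = store[:-20], store[-20:]
    if struct.unpack(">I", body[:4])[0] != JKS_MAGIC:
        raise ValueError("not a JKS keystore")
    return hmac.compare_digest(jks_digest(password, body), stored)


def ebcdic_misread(password: str) -> str:
    """Password typed as EBCDIC (cp037, assumed) whose bytes are read as Latin-1."""
    return password.encode("cp037").decode("latin-1")


def try_candidates(store: bytes, typed: str, field_width: int = 10) -> dict:
    """Report which form of the typed password the store was sealed with."""
    candidates = {
        "as typed": typed,
        "blank-padded": typed.ljust(field_width),  # width is a guess
        "EBCDIC bytes read as Latin-1": ebcdic_misread(typed),
    }
    return {name: check_password(store, pw) for name, pw in candidates.items()}


if __name__ == "__main__":
    # Constructed stores: one sealed with "bar", one with "bar" padded to 10.
    for sealed_with in ("bar", "bar".ljust(10)):
        print(repr(sealed_with), try_candidates(make_empty_jks(sealed_with), "bar"))
```

Any mismatch in the password characters, whether from padding or from encoding, fails the same digest comparison, which is why the loader reports only "Keystore was tampered with, or password was incorrect". To run `try_candidates` on a real keystore, read the file in binary mode.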




Re: Tomcat 7 SSL activation on AS/400? (Cross-posted to JAVA400)

2012-01-09 Thread Tim Watts
On Mon, 2012-01-09 at 15:55 -0800, James Lampert wrote:
 Tim Watts (from the Tomcat Users List) wrote:
  Can you successfully run this command:
  
  keytool -list -keystore {path/to/your/keystore/file} -storepass 
  {passwd-in-server.xml}
 
 It gives the same error message. And yes, EBCDIC is the default encoding 
 for AS/400s. The attributes on /foo show that it has a CCSID of 819, 
 though, which (if my memory and the IBM docs are correct) is ASCII.
 
 Here's a QShell transcript from a test I ran specifically so that I 
 could post everything without betraying any passwords:
 
  keytool -genkey -alias foo -keyalg RSA -keystore /foo
Enter keystore password: 
  bar  
What is your first and last name?
  [Unknown]: 
  James Lampert
What is the name of your organizational unit?
  [Unknown]: 
  Development Lab  
What is the name of your organization?   
  [Unknown]: 
  Touchtone Corporation
What is the name of your City or Locality?   
  [Unknown]: 
  Costa Mesa   
What is the name of your State or Province?  
  [Unknown]: 
  California  
What is the two-letter country code for this unit?  
  [Unknown]:
  US  
Is CN=James Lampert



, OU=Development Lab  



, O=Touchtone Corporation 
  , L=Costa Mesa 
   
   
   
 , ST=California 
   
   
   
 , C=US  
   
   
   
 correct? (type yes or no)
  [no]:
  yes   
  
Enter key password for foo: 
(RETURN if same as keystore password):
  bar   
$ 

  keytool -list  -keystore /foo -storepass bar   
   
keytool error (likely untranslated): java.io.IOException: Keystore was 
  tampered with, or password was incorrect 
$ 

 
 Another thought occurred to me: Could the trailing blanks shown in the 
 confirmation message have anything to do with the problem?
 
That's a possibility if it's padding the passwords as well.   I'm not an
AS/400 expert by any means.  Is /foo a preallocated file and if so could
the problem be with the way it was allocated?

Perhaps what's encrypted in the file was ASCII but the keystrokes in
your shell (and chars in server.xml file) are EBCDIC?

 --
 JHHL
 
 


