Re: Tomcat APR protocol SSL certificate information.

2015-12-16 Thread Mark Thomas
On 16/12/2015 13:26, Nithesh Kb wrote:
> Got this mail!
> Does it mean we can use a keystore for the APR protocol using this new TC-native?

It needs changes on the Tomcat side as well. Those are currently only
available in the 9.0.x source tree. They will be included in the next
9.0.x release.

Mark




-
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org



Re: Tomcat APR protocol SSL certificate information.

2015-12-16 Thread Nithesh Kb
Got this mail!
Does it mean we can use a keystore for the APR protocol using this new TC-native?



Thanks,
Nithesh



Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Nithesh Kb
Hi,
I have built the APR libraries, OpenSSL and tc-native; I have also created the
OpenSSL libraries. Both HTTP and HTTPS are working fine.

    # generate a 2048-bit RSA key, encrypted with a passphrase
    openssl genrsa -des3 -out server.key 2048
    # create a certificate signing request for that key
    openssl req -new -key server.key -out server.csr
    # keep the encrypted key and write a copy without the passphrase
    cp server.key server.key.org
    openssl rsa -in server.key.org -out server.key
    # self-sign the request; the certificate is valid for 365 days
    openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

I get server.crt and server.key.

I added this entry in the connector:

    protocol="org.apache.coyote.http11.Http11AprProtocol"
    SSLCertificateFile="/aa/server.crt"
    SSLCertificateKeyFile="/aa/server.key"

If I do this much, it will work!!

But the question is: is it possible to put these two certificates in a
keystore, and can we add only that keystore in our connector?
Something like keystoreFile="/aa/tomcat.keystore"

I tried this but it didn't work:

http://stackoverflow.com/questions/17695297/importing-the-private-key-public-certificate-pair-in-the-java-keystore

Please help me to understand this certificate stuff.

Thanks,
Nithesh


Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread David Newman
When you use APR the SSL implementation is coming from OpenSSL instead of
Java. OpenSSL has no use for Java keystore files. So it becomes more like
an Apache httpd config with separate files for keys and certificates.



Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Garcia Aparici, Carlos
In many of our Tomcats we use the pfx directly on the connector. It's similar
to a keystore.


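The two forms discussed in the replies above, separate certificate and key files as given to SSLCertificateFile / SSLCertificateKeyFile and a single .pfx (PKCS#12) bundle, worked through as an added example that is not part of any poster's message. It checks that a certificate and key belong together, that the passphrase-less key is readable by its owner only, and that the bundle round-trips; the file names, the CN `localhost`, the alias `tomcat` and the password `changeit` are constructed.

```shell
#!/usr/bin/env bash
# Added example: file names, CN, alias and the password "changeit" are constructed.
set -eu
umask 077   # the key carries no passphrase, so file mode is its only protection

key_pub()  { openssl pkey -in "$1" -pubout; }          # public key of a PEM private key
cert_pub() { openssl x509 -in "$1" -noout -pubkey; }   # public key inside a PEM certificate

# Succeeds only when CERT was issued for KEY (the pair an APR connector is given).
pair_matches() {        # usage: pair_matches CERT KEY
    k=$(key_pub "$2" 2>/dev/null) && c=$(cert_pub "$1" 2>/dev/null) &&
        [ -n "$k" ] && [ "$k" = "$c" ]
}

# Succeeds only when group and others have no permission bits on the key file.
key_is_owner_only() {
    [ "$(ls -l "$1" | cut -c5-10)" = "------" ]
}

# Bundle CERT and KEY into PKCS#12 file OUT, refusing a mismatched pair.
make_pfx() {            # usage: make_pfx CERT KEY OUT PASSWORD
    pair_matches "$1" "$2" || { echo "certificate and key do not match" >&2; return 1; }
    openssl pkcs12 -export -in "$1" -inkey "$2" -name tomcat -out "$3" -passout "pass:$4"
}

# Public key of the certificate stored in a PKCS#12 file; fails on a wrong password.
pfx_cert_pub() {        # usage: pfx_cert_pub PFX PASSWORD
    { openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts |
        openssl x509 -noout -pubkey; } 2>/dev/null
}

WORK=$(mktemp -d)
# Same end state as the commands in the thread: a passphrase-less 2048-bit RSA key
# and a self-signed certificate valid for 365 days (-subj makes it non-interactive).
openssl genrsa -out "$WORK/server.key" 2048 2>/dev/null
openssl req -new -x509 -key "$WORK/server.key" -subj "/CN=localhost" \
    -days 365 -out "$WORK/server.crt"
openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null   # unrelated key for the failure case

make_pfx "$WORK/server.crt" "$WORK/server.key" "$WORK/server.pfx" changeit
echo "bundle written to $WORK/server.pfx"
if make_pfx "$WORK/server.crt" "$WORK/other.key" "$WORK/bad.pfx" changeit 2>/dev/null; then
    echo "unexpected: mismatched pair accepted"
else
    echo "mismatched pair rejected"
fi
key_is_owner_only "$WORK/server.key" && echo "server.key is owner-only"
```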


Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Mark Thomas
On 15/12/2015 15:07, David Newman wrote:
> When you use APR the SSL implementation is coming from OpenSSL instead of
> Java. OpenSSL has no use for Java keystore files. So it becomes more like
> an Apache httpd config with separate files for keys and certificates.

True, but as of Tomcat 9 (and will hopefully be back-ported to an 8.1.x
at some point) you can use Java keystores with OpenSSL.

Mark




Re: Tomcat APR protocol SSL certificate information.

2015-12-15 Thread Nithesh Kb
Thanks David, Thomas.
If my understanding is not wrong:
Until Tomcat version 8, we need to provide the cert and key separately for
OpenSSL SSL APR, like
(SSLCertificateFile="/aa/server.crt" SSLCertificateKeyFile="/aa/server.key")
But with Tomcat 9 we can use a keystore to store the cert and key and configure
it on the connector like keystoreFile="/aa/tomcat.keystore"

Thanks,
Nithesh
