Re: Tomcat crashes after startup
Chris,

> You need to have a key in your keystore with the alias tomcat as well. If you have been following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration, you have either missed or misinterpreted a step.

I actually followed the document here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html because I am using Tomcat 6. I also did import the cert with the alias tomcat (see screenshot below). Is there an order in which to import the certs? I imported the server cert first, then the CA, then the root cert.

> I would advise against using the same keystore for both the keystore and the truststore. The trust store is only used for validating client certificates and, IMO, should be kept separate from the certificates you use for the web service itself.

These config settings were in place long before I worked here... I was just copying the info from the old server.xml and adding in the new keystore info. If we do not use any client certs, can I remove the truststore line?

Thanks,
Justin
Re: Tomcat crashes after startup
Justin,

On 12/13/11 8:35 AM, Justin Larose wrote:
> I actually followed the document here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html because I am using Tomcat 6.

Okay. You just hadn't mentioned that (version) before.

> I also did import the cert with the alias tomcat (see screenshot below). Is there an order in which to import the certs? I imported the server cert first, then the CA, then the root cert.

Your screenshot has been suppressed from the list. Instead, can you post a text copy/paste of a keytool -list?

>> I would advise against using the same keystore for both the keystore and the truststore. The trust store is only used for validating client certificates and, IMO, should be kept separate from the certificates you use for the web service itself.
>
> These config settings were in place long before I worked here... I was just copying the info from the old server.xml and adding in the new keystore info. If we do not use any client certs, can I remove the truststore line?

Almost certainly. You probably want to fix one problem at a time, though. :)

-chris
Re: Tomcat crashes after startup
Chris,

Here are the first few lines of the output. I don't think I want to copy my entire cert here.

F:\Serena\Dimensions 2009 R2\Common Tools\jre\6.0\bin>keytool -list -v -keystore wcmdev-ssl.jks -alias tomcat
Enter keystore password:

Alias name: tomcat
Creation date: Nov 10, 2011
Entry type: trustedCertEntry
Owner: CN=wcmdev.nexweb.us, OU=USN, OU=PKI, OU=DoD, O=U.S. Government, C=US

Thanks,
Justin LaRose
Database Web Services Administrator
NEXCOM

> (Chris's reply of 12/13/2011 03:08 PM quoted in full above)
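The keytool output above is the diagnosis: alias tomcat holds a trustedCertEntry (a bare certificate), and Tomcat's keyAlias needs a PrivateKeyEntry (a private key with its certificate chain), which is why the connector later fails with "Alias name tomcat does not identify a key entry". The script below is an added example, not code from this thread or from Tomcat: it builds a key store with a real key entry under alias tomcat, a separate trust store, and the broken store from the thread, then checks entry types the same way keytool -list does. It assumes a JDK keytool on PATH; the store names, the alias demo-ca, the CN and the password are demo choices.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): build the two stores a
# Tomcat HTTPS connector expects and check entry types with "keytool -list".
# Assumes a JDK "keytool" on PATH. Store names, alias "demo-ca", the CN and
# the password are demo choices. Passwords given with -storepass are visible
# in the process list, so do this only on throwaway stores.
set -eu

command -v keytool >/dev/null 2>&1 || { echo "keytool (JDK) not on PATH, skipping" >&2; exit 0; }

WORK="${TMPDIR:-/tmp}/tomcat-ssl-demo.$$"
PASS="changeit"                       # demo password only
trap 'rm -rf "$WORK"' EXIT

# entry_type STORE PASSWORD ALIAS
# Prints keytool's entry type for ALIAS (PrivateKeyEntry or trustedCertEntry),
# or "none" when the alias is not in the store.
entry_type() {
    t=$(keytool -list -v -keystore "$1" -storepass "$2" -alias "$3" 2>/dev/null \
        | sed -n 's/^Entry type: //p' | head -n 1)
    printf '%s\n' "${t:-none}"
}

# check_key_alias STORE PASSWORD ALIAS
# Succeeds only if ALIAS holds a private key, which is what keyAlias in
# server.xml requires. A trustedCertEntry under that alias is exactly the
# "Alias name tomcat does not identify a key entry" situation.
check_key_alias() {
    [ "$(entry_type "$1" "$2" "$3")" = "PrivateKeyEntry" ]
}

# build_demo_stores
#   server.jks - key store: private key + certificate under alias "tomcat"
#   trust.jks  - separate trust store holding only a CA certificate
#   wrong.jks  - the thread's mistake: the server certificate imported as a
#                trusted cert under alias "tomcat", with no private key
build_demo_stores() {
    rm -rf "$WORK"; mkdir -p "$WORK"

    # Generate the key pair inside the store so alias "tomcat" becomes a
    # PrivateKeyEntry. A CA-signed certificate is later imported under this
    # same alias (-importcert), which keeps the private key attached.
    keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -validity 365 \
        -dname "CN=wcmdev.example.test, OU=demo" \
        -keystore "$WORK/server.jks" -storepass "$PASS" -keypass "$PASS" 2>/dev/null

    keytool -exportcert -rfc -alias tomcat -file "$WORK/server.pem" \
        -keystore "$WORK/server.jks" -storepass "$PASS" 2>/dev/null

    # Trust store: only the issuers whose client certificates you accept.
    # The self-signed demo cert stands in for a CA certificate here.
    keytool -importcert -noprompt -alias demo-ca -file "$WORK/server.pem" \
        -keystore "$WORK/trust.jks" -storepass "$PASS" 2>/dev/null

    # The mistake: a certificate imported on its own into a fresh store is a
    # trustedCertEntry; there is no key to serve TLS with.
    keytool -importcert -noprompt -alias tomcat -file "$WORK/server.pem" \
        -keystore "$WORK/wrong.jks" -storepass "$PASS" 2>/dev/null
}

build_demo_stores
for s in server wrong; do
    printf '%s.jks alias tomcat: %s\n' "$s" "$(entry_type "$WORK/$s.jks" "$PASS" tomcat)"
done
if check_key_alias "$WORK/server.jks" "$PASS" tomcat; then
    echo "server.jks can back keystoreFile with keyAlias=tomcat"
fi
if ! check_key_alias "$WORK/wrong.jks" "$PASS" tomcat; then
    echo "wrong.jks would fail: alias tomcat does not identify a key entry"
fi
```

For a CA-issued certificate the import order Justin asks about matters only in one respect: the root and any intermediate go in first, each as a trustedCertEntry under its own alias, and the server certificate goes in last under the alias that already holds the private key (keytool -importcert -alias tomcat into server.jks), so keytool can verify the chain and attach it to the key. Importing the server certificate under a fresh alias, or into an empty store, produces the trustedCertEntry seen in the thread. The connector then points keystoreFile at server.jks, and only a clientAuth="true" connector needs truststoreFile at all, pointed at trust.jks.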
Tomcat crashes after startup
Group,

Can anyone help me with this error below from the catalina.log? I have attached my server.xml as well. I have done some searches on the internet and cannot find much on this error.

SEVERE: Error initializing endpoint
java.io.IOException: AnyCert TrustManagerFactory not available
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:527)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:156)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:538)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1022)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
Dec 12, 2011 3:08:45 PM org.apache.catalina.core.StandardService initialize
SEVERE: Failed to initialize connector [Connector[HTTP/1.1-8543]]
LifecycleException: Protocol handler initialization failed: java.io.IOException: AnyCert TrustManagerFactory not available
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1024)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:703)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:838)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:538)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:562)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
    at java.lang.reflect.Method.invoke(Unknown Source)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:261)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)

server.xml:

<Server port="8405" shutdown="Shutdown.SerenaCommonTomcat">
  <!-- <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" /> -->
  <Listener className="org.apache.catalina.core.JasperListener"/>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>

  <GlobalNamingResources>
    <!-- Editable user database that can also be used by UserDatabaseRealm to authenticate users -->
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">
    <Connector connectionTimeout="2" port="18080" protocol="HTTP/1.1" redirectPort="8443" server="Unknown Web Server/1.0"/>

    <!-- Define a SSL HTTP/1.1 Connector on port 8443, using only 128-bit+ encryption (remove ciphers attribute if not needed). -->
    <!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               ciphers="TLS_DHE_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_RC4_128_MD5, SSL_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, SSL_RSA_WITH_3DES_EDE_CBC_SHA"
               server="Unknown Web Server/1.0"/>
    -->

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true"
               enableLookups="false" keyAlias="tomcat" keystoreFile="conf/sample-ssl.jks" keystorePass="*"
               maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
               port="8443" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
               truststoreFile="conf/sample-ssl.jks" truststorePass="*"/>

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true"
               enableLookups="false" keyAlias="tomcat" keystoreFile="conf/sample-ssl.jks" keystorePass="*"
               maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
               port="8543" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
               truststoreAlgorithm="AnyCert" truststoreFile="conf/sample-ssl.jks" truststorePass="*"/>

    <!-- Define an AJP 1.3 Connector on port 8409. -->
    <Connector port="8409" protocol="AJP/1.3" redirectPort="8443" server="Unknown Web
Re: Tomcat crashes after startup
On 12/12/2011 20:20, Justin Larose wrote:
> Group,
> Can anyone help me with this error below from the catalina.log? I have attached my server.xml as well. I have done some searches on the internet and cannot find much on this error.
>
> SEVERE: Error initializing endpoint
> java.io.IOException: AnyCert TrustManagerFactory not available

Seems pretty clear to me.

<Connector ... port="8543" ... truststoreAlgorithm="AnyCert" .../>

Fix your broken connector configuration or provide a JSSE implementation that includes this custom truststoreAlgorithm.

Mark
Re: Tomcat crashes after startup
Justin,

Mark already answered your question, but ...

On 12/12/11 3:20 PM, Justin Larose wrote:
> <Connector connectionTimeout="2" port="18080" protocol="HTTP/1.1" redirectPort="8443" server="Unknown Web Server/1.0"/>

:( Really? Masking the server name? At least say "Apache Tomcat" or something like that. Security By Obscurity doesn't actually solve any security problems. Note that the default value for the server string is "Apache-Coyote/1.1", which doesn't really give an attacker any meaningful information.

> <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true"
>            enableLookups="false" keyAlias="tomcat" keystoreFile="conf/sample-ssl.jks" keystorePass="*"
>            maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
>            port="8443" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
>            truststoreFile="conf/sample-ssl.jks" truststorePass="*"/>

Note: no server attribute, here... attackers can still see you are using Apache-Coyote/1.1.

> <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true"
>            enableLookups="false" keyAlias="tomcat" keystoreFile="conf/sample-ssl.jks" keystorePass="*"
>            maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
>            port="8543" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
>            truststoreAlgorithm="AnyCert" truststoreFile="conf/sample-ssl.jks" truststorePass="*"/>

Same here.

> <!-- Define an AJP 1.3 Connector on port 8409. -->
> <Connector port="8409" protocol="AJP/1.3" redirectPort="8443" server="Unknown Web Server/1.0"/>

I'm not sure if the AJP connector will return a Server response header to the web server. Most web servers will overwrite this value so that the client sees the proxy server's Server response header.

> <Engine defaultHost="localhost" name="Catalina">
>   <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -->
>   <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>

If you really are concerned about security, then you shouldn't be using UserDatabaseRealm.

-chris
Re: Tomcat crashes after startup
...="true" enableLookups="false" keyAlias="tomcat" keystoreFile="conf/wcmdev-ssl.jks" keystorePass=""
               maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
               port="8443" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
               truststoreFile="conf/wcmdev-ssl.jks" truststorePass=""/>

    <Connector SSLEnabled="true" acceptCount="100" clientAuth="true" disableUploadTimeout="true"
               enableLookups="false" keyAlias="tomcat" keystoreFile="conf/wcmdev-ssl.jks" keystorePass=""
               maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
               port="8543" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
               truststoreFile="conf/wcmdev-ssl.jks" truststorePass=""/>

    <!-- Define an AJP 1.3 Connector on port 8409. -->
    <Connector port="8409" protocol="AJP/1.3" redirectPort="8443" server="Unknown Web Server/1.0"/>

    <Engine defaultHost="localhost" name="Catalina">
      <!-- This Realm uses the UserDatabase configured in the global JNDI resources under the key "UserDatabase". Any edits that are performed against this UserDatabase are immediately available for use by the Realm. -->
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm" resourceName="UserDatabase"/>

      <Host appBase="webapps" autoDeploy="true" name="localhost" unpackWARs="true" xmlNamespaceAware="false" xmlValidation="false"/>
    </Engine>
  </Service>
</Server>

Thanks,
Justin

> (Mark's reply of 12/12/2011 03:29 PM quoted in full above)
Re: Tomcat crashes after startup
Justin,

On 12/12/11 3:49 PM, Justin Larose wrote:
> I edited the connector with the information for the new certificate I just installed (not the old self signed one) and now I am seeing this error:
> [snip]
> java.io.IOException: Alias name tomcat does not identify a key entry

You need to have a key in your keystore with the alias tomcat as well. If you have been following http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Configuration, you have either missed or misinterpreted a step.

> <Connector SSLEnabled="true" acceptCount="100" clientAuth="false" disableUploadTimeout="true"
>            enableLookups="false" keyAlias="tomcat" keystoreFile="conf/wcmdev-ssl.jks" keystorePass=""
>            maxHttpHeaderSize="8192" maxSpareThreads="75" maxThreads="150" minSpareThreads="25"
>            port="8443" scheme="https" secure="true" sslProtocol="TLS" strategy="ms"
>            truststoreFile="conf/wcmdev-ssl.jks" truststorePass=""/>

I would advise against using the same keystore for both the keystore and the truststore. The trust store is only used for validating client certificates and, IMO, should be kept separate from the certificates you use for the web service itself.

-chris