Ed,

On 5/24/21 16:25, Ed Rouse wrote:
This works for me. In server.xml:

     <Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
                maxThreads="150" SSLEnabled="true">
         <SSLHostConfig>
             <Certificate certificateKeystoreFile="C:\Program Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts"
                          type="RSA" />
         </SSLHostConfig>
     </Connector>

If you really put your server's key into
C:\Program Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts you are
making a mistake IMHO. That file is supposed to contain the JVM's trust
store. You shouldn't be modifying it at all, let alone to put a private
key into it.

-chris
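A check for the point made above, added here as an example rather than anything from the thread or from the Tomcat project: a small Python linter that reads a Tomcat server.xml and flags any TLS key store that is really the JVM's cacerts (or jssecacerts) trust store, or that doubles as the SSLHostConfig truststoreFile. The attribute names (certificateKeystoreFile, truststoreFile, keystoreFile) are Tomcat's own; the corrected key store path `C:\tomcat\conf\localhost-rsa.jks` is a placeholder, and the "same file" comparison is a simple normalised string match (an assumption, not a filesystem check).

```python
"""Lint a Tomcat server.xml for a key store that is really the JVM trust store.

Added example for this thread, not code from the mailing list or from Tomcat.
It flags every <Certificate> whose certificateKeystoreFile points at the JDK's
own cacerts/jssecacerts, every legacy Connector keystoreFile that does so, and
any SSLHostConfig whose key store and truststoreFile are the same file.
"""
from typing import List
import xml.etree.ElementTree as ET

# Assumption: stock JDK layouts keep the trust store under lib/security/.
JVM_TRUSTSTORE_SUFFIXES = ("/lib/security/cacerts", "/lib/security/jssecacerts")


def _norm(path: str) -> str:
    """Normalise Windows and POSIX paths so they compare the same way."""
    return path.replace("\\", "/").lower()


def is_jvm_truststore(path: str) -> bool:
    """True if the path looks like the JDK-provided trust store."""
    return _norm(path).endswith(JVM_TRUSTSTORE_SUFFIXES)


def lint_server_xml(xml_text: str) -> List[str]:
    """Return one finding per misconfigured key store; empty list if clean."""
    findings: List[str] = []
    root = ET.fromstring(xml_text.strip())
    # iter() includes the root itself, so this works whether the snippet is a
    # bare <Connector> or a whole <Server> document.
    for connector in root.iter("Connector"):
        port = connector.get("port", "?")
        # Tomcat 8.5+ layout: SSLHostConfig/Certificate children.
        for host_cfg in connector.findall("SSLHostConfig"):
            trust = host_cfg.get("truststoreFile")
            for cert in host_cfg.findall("Certificate"):
                ks = cert.get("certificateKeystoreFile")
                if not ks:
                    continue
                if is_jvm_truststore(ks):
                    findings.append(
                        f"port {port}: certificateKeystoreFile is the JVM trust store: {ks}")
                if trust and _norm(trust) == _norm(ks):
                    findings.append(
                        f"port {port}: key store and truststoreFile are the same file: {ks}")
        # Legacy (Tomcat 7 / 8.0) layout: keystoreFile directly on the Connector.
        legacy_ks = connector.get("keystoreFile")
        if legacy_ks and is_jvm_truststore(legacy_ks):
            findings.append(
                f"port {port}: keystoreFile is the JVM trust store: {legacy_ks}")
    return findings


# The connector posted in the thread (key store pointed at cacerts).
INHERITED_CONNECTOR = r"""
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:\Program Files\Java\openjdk_1.8.0.242\jre\lib\security\cacerts"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
"""

# Corrected form (constructed; placeholder path): the server key lives in its
# own key store and the JVM's cacerts is left untouched.
CORRECTED_CONNECTOR = r"""
<Connector port="8443" protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true">
    <SSLHostConfig>
        <Certificate certificateKeystoreFile="C:\tomcat\conf\localhost-rsa.jks"
                     type="RSA" />
    </SSLHostConfig>
</Connector>
"""

if __name__ == "__main__":
    for name, cfg in (("inherited", INHERITED_CONNECTOR), ("corrected", CORRECTED_CONNECTOR)):
        problems = lint_server_xml(cfg)
        print(name, "->", problems or "no key-store findings")
```

Run it against a real server.xml by passing the file contents to lint_server_xml; a clean configuration returns an empty list. Keeping the key store separate from the trust store also means a compromise of the former never hands an attacker the trust anchors the JVM uses for outbound TLS.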

From: Ezsra McDonald <ezsra.mcdon...@gmail.com>
Sent: Monday, May 24, 2021 4:10 PM
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Tomcat SSL stops working after an undetermined amount of time

Chris,

Thanks for your response.

These Tomcat servers are something I inherited. I do not know what this
bouncycastle.crypto is. If it is making my setup complicated how do I get
around it? Is it part of the org.apache.coyote.http11.Http11NioProtocol?
What would you recommend I use instead? My end goal is to just enable
TLS/SSL on the connectors.

--Ez


On Mon, May 24, 2021 at 1:56 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

Ezsra,

On 5/24/21 10:30, Ezsra McDonald wrote:
I am enabling SSL debugging this morning. I did catch this in the log for
an instance that started erroring out this morning. Seems like it may be
too generic to help solve my problem. Here it is:

24-May-2021 09:25:44.609 SEVERE [catalina-exec-51] org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun
java.lang.NullPointerException
	at org.bouncycastle.crypto.signers.PSSSigner.generateSignature(Unknown Source)
	at org.bouncycastle.jce.provider.JDKPSSSigner.engineSign(Unknown Source)

Oh. You are using BouncyCastle. I've never tried to do that. I'm not
sure how well BC will work with Tomcat. We don't officially support that
configuration, but that doesn't mean we won't try to help.

There will be a presentation at this year's ApacheCon @Home 2021 about
configuring Tomcat for FIPS and it will include how to configure Tomcat
with BC (including FIPS). Obviously, you don't want to wait around until
the conference to get things working, but perhaps the presenter is
lurking on the list ... ?

I don't have an email address for the presenter, so I can't give you a
reference. :/

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org


