On Mon, 30 Jul 2001, Christopher Cain wrote:
> (Two different mails snipped and referenced below :-)
>
> "Craig R. McClanahan" wrote:
> >
> > Yes, that should be "conf/server/lib". Alternatively (and the way I run
> > it), you can put these three JAR files in $JAVA_HOME/jre/lib/ext.
>
> A few things here. First, it is unnecessary, then, to have the JSSE jars
> in the Tomcat hierarchy if they are installed extensions (/jre/lib/ext)?
>
That is correct. That's the way my setup works.
> Second, and just out of curiousity, the "server/lib" directory appears
> to have moved up to the $TCHOME rather than underneath the "conf"
> subdirectory. Was that a typo on your part, or does the container
> actually search that path (in which case one would now have to manually
> create it)?
>
Yes, the above is a typo -- it's really "$CATALINA_HOME/server/lib".
> > Just uncommenting the 8443 connector example in the standard
> > conf/server.xml works for me.
>
> But I still need to point it to my keystore, right? Basically, I
> uncommented the section and added "keystoreFile" and "keystorePass"
> attributes to the Connector tag. The second Http connector section now
> reads this:
>
> <Connector className="org.apache.catalina.connector.http.HttpConnector"
> port="8443" minProcessors="5" maxProcessors="75"
> enableLookups="true" acceptCount="10" debug="0"
> scheme="https" secure="true"
> keystoreFile="/usr/local/tomcat/conf/my.keystore"
> keystorePass="mypass">
> <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
> clientAuth="false" protocol="TLS"/>
> </Connector>
>
> Again, all I changed was to add the two keystore attribs.
>
I didn't, because the defaults work for me:
keystoreFile - Default is ".keystore" in the user home directory
of the user that is running Tomcat.
keystorePass - "changeit" (as the docco in server.xml tells you to do
You can, of course, override these values as you have done, if you have
done something different.
> > You also have to set up your JSSE environment according to the
> > instructions immediately above this connector entry.
>
> I think so. I have JSSE 1.0.2, with the 3 jars in jre/lib/ext (and also
> in the system classpath, although not that Catalina cares, of course). I
> have the "com.sun.net.ssl..." provider in the security file (I assume
> the pecking order doesn't matter). My keystore was generated with:
>
> keytool -genkey -alias tomcat -keyalg RSA -keystore my.keystore
> -keypasswd thepassword -storepasswd thepassword
>
The shouldn't you set keystorePass to "thepassword" instead of "mypass"?
> Key and store passwords are the same. "my.keystore" is in the tomcat
> conf directory and world-readable.
>
> > What do your log files say?
>
> First of all, the silent failure bit I mentioned this morning was simply
> my own goofiness. No message was thrown on the command line, and there
> were no errors in the catalina_log... file, but I somehow missed the
> "catalina.out" file (my only defense is that it was 2:00am at the time
> :-) Below is the stack trace from that file.
>
> PATHETIC DISCLAIMER:
>
> I haven't tried to track it down yet, as I just now discovered this log
> file. Although nothing jumps out at me from viewing the calling stack,
> it may well be something braindead. I suppose this is technically a bit
> of dev-list abuse now, but I am still familiarizing myself with the 4.0
> codebase and am not yet up to speed on the container startup process. If
> nothing appears obvious from my setup and/or stack trace, feel free to
> call me a bum and tell me to track it down my own damn self. I simply
> couldn't resist an invitation such as "What do your log files say" =)
> (Although on the upshot, I can definitely promise you a "Standalone SSL
> Configuration and Troubleshooting" doc once this is all said and done.)
>
Looks like the kind of problem you will have if the classes are BOTH in
the system extensions directory AND in the Tomcat hierarchy. You really
don't want to do that.
> - Christopher
>
> P.S. TC4 takes about 2 minutes to start up on my P133 Redhat 7.1 box
> with 256M of RAM. Is that normal or excessive? I'll definitely track
> that one down myself, I just want to know if that is out of the ordinary
> and therefore something I should even check into. I know for a fact that
> "javac" compilations are almost surrealistically slow on that machine,
> so maybe it has something to do with that. *shrug*
>
The largest time consumer in the Tomcat code is creating multiple
SAXParserFactory instances in XmlMapper, which is apparently pretty
expensive. There's already an enhancement request logged to reuse the
first one you create instead, which we'll get to at some point.
Tomcat 4 on my system (800mHz, 512mb) starts up with just the standard
apps in less than 5 seconds. Of course, if you've got an app with
load-on-startup servlets that take a long time (such as Cocoon), then it's
not really Tomcat's fault anyway :-).
> Anyway, thanks a ton for the SSL assistance!
>
Craig
> ----------------------
>
> Starting service Tomcat-Standalone
> Apache Tomcat/4.0-b6
> initProxy: java.security.NoSuchAlgorithmException: Class
> com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext
> not a SSLContext
> java.security.NoSuchAlgorithmException: Class
> com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext
> not a SSLContext
> at com.sun.net.ssl.b.a([DashoPro-V1.2-120198])
> at com.sun.net.ssl.SSLContext.getInstance([DashoPro-V1.2-120198])
> at
>
>org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:385)
> at
>
>org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:328)
> at
>
>org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:281)
> at
> org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:905)
> at
> org.apache.catalina.connector.http.HttpConnector.start(HttpConnector.java:1078)
> at
> org.apache.catalina.core.StandardService.start(StandardService.java:360)
> at
> org.apache.catalina.core.StandardServer.start(StandardServer.java:458)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:737)
> at org.apache.catalina.startup.Catalina.execute(Catalina.java:657)
> at org.apache.catalina.startup.Catalina.process(Catalina.java:178)
> at java.lang.reflect.Method.invoke(Native Method)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202)
> Catalina.start: LifecycleException: HttpConnector[8443].open:
> java.io.IOException: java.security.NoSuchAlgorithmException: Class
> com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext
> not a SSLContext
> LifecycleException: HttpConnector[8443].open: java.io.IOException:
> java.security.NoSuchAlgorithmException: Class
> com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext
> not a SSLContext
> at
> org.apache.catalina.connector.http.HttpConnector.start(HttpConnector.java:1080)
> at
> org.apache.catalina.core.StandardService.start(StandardService.java:360)
> at
> org.apache.catalina.core.StandardServer.start(StandardServer.java:458)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:737)
> at org.apache.catalina.startup.Catalina.execute(Catalina.java:657)
> at org.apache.catalina.startup.Catalina.process(Catalina.java:178)
> at java.lang.reflect.Method.invoke(Native Method)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202)
> ----- Root Cause -----
> java.io.IOException: java.security.NoSuchAlgorithmException: Class
> com.sun.net.ssl.internal.ssl.SSLContextImpl configured for SSLContext
> not a SSLContext
> at
>
>org.apache.catalina.net.SSLServerSocketFactory.initProxy(SSLServerSocketFactory.java:409)
> at
>
>org.apache.catalina.net.SSLServerSocketFactory.initialize(SSLServerSocketFactory.java:328)
> at
>
>org.apache.catalina.net.SSLServerSocketFactory.createSocket(SSLServerSocketFactory.java:281)
> at
> org.apache.catalina.connector.http.HttpConnector.open(HttpConnector.java:905)
> at
> org.apache.catalina.connector.http.HttpConnector.start(HttpConnector.java:1078)
> at
> org.apache.catalina.core.StandardService.start(StandardService.java:360)
> at
> org.apache.catalina.core.StandardServer.start(StandardServer.java:458)
> at org.apache.catalina.startup.Catalina.start(Catalina.java:737)
> at org.apache.catalina.startup.Catalina.execute(Catalina.java:657)
> at org.apache.catalina.startup.Catalina.process(Catalina.java:178)
> at java.lang.reflect.Method.invoke(Native Method)
> at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:202)
> Stopping service Tomcat-Standalone
>
