Does your tomcat user have access to the /root directory?

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:Monte.Gardner@;asu.edu]
Sent: 23 October 2002 16:58
To: Tomcat Users List
Subject: RE: SSL Servlet Client


I wrote the sample code that you gave me below.
I also changed the file permission on /root/keystore to all
chmod 777 /root/.keystore

and I got the following error
java.io.FileNotFoundException: /root/.keystore (Permission denied)
        at java.io.FileInputStream.open(Native Method)

Why would the permission be denied if the file has full file permissions?

--Monte Glenn Gardner


On Wed, 23 Oct 2002, Bodycombe, Andrew wrote:

> You can see if your certificate is located in the cacerts file by using
> the following command:
> 
> keytool -list -keystore $JAVA_HOME/jre/lib/security/cacerts
> 
> Putting your certificates in here is not recommended (see the keytool
> documentation)
> 
> Another thing you could do is set your default trust manager, by executing
> your client with 
> the system property javax.net.ssl.trustStore set to /root/.keystore
> and set javax.net.ssl.trustStorePassword to changeit.
> 
> (java -Djavax.net.ssl.trustStore=/root/.keystore
> -Djavax.net.ssl.trustStorePassword=changeit ...)
> 
> Alternatively, you can do this within your code:
> 
> import java.io.FileInputStream;
> import java.security.KeyStore;
> import javax.net.ssl.*;
> 
> {
>       KeyStore ks = KeyStore.getInstance("JKS");
>       // load() takes the password as a char[], not a String
>       ks.load(new FileInputStream("/root/.keystore"), "changeit".toCharArray());
>       TrustManagerFactory tmFactory =
>           TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
>       // the factory must be initialised with the keystore before its managers are used
>       tmFactory.init(ks);
>       SSLContext ctx = SSLContext.getInstance("SSL");
>       ctx.init(null, tmFactory.getTrustManagers(), null);
>       SSLSocketFactory socketFactory = ctx.getSocketFactory();
>       HttpsURLConnection.setDefaultSSLSocketFactory(socketFactory);
> }
> 
> You can now create HttpsURLConnections to talk to your SSL server (via the
> URL.openConnection method)
> The SSL handshake should authenticate using the certificates in your
> /root/.keystore file.
> See the JDK1.4 javadoc, (or JSSE) for more information
> 
> One other thing that may help is setting javax.net.debug=all inside
> tomcat,
> 
> export CATALINA_OPTS="-Djavax.net.debug=all"
> 
> before restarting tomcat. This will give you a lot of debugging
> information for SSL which could be useful.
> 
> 
> Hope this helps,
>     Andy
> 
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:Monte.Gardner@;asu.edu]
> Sent: 22 October 2002 20:48
> To: Tomcat Users List
> Subject: Re: SSL Servlet Client
> 
> 
> OK, I think I've got to where I understand the problem more clearly
> than I did yesterday. Here it is.  When I followed the tomcat ssl how to
> and typed
> keytool -genkey -alias tomcat -keyalg RSA
> it created a keystore file called /root/.keystore in which a key aliased
> by 'tomcat' was stored.  This key is what tomcat uses to present a
> certificate to any client that requests an SSL session.
> 
> Now what I want to do is create a Java Client that will connect to Tomcat
> via SSL and communicate with one of its servlets.  When Tomcat receives
> the request, it sends its 'tomcat' certificate.  However, when the Java
> client receives that certificate, it looks in a list of certificates found
> in
> $JAVA_HOME/jre/lib/security/cacerts
> and doesn't find a certificate that matches the one it receives, so it
> throws an exception:
> javax.net.ssl.SSLHandshakeException: Received fatal alert:
> certificate_unknown
> 
> So, what I need to do is put a copy of the Tomcat certificate in the
> cacerts file.  So I tried using a combination of keytool -import / -export
> to copy the certificate over.  It seemed like I was successful in doing so,
> but when I rebooted tomcat and ran the webpage again, I got the same
> exception.  Have I misunderstood the problem or the key management
> process somehow?
> 
> here is the console output from when I tried to copy the certificate:
> 
> [root@rho /root]# keytool -export -alias tomcat -file cert.cer -keystore
> .keystore
> Enter keystore password:  changeit
> Certificate stored in file <cert.cer>
> [root@rho /root]# keytool -import -alias tomcat -file cert.cer -keystore
> $DOCUTRAK/tomcat
> Enter keystore password:  changeit
> Owner: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
> Issuer: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesz, ST=AZ, C=US
> Serial number: 3db5698b
> Valid from: Tue Oct 22 08:06:51 MST 2002 until: Mon Jan 20 08:06:51 MST 2003
> Certificate fingerprints:
>          MD5:  84:A4:4B:0D:F9:AE:2B:D2:4D:DD:84:0C:8F:D7:DD:EC
>          SHA1: 67:AF:81:96:98:3F:0B:B3:84:BF:73:62:2A:45:05:C5:19:9C:F8:F1
> Trust this certificate? [no]:  y
> Certificate was added to keystore
> 
> 
> --
> To unsubscribe, e-mail:
> <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
> For additional commands, e-mail:
> <mailto:tomcat-user-help@;jakarta.apache.org>
> 
> 



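The two problems in this thread are (1) a TrustManagerFactory that is never initialised with the keystore, and (2) a "Permission denied" on a file that is itself mode 777, which happens when a parent directory (here /root, normally mode 700) denies search permission to the user the JVM runs as. The following is an added example, not code from this thread, from Tomcat or from the JSSE documentation. It assumes a separate client truststore named client-truststore.jks built with `keytool -import` from the exported cert.cer (rather than the server's own /root/.keystore or the shared cacerts file), the default password `changeit` from the thread, the hostname rho.abstrax.nan taken from the certificate's CN above, Tomcat's SSL connector on port 8443 (an assumption), and Java 7 or newer for java.nio.file.

```java
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;

public class TrustStoreClient {

    /**
     * Explains "Permission denied" on a file whose own mode is 777: every
     * directory on the path must also grant search (x) permission to the
     * user running the JVM. Returns the first path component that blocks
     * access, or null if the file is reachable and readable.
     */
    static Path firstInaccessibleComponent(Path file) {
        Path abs = file.toAbsolutePath().normalize();
        Path parent = abs.getParent();
        Path dir = abs.getRoot();
        if (parent != null) {
            for (Path part : parent) {          // name elements only, root excluded
                dir = dir.resolve(part);
                if (!Files.isExecutable(dir)) {  // search bit missing on this directory
                    return dir;
                }
            }
        }
        return Files.isReadable(abs) ? null : abs;
    }

    /** Builds an SSLContext that trusts only what is in the given truststore. */
    static SSLContext contextFromTrustStore(String trustStorePath, char[] password)
            throws Exception {
        Path p = Paths.get(trustStorePath);
        Path blocker = firstInaccessibleComponent(p);
        if (blocker != null) {
            throw new IOException("cannot read " + p + ": no access to " + blocker
                + " as user " + System.getProperty("user.name"));
        }
        KeyStore ks = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(trustStorePath)) {
            ks.load(in, password);               // password is a char[], not a String
        }
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ks);                            // the step the thread's snippet omits
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        // client-truststore.jks is a hypothetical name; 8443 is an assumed port.
        String trustStore = args.length > 0 ? args[0] : "client-truststore.jks";
        String url = args.length > 1 ? args[1] : "https://rho.abstrax.nan:8443/";
        SSLContext ctx = contextFromTrustStore(trustStore, "changeit".toCharArray());
        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        // Scope the trust decision to this connection instead of changing the
        // JVM-wide default socket factory.
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        System.out.println("HTTP " + conn.getResponseCode()
            + " from " + conn.getPeerPrincipal());
    }
}
```

Run it as the same user Tomcat (or the client) runs as, e.g. `java TrustStoreClient /etc/tomcat/client-truststore.jks https://rho.abstrax.nan:8443/`; if a parent directory such as /root blocks that user, the thrown message names the directory rather than just the file. Keeping a dedicated truststore outside /root also avoids granting a service account access to the root user's home directory.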