On Mon, 21 Oct 2002, Dave Patton wrote:

> Ok that sounds good then. My understanding is that it uses the keystore
> set in the server.xml file.

Where in server.xml is that set? I couldn't find any mention of a keystore.
> Are you sending the request to the right
> port?

Yes, the URL is set in one of the <init-parameter> tags in web.xml.

> I didn't see anything in your code below specifying which port to
> hit. I also found this reference online and may be something to try.
>
> Export the certificate into a .cer file. (With Internet Explorer, go to
> tools->internet options->content->certificates, and you can export
> them). Once you have the .cer file, you need to place it in a store that
> java can use...

I don't have IE on my redhat 7 server, so I tried this

keytool -export -alias tomcat -file /var/tomcat4/webapps/docutrak/.cer

this created a .cer file in the main directory of my application.

> In my case, the only certificate I wanted trusted was the one I provided
> in the .cer file, so using keytool (provided with java), I imported the
> certificate to a new store:
>
> keytool -import -alias <insert alias here> -file <insert .cer filename>
> -keystore <storename here>

Here is the output when I did this:

----
[root@rho docutrak]# keytool -import -alias tomcat -file .cer -keystore tomcat
Enter keystore password: changeit
Owner: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesa, ST=AZ, C=US
Issuer: CN=rho.abstrax.nan, OU=Abstrax, O=Abstrax, L=Mesa, ST=AZ, C=US
Serial number: 3d9c7da3
Valid from: Thu Oct 03 10:25:55 MST 2002 until: Wed Jan 01 10:25:55 MST 2003
Certificate fingerprints:
MD5: D5:1B:9C:F0:04:0C:60:20:6B:7C:77:CE:62:CA:E8:ED
SHA1: 75:C2:10:66:A3:65:3B:97:5E:7E:EE:4F:E5:67:AE:EC:DD:71:87:07
Trust this certificate? [no]: y
Certificate was added to keystore
---

which seemed to be just as it should. After I did this, there was a file named tomcat in my main directory.

> If you are using a new store name, it should create a file in the
> current directory with the <storename> you entered.
> Now, to make the
> trustManager look in this store during initialization with your
> application, you need to set the javax.net.ssl.trustStore and
> javax.net.ssl.trustStorePassword properties (either during runtime, or
> at the command prompt)
>
> At the command prompt, it'd look like this:
>
> java -Djavax.net.ssl.trustStore=<storename>
> -Djavax.net.ssl.trustStorePassword=<password>

Since this was a servlet, I wasn't sure how to pass in command line parameters, so I added this code to my servlet just before trying to make the connection:

System.setProperty("javax.net.ssl.trustStore","/var/tomcat4/webapps/docutrak/tomcat");
System.setProperty("javax.net.ssl.trustStorePassword","changeit");

does that have the same effect as the -D command line parameter?

After doing all this, I executed my servlet from the browser with the same result:

javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown

> Hope that helps. Please let me know if it does.
>
> Dave Patton
>
> On Mon, 2002-10-21 at 11:30, [EMAIL PROTECTED] wrote:
> > I generated a .keystore file for tomcat using
> > keytool -genkey -alias tomcat -keyalg RSA
> >
> > this file was placed in /root/.keystore, the user home directory.
> > I have used this .keystore to sign JAR files successfully. Also, I
> > have successfully made an SSL connection TO tomcat from a web browser,
> > I just can't seem to connect from tomcat.
> >
> > When Tomcat or JSSE tries to make an SSL connection, where does it
> > look for the certificates? Do I need to make another keystore file and
> > place it somewhere else?
> >
> > --Monte Glenn Gardner
> >
> > On Mon, 21 Oct 2002, Dave Patton wrote:
> >
> > > Have you generated all your certificates for an ssl connection? If not,
> > > that will be the problem. If you have, make sure that Tomcat can find
> > > the certificates in question. The Tomcat docs have a good piece on
> > > hooking up SSL; I followed it without a hitch.
> > >
> > > Dave Patton
> > >
> > > On Mon, 2002-10-21 at 10:34, [EMAIL PROTECTED] wrote:
> > > > I have a Java Servlet running on Tomcat 4.1.12.
> > > > At some point, this Servlet needs to send data to another Servlet which is
> > > > right now on the same web-server, but in the future, it will be on a different
> > > > web-server, also running Tomcat. I have installed the JSSE jar files in the
> > > > JAVA_HOME/jre/ext/lib directory, and I can download web pages from Tomcat
> > > > using https URLs.
> > > >
> > > > So, I open a URLConnection:
> > > > try
> > > > {
> > > > URL servletURL = new
> > > > URL(getServletConfig().getInitParameter("printServletURL"));
> > > >
> > > > URLConnection con = servletURL.openConnection();
> > > >
> > > > con.setUseCaches(false);
> > > > con.setRequestProperty("CONTENT_TYPE","application/octet-stream");
> > > > con.setDoInput(true);
> > > > con.setDoOutput(true);
> > > > .........
> > > >
> > > > When I run the servlet, I get the following Exception
> > > > SEVERE: Handshake failed
> > > > javax.net.ssl.SSLHandshakeException: Received fatal alert: certificate_unknown
> > > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
> > > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.b(DashoA6275)
> > > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > > at com.sun.net.ssl.internal.ssl.SSLSocketImpl.a(DashoA6275)
> > > >
> > > > So, how does one get a Java Servlet on Tomcat to act as an SSL client, and
> > > > connect to another SSL server?
> > > >
> > > > --Monte Glenn Gardner
> > > >
> > > > --
> > > > To unsubscribe, e-mail: <mailto:tomcat-user-unsubscribe@;jakarta.apache.org>
> > > > For additional commands, e-mail: <mailto:tomcat-user-help@;jakarta.apache.org>
> > >
> > > ___________________________
> > > David H. Patton
> > > C.O.S.
> > > [EMAIL PROTECTED]
> > > x4727 - desk
> > > (202) 276-8998 - pcs
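As an added example (not code from this thread), this is how a servlet can load the trust store the thread builds with keytool -import and bind it to its own outgoing HTTPS connection, using the javax.net.ssl API of Java 7 or later; it sidesteps the process-wide javax.net.ssl.trustStore property, which the default SSLContext reads only once, so a System.setProperty() call made after some other code in the JVM has already opened an SSL connection changes nothing. The class name PinnedTrustStoreClient and the POST helper are my own; the store path and password are the thread's values.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.security.KeyStore;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;

public final class PinnedTrustStoreClient {

    // Trust anchors come only from the given JKS store: not from cacerts and not
    // from javax.net.ssl.trustStore, which the default SSLContext reads once on
    // first use, so a System.setProperty() made after that point has no effect.
    // Example call: socketFactoryFor("/var/tomcat4/webapps/docutrak/tomcat",
    //                                "changeit".toCharArray())
    static SSLSocketFactory socketFactoryFor(String storePath, char[] storePassword)
            throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (InputStream in = new FileInputStream(storePath)) {
            ts.load(in, storePassword);
        }
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no client key: server auth only
        return ctx.getSocketFactory();
    }

    // POSTs a payload to the peer servlet. The URL host must equal the certificate
    // CN (rho.abstrax.nan in the thread), or the hostname check rejects a
    // certificate that is otherwise trusted.
    static int post(URL servletUrl, byte[] payload, SSLSocketFactory sf) throws Exception {
        HttpsURLConnection con = (HttpsURLConnection) servletUrl.openConnection();
        con.setSSLSocketFactory(sf); // scoped to this connection, not the whole JVM
        con.setUseCaches(false);
        con.setDoOutput(true);
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/octet-stream");
        try (OutputStream out = con.getOutputStream()) {
            out.write(payload);
        }
        return con.getResponseCode(); // a handshake failure surfaces here as SSLHandshakeException
    }
}
```

Build the factory once in the servlet's init() and reuse it for every request. Note that JSSE's message "Received fatal alert: certificate_unknown" reports an alert sent by the remote side, so when it persists after the client trust store is right, the server's own connector configuration is the next thing to check.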