Hello Tomcat SSL Experts
========================

I read the official documentation on using Tomcat with SSL support. I decided to use your "Direct SSL" solution since we are running Tomcat 3.2.3 as a stand-alone product.

I was wondering if you know about a related bug in which sometimes (at a 1:15 ratio) the page comes up "not found". I noticed this problem happens only after I implement the "Direct SSL" solution (which involves recompiling webserver.jar with ANT for SSL support). Do you know what this problem might be related to? This problem occurs at a 1:15 ratio when we access the server via both https and http. (My guess is a webserver.jar bug resulting from my recompilation of webserver.jar with ANT for security support, but I could be wrong.)

-------------------------------

By the way, here is the full set of instructions that we used to implement the SSL solution with Tomcat after recompiling the webserver.jar file with ANT.

-----------------------------------

DIRECTIONS FOR SETTING UP SSL WITH TOMCAT/PORTAL
================================================

PREPARE THE PORTAL SERVER
-------------------------

1. ADD SECURITY JAR FILES TO TOMCAT LIB DIRECTORY
-------------------------------------------------

First put the following jar files in C:\Program Files\folder1\folder2\tomcat\lib:

  -- jcert.jar
  -- jnet.jar
  -- jsse.jar
  -- webserver.jar

Also place these files in %JAVA_HOME%\jre\lib\ext.

Add %JAVA_HOME%\jre\lib\ext\jsse.jar to the CLASSPATH env variable.

You can download the first three security jar files from the Java web site. webserver.jar is special because we had to re-compile this jar file using ANT and the 3 jar files. As a result of using ANT, webserver.jar now has special security options that make SSL possible. We can simply send you our webserver.jar file so that you will not have to rebuild it with ANT.

2. PREPARE SERVER.XML
---------------------

Go to C:\Program Files\folder1\folder2\tomcat\conf\server.xml and uncomment the server.xml options as seen below.

  <Connector className="org.apache.tomcat.service.PoolTcpConnector">
      <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
      <Parameter name="port" value="8443"/>
      <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory" />
      <Parameter name="keystore" value="<THE FILE CREATED FOR YOUR KEYSTORE>" />
      <Parameter name="keypass" value="changeit"/>
      <Parameter name="clientAuth" value="false"/>
  </Connector>

3. ADD JSSE, JNET, JCERT.JAR FILES TO TOMCAT CLASSPATH
------------------------------------------------------

  SET TOMCAT_JAR=%TOMCAT_LIB%\jasper.jar;%TOMCAT_LIB%\servlet.jar;%TOMCAT_LIB%\webserver.jar;%TOMCAT_LIB%\jsse.jar;%TOMCAT_LIB%\jnet.jar;%TOMCAT_LIB%\jcert.jar

4. ADD THE SECURITY PROVIDER TO THE JAVA.SECURITY PROPERTIES FILE
-----------------------------------------------------------------

Edit %JAVA_HOME%/jre/lib/security/java.security and add:

  security.provider.2=com.sun.net.ssl.internal.ssl.Provider

5. PREPARE YOUR CSR WHICH YOU WILL SEND
---------------------------------------

* Generate key: use the attached cmd file genkey

    genkey <keystore Name>

* Generate CSR:

    certgen <keystore Name>

THIS IS WHAT THE DOS OUTPUT SHOULD LOOK LIKE

  C:\>keytool -genkey -alias alias<keystore Name> -keysize 1024 -validity 365 -keyalg RSA -keystore c:\<keystore Name>
  Enter keystore password: changeit
  What is your first and last name?
    [Unknown]: <Fully qualified name of your server>
  What is the name of your organizational unit?
    [Unknown]: <Use your keystore name>
  What is the name of your organization?
    [Unknown]: XXXXXXX
  What is the name of your City or Locality?
    [Unknown]: XXXXXXXX
  What is the name of your State or Province?
    [Unknown]: <DO NOT ABBREVIATE YOUR STATE OR PROVINCE OR VERISIGN WILL REJECT IT>
  What is the two-letter country code for this unit?
    [Unknown]: XX
  Is <CN=portalssl.learningideas.com, OU=learningideas, O=learningideas, L=new york, ST=new york, C=US> correct?
    [no]: y
  Enter key password for <keystore Name>
          (RETURN if same as keystore password): changeit

  C:\>keytool -certreq -alias alias<keystore Name> -file c:\<keystore Name>.csr -keystore <keystore Name>
  Enter keystore password: changeit

6. GET THE SECURE SERVER ID FROM VERISIGN
-----------------------------------------

You will need to get a Secure Server ID from Verisign, which you can get free for 14 days.

STEP #1: Go to https://www.verisign.com/
STEP #2: Click on "Get SSL Site Security >>"
STEP #3: You will see a box entitled "Enable e-commerce with Commerce Site Services"
STEP #4: Click Try
STEP #5: Fill out the form with your name, company name etc.
STEP #6: Click Continue
STEP #7: Follow the instructions. Step 1 of 5 asks you to generate a CSR for that machine. You may have generated the CSR in the previous step.
STEP #8: Copy and paste your CSR contents into the textarea that they provide. Your CSR will be stored in your root directory. Example: C:\>STEPHENSCSR3.csr
         They will email you the Test Server ID (aka certificate) in 1 hour. You will use it in the next step.
STEP #9: Download the browser certificate (getcacert.cer) file from the emailed FAQ hyperlink.
STEP #10: You will install this in the test browsers AND the keystore that you created above.

INSTALLING IT INTO THE BROWSER
------------------------------

The reason that you install the certificate (getcacert.cer) into the browser is so that you can view your trial SSL encrypted web page.

1. To install it, just right click on the big E for Internet Explorer.
2. Left click on Properties.
3. Click the Content tab.
4. Click the Certificates button.
5. Click the Trusted Root Certification Authorities tab.
6. Click the Import button below.
7. Click Next, then browse to getcacert.cer, which you just downloaded. You will have to change the file types drop-down menu to X.509 to view .cer files.

STEP #11: IMPORT YOUR CERTIFICATE INTO THE KEYSTORE
---------------------------------------------------

At the bottom of the email that you received from Verisign you will see the certificate. It looks like this:

  -----BEGIN CERTIFICATE-----
  <base64 certificate body>
  -----END CERTIFICATE-----

1. COPY AND PASTE IT INTO A NOTEPAD FILE called, for example, learningideas.cer

2. YOU WILL HAVE TO EDIT IT FOR IT TO WORK WITH TOMCAT ********************
   Change the BEGIN and END markers to look like this, AND put 2 carriage returns at the end of the file.

  -----BEGIN PKCS#7-----
  <base64 certificate body>
  -----END PKCS#7-----

3. Put the modified certificate file in the root. Name it C:/certificatetomcat<keystore Name>.cer so the batch file will work:

    keyimp <keystore Name>

POSSIBLE ERRORS
---------------

If you tried to copy and save the certificate into WordPad, you would have added lots of characters to the file, making the certificate no longer valid.

SOLUTION
--------

Please re-copy the text from your Verisign email and save it in Notepad.

======================================================
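The two failure modes in step 11 and the POSSIBLE ERRORS section (text pasted around the certificate from the e-mail, and a file saved from WordPad, which writes RTF markup rather than plain text) can be caught before keytool ever sees the file. The following is an added example, not code from the original post or from Tomcat; the function names, the sample inputs and the file contents are constructed for the demo. It checks a PEM file for those problems and re-emits a clean block with CRLF line endings and the two trailing line endings the post asks for. The label is kept from the input unless one is passed explicitly (the post relabels the block as PKCS#7; do that only if the body really is the PKCS#7 blob your keytool expects).

```python
import base64
import binascii
import re

# One regex for both marker lines, capturing the label ("CERTIFICATE", "PKCS#7", ...).
MARKER_RE = re.compile(r"^-----(BEGIN|END) ([A-Z0-9#][A-Z0-9# ]*)-----$")


def check_pem(text):
    """Return a list of problems found in a PEM file's text (empty list = looks usable)."""
    problems = []
    # WordPad saves RTF by default; an RTF document starts with "{\rtf".
    if text.lstrip().startswith("{\\rtf"):
        return ["file is RTF (saved from WordPad), not plain text"]
    bad = sorted({c for c in text if ord(c) > 126 or (ord(c) < 32 and c not in "\r\n\t")})
    if bad:
        problems.append("non-ASCII or control characters present: %r" % "".join(bad))
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    begins = [i for i, ln in enumerate(lines) if ln.startswith("-----BEGIN")]
    ends = [i for i, ln in enumerate(lines) if ln.startswith("-----END")]
    if len(begins) != 1 or len(ends) != 1 or ends[0] < begins[0]:
        problems.append("expected exactly one BEGIN marker followed by one END marker")
        return problems
    b, e = begins[0], ends[0]
    mb, me = MARKER_RE.match(lines[b]), MARKER_RE.match(lines[e])
    if not mb or not me:
        problems.append("BEGIN/END marker line is malformed (check the dashes)")
        return problems
    if mb.group(2) != me.group(2):
        problems.append("BEGIN label %r does not match END label %r" % (mb.group(2), me.group(2)))
    body = "".join(lines[b + 1:e])
    if not body:
        problems.append("certificate body is empty")
    else:
        try:
            base64.b64decode(body, validate=True)  # rejects any non-alphabet character
        except binascii.Error:
            problems.append("certificate body is not valid base64 (stray characters?)")
    # Anything outside the markers (e-mail greeting, signature) will confuse keytool.
    outside = [ln for ln in lines[:b] + lines[e + 1:] if ln]
    if outside:
        problems.append("%d non-empty line(s) outside the markers (e-mail text?)" % len(outside))
    return problems


def normalize_pem(text, label=None):
    """Extract the marker-delimited block and re-emit it cleanly: 64-char base64 lines,
    CRLF line endings and two trailing line endings (step 11 of the post).
    Raises ValueError/binascii.Error when the input cannot be salvaged."""
    lines = [ln.strip() for ln in text.replace("\r\n", "\n").split("\n")]
    begins = [i for i, ln in enumerate(lines) if MARKER_RE.match(ln) and ln.startswith("-----BEGIN")]
    ends = [i for i, ln in enumerate(lines) if MARKER_RE.match(ln) and ln.startswith("-----END")]
    if len(begins) != 1 or len(ends) != 1 or ends[0] < begins[0]:
        raise ValueError("could not find exactly one BEGIN/END marker pair")
    b, e = begins[0], ends[0]
    raw = base64.b64decode("".join(lines[b + 1:e]), validate=True)
    if label is None:
        label = MARKER_RE.match(lines[b]).group(2)
    enc = base64.b64encode(raw).decode("ascii")
    out = ["-----BEGIN %s-----" % label]
    out += [enc[i:i + 64] for i in range(0, len(enc), 64)]
    out.append("-----END %s-----" % label)
    return "\r\n".join(out) + "\r\n\r\n"


# Constructed sample inputs (the "certificate" bytes are NOT a real certificate).
SAMPLE_DER = b"not a real certificate, constructed for this demo" * 3
_B64 = base64.b64encode(SAMPLE_DER).decode("ascii")
SAMPLE_GOOD = ("-----BEGIN CERTIFICATE-----\n"
               + "\n".join(_B64[i:i + 64] for i in range(0, len(_B64), 64))
               + "\n-----END CERTIFICATE-----\n")
SAMPLE_EMAIL_PASTE = "Dear customer,\nyour Test Server ID is below.\n\n" + SAMPLE_GOOD + "\nRegards\n"
SAMPLE_RTF = "{\\rtf1\\ansi\\deff0 -----BEGIN CERTIFICATE-----\\par " + _B64 + "\\par -----END CERTIFICATE-----}"
SAMPLE_MISMATCH = SAMPLE_GOOD.replace("-----END CERTIFICATE-----", "-----END PKCS#7-----")
SAMPLE_JUNK = SAMPLE_GOOD.replace("-----\n", "-----\n?", 1)  # one stray character in the body

if __name__ == "__main__":
    for name, sample in [("good", SAMPLE_GOOD), ("email paste", SAMPLE_EMAIL_PASTE),
                         ("wordpad rtf", SAMPLE_RTF), ("label mismatch", SAMPLE_MISMATCH),
                         ("stray char", SAMPLE_JUNK)]:
        print("%-15s %s" % (name, check_pem(sample) or "OK"))
    print(normalize_pem(SAMPLE_EMAIL_PASTE, label="PKCS#7"))
```

Run it on a real file with `check_pem(open(path).read())`; an empty list means the only remaining reason for keytool to reject the file is the content itself, not the way it was saved.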