Good Morning Franck,
yesterday, you did a great job, trying to help me. I appreciate that!
But... I am running out of ideas. Regarding the password: presently, I
am using "changeit" for everything (just to get it running), but I still
have no success.
Yesterday, I sent another e-mail explaining what I am doing.
Could you please have a look at it and tell me your judgement? And what
I could try additionally?
You would really help a man in trouble.
Thank you very much.
Klaus
This is what I do:
CREATE KEY:
------------------------------------------------------------------------------------------------------
../../java/bin/keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -export -alias tomcat -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt -keystore /opt/wt24/apache-tomcat-5.5.16/conf/.keystore
../../java/bin/keytool -import -file /opt/wt24/apache-tomcat-5.5.16/conf/tomcat-server.crt -keystore /opt/wt24/apache-tomcat-5.5.16/conf/cacerts
In this process, I use the same password for all.
------------------------------------------------------------------------------------------------------
SERVER.XML looks like this:
------------------------------------------------------------------------------------------------------
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="secret"
debug="0"
keystoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/.keystore"
truststoreFile="/opt/wt24/apache-tomcat-5.5.16/conf/cacerts"
truststorePass="password as used in key-creation"
/>
-----------------------------------------------------------------------------------------------------
When I START TOMCAT, the log shows:
----------------------------------------------------------------------------------------------------
INFO: Starting Coyote HTTP/1.1 on http-80
12.04.2006 19:43:55 org.apache.coyote.http11.Http11BaseProtocol start
SCHWERWIEGEND: Error starting endpoint
java.io.IOException: Keystore was tampered with, or password was incorrect
at sun.security.provider.JavaKeyStore.engineLoad(JavaKeyStore.java:768)
at java.security.KeyStore.load(KeyStore.java:1150)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:282)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:222)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:141)
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:88)
at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
at org.apache.catalina.connector.Connector.start(Connector.java:1089)
at org.apache.catalina.core.StandardService.start(StandardService.java:459)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 19:43:55 org.apache.catalina.startup.Catalina start
SCHWERWIEGEND: Catalina.start:
LifecycleException: service.getName(): "Catalina"; Protocol handler start failed: java.io.IOException: Keystore was tampered with, or password was incorrect
at org.apache.catalina.connector.Connector.start(Connector.java:1096)
at org.apache.catalina.core.StandardService.start(StandardService.java:459)
at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:585)
at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:275)
at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:413)
12.04.2006 19:43:55 org.apache.catalina.startup.Catalina start
INFO: Server startup in 4215 ms
--------------------------------------------------------------------------------------------
Franck Borel wrote:
Hi Klaus,
Hi Franck, still Tomcat moans that the keystore was tampered or
password was incorrect.
I am not sure about the password. With all questions, I gave my own
and always the same. Was that correct?
Yes, use your own password. 'Changeit' is only an example which is
principally used for tests.
Don't give up!
-- Franck
Klaus
Franck Borel wrote:
Sorry to disturb you again, but all the entries in my server.xml do
not seem to be the problem.
*At present, TOMCAT states, that my .keystore was tampered or my
password was incorrect.*
But I did everything over and over again, and right!
My trouble is that there are lots of descriptions of how to produce
keys and certificates. One describes the signing of a key, the
other describes how to write a keystore. But all of them do not
really fit together. Is there any step-by-step document for the
full process?
I found a script which looks like:
------------------------------------------------------------------------------------------
openssl req -new -out server.csr
openssl rsa -in privkey.pem -out server.key
openssl x509 -in server.csr -out server.crt -req -signkey server.key -days 365
To get the keystore, I added:
java/bin/keytool -import -keystore /root/.keystore -file server.crt -alias wt24ca
------------------------------------------------------------------------------------------
Do I need the keystore, or can I go with the server.key and server.crt?
Please help, I am working around and around ...
Klaus
Ok, Klaus. I think the problem is that Tomcat doesn't accept your
openssl crt. Tomcat operates only with JKS or PKCS12 (--> OpenSSL)
format keystores and there are some limitations on the support for
PKCS12. So, try this:
1) keytool -genkey -alias tomcat -keyalg RSA -keystore /opt/tomcat/bin/.keystore --> creates key
2) keytool -export -alias tomcat -file tomcat-server.crt -keystore /opt/tomcat/bin/.keystore --> creates certificate and signs it with your key
3) keytool -import -file tomcat-server.crt -keystore /opt/tomcat/conf/cacerts --> creates a keystore cacerts and adds your certificate
Now, edit your server.xml:
<Connector port="443"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
acceptCount="100"
debug="0"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"
keystoreFile = "conf/.keystore"
keystorePass = "secret"
truststoreFile = "conf/cacerts"/>
This should work.
-- Franck
Franck Borel wrote:
Hi Klaus,
Hi Franck,
thank you for your hint. But I am not sure which parameter is
which file.
To make things clear, here is my procedure:
------------------------------------------------------------------------
> openssl req -x509 -newkey rsa:512 -keyout ./demoCA/private/cakey.pem -out ./demoCA/cacert.pem -days 1095
> openssl genrsa -out ./key.pem 512 -days 1095
> openssl req -new -key ./key.pem -out ./req.pem -days 1095
> openssl ca -in ./req.pem -out ./cert.pem -days 1095
> chown -R root:root ./cert
> chmod -R 700 ./cert
then I cleaned cert.pem by hand (took out the text before
"-------BEGIN CERTIFICATE-----------").
The final step:
../java/bin/keytool -import -keystore ../tomcat/conf/.keystore -file ./cert.pem -alias wt24ca
----------------------------------------------------------------------
Setting up SSL is described in different documents so differently
that it is hard to be sure of what to do. The above I extracted
from several descriptions.
Could you please tell me which file from the above is used in
server.xml?
You made a mix with two different tools (openssl and Java Keytool).
I don't know if this is working. Anyway, here is an example of the
element Connector with your values:
<Connector port="443"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false"
acceptCount="100"
debug="0"
scheme="https"
secure="true"
clientAuth="false"
sslProtocol="TLS"/>
Don't forget to edit your /webapps/web.xml:
<security-constraint>
...
<user-data-constraint>
<transport-guarantee>CONFIDENTIAL</transport-guarantee>
</user-data-constraint>
</security-constraint>
-- Franck
------------------------------------------------------------------------
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
--
*Klaus-F. Kaal*
Managing Director
*TIMO/logic/ GmbH*
Singener Str. 42d
D-78256 Steisslingen
phone +49 7738 97096
fax +49 7738 97094
web www.timologic.com <http://www.timologic.com/>
mail [EMAIL PROTECTED] <mailto:[EMAIL PROTECTED]>
------------------------------------------------------------------------
*Nothing like this has existed before:*
*WebTresor24* <http://www.webtresor24.de>
*Online backup with the innovative worry-free concept.
We make sure your backup is never forgotten again!*
------------------------------------------------------------------------
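The "Keystore was tampered with, or password was incorrect" error in the log above is raised by the integrity digest at the end of a JKS file: JavaKeyStore.engineLoad recomputes a SHA-1 over the store password, a fixed string and the file body, and compares it with the 20 bytes stored at the end. The following is an added example, not code from this thread or from Tomcat: a Python script that rebuilds that check so an administrator can verify offline which store password a keystore file actually opens with (for instance the "changeit" used at key creation versus the keystorePass="secret" in server.xml), and whether the file is a JKS at all rather than an OpenSSL PEM/DER file. The keystore it builds, the alias and the certificate bytes are constructed test data, and the function names are my own.

```python
import hashlib
import struct

# JKS constants as used by sun.security.provider.JavaKeyStore
JKS_MAGIC = 0xFEEDFEED
JKS_VERSION = 2
JKS_SALT = b"Mighty Aphrodite"   # fixed string mixed into the integrity hash
TRUSTED_CERT_ENTRY = 2           # entry tag written by "keytool -import" of a certificate


def _java_utf(s: str) -> bytes:
    """DataOutputStream.writeUTF(): 2-byte big-endian length followed by the UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def integrity_digest(password: str, body: bytes) -> bytes:
    """SHA-1 over password (UTF-16BE), the fixed salt and the whole keystore body,
    exactly the order JavaKeyStore.getPreKeyedHash() feeds the digest."""
    md = hashlib.sha1()
    md.update(password.encode("utf-16-be"))
    md.update(JKS_SALT)
    md.update(body)
    return md.digest()


def build_trusted_cert_keystore(password: str, alias: str, cert_der: bytes,
                                timestamp_ms: int = 0) -> bytes:
    """Build a JKS file with one trusted-certificate entry (constructed test data;
    cert_der is not parsed, so any bytes serve for the integrity check)."""
    body = struct.pack(">III", JKS_MAGIC, JKS_VERSION, 1)   # magic, version, entry count
    body += struct.pack(">I", TRUSTED_CERT_ENTRY)
    body += _java_utf(alias)
    body += struct.pack(">Q", timestamp_ms)                  # creation date in ms
    body += _java_utf("X.509")                               # certificate type
    body += struct.pack(">I", len(cert_der)) + cert_der
    return body + integrity_digest(password, body)


def keystore_password_matches(data: bytes, password: str) -> bool:
    """Replay the check in JavaKeyStore.engineLoad(): recompute the trailing SHA-1
    with the supplied store password. A mismatch is what Tomcat logs as
    'Keystore was tampered with, or password was incorrect'."""
    if len(data) < 32:
        raise ValueError("file too short to be a JKS keystore")
    magic, version = struct.unpack(">II", data[:8])
    if magic != JKS_MAGIC or version != JKS_VERSION:
        # OpenSSL PEM ("-----BEGIN") or DER (0x30 ...) files fail here, not on the password
        raise ValueError("not a JKS keystore; Tomcat 5.5 needs JKS (or PKCS12) here")
    body, stored = data[:-20], data[-20:]
    return integrity_digest(password, body) == stored
```

Run it against a copy of conf/.keystore and conf/cacerts with each candidate password before starting Tomcat; the same password must open the file named by keystoreFile, and truststorePass must open the file named by truststoreFile.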