Hi Mark,
Thanks for your quick response.
I should have been a little more clear. That snip was copied when I had only
one key entry in my keystore and both the passwords were the same.
Now coming to the actual issue. As long as there is only one key in the
keystore, it works perfectly fine and I can provide different passwords for
keystore and private key using keystorePass and keyPass options and it works
flawlessly. But the issue seems to be happening when I have multiple key
entries and that I store those key entries using different passwords. Then it
throws the error
For eg :
I have a keystore named servercerts. The keystore password is "changed"
In the keystore, I have 3 private keys (tomcatcert, adminuicert, wscert)
The password for tomcatcert is "fortomcat"
The password for adminuicert is "foradminui"
The password for wscert is "forwebserver"
Now I configured my server.xml to be
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true" clientAuth="false"
sslProtocol="TLS" keyAlias ="adminuicert" keyPass="foradminui"
keystoreFile="bin/servercerts" keystorePass="changed"/>
Then when I start my tomcat, I run into this error. To be specific, with single
key entry in the keystore everything works fine. With multiple key entries and
different passwords, it throws the error.
Am I missing something here. Can you confirm whether it works fine in the above
scenario. I use jdk1.6.0_32 to generate the keystore.
Regards,
Arun
-----Original Message-----
From: Mark Thomas [mailto:[email protected]]
Sent: Friday, July 06, 2012 3:55 PM
To: Tomcat Users List
Subject: Re: Possible issue with Tomcat 7.0.27 SSL keystore configuration
On 06/07/2012 10:04, Arun John (arujohn) wrote:
> Hi Team,
>
> I am currently facing an issue with SSL configuration in Tomcat
> 7.0.27. I have one keystore with three private keys to be used by
> different components . The password I am using for the keystore file
> is "changed". The requirement is such that I should be using three
> different password for the three private keys I store in my keystore.
> I have configured my server.xml to allow https connections, basically
> modified the connectors.
>
> <Connector port="7443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true" clientAuth="false"
> sslProtocol="TLS" keyAlias ="adminuicert"
> keystoreFile="bin/.keystore" keystorePass="changed"/>
You have not specified the password for the key. Why would you expect this to
work?
> I am running into an issue here. When I configure different key
> passwords for my private keys different from my keystore password I am
> running into an exception saying it cannot recover the key. I have
> attached the catalina log. I am not finding a way to provide the
> private key password in the server.xml
Then read the Tomcat 7 documentation.
> When I googled, I found that in Tomcat 5.5 it was not possible and
> found the below bug. Not sure whether the bug is fixed in latest
> release https://issues.apache.org/bugzilla/show_bug.cgi?id=38217
That is a 5+ year old bug against a version of the software 2 major versions
earlier than the one you are using. What do you think the chances are of it
being relevant here? Hint: If you had read the HTTP SSL configuration
documentation for Tomcat 7 you would know the answer to that question.
<snip />
> Right now I am clueless
Clue may be found by reading the documentation for the version of the software
you are trying to use.
> on how to fix the issue. It would be of great help, if someone can
> help me with a solution/workaround
Read the documentation.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
