James,

On 1/5/15 11:37 AM, James H. H. Lampert wrote:
> People on both the Tomcat and Java400-L Lists nailed the problem:
> it turned out to be a PTF issue.

For those playing-along at home: PTF = "Program Temporary Fix". It's IBM's term for "patch", which just means that "having one's PTFs fully in order" means "up-to-date on all patches".

> Once the customer got the box's PTFs fully in order, Tomcat started
> up without a problem, a self-signed certificate brought up their
> SSL, and our WAR file uploaded and deployed normally.
>
> They still need to fix their firewall to plumb at least one more
> port to the outside world, and of course, they need to get their
> certificate signed by a well-known CA, but other than that, they
> seem to be fine now.

Glad to hear it. Any idea what the missing PTF(s) actually covered?

> One observation: it seems that for some reason, while Keystore
> Explorer (on my Mac) seems to work at least as well as Keytool for
> most keystore operations, for some reason, Java keystores that
> *originate* in Keystore Explorer get rejected (at least by Tomcat
> running on IBM Midrange boxes), whereas those originating in Keytool
> work just fine (but Keytool, for some reason, doesn't seem to work
> at all on IBM Midrange boxes).

Puzzling. Does keytool show the same contents for both keystores -- the one originating from within Keystore Explorer and the one created initially using keytool? I've had limited success using portecle -- you might try that as an independent third-party for looking at the contents of the keystore files.

Honestly, I find the whole keystore thing to be a good idea, but one that often seriously blurs the lines between what various things are. When you use keytool to create a new server key, it automatically creates a certificate paired with that key. In order to create a CSR in "keytool", you use "certreq" but you can only create a CSR for an existing certificate. Finally, when you get the certificate signed by a CA, you import it into your keystore and it either overwrites or aliases the existing certificate (I don't feel like going through all the motions to check it all right now to see how it works).

I like being able to do things like have each artifact in a separate file and use them separately.

-chris
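
An added example, not part of the original message and not code from Tomcat, keytool or Keystore Explorer: one way to compare the two keystores side by side on any JVM, printing each store's detected type, its aliases, whether each alias is a key or certificate-only entry, and the subject, issuer and SHA-256 fingerprint of every certificate. The class name KeystoreDiff is an assumption, and it needs Java 9 or later for KeyStore.getInstance(File, char[]).

```java
import java.io.Console;
import java.io.File;
import java.math.BigInteger;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;

// Added example (hypothetical helper). Usage: java KeystoreDiff <keystore> [<keystore> ...]
public class KeystoreDiff {
    public static void main(String[] args) throws Exception {
        Console console = System.console();
        if (args.length == 0 || console == null) {
            System.err.println("usage: KeystoreDiff <keystore>... (run from an interactive terminal)");
            System.exit(2);
        }
        for (String path : args) {
            // Prompt without echo so the store password never lands in argv or shell history.
            dump(new File(path), console.readPassword("Password for %s: ", path));
        }
    }

    static void dump(File file, char[] password) throws Exception {
        // Java 9+: probes the file and selects the matching implementation (JKS, PKCS12, ...).
        KeyStore ks = KeyStore.getInstance(file, password);
        System.out.printf("%s: type=%s provider=%s entries=%d%n",
                file, ks.getType(), ks.getProvider().getName(), ks.size());
        for (String alias : Collections.list(ks.aliases())) {
            Certificate[] chain = ks.getCertificateChain(alias); // null for certificate-only entries
            if (chain == null) chain = new Certificate[] { ks.getCertificate(alias) };
            System.out.printf("  alias=%s kind=%s chainLength=%d%n", alias,
                    ks.isKeyEntry(alias) ? "key entry" : "certificate entry", chain.length);
            for (Certificate c : chain) {
                if (!(c instanceof X509Certificate)) continue; // also skips a null placeholder
                X509Certificate x = (X509Certificate) c;
                System.out.printf("    subject=%s%n    issuer=%s%n    sha256=%s%n",
                        x.getSubjectX500Principal(), x.getIssuerX500Principal(), sha256(x.getEncoded()));
            }
        }
    }

    static String sha256(byte[] der) throws Exception {
        return String.format("%064x", new BigInteger(1, MessageDigest.getInstance("SHA-256").digest(der)));
    }
}
```

Run it against both files on the same JVM that hosts Tomcat: a difference in the reported type, or a store that fails to load there at all, narrows the problem to the keystore format rather than its contents. Identical subject and issuer on a key entry's certificate means it is still the self-signed one generated alongside the key.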