Thank you, Konstantin and Chris Schultz. Been trying all you suggested,
Konstantin, and a heck of a lot more, without much success. But I finally did
get /something/ in a log that might be helpful if anyone can interpret it.
Chris, on your observation:
> I'm not sure how Apache Felix fits into this (I don't know a thing
> about Felix), but:
>
> > <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> >            maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> >            clientAuth="false" sslProtocol="TLS" />
>
> This connector has no reference to any keystore configuration. Unless
> Felix is somehow wiring that all up, then you haven't configured a viable TLS
> connector.
I also don't know what role Felix plays. Apparently you spotted something
missing in the snippet above that tells you there's no connector configured.
The above is right out of the server.xml. I simply un-remmed it.
Now, my java app's configuration file DOES have an entry that references a
keystore:
##############################
# Inbound SSL Settings
##############################
org.apache.felix.https.enable=true
org.osgi.service.http.port.secure=443
org.apache.felix.https.keystore=E:\\Program Files\\Connector\\.keystore
org.apache.felix.https.keystore.password=REDACTED
org.apache.felix.https.keystore.key.password= REDACTED
org.apache.felix.https.truststore=C:\\Program Files\\Java\\jre1.8.0_60\\lib\\security\\cacerts
org.apache.felix.https.truststore.password= REDACTED
Question -- Does anyone think " Program Files" (space) above is contributing
to the problem?
BTW the \\Connector\\ in the paths above is the install directory of my java
app, which is, I think, a different connector than that in the server.xml.
So here is the snippet from my log:
<snip>
2015-10-23 09:34:10 [o.e.j.u.c.AbstractLifeCycle] WARN - FAILED SslContextFactory@2cc0a31e(E:\Program Files\Connector\.keystore,C:\Program Files\Java\jre1.8.0_60\lib\security\cacerts): java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(Unknown Source) ~[na:1.8.0_60]
    at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_60]
    at sun.security.provider.JavaKeyStore$JKS.engineGetKey(Unknown Source) ~[na:1.8.0_60]
    at sun.security.provider.KeyStoreDelegator.engineGetKey(Unknown Source) ~[na:1.8.0_60]
    at sun.security.provider.JavaKeyStore$DualFormatJKS.engineGetKey(Unknown Source) ~[na:1.8.0_60]
    at java.security.KeyStore.getKey(Unknown Source) ~[na:1.8.0_60]
    at sun.security.ssl.SunX509KeyManagerImpl.<init>(Unknown Source) ~[na:1.8.0_60]
    at sun.security.ssl.KeyManagerFactoryImpl$SunX509.engineInit(Unknown Source) ~[na:1.8.0_60]
    at javax.net.ssl.KeyManagerFactory.init(Unknown Source) ~[na:1.8.0_60]
    at org.eclipse.jetty.util.ssl.SslContextFactory.getKeyManagers(SslContextFactory.java:1080) ~[na:na]
    at org.eclipse.jetty.util.ssl.SslContextFactory.doStart(SslContextFactory.java:291) ~[na:na]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) ~[na:na]
    at org.eclipse.jetty.server.ssl.SslSelectChannelConnector.doStart(SslSelectChannelConnector.java:612) ~[na:na]
    at org.eclipse.jetty.util.component.AbstractLifeCycle.start(AbstractLifeCycle.java:64) ~[na:na]
    at org.apache.felix.http.jetty.internal.JettyService.startConnector(JettyService.java:421) ~[na:na]
    at org.apache.felix.http.jetty.internal.JettyService.initializeHttps(JettyService.java:327) ~[na:na]
    at org.apache.felix.http.jetty.internal.JettyService.initializeJetty(JettyService.java:273) ~[na:na]
    at org.apache.felix.http.jetty.internal.JettyService.startJetty(JettyService.java:197) ~[na:na]
    at org.apache.felix.http.jetty.internal.JettyService.start(JettyService.java:130) ~[na:na]
    at org.apache.felix.http.jetty.internal.JettyActivator.doStart(JettyActivator.java:29) ~[na:na]
    at org.apache.felix.http.base.internal.AbstractActivator.start(AbstractActivator.java:41) ~[na:na]
    at org.apache.felix.http.bundle.internal.CombinedActivator.start(CombinedActivator.java:56) ~[na:na]
    at org.apache.felix.framework.util.SecureAction.startActivator(SecureAction.java:645) ~[org.apache.felix.main-4.2.1.jar:na]
    at org.apache.felix.framework.Felix.activateBundle(Felix.java:2146) ~[org.apache.felix.main-4.2.1.jar:na]
    at org.apache.felix.framework.Felix.startBundle(Felix.java:2064) ~[org.apache.felix.main-4.2.1.jar:na]
    at org.apache.felix.framework.Felix.setActiveStartLevel(Felix.java:1291) ~[org.apache.felix.main-4.2.1.jar:na]
    at org.apache.felix.framework.FrameworkStartLevelImpl.run(FrameworkStartLevelImpl.java:304) ~[org.apache.felix.main-4.2.1.jar:na]
    at java.lang.Thread.run(Unknown Source) ~[na:1.8.0_60]
2015-10-23 09:34:11 [o.e.j.u.c.AbstractLifeCycle] WARN - FAILED [email protected]:443: java.security.UnrecoverableKeyException: Cannot recover key
java.security.UnrecoverableKeyException: Cannot recover key
    at sun.security.provider.KeyProtector.recover(Unknown Source) ~[na:1.8.0_60]
    at sun.security.provider.JavaKeyStore.engineGetKey(Unknown Source) ~[na:1.8.0_60]
<snip>
Second Question - am I supposed to import the .keystore into my cacerts file?
When I open the cacerts file that came with the java install, it contains
30-40 certifs (key-pairs?) that I didn't create.
Thanks all for any leads or answers to my SSL noob questions you can provide.
__________________________________________
Gregory Beyer
[email protected]
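Added example, not code from the thread or from Felix/Jetty: the trace above ends in KeyStore.getKey -> KeyProtector.recover, reached from KeyManagerFactory.init, which Jetty's SslContextFactory calls only after it has already opened the keystore. In Sun's JKS format the store password keys an integrity digest that is verified when the store is loaded, while each private-key entry is separately encrypted under its own key password, and "Cannot recover key" is the message KeyProtector raises when the check digest stored with that entry does not verify against the supplied key password. The Python below re-implements both checks (the DER EncryptedPrivateKeyInfo wrapper and the rest of the file layout are left out; the key bytes, salt and passwords are constructed) so the two failure modes can be told apart:

```python
"""Re-implementation of the two JKS password checks (added example):

- JavaKeyStore appends SHA1(storepass || "Mighty Aphrodite" || data) to the
  file and verifies it on load: wrong store password -> IOException.
- KeyProtector stores each private key as
  salt || (key XOR SHA1-keystream) || SHA1(keypass || key) and raises
  UnrecoverableKeyException("Cannot recover key") when the trailing digest
  does not verify: wrong key password.
"""
import hashlib
import hmac
import os

SALT_LEN = 20
DIGEST_LEN = 20


class UnrecoverableKeyException(Exception):
    pass


class KeystoreLoadError(IOError):
    pass


def _password_bytes(password):
    # JKS hashes the UTF-16BE bytes of the password characters, not UTF-8.
    return password.encode("utf-16-be")


def _keystream(passwd, salt, length):
    """d_i = SHA1(passwd || d_{i-1}) with d_0 = salt, concatenated and truncated."""
    out, prev = bytearray(), salt
    while len(out) < length:
        prev = hashlib.sha1(passwd + prev).digest()
        out += prev
    return bytes(out[:length])


def protect_key(plain_key, key_password, salt=None):
    """Mirror of KeyProtector.protect: salt || ciphertext || check digest."""
    passwd = _password_bytes(key_password)
    salt = salt if salt is not None else os.urandom(SALT_LEN)
    cipher = bytes(a ^ b for a, b in zip(plain_key, _keystream(passwd, salt, len(plain_key))))
    return salt + cipher + hashlib.sha1(passwd + plain_key).digest()


def recover_key(protected, key_password):
    """Mirror of KeyProtector.recover: wrong key password -> 'Cannot recover key'."""
    if len(protected) < SALT_LEN + DIGEST_LEN:
        raise UnrecoverableKeyException("Cannot recover key")
    passwd = _password_bytes(key_password)
    salt = protected[:SALT_LEN]
    cipher = protected[SALT_LEN:len(protected) - DIGEST_LEN]
    check = protected[len(protected) - DIGEST_LEN:]
    plain = bytes(a ^ b for a, b in zip(cipher, _keystream(passwd, salt, len(cipher))))
    if not hmac.compare_digest(hashlib.sha1(passwd + plain).digest(), check):
        raise UnrecoverableKeyException("Cannot recover key")
    return plain


def save_store(store_password, data):
    """Mirror of the JavaKeyStore trailer: data || integrity digest."""
    passwd = _password_bytes(store_password)
    return data + hashlib.sha1(passwd + b"Mighty Aphrodite" + data).digest()


def load_store(blob, store_password):
    """Mirror of the JavaKeyStore.engineLoad integrity check."""
    data, mac = blob[:len(blob) - DIGEST_LEN], blob[len(blob) - DIGEST_LEN:]
    passwd = _password_bytes(store_password)
    if not hmac.compare_digest(hashlib.sha1(passwd + b"Mighty Aphrodite" + data).digest(), mac):
        raise KeystoreLoadError("Keystore was tampered with, or password was incorrect")
    return data


def diagnose(blob, store_password, key_password):
    """Report which check fails, in the order SslContextFactory hits them:
    KeyStore.load (store password) first, then KeyManagerFactory.init (key password)."""
    try:
        protected = load_store(blob, store_password)
    except KeystoreLoadError as e:
        return "store password rejected: %s" % e
    try:
        recover_key(protected, key_password)
    except UnrecoverableKeyException as e:
        return "key password rejected: %s" % e
    return "ok"


# Constructed stand-in for a PKCS#8 key; a fixed salt keeps the demo deterministic.
SAMPLE_KEY = bytes(range(48))
SAMPLE_STORE = save_store("storepass", protect_key(SAMPLE_KEY, "keypass", salt=bytes(SALT_LEN)))

if __name__ == "__main__":
    for store_pw, key_pw in [("storepass", "keypass"), ("wrong", "keypass"), ("storepass", "keypass ")]:
        print("%-11r %-11r -> %s" % (store_pw, key_pw, diagnose(SAMPLE_STORE, store_pw, key_pw)))
```

Against a real file, `keytool -list -keystore <file> -storepass <pw>` exercises only the store-password check; a command that has to open the private key, such as `keytool -keypasswd`, is what surfaces the key-password check.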
-----Original Message-----
From: Konstantin Kolinko [mailto:[email protected]]
Sent: Friday, October 16, 2015 10:54 PM
To: Tomcat Users List <[email protected]>
Subject: Re: Tomcat answers on port 80, not on 443
2015-10-15 20:48 GMT+03:00 Beyer, Gregory L <[email protected]>:
>
> Hello,
>
> I'm trying to get my web app, which is otherwise running fine on port 80 to
> respond on SSL. Sorry if this is a resend. I only just started getting
> list messages so my first may not have gone. Don't intend to bump.
>
> Scenario:
>
> The server in question is a Windows12 web application host running Tomcat
> 8.0.26. Running on Tomcat is a java application which accepts port 80
> connections from another host across the 'net. I have firewall rules
> configured to allow port 80 and 443 traffic between the servers. Port 80 is
> working fine. I'm not running IIS - only Tomcat.
>
> However, we don't want to have our data stream exposed clear text over the
> internet - we need to use SSL.
>
> I have used %JAVA_HOME%\bin\keytool to generate a keystore and then have
> configured the InBound SSL Settings in my apps config.properties file with
> the path to the keystore and the password. The # lines are variations on the
> path to the truststore that I have attempted unsuccessfully. I'm using the
> default certificate, below. Webclients will not be connecting so we don't
> need a commercial certificate. This is a server to server web call.
>
> ##############################
> # Inbound SSL Settings
> ##############################
>
> org.apache.felix.https.enable=true
> org.osgi.service.http.port.secure=443
> org.apache.felix.https.keystore=E:\keystore\scilexcon
> #org.apache.felix.https.keystore=./keystore/scilexcon
> org.apache.felix.https.keystore.password=redacted
> org.apache.felix.https.keystore.key.password= redacted
> org.apache.felix.https.truststore=E:\keystore\scilexcon
> #org.apache.felix.https.truststore=C:\Program Files\Java\jre1.8.0_60\lib\security\cacerts
> #org.apache.felix.https.truststore=./keystore/scilexcon
> org.apache.felix.https.truststore.password= redacted
>
1)
Is the above a *.properties file? If so then '\' works as an escape symbol and
must be doubled (\\). Usually people just use '/' instead; it usually works
with Java.
> ./keystore/scilexcon
2)
"." is the current directory when you start a program. It may be different
depending on how you start it. (E.g. for Tomcat started explicitly via
startup.bat vs. started as a service it may be different.)
> I've also configured the java runtime of my application with the trustore
> path:
>
> -Djavax.net.ssl.trustStore=E:\keystore\scilexcon
>
>
>
> An http connect to my connect runtime is successful. http://<hostname>
> https://<hostname> times out
>
> Netstat -a reveals that port 443 is listening on <hostname>
>
>
> Documents I have used so far are the one documenting the Inbound SSL
> connections of my app's config file, and the SSL documentation of
> Apache Tomcat http://<hostname>:8080/docs/ssl-howto.html
>
> In my server.xml, I've unremmed the connector section and changed the
> connector port to 443:
>
>
> <Connector port="443" protocol="org.apache.coyote.http11.Http11NioProtocol"
> maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" />
>
>
> Define an AJP 1.3 Connector on port 8009 -->
> <Connector port="8009" protocol="AJP/1.3" redirectPort="443" />
>
> I've looked through my logs, but don't find anything to indicate why it just
> clocks until timing out. Maybe I'm missing something?
>
> Having read the SSL howto, I don't think I've missed anything.
3)
https://wiki.apache.org/tomcat/FAQ/Troubleshooting_and_Diagnostics#Common_Troubleshooting_Scenario
Try connecting with a web browser or a standard tool (like wget, openssl
client) to check that HTTPS works.
Look into an access log.
Take a series of thread dumps (for your client as well).
4) Is Java trusting your self-signed server certificate (so that it is able to
connect to it)?
Old versions of Java (Java 6) use SSLv2Hello when initiating an HTTPS
connection. That protocol is disabled by default in current versions of Tomcat.
https://wiki.apache.org/tomcat/Security/POODLE
Best regards,
Konstantin Kolinko
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
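Added example, not code from the thread: the backslash rule in Konstantin's point 1 and the "Program Files" question earlier in the thread both come down to how java.util.Properties.load reads a value, so the Python below re-implements its line and escape rules and runs them over constructed lines written in the spellings that appear in the thread. A backslash followed by a character other than t, n, r, f or u yields that character with the backslash dropped, which is why an undoubled Windows path loses its separators; spaces inside a value are kept as-is; whitespace between the separator and the value is skipped, but whitespace after the value, including a trailing space after a password, is part of the value.

```python
"""Subset of java.util.Properties.load (added example): comment lines,
backslash line continuation, key/value splitting and escape handling."""

_ESCAPES = {"t": "\t", "n": "\n", "r": "\r", "f": "\f"}
_WS = " \t\f"


def _unescape(s):
    """Properties escapes: \\t \\n \\r \\f \\uXXXX; any other \\c is just c."""
    out, i = [], 0
    while i < len(s):
        c = s[i]
        i += 1
        if c != "\\":
            out.append(c)
        elif i < len(s):
            e = s[i]
            i += 1
            if e == "u":
                out.append(chr(int(s[i:i + 4], 16)))
                i += 4
            else:
                out.append(_ESCAPES.get(e, e))
    return "".join(out)


def _continues(line):
    """A natural line ending in an odd number of backslashes continues onto the next."""
    return (len(line) - len(line.rstrip("\\"))) % 2 == 1


def _logical_lines(text):
    lines, i = text.splitlines(), 0
    while i < len(lines):
        line = lines[i].lstrip(_WS)
        i += 1
        if not line or line[0] in "#!":
            continue  # blank and comment lines never continue
        while _continues(line) and i < len(lines):
            line = line[:-1] + lines[i].lstrip(_WS)  # leading whitespace of the next line is dropped
            i += 1
        yield line


def _split(line):
    """Key ends at the first unescaped '=', ':' or whitespace; one separator and the
    whitespace around it are skipped; everything after that, trailing whitespace
    included, is the value."""
    i, escaped = 0, False
    while i < len(line):
        c = line[i]
        if escaped:
            escaped = False
        elif c == "\\":
            escaped = True
        elif c in "=:" + _WS:
            break
        i += 1
    rest = line[i:].lstrip(_WS)
    if rest and rest[0] in "=:":
        rest = rest[1:].lstrip(_WS)
    return _unescape(line[:i]), _unescape(rest)


def load_properties(text):
    return dict(_split(line) for line in _logical_lines(text))


def values_with_trailing_whitespace(props):
    """Keys whose value ends in whitespace: a trailing space after a password is part of it."""
    return sorted(k for k, v in props.items() if v != v.rstrip(_WS))


# Constructed sample: the file contents are what the Python literals decode to.
SAMPLE = "\n".join([
    "# Inbound SSL Settings",
    "org.apache.felix.https.enable=true",
    "single.backslash=E:\\keystore\\scilexcon",
    "double.backslash=E:\\\\Program Files\\\\Connector\\\\.keystore",
    "forward.slash=E:/Program Files/Connector/.keystore",
    "continued.path=C:\\\\Program \\",
    "    Files\\\\Java\\\\jre1.8.0_60\\\\lib\\\\security\\\\cacerts",
    "store.password= changeit",
    "key.password=changeit ",  # trailing space survives loading
])

if __name__ == "__main__":
    props = load_properties(SAMPLE)
    for k, v in props.items():
        print("%-30s %r" % (k, v))
    print("values with trailing whitespace:", values_with_trailing_whitespace(props))
```

Spaces inside a path such as "Program Files" come through unchanged, so the space itself is not what a loader like this would mangle; the undoubled backslashes and any whitespace after a password are.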