Andre,

I've attached the output from netstat -a. I see 8080 listening, but not 8443. I've also attached the screen shot of the result of running my "protected" application in Tomcat. As I mentioned, I have Norton Security, which shuts down Windows Firewall and runs its own firewall.

Don

On Sun, Sep 24, 2017 at 5:52 PM, André Warnier (tomcat) <a...@ice-sa.com> wrote:
> On 24.09.2017 16:08, Don Flinn wrote:
>
>> Andre,
>>
>> I apologize for not giving all my information. As you perceived, I'm
>> running Windows. Other info: Windows 10, Tomcat 9, Java 1.8.0_144. As you
>> suggested, using netstat and telnet I found that port 8443 is not open.
>> Looking further, Windows Firewall is controlled by Norton Security. I am
>> now trying to find out how to open ports in Norton Security using the
>> Norton blog.
>>
>> Thank you for your help. As is obvious, I'm a newbie in low-level admin
>> work. I'm hoping that when I get port 8443 open things will work. I'll
>> let you know.
>>
> Maybe wait just a second more, before you go digging in the firewall.
> You say that you found out that "the port is not open".
> That is not the same thing as
> - the port /is/ open
> - but it cannot be connected to
> If netstat shows the port open and listening, but you cannot connect to it
> with telnet, it is probably a firewall issue.
> But if the port is not open, then it is a tomcat issue.
> Provided that you configured tomcat properly, the port should be open,
> firewall or no firewall. (A firewall can only block access by a client, to
> a server port that is open. It cannot prevent a server process from opening
> that port for listening.)
> If it isn't open, the tomcat logs should tell you why.
>
>> Don
>>
>> On Sun, Sep 24, 2017 at 6:44 AM, André Warnier (tomcat) <a...@ice-sa.com>
>> wrote:
>>
>>> On 24.09.2017 02:36, Don Flinn wrote:
>>>
>>>> I'm trying to use a self-signed certificate generated in keytool. When I
>>>> run the application in Chrome, Firefox and Internet Explorer using
>>>> localhost:8080/<myapp>, all the browsers do a redirect to localhost:8443
>>>> and then return "This site can't be reached. localhost refused to connect."
>>>> There is no red lined-out protocol in any of the browsers. All the Tomcat
>>>> logs show no errors or warnings. I can access applications that are not
>>>> protected and tomcat itself.
>>>>
>>> I would suggest that you first re-read what you wrote above, line by line,
>>> and reflect quietly on what each line is telling you.
>>>
>>> 1) you say "localhost". That means that you are using a browser as client,
>>> on the same machine as the one which is running the server.
>>> 2) you also say that one of the browsers is IE.
>>> 3) (1) and (2) together imply that the host is a Windows server (and the
>>> client also of course).
>>> 4) you are not saying which version of Tomcat you are using, nor which
>>> version of Java, nor which version of Windows. That makes helping you
>>> more complicated and time-consuming, and delays any help, because now we
>>> have to ask you, and you have to respond.
>>> 5) "refused to connect": before any kind of SSL dialog can even take
>>> place, the browser must be able to establish a TCP connection to the
>>> host:port in question.
>>> "refused to connect" seems to indicate that this is not the case.
>>> 6) the logs do not show anything: that would seem to corroborate (5):
>>> tomcat does not even see this connection. iow, there is no connection.
>>>
>>> There are several possible reasons for this.
>>> a) Tomcat never opens the port 8443 for listening on it.
>>> That can be checked, with tomcat running, with the "netstat" utility
>>> program, included in Windows. With the proper arguments (which I will leave
>>> to you as an exercise)(but "netstat -h" will help), netstat will show you
>>> on which ports tomcat is listening locally. If this does not include a
>>> ":8443" port, then it is not listening on that port, and certainly the logs
>>> of tomcat will tell you why.
>>> b) tomcat does listen on port 8443, but something else is blocking access
>>> to that port.
>>> Then you probably have to check your local firewall settings (or whatever
>>> else in whatever version of Windows may be blocking connections to a port).
>>>
>>> Another quick way to check if tomcat (or anything) is listening on port
>>> 8443 (and/or something is blocking it) would be, in a command window, to
>>> run the following command:
>>> telnet localhost 8443
>>> (also with tomcat running)
>>> If it also tells you "no connection", then (a) or (b) above would be
>>> confirmed.
>>> If it connects, then you may get another message, due to the fact that it
>>> expects an SSL connection. (If it did not expect an SSL connection, you'd
>>> just get a blank page until you type something else).
>>> Obviously, access to tomcat's port 8080 is fine, so you can compare the
>>> responses above with what happens when you substitute 8080 for 8443.
>>>
>>> Once the above is really cleared up, then it may be worth looking at the
>>> rest of the information which you sent below.
>>>
>>>> If I set <transport-guarantee>CONFIDENTIAL</transport-guarantee> to NONE
>>>> everything works with localhost:8080.
>>>>
>>>> My SSL files in tomcat:
>>>>
>>>> server.xml:
>>>>
>>>> <Connector
>>>>     protocol="org.apache.coyote.http11.Http11NioProtocol" scheme="https"
>>>>     sslImplementationName="org.apache.tomcat.util.net.jsse.JSSEImplementation"
>>>>     SSLEnabled="true" acceptCount="100" clientAuth="false"
>>>>     disableUploadTimeout="true" enableLookups="false" maxThreads="25"
>>>>     port="8443" keystoreFile="c:/temp/mkeystore2.jks" keystorePass="foobar"
>>>>     secure="true" sslProtocol="TLS" clientAuth="false" />
>>>>
>>>> web.xml:
>>>>
>>>> <security-constraint>
>>>>   <web-resource-collection>
>>>>     <web-resource-name>Financials</web-resource-name>
>>>>     <url-pattern>/*</url-pattern>
>>>>   </web-resource-collection>
>>>>   <user-data-constraint>
>>>>     <transport-guarantee>CONFIDENTIAL</transport-guarantee>
>>>>   </user-data-constraint>
>>>> </security-constraint>
>>>>
>>>> the output from my keystore list:
>>>>
>>>> C:\Users\don\Documents\Mansurus\Security> "%java_home%/bin/keytool.exe" -list -v -keystore c:/temp/mkeystore2.jks
>>>> Enter keystore password:
>>>>
>>>> Keystore type: JKS
>>>> Keystore provider: SUN
>>>>
>>>> Your keystore contains 1 entry
>>>>
>>>> Alias name: tomcat
>>>> Creation date: Sep 23, 2017
>>>> Entry type: PrivateKeyEntry
>>>> Certificate chain length: 1
>>>> Certificate[1]:
>>>> Owner: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>>>> Issuer: CN=Unknown, OU=Unknown, O=Unknown, L=Unknown, ST=Unknown, C=Unknown
>>>> Serial number: 6b5fe428
>>>> Valid from: Sat Sep 23 12:57:19 EDT 2017 until: Sun Sep 23 12:57:19 EDT 2018
>>>> Certificate fingerprints:
>>>>      MD5:    11:9D:2C:50:4A:09:9D:17:2F:46:3C:AF:AF:E5:59:EE
>>>>      SHA1:   63:EF:21:21:3C:22:82:46:21:84:9C:81:C6:B0:C1:EC:0F:1C:87:31
>>>>      SHA256: 4E:75:D6:6A:6C:23:84:E0:36:AF:CF:1E:56:7D:18:6E:A1:BE:E5:EE:0B:E5:7B:2A:01:96:DF:49:CA:F1:50:C7
>>>> Signature algorithm name: SHA256withRSA
>>>> Version: 3
>>>>
>>>> Extensions:
>>>>
>>>> #1: ObjectId: 2.5.29.14 Criticality=false
>>>> SubjectKeyIdentifier [
>>>> KeyIdentifier [
>>>> 0000: 46 C9 48 D4 54 2A 54 CE 24 1F 22 ED 1D FC 6E 14  F.H.T*T.$."...n..
>>>> 0010: BE 6F 4A 49                                      .oJI
>>>> ]
>>>> ]
>>>>
>>>> What am I doing wrong? I want to get a self-signed keystore working before
>>>> I purchase a commercial certificate.
>>>>
>>>> Don
>>>>
>>> ---------------------------------------------------------------------
>>> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
>>> For additional commands, e-mail: users-h...@tomcat.apache.org
>>>
C:\Users\don\Documents\Mansurus\Security>netstat -a

Active Connections

  Proto  Local Address                        Foreign Address              State
  TCP    0.0.0.0:80                           donwork:0                    LISTENING
  TCP    0.0.0.0:135                          donwork:0                    LISTENING
  TCP    0.0.0.0:443                          donwork:0                    LISTENING
  TCP    0.0.0.0:445                          donwork:0                    LISTENING
  TCP    0.0.0.0:554                          donwork:0                    LISTENING
  TCP    0.0.0.0:2869                         donwork:0                    LISTENING
  TCP    0.0.0.0:3389                         donwork:0                    LISTENING
  TCP    0.0.0.0:5357                         donwork:0                    LISTENING
  TCP    0.0.0.0:8009                         donwork:0                    LISTENING
  TCP    0.0.0.0:8080                         donwork:0                    LISTENING
  TCP    0.0.0.0:10243                        donwork:0                    LISTENING
  TCP    0.0.0.0:49664                        donwork:0                    LISTENING
  TCP    0.0.0.0:49665                        donwork:0                    LISTENING
  TCP    0.0.0.0:49666                        donwork:0                    LISTENING
  TCP    0.0.0.0:49667                        donwork:0                    LISTENING
  TCP    0.0.0.0:49668                        donwork:0                    LISTENING
  TCP    0.0.0.0:49672                        donwork:0                    LISTENING
  TCP    0.0.0.0:49711                        donwork:0                    LISTENING
  TCP    0.0.0.0:49721                        donwork:0                    LISTENING
  TCP    0.0.0.0:49722                        donwork:0                    LISTENING
  TCP    127.0.0.1:5354                       donwork:0                    LISTENING
  TCP    127.0.0.1:5354                       donwork:49669                ESTABLISHED
  TCP    127.0.0.1:5354                       donwork:49670                ESTABLISHED
  TCP    127.0.0.1:8005                       donwork:0                    LISTENING
  TCP    127.0.0.1:27015                      donwork:0                    LISTENING
  TCP    127.0.0.1:27015                      donwork:49787                ESTABLISHED
  TCP    127.0.0.1:49344                      donwork:0                    LISTENING
  TCP    127.0.0.1:49669                      donwork:5354                 ESTABLISHED
  TCP    127.0.0.1:49670                      donwork:5354                 ESTABLISHED
  TCP    127.0.0.1:49673                      donwork:49674                ESTABLISHED
  TCP    127.0.0.1:49674                      donwork:49673                ESTABLISHED
  TCP    127.0.0.1:49675                      donwork:49676                ESTABLISHED
  TCP    127.0.0.1:49676                      donwork:49675                ESTABLISHED
  TCP    127.0.0.1:49770                      donwork:49771                ESTABLISHED
  TCP    127.0.0.1:49771                      donwork:49770                ESTABLISHED
  TCP    127.0.0.1:49772                      donwork:49773                ESTABLISHED
  TCP    127.0.0.1:49773                      donwork:49772                ESTABLISHED
  TCP    127.0.0.1:49774                      donwork:49775                ESTABLISHED
  TCP    127.0.0.1:49775                      donwork:49774                ESTABLISHED
  TCP    127.0.0.1:49776                      donwork:49777                ESTABLISHED
  TCP    127.0.0.1:49777                      donwork:49776                ESTABLISHED
  TCP    127.0.0.1:49787                      donwork:27015                ESTABLISHED
  TCP    192.168.1.163:139                    donwork:0                    LISTENING
  TCP    192.168.1.163:49792                  17.248.136.45:https          CLOSE_WAIT
  TCP    192.168.1.163:49794                  17.249.140.69:5223           ESTABLISHED
  TCP    192.168.1.163:49804                  atl26s16-in-f10:https        CLOSE_WAIT
  TCP    192.168.1.163:50542                  atl26s13-in-f10:https        CLOSE_WAIT
  TCP    192.168.1.163:50544                  atl26s13-in-f10:https        CLOSE_WAIT
  TCP    192.168.1.163:50545                  atl26s13-in-f10:https        CLOSE_WAIT
  TCP    192.168.1.163:51165                  atl26s14-in-f10:https        CLOSE_WAIT
  TCP    192.168.1.163:51166                  atl26s14-in-f13:https        CLOSE_WAIT
  TCP    192.168.1.163:51302                  atl26s13-in-f10:https        CLOSE_WAIT
  TCP    192.168.1.163:51303                  atl26s15-in-f13:https        CLOSE_WAIT
  TCP    192.168.1.163:51407                  yv-in-f188:5228              ESTABLISHED
  TCP    192.168.1.163:51491                  a104-118-220-173:http        ESTABLISHED
  TCP    192.168.1.163:51554                  199.16.157.105:https         ESTABLISHED
  TCP    192.168.1.163:51738                  HPA28954:3910                TIME_WAIT
  TCP    192.168.1.163:51747                  ec2-23-23-215-107:http       ESTABLISHED
  TCP    192.168.1.163:51748                  206-121:https                ESTABLISHED
  TCP    192.168.1.163:51749                  206-121:https                ESTABLISHED
  TCP    192.168.1.163:51750                  206-121:https                ESTABLISHED
  TCP    192.168.1.163:51751                  206-121:https                ESTABLISHED
  TCP    192.168.1.163:51754                  162.243.53.59:http           ESTABLISHED
  TCP    192.168.1.163:51784                  s3-us-west-2:https           ESTABLISHED
  TCP    192.168.1.163:52151                  a104-118-220-158:https       CLOSE_WAIT
  TCP    192.168.1.163:52152                  a104-118-220-158:https       CLOSE_WAIT
  TCP    192.168.1.163:52153                  a104-118-220-158:https       CLOSE_WAIT
  TCP    192.168.1.163:52155                  a23-74-5-12:https            CLOSE_WAIT
  TCP    192.168.1.163:52159                  a23-74-5-12:https            CLOSE_WAIT
  TCP    192.168.1.163:52167                  a104-118-220-158:https       CLOSE_WAIT
  TCP    192.168.1.163:57880                  msnbot-65-52-108-211:https   ESTABLISHED
  TCP    192.168.1.163:57982                  40.114.95.106:https          ESTABLISHED
  TCP    192.168.1.163:58920                  ya-in-f125:5222              ESTABLISHED
  TCP    [::]:80                              donwork:0                    LISTENING
  TCP    [::]:135                             donwork:0                    LISTENING
  TCP    [::]:443                             donwork:0                    LISTENING
  TCP    [::]:445                             donwork:0                    LISTENING
  TCP    [::]:554                             donwork:0                    LISTENING
  TCP    [::]:2869                            donwork:0                    LISTENING
  TCP    [::]:3389                            donwork:0                    LISTENING
  TCP    [::]:5357                            donwork:0                    LISTENING
  TCP    [::]:8009                            donwork:0                    LISTENING
  TCP    [::]:8080                            donwork:0                    LISTENING
  TCP    [::]:10243                           donwork:0                    LISTENING
  TCP    [::]:49664                           donwork:0                    LISTENING
  TCP    [::]:49665                           donwork:0                    LISTENING
  TCP    [::]:49666                           donwork:0                    LISTENING
  TCP    [::]:49667                           donwork:0                    LISTENING
  TCP    [::]:49668                           donwork:0                    LISTENING
  TCP    [::]:49672                           donwork:0                    LISTENING
  TCP    [::]:49711                           donwork:0                    LISTENING
  TCP    [::]:49722                           donwork:0                    LISTENING
  TCP    [::1]:8080                           donwork:51757                TIME_WAIT
  TCP    [::1]:51758                          donwork:8080                 TIME_WAIT
  UDP    0.0.0.0:500                          *:*
  UDP    0.0.0.0:3389                         *:*
  UDP    0.0.0.0:3544                         *:*
  UDP    0.0.0.0:3702                         *:*
  UDP    0.0.0.0:3702                         *:*
  UDP    0.0.0.0:3702                         *:*
  UDP    0.0.0.0:3702                         *:*
  UDP    0.0.0.0:3702                         *:*
  UDP    0.0.0.0:3702                         *:*
  UDP    0.0.0.0:4500                         *:*
  UDP    0.0.0.0:5004                         *:*
  UDP    0.0.0.0:5005                         *:*
  UDP    0.0.0.0:5050                         *:*
  UDP    0.0.0.0:5353                         *:*
  UDP    0.0.0.0:5353                         *:*
  UDP    0.0.0.0:5353                         *:*
  UDP    0.0.0.0:5353                         *:*
  UDP    0.0.0.0:5355                         *:*
  UDP    0.0.0.0:49666                        *:*
  UDP    0.0.0.0:49670                        *:*
  UDP    0.0.0.0:52744                        *:*
  UDP    0.0.0.0:53693                        *:*
  UDP    0.0.0.0:58393                        *:*
  UDP    0.0.0.0:62508                        *:*
  UDP    0.0.0.0:63687                        *:*
  UDP    127.0.0.1:1900                       *:*
  UDP    127.0.0.1:49664                      *:*
  UDP    127.0.0.1:49665                      *:*
  UDP    127.0.0.1:50311                      *:*
  UDP    127.0.0.1:50312                      *:*
  UDP    127.0.0.1:54023                      *:*
  UDP    127.0.0.1:54024                      *:*
  UDP    127.0.0.1:55499                      *:*
  UDP    127.0.0.1:59328                      *:*
  UDP    127.0.0.1:59329                      *:*
  UDP    192.168.1.163:137                    *:*
  UDP    192.168.1.163:138                    *:*
  UDP    192.168.1.163:1900                   *:*
  UDP    192.168.1.163:5353                   *:*
  UDP    192.168.1.163:55498                  *:*
  UDP    192.168.1.163:62367                  *:*
  UDP    [::]:500                             *:*
  UDP    [::]:3389                            *:*
  UDP    [::]:3702                            *:*
  UDP    [::]:3702                            *:*
  UDP    [::]:3702                            *:*
  UDP    [::]:3702                            *:*
  UDP    [::]:3702                            *:*
  UDP    [::]:3702                            *:*
  UDP    [::]:4500                            *:*
  UDP    [::]:5004                            *:*
  UDP    [::]:5005                            *:*
  UDP    [::]:5353                            *:*
  UDP    [::]:5353                            *:*
  UDP    [::]:5353                            *:*
  UDP    [::]:5355                            *:*
  UDP    [::]:49667                           *:*
  UDP    [::]:49671                           *:*
  UDP    [::]:52745                           *:*
  UDP    [::]:62509                           *:*
  UDP    [::1]:1900                           *:*
  UDP    [::1]:5353                           *:*
  UDP    [::1]:55497                          *:*
  UDP    [fe80::f06d:63af:5f00:f6e1%5]:1900   *:*
  UDP    [fe80::f06d:63af:5f00:f6e1%5]:55496  *:*
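The triage André lays out in the thread (first ask netstat whether the server has bound the port at all, then ask a plain TCP connect whether that socket can be reached, and only then blame a firewall) is easy to script. The following is an added example, not code from this thread, from the Tomcat project, or from the list posters. It parses a constructed netstat listing in the shape of Windows `netstat -a -n` output (not Don's attached listing; the ports 8005/8009/8080/8444 and the address 192.168.1.50 in it are assumptions chosen to exercise each outcome) and classifies a port into "not listening", "listening but blocked", or "reachable". It goes one step beyond the thread with a fourth outcome, "listening elsewhere": a listener bound only to a non-loopback address also produces "refused to connect" from localhost, and no firewall rule will change that. The `triage()` function assumes a `netstat` binary on PATH (on Linux you would substitute `ss -ltn` and adjust the regex).

```python
"""Triage for "localhost refused to connect" on a server port such as Tomcat's 8443.

Added example; it is not part of the mailing-list thread.  Encodes the rule from the
thread: no LISTENING socket on the port means the server never bound it (read the
server's logs/config, a firewall cannot cause this); a LISTENING socket that a TCP
connect cannot reach means the problem sits between client and socket (host firewall,
or the listener is bound to an address the client is not talking to).
"""
import re
import socket
import subprocess

# Constructed sample in the shape of Windows `netstat -a -n` output.  It is NOT the
# listing attached to the thread: 8443 is deliberately absent, 8005 is bound to loopback
# only, and 8444 is bound to a single LAN address, to exercise each outcome.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8009           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:8005         0.0.0.0:0              LISTENING
  TCP    192.168.1.50:8444      0.0.0.0:0              LISTENING
  TCP    127.0.0.1:49669        127.0.0.1:5354         ESTABLISHED
  TCP    [::]:8080              [::]:0                 LISTENING
  UDP    0.0.0.0:5353           *:*
"""

# One TCP line in LISTENING state: local address (IPv4 or bracketed IPv6) and port.
LISTENING_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$", re.MULTILINE)
WILDCARDS = {"0.0.0.0", "[::]"}          # bound on every interface
LOOPBACKS = {"127.0.0.1", "[::1]"}       # bound for local clients only
LOOPBACK_NAMES = {"localhost", "127.0.0.1", "::1"}


def listening_addresses(netstat_text):
    """Map each TCP port in LISTENING state to the set of local addresses it is bound on."""
    bound = {}
    for addr, port in LISTENING_RE.findall(netstat_text):
        bound.setdefault(int(port), set()).add(addr)
    return bound


def tcp_connects(host, port, timeout=2.0):
    """True if a TCP handshake completes, False on refusal or timeout.  No TLS is
    attempted: like the telnet check in the thread, this only answers whether there
    is a socket the client can reach at all."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(port, netstat_text, connected, host="127.0.0.1"):
    """Apply the triage rule to one port, given a netstat listing and a connect result."""
    bound = listening_addresses(netstat_text).get(port)
    if not bound:
        return "not-listening"            # server side: config/logs; a firewall cannot do this
    if connected:
        return "reachable"
    # Addresses a client talking to `host` could have hit.
    targets = WILDCARDS | (LOOPBACKS if host in LOOPBACK_NAMES else {host})
    if bound.isdisjoint(targets):
        return "listening-elsewhere"      # bound only to an address the client is not using
    return "listening-but-blocked"        # bound for this client, yet refused: host firewall etc.


def triage(port, host="127.0.0.1", netstat_text=None):
    """Live version: collect netstat output (assumes `netstat` on PATH) and probe the port."""
    if netstat_text is None:
        netstat_text = subprocess.run(["netstat", "-a", "-n"],
                                      capture_output=True, text=True).stdout
    return classify(port, netstat_text, tcp_connects(host, port), host)


def loopback_probe_demo():
    """Open a throwaway loopback listener, probe it, close it, probe again.
    Shows the two connect outcomes the thread distinguishes: (True, False)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        while_up = tcp_connects("127.0.0.1", port)
    finally:
        srv.close()
    return while_up, tcp_connects("127.0.0.1", port)


if __name__ == "__main__":
    for p in (8443, 8080, 8005, 8444):
        print(p, classify(p, SAMPLE_NETSTAT, connected=False))
    print("live probe of a throwaway listener:", loopback_probe_demo())
```

Run against the sample, 8443 comes back "not-listening", which is exactly the case André says the firewall cannot explain; only "listening-but-blocked" justifies opening the Norton/Windows Firewall rule, and "listening-elsewhere" points at the Connector's `address` attribute (or the host name in the URL) rather than at either.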