Mark,
On 06.07.2018 11:27, Sandels Mark (RTH) OUH wrote:
Hi Tomcat users
I have now configured the tomcat configuration file (server.xml) to
use TLS (see relevant sections of server.xml). I created a keystore
(using the jdk keystore command) for my existing certificate.
I am getting "This site cannot be reached" from my browser (Chrome)
when I enter the URL https://oxnetmdms04:8443/OracleStatus
Can anyone tell what I am doing wrong? (wrt:
https://tomcat.apache.org/tomcat-9.0-doc/ssl-howto.html)
What do the logfiles say? It is really important to check this, as they
will point you the way - before you ask here and we ask what they say ;-) .
Keystore command used:
"%JAVA_HOME%\bin\keytool" -import -alias mdms04 -file certificate.crt
-keystore publicKey.store
Relevant sections from Server.xml:
<Connector port="8443"
           protocol="org.apache.coyote.http11.Http11NioProtocol"
           maxThreads="150" SSLEnabled="true"
    <SSLHostConfig>
        <Certificate
            certificateKeystoreFile="conf/localhost-rsa.jks"
            type="RSA" />
    </SSLHostConfig>
</Connector>
....
<!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
<Connector
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    port="8443" maxThreads="200"
    scheme="https" secure="true" SSLEnabled="true"
    keystoreFile="%CATALINA_HOME%\conf\keystore\publicKey.store"
    keystorePass="mdms04"
    clientAuth="false" sslProtocol="TLS"/>
To me it looks like you have a config error. If that is the relevant
part of your config, you have a double 8443 connector.
And mdms04 is not the password, it's the keyAlias!
Did you use the standard password of changeit? (keystorePass="changeit")
Plus, if you don't set an alias name in the connector, Tomcat uses the
default "tomcat".
Now for the new and better config in Tomcat 8.5/9:
<SSLHostConfig
    hostName="oxnetmdms04"
    honorCipherOrder="true"
    certificateVerification="none"
    protocols="TLSv1.1+TLSv1.2"
    ciphers="ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS">
    <Certificate
        certificateKeystoreFile="${catalina.home}/conf/keystore/publicKey.store"
        certificateKeystorePassword="<your password to the keystore>"
        certificateKeyAlias="mdms04"
        type="RSA" />
</SSLHostConfig>
And from the naming: you should have the *private* key of the server in
the publicKey.store!
Hope this helps.
Peter
PS and BTW: You don't have to use keytool as I told you before.
Mark Sandels
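Peter's last two points, that the store must hold the server's *private* key and that keytool is not the only way to build it, as an added example (not from this thread, and not Tomcat project code): a POSIX shell script that builds a PKCS12 keystore with openssl, builds a certificate-only store of the kind `keytool -import -file certificate.crt` leaves you with, and a check that tells the two apart before you touch server.xml. The alias `mdms04`, the password `changeit`, the host name `oxnetmdms04` and the self-signed test key are placeholders; a real deployment uses the existing private key that the CSR was generated from and the CA-issued certificate.crt.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread or from Tomcat itself.
# Assumes: openssl on PATH and a scratch directory. Alias, password and
# host name below are placeholders.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ALIAS="mdms04"          # what goes into certificateKeyAlias
STOREPASS="changeit"    # what goes into certificateKeystorePassword (not the alias)

# Constructed test material: a self-signed key + cert standing in for the real
# server key and the certificate the CA returned.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
    -subj "/CN=oxnetmdms04" \
    -keyout "$WORK/server.key" -out "$WORK/certificate.crt" 2>/dev/null
}

# Correct store: private key AND certificate, under one friendly name.
# Tomcat 8.5/9 reads PKCS12 through certificateKeystoreFile; the friendly
# name is the alias Tomcat looks up.
build_keystore() {
  openssl pkcs12 -export \
    -inkey "$WORK/server.key" -in "$WORK/certificate.crt" \
    -name "$ALIAS" -passout "pass:$STOREPASS" \
    -out "$1"
}

# What `keytool -import -file certificate.crt` produces: a trusted-cert entry
# with no private key. Tomcat cannot terminate TLS with this.
build_cert_only_store() {
  openssl pkcs12 -export -nokeys \
    -in "$WORK/certificate.crt" \
    -name "$ALIAS" -passout "pass:$STOREPASS" \
    -out "$1"
}

# The check. `openssl pkcs12 -nocerts` dumps only key material, so an empty
# dump (wrong password, or a cert-only store) means no usable private key.
# Prints "ok" or "no-private-key" so it can be used from scripts.
keystore_has_private_key() {
  store="$1"; pass="$2"; alias="$3"
  dump=$(openssl pkcs12 -in "$store" -nocerts -nodes -passin "pass:$pass" 2>/dev/null || true)
  case "$dump" in
    *"friendlyName: $alias"*"PRIVATE KEY"*) echo ok ;;
    *) echo no-private-key ;;
  esac
}

make_test_material
build_keystore "$WORK/publicKey.store"
build_cert_only_store "$WORK/certOnly.store"
echo "publicKey.store: $(keystore_has_private_key "$WORK/publicKey.store" "$STOREPASS" "$ALIAS")"
echo "certOnly.store:  $(keystore_has_private_key "$WORK/certOnly.store" "$STOREPASS" "$ALIAS")"
```

Point `certificateKeystoreFile` at the resulting publicKey.store with `certificateKeystorePassword="changeit"` and `certificateKeyAlias="mdms04"`, exactly as in the SSLHostConfig above. The keystore step can also be skipped entirely: on Tomcat 8.5/9 the `<Certificate>` element accepts PEM files directly via `certificateKeyFile`, `certificateFile` and `certificateChainFile`, which is what "you don't have to use keytool" refers to. Once Tomcat is restarted, confirm the handshake from outside with `openssl s_client -connect oxnetmdms04:8443 -servername oxnetmdms04` rather than from the browser's generic error page.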
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org