aah, now I think we are getting somewhere.
Is this not the keystore that was used to generate the CSR, and also contains the private key? if not, then I don't know how it would work, you still need your private key in order to have a working SSL setup, the signed cert is only what tomcat sends to the browser, it needs the private key in order to decipher the stuff that the browser encrypts using the public key.

so if you deleted the original keystore that was used to create the key, then yes, you are screwed, you need to start over, generate another key, get another CSR, get another signed cert from verisign etc

Filip
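
An added diagnostic (my own code, not Tomcat's and not from anyone in this thread) that reproduces the check behind the first error in this thread, "Alias name tomcat does not identify a key entry", and then confirms the private key actually belongs to the signed certificate, which is the point Filip makes above. It assumes a JKS keystore and that the key password equals the keystore password, as the connector config quoted below implies (only keystorePass is set).

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPrivateCrtKey;
import java.security.interfaces.RSAPublicKey;
import java.util.Collections;

// Added diagnostic, not Tomcat code. Usage: java KeyAliasCheck <keystore> <alias> <password>
public class KeyAliasCheck {

    // Mirrors the condition Tomcat's JSSE14SocketFactory.getKeyManagers enforces:
    // keyAlias must name a key entry (private key + cert chain), not a trustedCertEntry.
    static String diagnose(KeyStore ks, String alias, char[] keyPass) throws Exception {
        if (!ks.containsAlias(alias)) {
            return "alias '" + alias + "' is not in the keystore at all";
        }
        if (!ks.isKeyEntry(alias)) {
            return "alias '" + alias + "' is a trusted-cert entry only; import the signed cert "
                 + "into the keystore that holds the private key, under this alias";
        }
        PrivateKey priv = (PrivateKey) ks.getKey(alias, keyPass);
        Certificate[] chain = ks.getCertificateChain(alias);
        // For RSA, the leaf certificate's modulus must equal the private key's modulus.
        if (priv instanceof RSAPrivateCrtKey && chain[0].getPublicKey() instanceof RSAPublicKey) {
            boolean same = ((RSAPrivateCrtKey) priv).getModulus()
                    .equals(((RSAPublicKey) chain[0].getPublicKey()).getModulus());
            if (!same) {
                return "alias '" + alias + "' has a key, but the certificate was issued for a different key";
            }
        }
        return "alias '" + alias + "' is usable: key entry with a " + chain.length + "-certificate chain";
    }

    public static void main(String[] args) throws Exception {
        KeyStore ks = KeyStore.getInstance("JKS");
        FileInputStream in = new FileInputStream(args[0]);
        try {
            ks.load(in, args[2].toCharArray());
        } finally {
            in.close();
        }
        // List every alias the way keytool -list does, but with the distinction Tomcat cares about.
        for (String a : Collections.list(ks.aliases())) {
            System.out.println(a + ": " + (ks.isKeyEntry(a) ? "key entry" : "trusted cert only"));
        }
        // Assumes key password == keystore password (the thread's config sets only keystorePass).
        System.out.println(diagnose(ks, args[1], args[2].toCharArray()));
    }
}
```

If every alias comes back "trusted cert only", the keystore has no private key, which is also why the connector without keyAlias fails with "No available certificate or key corresponds to the SSL cipher suites which are enabled."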

Werner Schalk wrote:
Hello Filip,

thanks a lot for all your support. No, that's something I already tried. When importing the Verisign root cert in my cacerts file and then importing the signed cert in my keystore, he seems to be able to build a certificate chain because I am no longer being asked whether I would like to trust the certificate. However when using that keystore then in Tomcat (which only contains my signed cert) I am getting the second error ("No available certificate or key corresponds to the SSL cipher suites which are enabled.").

Any more ideas?

Bye,
Seb

----- Original Message ----- From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Thursday, August 30, 2007 5:05 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


looks like the keyAlias="root" is not taking into effect, as the container complains for not finding one named "tomcat"

could be that it just looks for tomcat alias to be existent.
this is what I would try next, import the same certificate using the "tomcat" alias, leave the "root" alias in there.

Filip

Werner Schalk wrote:
Hello,

setting keyAlias="root" did not change anything. Then I downloaded the latest version of Tomcat, added the Verisign cert to my cacerts file and imported my Verisign-signed SSL certificate into a new keystore. Unfortunately that does not change my situation: Either Tomcat is unable to find my alias in the keystore file (if I specify a keyAlias) or there appears to be a problem with the SSL ciphers or certificate itself (if I don't specify a keyAlias).

The two error messages I am getting when attempting to start Tomcat are (see further below):

1/with keyAlias directive:
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol
start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)

2/without keyAlias directive:
java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)

Any more ideas? Is the problem maybe caused because I am creating a new keystore and the key of the Verisign-signed certificate is in a separate file (my colleague deleted the original keystore file)? Are we screwed now?

Thank you. Any input is greatly appreciated.

Bye,
Werner.

----- Original Message ----- From: "Filip Hanik - Dev Lists" <[EMAIL PROTECTED]>
To: "Tomcat Users List" <users@tomcat.apache.org>
Sent: Wednesday, August 29, 2007 10:32 PM
Subject: Re: Problems with SSL-enabled Tomcat 5.5


did you set
keyAlias="root" in server.xml

Werner Schalk wrote:
Hello,

I am trying to set up an SSL-enabled Tomcat 5.5.? (5.5.20 I think) on a Sun Solaris 10 (Sparc) but it turns out that this appears not to be an easy task. Hopefully you guys can shed some light on this. Basically I do have a Verisign-signed SSL certificate which I would like to add to my existing Tomcat config. Now after spending hours of tweaking the config, I do face two problems: Either Tomcat is unable to find my alias in the keystore file or there appears to be a problem with the SSL ciphers or certificate itself. Hopefully somebody knows what to do, this has been giving me a headache for many hours now.

Here is what I did (steps taken from http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html, "Importing the Certificate"), please note that I removed IPs, hostnames etc. to protect the innocent:

1) Import of the Verisign root cert into my keystore:

$ keytool -import -alias root -keystore wstest -trustcacerts -file verisign.crt
Enter keystore password:  XXX
Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[ ... ]

Certificate was added to keystore

2) Import of my Verisign-signed SSL certificate:

$ keytool -import -alias tomcat -keystore wstest -trustcacerts -file mysystem.crt
Enter keystore password:  XXX

[ ... ]

Certificate was added to keystore

3) Change of my Tomcat configuration in server.xml to use the new keystore and SSL cert:

<Connector port="8443" maxHttpHeaderSize="16384"
           address="myhostname" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" maxKeepAliveRequests="100"
           scheme="https" secure="true" clientAuth="false"
           compression="8192"
           compressableMimeType="text/javascript,text/css"
           keystoreFile="/usr/local/tomcat/conf/wstest"
           keystorePass="XXX" sslProtocol="TLS" keyAlias="tomcat"
/>

4) Restart of Tomcat and review of Tomcat log file:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

INFO: Deploying web application archive help.war
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on myhostname%2F10.10.11.32-6510
Aug 29, 2007 12:44:53 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.io.IOException: Alias name tomcat does not identify a key entry
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
        at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:294)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
        at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:150)
        at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:75)
        at org.apache.catalina.connector.Connector.start(Connector.java:1089)
        at org.apache.catalina.core.StandardService.start(StandardService.java:459)
        at org.apache.catalina.core.StandardServer.start(StandardServer.java:709)
        at org.apache.catalina.startup.Catalina.start(Catalina.java:551)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:294)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:432)

However my keystore DOES contain my two keys (Verisign's key as well as my SSL cert):

# keytool -list --keystore wstest -v
Enter keystore password:  XXX

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

Alias name: root
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign, OU=VeriSign International Server CA - Class 3, OU="VeriSign, Inc.", O=VeriSign Trust Network

[...]

*******************************************
*******************************************

Alias name: tomcat
Creation date: Aug 29, 2007
Entry type: trustedCertEntry

Owner: CN=myhostname, ...

[...]

*******************************************
*******************************************

Here is the first problem: Why does my alias "tomcat" not identify a key entry in the keystore? It does exist, doesn't it?

5) Now to get around this problem, I removed the "keyAlias" directive from the Tomcat config which now looks like this:

<Connector port="8443" maxHttpHeaderSize="16384"
           address="myhostname" enableLookups="false"
           disableUploadTimeout="true" acceptCount="100" maxKeepAliveRequests="100"
           scheme="https" secure="true" clientAuth="false"
           compression="8192"
           compressableMimeType="text/javascript,text/css"
           keystoreFile="/usr/local/tomcat/conf/wstest"
           keystorePass="XXX" sslProtocol="TLS"
/>

6) Then I restarted Tomcat and here is what I get in the logs:

# svcadm disable tomcat
# rm ../logs/catalina.out
# svcadm enable tomcat
# tail -f ../logs/catalina.out

[...]

java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No available certificate or key corresponds to the SSL cipher suites which are enabled.
        at org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:113)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:407)
        at org.apache.tomcat.util.net.LeaderFollowerWorkerThread.runIt(LeaderFollowerWorkerThread.java:70)
        at org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:684)
        at java.lang.Thread.run(Thread.java:595)
Aug 29, 2007 12:47:28 PM org.apache.tomcat.util.net.PoolTcpEndpoint acceptSocket
WARNING: Reinitializing ServerSocket

Another problem. Any ideas?

7) Then I tried to change the sslProtocol to SSL (rather than TLS) but that didn't change anything. The file permissions of the certs are okay, they are all world-readable.

So guys any ideas on how to solve this? Has anyone ever encountered this problem? I searched on Google but I really was unable to find a proper solution.

Any input is greatly appreciated. Thank you very much.

Best regards,
Werner.



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]