Update on this thing Tomcat+SSL+keystore thing:
I dug into the Tomcat 5.5.25 source code to see what's really going on.
Here's what I found - hopefully it's useful to someone.
Tomcat SSL <Connector> entries accept the following parameters:
- keystorePass (password for the JKS (Java keystore)
- keypass (password for the key inside the JKS
- keystoreFile (keystore location in filesystem)
At least Tomcat 5.5.20 (older, yes) supports only the "keystoreFile"
parameter. The "keypass" and "keystorePass" get messed up somehow, no
matter how they're defined in the <Connector> part. The default password
("changeit") is used instead.
In Tomcat 5.5.21 a Java property check was added to the code to allow a
property (javax.net.keystorePassword or something) to define the
keystore password.
In Tomcat 5.5.25 it seems to be possible to use a different keystore
password and key password. One of them has to be the default
("changeit"), can't remember which. I didn't have time to check this
properly.
There's also a "bug" in Tomcat SSL Howto - I'll file a bug report on it
unless it's has been done already. At least on 5.5.20 the "keystoreFile"
parameters has to be inserted straight into <Connector>, contrary to
what the Howto says. This is easily verifiable with "strace".
Unless somebody proves me wrong, I would consider the parameters
"keypass" and "keystorePass" useless with Tomcat 5.5.x versions. There
is no practical way to change those without Java debugging and/or
patching, which is beyond the skill of most system admins. If the
parameters are indeed usable, please update the Tomcat 5.5 SSL
documentation to reflect their correct usage. Alternatively tell me how
to use them correctly and I'll file a patch to the SSL howto.
This configuration hell aside, Tomcat has been a real workhorse. Keep on
the good work!
Best regards,
Samuli
Some additional info:
Debian Etch w/o system-wide Java installation
These are included in the Funambol sync server bundle (6.5.12):
Java Runtime environment 1.5.0
Tomcat 5.5.20
First of all, instead of recipes, I'd prefer to be pointed at
information on how to debug this problem. I'm not a professional Java
developer so all these Servlet/Java/log4j/properties/Connector/Factory
things are a bit strange for me.
Anyways, here are the HTTPS/SSL connector settings that I've tried to no
avail. Please tell me which one _should_ work, or if they are all
faulty. The paths are correct.
<!-- This is based strictly on Tomcat 5.5 SSL Howto. Still -->
<!-- it does not work. The keystoreFile should be in -->
<!-- Connector part, not Factory part. Feel free to -->
<!-- verify with "strace" to see what I mean. -->
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150"
minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="something"
keyAlias="tomcat">
<Factory clientAuth="false" protocol="TLS"
keystoreFile="/root/newkeystore"/>
</Connector>
<!-- Another variant with keystorePass in Connector -->
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="something"
keyAlias="tomcat"
keystoreFile="/root/newkeystore">
<Factory clientAuth="false" protocol="TLS"/>
</Connector>
<!-- Another variant with keystorePass inside Factory -->
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keyAlias="tomcat"
keystoreFile="/root/newkeystore">
<Factory clientAuth="false" protocol="TLS"
keystorePass="something"/>
</Connector>
<!-- Another variant without Factory part -->
<Connector port="443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25"
maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
keystorePass="something"
keyAlias="tomcat"
keystoreFile="/root/newkeystore"/>
So none of these work. Any ideas?
Hi!
I migrated from Tomcat 5.0 to Tomcat 5.5. I had SSL working in Tomcat
5.0 with both a self-created certificate and a signed (trusted)
certificate, both inside a Java keystore (JKS).
Now, with Tomcat 5.5 the SSL connector refuses to start with the
dreaded "keystore was tampered with" error. This only happens _if_ I
change the keystore password to anything else than "changeit".
I already searched the mailinglist archives, Tomcat Wiki, Tomcat
Howto's and Google. No definitive answers. Just lots of contradicting
information. I also read the Tomcat 5.5 SSL HOWTO carefully so I'm
positive I did miss anything.
Anyways, the process in a nutshell:
First I create a new Java keystore (JKS) with keytool, like this:
keytool -genkey -alias tomcat -keyalg RSA -keystore /root/newkeystore
Next I move on to modifying the server.xml. No matter what I do, I
can't get Tomcat to use the correct password. The
"keystoreFile="/root/newkeystore" in the <Connector> statement works
as it should (I straced Tomcat startup). The "keystorePass", however,
does not work whether it's inside <Connector> or inside <Factory>
(which is inside the <Connector>. The "keyAlias" entry did not help
either.
I can open my Java keystore just fine with keytool an with the defined
password, so it seems that Tomcat is just not using the password
that's defined in server.xml and therefore reverts to default.
Does anyone have a functional Tomcat 5.5 SSL/https connector
definition which I could use? Or does someone have an idea what's
happening here? I'd be really happy if this thing gets sorted out!
Best regards to all,
Samuli
---
Btw. The Tomcat 5.5 SSL-Howto seems to have an error in it:
"If the keystore file is anywhere else, you will need to add a
keystoreFile attribute to the <Factory> element in the Tomcat
configuration file."
I straced Tomcat startup and if the keystoreFile was defined in
<Connector> element, strace showed that Tomcat was trying to open
keystorefile from that location. Adding it to <Factory> did not work.
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]