Posted to users@tomcat.apache.org by Adria Stembridge <ad...@gmail.com> on 2009/12/11 12:47:32 UTC

New to Tomcat -- SSL

I'm setting up a standalone instance of Tomcat with SSL.   Tomcat5 is
installed on the RHEL5 box and the sample pages load fine.   I created a csr
using keytool and requested a certificate from Verisign.   After this is
imported (I'm waiting on delivery from verisign), how would I configure
Tomcat to route traffic from http://domain.com:8443 to https://domain.com?
Thank you.

Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
Success.

iptables -save &  iptables-save weren't saving the changes.  Issuing *service
iptables save* did the trick.    Tomcat is now running over ports 80 & 443.

Thanks for everyone's assistance.

a


On Sat, Dec 12, 2009 at 1:36 PM, Caldarale, Charles R <Chuck.Caldarale@unisys.com> wrote:

> > From: Adria Stembridge [mailto:adrya.stembridge@gmail.com]
> > Subject: Re: New to Tomcat -- SSL
> >
> > Tomcat works under 8080 and 8443 currently.
> >
> > Isn't there a way to forward 8443 to 443 with iptables?
>
> Yes, that's frequently done.  From the Tomcat FAQ:
>
> - Another way is to use Iptables to redirect Port 80 and 443 to user ports (>1024)
> * /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
> * /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
> * /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
> * /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
> /sbin/iptables-save or /etc/init.d/iptables save
>
> Consult the iptables man pages for details.
>
>  - Chuck
>
>
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you received
> this in error, please contact the sender and delete the e-mail and its
> attachments from all computers.
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>

RE: New to Tomcat -- SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Adria Stembridge [mailto:adrya.stembridge@gmail.com]
> Subject: Re: New to Tomcat -- SSL
> 
> Tomcat works under 8080 and 8443 currently.
> 
> Isn't there a way to forward 8443 to 443 with iptables?

Yes, that's frequently done.  From the Tomcat FAQ:

- Another way is to use Iptables to redirect Port 80 and 443 to user ports (>1024)
* /sbin/iptables -A FORWARD -p tcp --destination-port 443 -j ACCEPT
* /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443 --to-ports 8443
* /sbin/iptables -A FORWARD -p tcp --destination-port 80 -j ACCEPT
* /sbin/iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80 --to-ports 8080
/sbin/iptables-save or /etc/init.d/iptables save

Consult the iptables man pages for details.

 - Chuck




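The FAQ recipe Chuck quotes, turned into a script with the checks a practitioner wants around it. This is an added example, not code from the thread, the Tomcat FAQ or the Tomcat project. It assumes root to apply, iptables 1.4.11 or later for the "-C" rule-check option (older builds such as the one shipped with RHEL 5 lack it, so drop that guard there), RHEL's "service iptables save" for persistence (the command that finally worked in this thread), and the RH-Firewall-1-INPUT chain name taken from the ruleset posted later in the thread. Two points the FAQ leaves implicit: the nat rewrite happens before the filter INPUT chain sees the packet, so INPUT has to accept 8080/8443 rather than 80/443, and plain "iptables -L" lists only the filter table, so the REDIRECT rules never show up in such a listing.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomcat FAQ. Applies the FAQ's port
# redirection idempotently and verifies it from an iptables-save dump.
# Assumptions: root to apply, iptables 1.4.11+ for the -C rule-check option,
# RHEL's "service iptables save" for persistence (what worked in this thread),
# and the RHEL 5 filter chain name below, taken from the ruleset posted here.
CHAIN=${CHAIN:-RH-Firewall-1-INPUT}

# apply_redirect LOW HIGH: deliver TCP/LOW to Tomcat's unprivileged TCP/HIGH.
# nat PREROUTING rewrites the destination port before the filter INPUT chain
# sees the packet, so INPUT must accept HIGH; accepting LOW there does nothing.
# Each rule is guarded by "iptables -C" so re-running does not duplicate it.
apply_redirect() {
    low=$1; high=$2
    iptables -t nat -C PREROUTING -p tcp --dport "$low" -j REDIRECT --to-ports "$high" 2>/dev/null ||
        iptables -t nat -A PREROUTING -p tcp --dport "$low" -j REDIRECT --to-ports "$high"
    # Connections from the box itself (curl https://localhost/) never pass
    # PREROUTING; the nat OUTPUT chain covers loopback traffic.
    iptables -t nat -C OUTPUT -o lo -p tcp --dport "$low" -j REDIRECT --to-ports "$high" 2>/dev/null ||
        iptables -t nat -A OUTPUT -o lo -p tcp --dport "$low" -j REDIRECT --to-ports "$high"
    # Insert at the top: the chain ends in REJECT, so an appended rule is dead.
    iptables -C "$CHAIN" -m state --state NEW -p tcp --dport "$high" -j ACCEPT 2>/dev/null ||
        iptables -I "$CHAIN" -m state --state NEW -p tcp --dport "$high" -j ACCEPT
}

# verify_redirect LOW HIGH  < iptables-save output
# Succeeds only if the nat table redirects TCP/LOW to HIGH and the filter table
# accepts TCP/HIGH. Plain "iptables -L" lists only the filter table, which is
# why such a listing never shows REDIRECT rules; dump with iptables-save instead.
verify_redirect() {
    awk -v low="$1" -v high="$2" '
        /^\*/ { table = substr($0, 2) }          # "*nat" / "*filter" headers
        table == "nat" && /^-A (PREROUTING|OUTPUT) / && /-p tcp/ &&
            index($0, "--dport " low " ") && /-j REDIRECT/ &&
            $0 ~ ("--to-ports " high "$") { nat = 1 }
        table == "filter" && /^-A / && /-p tcp/ &&
            index($0, "--dport " high " ") && /-j ACCEPT/ { acc = 1 }
        END { exit !(nat && acc) }'
}

case "${1:-}" in
    apply)  apply_redirect 80 8080 && apply_redirect 443 8443 && service iptables save ;;
    verify) iptables-save | verify_redirect 80 8080 &&
            iptables-save | verify_redirect 443 8443 && echo "redirects in place" ;;
esac
```

Run it as "sh redirect.sh apply" once and "sh redirect.sh verify" after every reboot or firewall edit; the verify step is the one that would have shown, from the listing posted later in this thread, that the nat rules were never persisted.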


Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
I've been at this for two days.   Learning a lot, but this is production and
needs to get back to service.   Is there another way, other than
revoking/requesting a new SSL certificate and using apache mod_jk?

Tomcat works under 8080 and 8443 currently.

Isn't there a way to forward 8443 to 443 with iptables?

Re: New to Tomcat -- SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Chuck,

On 12/12/2009 1:40 PM, Caldarale, Charles R wrote:
>> From: Adria Stembridge [mailto:adrya.stembridge@gmail.com]
>> Subject: Re: New to Tomcat -- SSL
>>
>> I compiled jsvc per tomcat 5.5 documentation.
>>
>> [Linux] service tomcat5 stop
>> [Linux] ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp
>> ./bin/bootstrap.jar -outfile ./logs/catalina.out -errfile
>> ./logs/catalina.err org.apache.catalina.startup.Bootstrap
> 
> Looks like you didn't start jsvc under the root userid.

I'm not sure what the recommended technique is for using jsvc, but
making jsvc setuid=root seems like a reasonable thing to do: this allows
a non-root user to start Tomcat, but does not give that user any further
privileges.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksmcDUACgkQ9CaO5/Lv0PCG3wCfRuKvg/gpOGunLFZTBIVNw6PU
cGQAn0azpL/NnHiL+FmJoaZIPCeQdvWt
=D/Jl
-----END PGP SIGNATURE-----



RE: New to Tomcat -- SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Adria Stembridge [mailto:adrya.stembridge@gmail.com]
> Subject: Re: New to Tomcat -- SSL
> 
> I compiled jsvc per tomcat 5.5 documentation.
> 
> [Linux] service tomcat5 stop
> [Linux] ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp
> ./bin/bootstrap.jar -outfile ./logs/catalina.out -errfile
> ./logs/catalina.err org.apache.catalina.startup.Bootstrap

Looks like you didn't start jsvc under the root userid.  Also note this from the instructions:

"jsvc has other useful parameters, such as -user which causes it to switch to another user after the daemon initialization is complete. This allows, for example, running Tomcat as a non privileged user while still being able to use privileged ports."

 - Chuck




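The -user switch Chuck quotes and the setuid idea Chris raises, as an added example that is not code from the thread or the Tomcat project. It shows a jsvc start that opens ports 80 and 443 as root and then drops the JVM to an unprivileged account, plus two checks: that the drop actually happened, and that catalina.out carries no BindException like the one posted in this thread. Assumed values: CATALINA_HOME=/usr/share/tomcat5, JAVA_HOME=/usr/lib/jvm/java and a service account named tomcat; the jsvc options used (-user, -home, -pidfile, -cp, -outfile, -errfile) are the documented ones. From a least-privilege standpoint -user is preferable to a setuid-root jsvc binary: a setuid jsvc runs whatever classpath its caller passes, as root, so the grant is wider than just starting Tomcat.

```shell
#!/bin/sh
# Added example, not code from the thread or the Tomcat project. Starts Tomcat
# through jsvc so that the privileged ports are opened as root and the JVM then
# runs as an unprivileged account, and checks that this is what happened.
# Assumed layout: CATALINA_HOME=/usr/share/tomcat5, JAVA_HOME=/usr/lib/jvm/java,
# service account "tomcat". The jsvc options used are the documented ones.
CATALINA_HOME=${CATALINA_HOME:-/usr/share/tomcat5}
JAVA_HOME=${JAVA_HOME:-/usr/lib/jvm/java}
TOMCAT_USER=${TOMCAT_USER:-tomcat}

# Build the command line. It must be started as root ("Permission denied:80"
# in this thread's log is what happens when it is not); -user hands the JVM to
# TOMCAT_USER once the privileged sockets are open.
jsvc_cmd() {
    printf '%s' "$CATALINA_HOME/bin/jsvc \
-user $TOMCAT_USER \
-home $JAVA_HOME \
-pidfile /var/run/jsvc.pid \
-Dcatalina.home=$CATALINA_HOME \
-Djava.endorsed.dirs=$CATALINA_HOME/common/endorsed \
-cp $CATALINA_HOME/bin/bootstrap.jar \
-outfile $CATALINA_HOME/logs/catalina.out \
-errfile $CATALINA_HOME/logs/catalina.err \
org.apache.catalina.startup.Bootstrap"
}

# check_privilege_drop  < "ps -eo user=,pid=,ppid=,comm=" output
# Once detached, jsvc leaves two processes: a small controller that stays root
# (it only restarts the JVM) and the JVM itself, which must belong to
# TOMCAT_USER. Succeeds only if exactly one jsvc is root and all others are
# TOMCAT_USER; two root jsvc processes mean -user was forgotten.
check_privilege_drop() {
    awk -v want="$TOMCAT_USER" '
        $4 == "jsvc" {
            if ($1 == "root") root++
            else if ($1 == want) dropped++
            else other++
        }
        END { exit !(root == 1 && dropped >= 1 && other == 0) }'
}

# bind_failures  < catalina.out
# Prints the reason of every connector that could not bind its port (the
# symptom posted in this thread) and exits non-zero if there was any.
bind_failures() {
    awk '/java.net.BindException/ { sub(/.*BindException: /, ""); print; n++ }
         END { exit n > 0 }'
}

case "${1:-}" in
    start) [ "$(id -u)" -eq 0 ] || { echo "start as root; jsvc itself drops to $TOMCAT_USER" >&2; exit 1; }
           eval "$(jsvc_cmd)" ;;
    check) ps -eo user=,pid=,ppid=,comm= | check_privilege_drop && echo "JVM runs as $TOMCAT_USER"
           bind_failures < "$CATALINA_HOME/logs/catalina.out" ;;
esac
```

"sh tomcat-jsvc.sh start" as root, then "sh tomcat-jsvc.sh check" a few seconds later: a listening socket on 80 or 443 owned by a non-root JVM is the outcome both replies above are after.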


Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
> Linux/UNIX systems do not allow unprivileged userids to access ports <
> 1024.  Although you can run Tomcat under the root userid, this is not
> recommended for security reasons.  Instead, start Tomcat with jsvc:
> http://tomcat.apache.org/tomcat-6.0-doc/setup.html#Unix%20daemon
>
>  - Chuck
>

I compiled jsvc per tomcat 5.5 documentation.

[Linux] service tomcat5 stop
[Linux] ./bin/jsvc -Djava.endorsed.dirs=./common/endorsed -cp
./bin/bootstrap.jar -outfile ./logs/catalina.out -errfile
./logs/catalina.err org.apache.catalina.startup.Bootstrap

No errors at the prompt.   Checking catalina.out logfile:

Dec 12, 2009 1:25:50 PM org.apache.coyote.http11.Http11BaseProtocol start
SEVERE: Error starting endpoint
java.net.BindException: Permission denied:80
    at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:298)
    at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:313)
    at org.apache.coyote.http11.Http11BaseProtocol.start(Http11BaseProtocol.java:151)
    at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:76)
    at org.apache.catalina.connector.Connector.start(Connector.java:1090)
    at org.apache.catalina.core.StandardService.start(StandardService.java:457)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:177)
Dec 12, 2009 1:25:50 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.net.BindException: Permission denied:80
    at org.apache.catalina.connector.Connector.start(Connector.java:1097)
    at org.apache.catalina.core.StandardService.start(StandardService.java:457)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.commons.daemon.support.DaemonLoader.start(DaemonLoader.java:177)
Dec 12, 2009 1:25:50 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 641 ms

RE: New to Tomcat -- SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Adria Stembridge [mailto:adrya.stembridge@gmail.com]
> Subject: Re: New to Tomcat -- SSL
> 
> SEVERE: Catalina.start:
> LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.net.BindException: *Permission denied:80*
>     at org.apache.catalina.connector.Connector.start(Connector.java:1097)

Linux/UNIX systems do not allow unprivileged userids to access ports < 1024.  Although you can run Tomcat under the root userid, this is not recommended for security reasons.  Instead, start Tomcat with jsvc:
http://tomcat.apache.org/tomcat-6.0-doc/setup.html#Unix%20daemon

 - Chuck






Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
>
> Don't the Tomcat logs say anything helpful ?


Actually, yes...

SEVERE: Catalina.start:
LifecycleException:  service.getName(): "Catalina";  Protocol handler start failed: java.net.BindException: *Permission denied:80*
    at org.apache.catalina.connector.Connector.start(Connector.java:1097)
    at org.apache.catalina.core.StandardService.start(StandardService.java:457)
    at org.apache.catalina.core.StandardServer.start(StandardServer.java:700)
    at org.apache.catalina.startup.Catalina.start(Catalina.java:552)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:597)
    at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:295)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:433)
Dec 11, 2009 5:21:20 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 643 ms

I'm approaching my wit's end with this project.

*server.xml*:

<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"/>
  <Listener className="org.apache.catalina.storeconfig.StoreConfigLifecycleListener"/>
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"/>
  <GlobalNamingResources>
    <Environment
      name="simpleValue"
      type="java.lang.Integer"
      value="30"/>
    <Resource
      auth="Container"
      description="User database that can be updated and saved"
      name="UserDatabase"
      type="org.apache.catalina.UserDatabase"
      pathname="conf/tomcat-users.xml"
      factory="org.apache.catalina.users.MemoryUserDatabaseFactory"/>
  </GlobalNamingResources>
  <Service
      name="Catalina">
    <Connector
        port="80"
        redirectPort="443"
        minSpareThreads="25"
        connectionTimeout="20000"
        maxSpareThreads="75"
        maxThreads="150">
    </Connector>
    <Connector
        port="443"
        scheme="https"
        secure="true"
        keystoreFile="/my/keystore"
        keystorePass="mysecretpassword"
        SSLEnabled="true"
        sslProtocol="TLS"
        maxSpareThreads="75"
        maxThreads="150"
        minSpareThreads="25"
        clientAuth="false">
    </Connector>
    <Engine
        defaultHost="localhost"
        name="Catalina">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"/>
      <Host
          appBase="webapps"
          name="localhost">
      </Host>
    </Engine>
  </Service>
</Server>


*Scanning ports from a different system:*

[Linux]:~$ nmap -p80,443,8080,8443 my.domain.org

Starting Nmap 4.62 ( http://nmap.org ) at 2009-12-12 12:15 EST
Interesting ports on my.domain.org (1.1.1.1):
PORT     STATE  SERVICE
80/tcp   open   http
443/tcp  open   https
8080/tcp closed http-proxy
8443/tcp closed https-alt

Nmap done: 1 IP address (1 host up) scanned in 0.071 seconds


*iptables -L*
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
RH-Firewall-1-INPUT  all  --  anywhere             anywhere

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

Chain RH-Firewall-1-INPUT (2 references)
target     prot opt source               destination
ACCEPT     all  --  anywhere             anywhere
ACCEPT     icmp --  anywhere             anywhere            icmp any
ACCEPT     esp  --  anywhere             anywhere
ACCEPT     ah   --  anywhere             anywhere
ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:webcache
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:pcsync-https
ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ddi-tcp-1
REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

*netstat -tln*
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State
tcp        0      0 0.0.0.0:3306                0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:6011              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:892                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:7006                0.0.0.0:*                   LISTEN
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN
tcp        0      0 :::80                       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:6011                    :::*                        LISTEN
tcp        0      0 :::443                      :::*                        LISTEN
tcp        0      0 :::7006                     :::*                        LISTEN


*iptables*
[Linux]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8080 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 8888 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT


If I shut down apache httpd service, ports 80 and 443 are not open, despite
the server.xml file saying otherwise.

I'm at my wit's end with this.  Any pointers or links to documentation to
help figure this out are greatly appreciated.

Re: New to Tomcat -- SSL

Posted by André Warnier <aw...@ice-sa.com>.
Adria Stembridge wrote:
> Well, I appear to have something wrong.   Pages are not served over 80 or
> 443 after updating server.xml and iptables.
> 
> [linux]# netstat -an | grep LISTEN
try netstat -pan, which will also give you the PID of the process owning 
the listening socket.

...
> tcp        0      0 ::ffff:127.0.0.1:8005       :::*
> LISTEN
...

> [linux]#
> 
> Not listening on 80 or 443.

Nor on 8009 either, which it should according to your <Connector> tags 
shown.
But it does seem to be listening on 8005, which is the Tomcat shutdown 
port usually (the one mentioned in the <Server ..> tag).

For netstat, the firewall/iptables configuration should be irrelevant, 
no? It only (possibly) blocks external attempts to connect to these ports.

...
> 
> I may be missing something obvious - but what?
> 
Are you sure there are not just <!-- comment --> signs around your 
<Connector> tags?

Don't the Tomcat logs say anything helpful?





Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
Well, I appear to have something wrong.   Pages are not served over 80 or
443 after updating server.xml and iptables.

[linux]# netstat -an | grep LISTEN
tcp        0      0 0.0.0.0:897                 0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:631               0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN
tcp        0      0 127.0.0.1:6010              0.0.0.0:*                   LISTEN
tcp        0      0 0.0.0.0:7003                0.0.0.0:*                   LISTEN
tcp        0      0 ::ffff:127.0.0.1:8005       :::*                        LISTEN
tcp        0      0 :::22                       :::*                        LISTEN
tcp        0      0 ::1:6010                    :::*                        LISTEN
tcp        0      0 :::7003                     :::*                        LISTEN
[linux]#

Not listening on 80 or 443.

[linux]# more /etc/sysconfig/iptables
# Firewall configuration written by system-config-securitylevel
# Manual customization of this file is not recommended.
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p 50 -j ACCEPT
-A RH-Firewall-1-INPUT -p 51 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
[linux]#

But firewall rules should open these two ports.


Connectors:
    <Connector
        port="80"
        redirectPort="8443"
        minSpareThreads="25"
        connectionTimeout="20000"
        maxSpareThreads="75"
        maxThreads="150">
    </Connector>
    <Connector
        port="443"
        scheme="https"
        secure="true"
        keystoreFile="/my/secret/keystore"
        keystorePass="mysecretpassword"
        SSLEnabled="true"
        sslProtocol="TLS"
        maxSpareThreads="75"
        maxThreads="150"
        minSpareThreads="25"
        clientAuth="false">
    </Connector>
    <Connector
        port="8009"
        redirectPort="8443"
        secure="true"
        connectionTimeout="0"
        threadPriority="5"
        connectionUploadTimeout="0"
        connectionLinger="0"
        maxSpareThreads="50"
        maxThreads="200"
        maxKeepAliveRequests="100"
        disableUploadTimeout="false">
    </Connector>

I may be missing something obvious - but what?

Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
> Any reason you are using Apache httpd, here, at all?
>

None - I'd prefer not using it at all if possible.


> If Apache httpd is not needed, shut it down and disable it. In fact,
> uninstall it if you don't need it.


Perfect.


> > Ports 80, 8080, 443 and 8443 are allowed through the firewall.
>
> You shouldn't need 8080 and 8443 at all: if you just want Tomcat to
> serve both ports 80 and 443, then you need to:
>
> 1. Disable / uninstall Apache httpd
> 2. Change the above Tomcat configuration for your HTTP connector to use
> port="80" instead of port="8080"
>

Should the connectors for port 8009 be left alone?  What about the port
redirects, should these all point to 443 instead of 8443?
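Adria's redirectPort question, answered with a check rather than a reply. This is an added example, not code from the thread or the Tomcat project. Tomcat uses a connector's redirectPort when a request on that connector hits a security constraint requiring confidential transport, so once the SSL connector moves to 443, every redirectPort still set to 8443 (on the port 80 connector and on the 8009 connector alike) sends browsers to a port nothing listens on, or one the firewall rejects. The function below reads a server.xml and reports each non-SSL connector whose redirectPort differs from the SSL connector's port; it assumes a single SSLEnabled="true" connector and name="value" attributes written the way they are in the configuration posted in this thread.

```shell
#!/bin/sh
# Added example, not from the thread or the Tomcat project: report every
# <Connector> whose redirectPort does not point at the SSL connector's port.
# Assumes one SSL connector (SSLEnabled="true") per server.xml and attributes
# written name="value", possibly spread over several lines as in this thread.
check_redirect_ports() {  # usage: check_redirect_ports < conf/server.xml
    awk '
        # Value of attribute NAME inside the collected element text, or "".
        function attr(text, name,   m) {
            if (match(text, " " name "=\"[^\"]*\"")) {
                m = substr(text, RSTART, RLENGTH)
                sub(/^[^"]*"/, "", m); sub(/"$/, "", m)
                return m
            }
            return ""
        }
        /<Connector/ { collecting = 1; text = "" }
        collecting { text = text " " $0 }
        # The start tag ends at the first ">" after "<Connector".
        collecting && />/ {
            collecting = 0
            port = attr(text, "port")
            if (text ~ /SSLEnabled="true"/) ssl_port = port
            else if (attr(text, "redirectPort") != "") redirect[port] = attr(text, "redirectPort")
        }
        END {
            if (ssl_port == "") { print "no SSL connector found"; exit 1 }
            bad = 0
            for (p in redirect)
                if (redirect[p] != ssl_port) {
                    printf "connector %s redirects to %s but SSL is on %s\n", p, redirect[p], ssl_port
                    bad = 1
                }
            exit bad
        }'
}

# With a file argument, check it; with none, only define the function.
[ "${1:-}" = "" ] || check_redirect_ports < "$1"
```

Running "sh check-redirects.sh conf/server.xml" against the connectors posted above prints a line for the port 80 connector and one for the port 8009 connector, both still pointing at 8443; a clean run exits 0 and prints nothing.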

Re: New to Tomcat -- SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adria,

On 12/11/2009 2:48 PM, Adria Stembridge wrote:
> I've updated the connector as follows:
> 
>     <Connector
>         port="8080"
>         redirectPort="8443"
>         minSpareThreads="25"
>         connectionTimeout="20000"
>         maxSpareThreads="75"
>         maxThreads="150">
>     </Connector>

If you're moving to :443, why not also move to :80?

>     <Connector
>         port="443"
>         scheme="https"
>         secure="true"
>         keystoreFile="/my/secret/keystore"
>         keystorePass="mysecretpassword"
>         SSLEnabled="true"
>         sslProtocol="TLS"
>         maxSpareThreads="75"
>         maxThreads="150"
>         minSpareThreads="25"
>         clientAuth="false">
>     </Connector>

That looks good.

> And restarted Tomcat5.  (I am running Tomcat 5.5 btw).   Requesting the url
> https://mydomain.org returns the apache www page, not the tomcat default
> page.

If you get the Apache httpd welcome page, then Apache httpd is listening
on port 443, so your Tomcat configuration isn't going to work. You need
to tell Apache httpd /not/ to listen to port 443 (usually by simply
telling httpd not to serve https).

Any reason you are using Apache httpd, here, at all?

> If I access with https://mydomain.org:8443, I get the tomcat page.

This behavior does not match your Tomcat configuration above. Did you
post all of your <Connector> elements? If so, Tomcat isn't using the
configuration file you think it is.

If Apache httpd is really listening to port 443, then Tomcat should not
have been able to startup in the above configuration because of a port
conflict.

> No pages will be served with apache www, so I want the tomcat pages to
> appear over port 80 and 443.

If Apache httpd is not needed, shut it down and disable it. In fact,
uninstall it if you don't need it.

> Ports 80, 8080, 443 and 8443 are allowed through the firewall.

You shouldn't need 8080 and 8443 at all: if you just want Tomcat to
serve both ports 80 and 443, then you need to:

1. Disable / uninstall Apache httpd
2. Change the above Tomcat configuration for your HTTP connector to use
port="80" instead of port="8080"

> What else am I missing?

That should be about it.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksiqiEACgkQ9CaO5/Lv0PA3ZACfSxHJMarjNW1Uy3APtmTICKJt
sUgAoJJs6Mp85aFl+VZkjitCQtWJh6/K
=+Jkp
-----END PGP SIGNATURE-----



Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
I've updated the connector as follows:

    <Connector
        port="8080"
        redirectPort="8443"
        minSpareThreads="25"
        connectionTimeout="20000"
        maxSpareThreads="75"
        maxThreads="150">
    </Connector>
    <Connector
        port="443"
        scheme="https"
        secure="true"
        keystoreFile="/my/secret/keystore"
        keystorePass="mysecretpassword"
        SSLEnabled="true"
        sslProtocol="TLS"
        maxSpareThreads="75"
        maxThreads="150"
        minSpareThreads="25"
        clientAuth="false">
    </Connector>

And restarted Tomcat5.  (I am running Tomcat 5.5 btw).   Requesting the url
https://mydomain.org returns the apache www page, not the tomcat default
page.   If I access with https://mydomain.org:8443, I get the tomcat page.
No pages will be served with apache www, so I want the tomcat pages to
appear over port 80 and 443.

Ports 80, 8080, 443 and 8443 are allowed through the firewall.

What else am I missing?

a

On Fri, Dec 11, 2009 at 2:42 PM, Adria Stembridge <adrya.stembridge@gmail.com> wrote:

> Should the port redirects for Connector 8080 and 8009 also be changed to
> 443?
>
> a
>
> On Fri, Dec 11, 2009 at 6:59 AM, Pid <pi...@pidster.com> wrote:
>
>> On 11/12/2009 11:47, Adria Stembridge wrote:
>>
>>> I'm setting up a standalone instance of Tomcat with SSL.   Tomcat5 is
>>> installed on the RHEL5 box and the sample pages load fine.   I created a
>>> csr
>>> using keytool and requested a certificate from Verisign.   After this is
>>> imported (I'm waiting on delivery from verisign), how would I configure
>>> Tomcat to route traffic from http://domain.com:8443 to
>>> https://domain.com?
>>> Thank you.
>>>
>>>
>> Tomcat 5.5 or Tomcat 5.0?  The latter is no longer supported.
>>
>> Change the port of the Connector from 8443 to 443, assuming you have root
>> rights (required to configure a port below 1024).
>>
>>
>>
>> p
>>
>>
>>
>

Re: New to Tomcat -- SSL

Posted by Adria Stembridge <ad...@gmail.com>.
Should the port redirects for Connector 8080 and 8009 also be changed to
443?

a
On Fri, Dec 11, 2009 at 6:59 AM, Pid <pi...@pidster.com> wrote:

> On 11/12/2009 11:47, Adria Stembridge wrote:
>
>> I'm setting up a standalone instance of Tomcat with SSL.   Tomcat5 is
>> installed on the RHEL5 box and the sample pages load fine.   I created a
>> csr
>> using keytool and requested a certificate from Verisign.   After this is
>> imported (I'm waiting on delivery from verisign), how would I configure
>> Tomcat to route traffic from http://domain.com:8443 to https://domain.com
>> ?
>> Thank you.
>>
>>
> Tomcat 5.5 or Tomcat 5.0?  The latter is no longer supported.
>
> Change the port of the Connector from 8443 to 443, assuming you have root
> rights (required to configure a port below 1024).
>
>
>
> p
>
>
>

Re: New to Tomcat -- SSL

Posted by Pid <pi...@pidster.com>.
On 11/12/2009 11:47, Adria Stembridge wrote:
> I'm setting up a standalone instance of Tomcat with SSL.   Tomcat5 is
> installed on the RHEL5 box and the sample pages load fine.   I created a csr
> using keytool and requested a certificate from Verisign.   After this is
> imported (I'm waiting on delivery from verisign), how would I configure
> Tomcat to route traffic from http://domain.com:8443 to https://domain.com?
> Thank you.
>

Tomcat 5.5 or Tomcat 5.0?  The latter is no longer supported.

Change the port of the Connector from 8443 to 443, assuming you have 
root rights (required to configure a port below 1024).


p



Re: New to Tomcat -- SSL

Posted by Mark Thomas <ma...@apache.org>.
Adria Stembridge wrote:
> I'm setting up a standalone instance of Tomcat with SSL.   Tomcat5 is
> installed on the RHEL5 box and the sample pages load fine.   I created a csr
> using keytool and requested a certificate from Verisign.   After this is
> imported (I'm waiting on delivery from verisign), how would I configure
> Tomcat to route traffic from http://domain.com:8443 to https://domain.com?
> Thank you.

Set the port attribute on the SSL connector to 443.

Mark






Re: New to Tomcat -- SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Adria,

On 12/11/2009 6:47 AM, Adria Stembridge wrote:
> I'm setting up a standalone instance of Tomcat with SSL.   Tomcat5 is
> installed on the RHEL5 box and the sample pages load fine.   I created a csr
> using keytool and requested a certificate from Verisign.   After this is
> imported (I'm waiting on delivery from verisign), how would I configure
> Tomcat to route traffic from http://domain.com:8443 to https://domain.com?

Just making sure you didn't mistype: did you mean route traffic from
https://domain.com:8443 to https://domain.com?

If you really meant http://domain.com:8443 -> https://domain.com then
it's easy to set up a redirect by simply doing:

response.sendRedirect("https://domain.com" + request.getRequestURI());

I suspect you meant that you wanted to use the default port of 443 for
HTTPS traffic once you have a legit, signed certificate from a CA. See
Mark's and Pid's responses for how to do that. The best resource is
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

If you are on a *NIX platform, I highly recommend using 'jsvc' (it
allows non-root use of ports lower than 1025) which is available as
source code in your Tomcat distribution as bin/jsvc.tar.gz.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksiaZ4ACgkQ9CaO5/Lv0PBa+wCgkguavPSHwN9Ff5SeJ8v5vJcU
VV8AnRMWf19EOr/mJC6viF35hqf+XhOe
=LRh+
-----END PGP SIGNATURE-----
