Posted to users@tomcat.apache.org by "John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)" <jb...@cisco.com> on 2015/04/10 23:04:42 UTC

SSLCertificateKeyFile directive question

Hello,

I need to configure SSL in Tomcat 7.0.39, but am stalled at the SSLCertificateKeyFile directive.

I have been given by our info security team two trusted CA certificates, root and intermediate, with our large company being the CA, to
use for ldap over ssl with APR in order to use OpenSSL. In the Tomcat docs is the directive SSLCertificateKeyFile stating it must point to
the private key. We are using keystore, and when I try to export the private key the end result is that it cannot export the key due
to it being a trusted certificate "KeyStoreException: TrustedCertEntry not supported". How do I obtain the key? Is there another method,
or does the CA need to supply it to me?

Thanks
-John

Re: SSLCertificateKeyFile directive question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

John,

On 4/14/15 7:05 PM, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Yes, I only need to configure LDAP over SSL.

Okay.

> I have not been able to find any information on certificate 
> directives for JNDI realm similar to httpd server.xml 
> "LDAPTrustedGlobalCert CA_BASE64 /.pem" and "LDAPTrustedMode SSL".

Right: it appears no such options exist. They probably ought to exist.

> Where are similar directives configured?

From my previous message:

> you'll need to set the javax.net.ssl.trustStore system property to 
> point to your own trust store which contains the lowest
> certificate you are willing to completely trust. You may choose to
> trust the whole CA or maybe just the leaf certificate for the LDAP
> server (which might be slightly more appropriate/safe for your
> purposes).

Note that this will set the trustStore for everything in the JVM
(except for Tomcat, which allows you to specify your own trustStore on
a per-Connector basis), so you'd better be careful that you aren't
affecting other components that use the JVM's global trustStore.

Oracle's documentation for that system property says:

"
javax.net.ssl.trustStore

This property is used to specify the location of the trust store. A
trust store is a key store that is used when making decisions about
which clients and servers can be trusted. The property takes a String
value that specifies a valid trust store location. The default value
is jssecacerts, if available, or cacerts.
"

So, basically, you create a trustStore (using keytool) that contains
all of the certificates that you trust, and then you just make SSL
connections and those servers which have been signed by the certs in
the trustStore will be trusted.

So, throw your PEM file(s) into a trustStore and point
javax.net.ssl.trustStore at it and you should be good.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
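As an added example (not from the thread and not Tomcat's own tooling), a POSIX shell helper that does what Chris describes above: it imports the root and intermediate PEM files into a dedicated JKS trust store with keytool, counts the trustedCertEntry entries so you can confirm exactly what the JVM will trust, and prints the CATALINA_OPTS line for bin/setenv.sh. The file names, aliases and store password are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example, not part of the thread: build a dedicated trust store for
# the JNDIRealm from the PEM certificates the security team supplied, then
# hand it to the whole JVM through javax.net.ssl.trustStore.
# Assumptions: keytool (from the JDK) is on PATH; file names, aliases and
# the store password are placeholders chosen for this example.
set -eu

# Import PEM certificates into a JKS trust store (created if missing).
# $1 = trust store path, $2 = store password, $3.. = PEM files to trust.
# Import only what you are willing to trust: the leaf certificate of the
# LDAP server, or the intermediate/root if you want to trust the whole CA.
build_truststore() {
    store=$1; pass=$2; shift 2
    rm -f "$store"
    for pem in "$@"; do
        alias=$(basename "$pem" .pem)
        keytool -importcert -noprompt -trustcacerts -storetype JKS \
            -keystore "$store" -storepass "$pass" \
            -alias "$alias" -file "$pem" >/dev/null 2>&1
    done
}

# Count the trustedCertEntry entries so you can check what was imported.
count_trusted() {
    keytool -list -keystore "$1" -storepass "$2" 2>/dev/null | grep -c trustedCertEntry
}

# JVM flags for bin/setenv.sh. Note this is global to the JVM: every
# outbound TLS client in this Tomcat (not just the JNDIRealm) will use it,
# so the store should hold only the certificates you mean to trust.
catalina_opts() {
    printf -- '-Djavax.net.ssl.trustStore=%s -Djavax.net.ssl.trustStorePassword=%s\n' "$1" "$2"
}

# Run with "demo" and root-ca.pem / intermediate-ca.pem in the current dir.
if [ "${1:-}" = "demo" ]; then
    build_truststore ldap-truststore.jks changeit root-ca.pem intermediate-ca.pem
    echo "trusted entries: $(count_trusted ldap-truststore.jks changeit)"
    echo "CATALINA_OPTS=\"$(catalina_opts "$PWD/ldap-truststore.jks" changeit)\""
fi
```

Put the printed CATALINA_OPTS line in bin/setenv.sh and point the JNDIRealm's connectionURL at ldaps://; the Connector's own keystore settings play no part in this outbound trust decision.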


RE: SSLCertificateKeyFile directive question

Posted by "John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)" <jb...@cisco.com>.
Yes, I only need to configure LDAP over SSL.

I have not been able to find any information on certificate directives for JNDI realm similar to httpd server.xml "LDAPTrustedGlobalCert CA_BASE64 /.pem"
and "LDAPTrustedMode SSL". Where are similar directives configured?

Thanks
-John


Re: SSLCertificateKeyFile directive question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

John,

On 4/13/15 3:15 PM, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> Christopher, thank you for the information.
> 
> Yes, I'm trying to configure LDAPS for connection to Active
> Directory. Does the SSL connector need to be configured for LDAPS,
> or just create the JNDI realm?

The SSL connector is completely irrelevant, here. If you want to
configure for incoming TLS connections from web users, then look to
the <Connector> configuration.

For authentication against JNDI, you only need JNDIRealm.

-chris


RE: SSLCertificateKeyFile directive question

Posted by "John Beaulaurier -X (jbeaulau - ADVANCED NETWORK INFORMATION INC at Cisco)" <jb...@cisco.com>.
Christopher, thank you for the information.

Yes, I'm trying to configure LDAPS for connection to Active Directory. Does the SSL connector need to be configured for LDAPS, or just create the JNDI realm?

-John


Re: SSLCertificateKeyFile directive question

Posted by Christopher Schultz <ch...@christopherschultz.net>.

John,

On 4/10/15 5:04 PM, John Beaulaurier -X (jbeaulau - ADVANCED NETWORK
INFORMATION INC at Cisco) wrote:
> I need to configure SSL in Tomcat 7.0.39, but am stalled at the 
> SSLCertificateKeyFile directive.

You should upgrade Tomcat if at all possible. There are known,
advertised security problems with a version that old.

http://tomcat.apache.org/security-7.html

> I have been given by our info security team two trusted CA 
> certificates, root and intermediate, with our large company being 
> the CA, to use for ldap over ssl with APR in order to use OpenSSL.

Are you trying to configure TLS for the Tomcat server to accept
requests, or so that you can connect to your LDAP server securely? If
the former, you want to configure your <Connector> appropriately and
make sure to use the APR-based connector. If the latter, I don't think
you can choose an OpenSSL-based client to use for making outgoing LDAP
connections.

> In the Tomcat docs is the directive SSLCertificateKeyFile stating
> it must point to the private key. We are using keystore, and when I
> try to export the private key the end result is that it cannot
> export the key due to it being a trusted certificate
> "KeyStoreException: TrustedCertEntry not supported". How to obtain
> the key? Is there another method, or does the CA need to supply it
> to me?

It sounds like you are trying to connect to a secure LDAP server and
you just want to configure the trust store.

You're getting confused between the two above cases I asked about. The
documentation you are looking for is here:
http://tomcat.apache.org/tomcat-7.0-doc/realm-howto.html#JNDIRealm

Unfortunately, the docs look a little thin for the JNDIRealm, and I
think it doesn't tell you what to do about ldaps:// connections.
Checking the Javadoc for that class, there don't appear to be any
settings you can put on the connector to handle the trust store, so I
suspect JNDIRealm will use the JVM's default trust store which is I
think just the one that ships with the JVM. So if you need to trust
some other CA (i.e. not a public one), then you'll need to set the
javax.net.ssl.trustStore system property to point to your own trust
store which contains the lowest certificate you are willing to
completely trust. You may choose to trust the whole CA or maybe just
the leaf certificate for the LDAP server (which might be slightly more
> appropriate/safe for your purposes).

-chris