Posted to users@tomcat.apache.org by Samuli Seppänen <sa...@tietoteema.fi> on 2008/02/01 14:28:07 UTC

Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

>> From: Samuli Seppänen [mailto:samuli.seppanen@tietoteema.fi] 
>> Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
>> tampered with [SOLVED]
>>
>> Tomcat SSL <Connector> entries accept the following parameters:
>> - keystorePass (password for the JKS (Java keystore))
>> - keypass (password for the key inside the JKS)
>> - keystoreFile (keystore location in filesystem)
> 
> The problem with your analysis is that the keypass attribute is not in the Tomcat doc, and you've misinterpreted the code.  As currently implemented, the keypass attribute is simply an internal alias for keystorePass, nothing else.

Yes, you're probably right, I didn't have time to really dig into the code.

> Note the following from the SSL how-to:
> 
> "Finally, you will be prompted for the key password, which is the password specifically for this Certificate (as opposed to any other Certificates stored in the same keystore file). You MUST use the same password here as was used for the keystore password itself."
> 
> "Note: your private key password and keystore password should be the same."
> 
> If you want things to work differently, submit an enhancement request (preferably with a patch).

I've been aware of that, and I do understand the difference. My only 
problem has been the requirement to use the default password "changeit". 
As a sysadmin I'm against using a widely known default password for 
anything, especially if it has anything to do with the Internet.

I have nothing against using the same password for the JKS _and_ for the 
certificate, as long as the password is not "changeit". Anyways, please 
tell me if my concerns are unfounded from a security perspective.

>> At least on 5.5.20 the "keystoreFile" parameter has 
>> to be inserted straight into <Connector>, contrary to 
>> what the Howto says.
> Where else does the doc say the keystoreFile attribute can be specified?  I can't find anything other than a comment about its default location, which seems to work fine.

Take a look at "Troubleshooting" section in 
http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

---

# When Tomcat starts up, I get an exception like 
"java.io.FileNotFoundException: {some-directory}/{some-file} not found".

A likely explanation is that Tomcat cannot find the keystore file where 
it is looking. By default, Tomcat expects the keystore file to be named 
.keystore in the user home directory under which Tomcat is running 
(which may or may not be the same as yours :-). If the keystore file is 
anywhere else, you will need to add a keystoreFile attribute to the 
<Factory> element in the Tomcat configuration file.

---

I'll verify this thing one more time to be sure and then file a 
bug report and attach a patch.

Best regards,

Samuli



---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

Posted by Samuli Seppänen <sa...@tietoteema.fi>.
Just for future reference to others, the problem was this line in 
Funambol data synchronization server's start.sh script:

JAVA_OPTS="$JAVA_OPTS -Djavax.net.ssl.trustStore=$FUNAMBOL_HOME/lib/security/cacerts"

Commenting this out fixed the problem. I still fail to see how this 
should affect the keystorePass parameter handling in Tomcat in any way. 
So why does "changeit" work but some other password doesn't?

Well, go figure.

Samuli


>>> From: Samuli Seppänen [mailto:samuli.seppanen@tietoteema.fi] Subject: 
>>> Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]
>>>
>>> I suppose this Tomcat home does not apply if I use absolute 
>>> pathnames, like /root/newkeystore?
>>
>> There's always a home directory for the process, usually based on the 
>> userid the process is running under.  If you've put the keystore file 
>> in any location other than the userid's home directory, you must 
>> specify the location with the keystoreFile attribute.
> 
> Just for reference, the problem was not Tomcat after all... it is 
> somehow related to Funambol sync server.
> 
> Until this point I had started Tomcat only via the Funambol startup 
> scripts. Then I tested Tomcat 5.5.25 standalone on my laptop and on the 
> Funambol server (e.g. with startup.sh and shutdown.sh) and everything 
> worked perfectly with JRE 1.5 and 1.6. I could select whatever password 
> I want and the SSL listener would come up just fine. I have to dig into 
> Funambol to see what is going on here, it's pretty weird.
> 
> Anyway, thanks for the tips!
> 
> Samuli
> 

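The two threads above boil down to three checks a sysadmin wants to run before starting Tomcat: does the keystoreFile attribute on the SSL <Connector> point at an absolute, existing path (otherwise Tomcat looks for .keystore under the user.home of the Tomcat process), is keystorePass still the well-known default "changeit", and does the JVM command line carry a -Djavax.net.ssl.trustStore override like the Funambol start.sh line. The last check matters because Tomcat's JSSE socket factory falls back to that system property when no truststoreFile is configured and, absent truststorePass, opens the trust store with keystorePass; verify that against the JSSESocketFactory source of your own version. The script below is an added example written for this page, not code from the thread, Tomcat or Funambol. The server.xml fragment, the JAVA_OPTS string, the /opt/... paths and the user.home value are constructed placeholders.

```python
"""Audit a Tomcat SSL <Connector> configuration and JAVA_OPTS for the
pitfalls discussed in the thread: keystore location, default password,
mismatched key password, and JVM-wide javax.net.ssl.* overrides."""
import os
import re
import xml.etree.ElementTree as ET

DEFAULT_PASSWORD = "changeit"   # Tomcat's documented default keystore password

# Constructed sample server.xml fragment (not from the thread); the path is a placeholder.
SAMPLE_SERVER_XML = """<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               keystoreFile="/opt/tomcat/conf/newkeystore"
               keystorePass="changeit" sslProtocol="TLS"/>
    <Connector port="8080"/>
  </Service>
</Server>"""

# Constructed JAVA_OPTS value in the shape of the Funambol start.sh line quoted above.
SAMPLE_JAVA_OPTS = "-Xmx256m -Djavax.net.ssl.trustStore=/opt/funambol/lib/security/cacerts"


def ssl_connectors(server_xml):
    """Return the <Connector> elements that terminate SSL.
    Tomcat 5.5 marks them with scheme="https"; Tomcat 6 adds SSLEnabled="true"."""
    root = ET.fromstring(server_xml)
    return [c for c in root.iter("Connector")
            if c.get("scheme", "").lower() == "https"
            or c.get("SSLEnabled", "false").lower() == "true"]


def effective_keystore_file(connector, user_home):
    """keystoreFile if set, else Tomcat's default of $user.home/.keystore."""
    return connector.get("keystoreFile") or os.path.join(user_home, ".keystore")


def audit_connector(connector, user_home, exists=os.path.isfile):
    """Return a list of findings (strings) for one SSL connector."""
    findings = []
    path = effective_keystore_file(connector, user_home)
    if connector.get("keystoreFile") is None:
        findings.append("no keystoreFile attribute; Tomcat will look for %s "
                        "(user.home of the Tomcat process, which may not be yours)" % path)
    if not os.path.isabs(path):
        findings.append("keystoreFile %r is relative; use an absolute path" % path)
    if not exists(path):
        findings.append("keystore %s not found (expect java.io.FileNotFoundException)" % path)
    password = connector.get("keystorePass", DEFAULT_PASSWORD)
    if password == DEFAULT_PASSWORD:
        findings.append("keystorePass is the widely known default 'changeit'")
    key_pass = connector.get("keyPass")
    if key_pass is not None and key_pass != password:
        findings.append("keyPass differs from keystorePass; the SSL how-to requires them to match")
    return findings


def audit_java_opts(java_opts):
    """Flag -Djavax.net.ssl.* properties: they apply to every SSL context in the JVM,
    and Tomcat's JSSE factory uses trustStore (opened with keystorePass) when no
    truststoreFile/truststorePass attribute is configured."""
    findings = []
    for name, value in re.findall(r"-D(javax\.net\.ssl\.\w+)=(\S+)", java_opts):
        findings.append("JAVA_OPTS sets %s=%s; this overrides the JVM default for the whole process"
                        % (name, value))
    return findings


def audit(server_xml, java_opts, user_home="/home/tomcat", exists=os.path.isfile):
    """Run all checks; keys are connector ports plus 'JAVA_OPTS'."""
    report = {}
    for c in ssl_connectors(server_xml):
        report[c.get("port", "?")] = audit_connector(c, user_home, exists)
    report["JAVA_OPTS"] = audit_java_opts(java_opts)
    return report


if __name__ == "__main__":
    for section, findings in audit(SAMPLE_SERVER_XML, SAMPLE_JAVA_OPTS).items():
        print(section)
        for f in findings or ["ok"]:
            print("  -", f)
```

Run it against your real conf/server.xml and the JAVA_OPTS your startup script exports; pass the actual user.home of the Tomcat process (readable via JConsole, as suggested in the thread) rather than your own.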

Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

Posted by Samuli Seppänen <sa...@tietoteema.fi>.
>> From: Samuli Seppänen [mailto:samuli.seppanen@tietoteema.fi] 
>> Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
>> tampered with [SOLVED]
>>
>> I suppose this Tomcat home does not apply if I use absolute 
>> pathnames, like /root/newkeystore?
> 
> There's always a home directory for the process, usually based on the userid the process is running under.  If you've put the keystore file in any location other than the userid's home directory, you must specify the location with the keystoreFile attribute.

Just for reference, the problem was not Tomcat after all... it is 
somehow related to Funambol sync server.

Until this point I had started Tomcat only via the Funambol startup 
scripts. Then I tested Tomcat 5.5.25 standalone on my laptop and on the 
Funambol server (e.g. with startup.sh and shutdown.sh) and everything 
worked perfectly with JRE 1.5 and 1.6. I could select whatever password 
I want and the SSL listener would come up just fine. I have to dig into 
Funambol to see what is going on here, it's pretty weird.

Anyway, thanks for the tips!

Samuli


RE: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Samuli Seppänen [mailto:samuli.seppanen@tietoteema.fi] 
> Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
> tampered with [SOLVED]
> 
> I suppose this Tomcat home does not apply if I use absolute 
> pathnames, like /root/newkeystore?

There's always a home directory for the process, usually based on the userid the process is running under.  If you've put the keystore file in any location other than the userid's home directory, you must specify the location with the keystoreFile attribute.

 - Chuck


Re: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

Posted by Samuli Seppänen <sa...@tietoteema.fi>.
> I had no problems running with a password other than "changeit" on any of 5.5.23, 5.5.25, and various 6.0.x levels.  As long as the keystore is built with both passwords the same, everything functions as documented.
>> Take a look at "Troubleshooting" section in 
>> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
> 
> I don't see any problems with that portion of the doc.  Remember that Tomcat's home directory may not be what you think it is.  Use JConsole or Lambda Probe to check the value of the user.home system property in a running Tomcat to find out what the default location is.

I suppose this Tomcat home does not apply if I use absolute pathnames, 
like /root/newkeystore?

Anyways thanks for the tip, I'll check JConsole and Lambda Probe out.

Samuli


RE: Tomcat 5.5 and SSL connector: keystore was tampered with [SOLVED]

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Samuli Seppänen [mailto:samuli.seppanen@tietoteema.fi] 
> Subject: Re: Tomcat 5.5 and SSL connector: keystore was 
> tampered with [SOLVED]
> 
> My only problem has been the requirement to use the 
> default password "changeit". 

I had no problems running with a password other than "changeit" on any of 5.5.23, 5.5.25, and various 6.0.x levels.  As long as the keystore is built with both passwords the same, everything functions as documented.

> Take a look at "Troubleshooting" section in 
> http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html

I don't see any problems with that portion of the doc.  Remember that Tomcat's home directory may not be what you think it is.  Use JConsole or Lambda Probe to check the value of the user.home system property in a running Tomcat to find out what the default location is.

 - Chuck
