Posted to users@tomcat.apache.org by Jeffery Cann <jc...@yahoo.com> on 2004/03/12 16:33:26 UTC

Import SSL keys into Tomcat 5.0.18 --> SSL handshake error

Greetings,

I am trying to import an openssl key from a third
party certificate authority, Geotrust (Equifax).  I
have used these keys successfully in an apache
installation.

So, I followed the key import process described for
Tomcat on the Geotrust web site -

http://www.geotrust.com/resources/install/jakarta_tomcat.htm

However, tomcat 5.0.18 throws an exception when I
start up the HTTP/SSL listener:

SSL handshake error - javax.net.ssl.SSLException: No
available certificate corresponds to the SSL cipher
suites which are enabled.

Environment:
1) JDK 1.4.1_02 on Linux 2.4 kernel
2) Tomcat 5.0.18
3) OpenSSL 0.9.7a

What I did:
1) Convert CAs cert and our server root cert (i.e.,
our domain public key) to binary (DER) format.

2) Import converted binary keys into a new java
keystore (using keytool).

3) Add path to keystore.kdb file in tomcat server.xml,
restart tomcat.

Below are the specific commands (and output) I used to
import keys and configure Tomcat.

I have been using the PEM version of these keys in
apache 2.x with no problems.

I have contacted Geotrust and they do not seem to have
an answer.  Other posts to this list mostly show folks
trying to set up SSL using their own CA certs.  

What have I missed?  I appreciate any suggestions.

Thanks
Jeff

------------------- details ---------------------
1)  Convert pem keys to binary format:

   $ openssl x509 -in geotrustca.pem -inform PEM -outform DER -out geotrustca.crt

   $ openssl x509 -in mydomain.com.pem -inform PEM -outform DER -out mydomain.crt

2) Import binary keys into a new Java key store.  I
used Tomcat's default keystore password setting
'changeit'.  Here's the commands and output:

2a) Geotrust root certificate:
$ keytool -import -alias geotrustca -keystore /etc/cert/mydomain.kdb -file /etc/cert/geotrustca.crt
Enter keystore password:  changeit
Owner: OU=Equifax Secure Certificate Authority,
O=Equifax, C=US
Issuer: OU=Equifax Secure Certificate Authority,
O=Equifax, C=US
Serial number: 35def4cf
Valid from: Sat Aug 22 10:41:51 MDT 1998 until: Wed
Aug 22 10:41:51 MDT 2018
Certificate fingerprints:
         MD5: 
67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4
         SHA1:
D2:32:09:AD:23:D3:14:23:21:74:E4:0D:7F:9D:62:13:97:86:63:3A
Trust this certificate? [no]:  yes
Certificate was added to keystore

2b) Server root key (our public key):

$ keytool -import -alias tomcat -keystore /etc/cert/mydomain.kdb -file /etc/cert/mydomain.crt
Enter keystore password:  changeit
Certificate was added to keystore

2c)  Here's the list of my keystore.

$ keytool -list -keystore /etc/cert/mydomain.kdb
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Mar 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5):
1B:AE:BF:96:6C:3C:0A:C3:AE:3E:5A:46:94:CF:AF:0B
geotrustca, Mar 9, 2004, trustedCertEntry,
Certificate fingerprint (MD5):
67:CB:9D:C0:13:24:8A:82:9B:B2:17:1E:D1:1B:EC:D4

3)  Update server.xml.  Note we are using Tomcat 5, so
the directive for the SSL connector syntax is
different from that shown on the Geotrust web site
instructions.

Compared to the default connector parameters, I added
the keystoreFile parameter to point to my kdb file
created in step 2.

<Connector port="8443"
  maxThreads="150" minSpareThreads="25"
  maxSpareThreads="75" enableLookups="false"
  disableUploadTimeout="true" acceptCount="100" 
  debug="0" scheme="https" secure="true"
  clientAuth="false" sslProtocol="TLS"
  keystoreFile="/etc/cert/mydomain.kdb"  
/>


When I enable the SSL connector in my server.conf file
and restart tomcat, logs show this exception:

Mar 9, 2004 5:59:55 AM
org.apache.tomcat.util.net.PoolTcpEndpoint
acceptSocket
SEVERE: Endpoint [SSL:
ServerSocket[addr=0.0.0.0/0.0.0.0,port=0,localport=8443]]
ignored exception: java.net.SocketException: SSL
handshake errorjavax.net.ssl.SSLException: No
available certificate corresponds to the SSL cipher
suites which are enabled. java.net.SocketException:
SSL handshake errorjavax.net.ssl.SSLException: No
available certificate corresponds to the SSL cipher
suites which are enabled.
  at
org.apache.tomcat.util.net.jsse.JSSESocketFactory.acceptSocket(JSSESocketFactory.java:154)
  at
org.apache.tomcat.util.net.PoolTcpEndpoint.acceptSocket(PoolTcpEndpoint.java:387)
  at
org.apache.tomcat.util.net.TcpWorkerThread.runIt(PoolTcpEndpoint.java:557)
  at
org.apache.tomcat.util.threads.ThreadPool$ControlRunnable.run(ThreadPool.java:683)
  at java.lang.Thread.run(Thread.java:536)
Mar 9, 2004 5:59:55 AM
org.apache.tomcat.util.net.PoolTcpEndpoint
acceptSocket WARNING: Reinitializing ServerSocket


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org
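The keystore listing in the post shows both aliases as trustedCertEntry. JSSE's key manager only serves TLS from a PrivateKeyEntry (JKS entry tag 1); `keytool -import` of a bare certificate always writes a trustedCertEntry (tag 2), which is exactly the situation that produces "No available certificate corresponds to the SSL cipher suites which are enabled". The following is an added example, not code from the thread or from Tomcat: it parses the JKS entry table and reports whether the store holds anything a server could use. The keystore bytes are constructed in the script itself and the certificate payloads are placeholder bytes, not real DER; the aliases `geotrustca` and `tomcat` are taken from the listing above.

```python
"""Inspect a JKS keystore's entry table (added example, not from the thread).

A JKS file is: magic 0xFEEDFEED, version 2, entry count, the entries, then a
SHA-1 integrity digest over (password as UTF-16BE + fixed salt + store bytes).
"""
import hashlib
import struct

MAGIC = 0xFEEDFEED
VERSION = 2
PRIVATE_KEY = 1      # JKS tag for a PrivateKeyEntry (key + cert chain)
TRUSTED_CERT = 2     # JKS tag for a trustedCertEntry (certificate only)
INTEGRITY_SALT = b"Mighty Aphrodite"   # fixed salt used by the JKS format


def _utf(s: str) -> bytes:
    """Java DataOutput.writeUTF: 2-byte big-endian length + UTF-8 bytes."""
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def _integrity(password: str, body: bytes) -> bytes:
    return hashlib.sha1(password.encode("utf-16-be") + INTEGRITY_SALT + body).digest()


def build_jks(entries, password: str, ts_ms: int = 0) -> bytes:
    """Serialize entries as JKS. entries: [(alias, tag, payload)], where payload is
    cert DER for TRUSTED_CERT, or (protected_key_blob, [cert DER, ...]) for PRIVATE_KEY.
    Payloads here are constructed placeholders; the parser never decodes them."""
    out = bytearray(struct.pack(">IIi", MAGIC, VERSION, len(entries)))
    for alias, tag, payload in entries:
        out += struct.pack(">i", tag) + _utf(alias) + struct.pack(">q", ts_ms)
        if tag == PRIVATE_KEY:
            key_blob, chain = payload
            out += struct.pack(">i", len(key_blob)) + key_blob
            out += struct.pack(">i", len(chain))
            for cert in chain:
                out += _utf("X.509") + struct.pack(">i", len(cert)) + cert
        elif tag == TRUSTED_CERT:
            out += _utf("X.509") + struct.pack(">i", len(payload)) + payload
        else:
            raise ValueError("unknown JKS tag %d" % tag)
    return bytes(out) + _integrity(password, bytes(out))


class _Reader:
    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise ValueError("truncated keystore")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def unpack(self, fmt: str):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def utf(self) -> str:
        return self.take(self.unpack(">H")).decode("utf-8")


def inspect_jks(data: bytes, password: str = None):
    """Return [(alias, 'PrivateKeyEntry' | 'trustedCertEntry', chain_length), ...].
    When a password is given, the trailing integrity digest is verified too."""
    r = _Reader(data)
    if r.unpack(">I") != MAGIC or r.unpack(">I") != VERSION:
        raise ValueError("not a JKS version 2 keystore")
    entries = []
    for _ in range(r.unpack(">i")):
        tag = r.unpack(">i")
        alias = r.utf()
        r.unpack(">q")                      # creation timestamp, unused here
        if tag == PRIVATE_KEY:
            r.take(r.unpack(">i"))          # password-protected private key blob
            chain_len = r.unpack(">i")
            for _cert in range(chain_len):
                r.utf()                     # certificate type, "X.509"
                r.take(r.unpack(">i"))      # certificate DER
            entries.append((alias, "PrivateKeyEntry", chain_len))
        elif tag == TRUSTED_CERT:
            r.utf()
            r.take(r.unpack(">i"))
            entries.append((alias, "trustedCertEntry", 1))
        else:
            raise ValueError("unknown JKS tag %d" % tag)
    if password is not None:
        body, digest = data[:r.pos], r.take(20)
        if digest != _integrity(password, body):
            raise ValueError("integrity check failed: wrong password or tampered store")
    return entries


def can_serve_tls(entries) -> bool:
    """JSSE's SunX509 key manager selects a server credential only from PrivateKeyEntry aliases."""
    return any(kind == "PrivateKeyEntry" for _, kind, _ in entries)


if __name__ == "__main__":
    # Constructed: the shape of the keystore listed in the post, two cert-only aliases.
    store = build_jks([("geotrustca", TRUSTED_CERT, b"\x30\x82placeholder-ca"),
                       ("tomcat", TRUSTED_CERT, b"\x30\x82placeholder-server")], "changeit")
    for alias, kind, _ in inspect_jks(store, "changeit"):
        print(alias, kind)
    print("usable by a JSSE server:", can_serve_tls(inspect_jks(store)))
```

Run against a real store (`inspect_jks(open("/etc/cert/mydomain.kdb", "rb").read(), "changeit")`) the same check tells you at a glance whether the server alias is a PrivateKeyEntry; a store that lists only trustedCertEntry rows cannot complete a server-side handshake no matter which CA certificate it also holds.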


Re: Import SSL keys into Tomcat 5.0.18 --> SSL handshake error

Posted by Bill Barker <wb...@wilshire.com>.
You need to import the CA for your client-certs into your truststore file.
Then you add the 'truststoreFile="/path/to/truststore"' to your Connector
element in server.xml.  After that, your browser should prompt you for any
cert that you have that is signed by that CA.

"Jeffery Cann" <jc...@yahoo.com> wrote in message
news:20040312153326.44726.qmail@web20004.mail.yahoo.com...