Posted to users@tomcat.apache.org by moshood oladapo <mo...@yahoo.com> on 2011/12/02 09:56:38 UTC

Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

Dear Sir/Ma,

I have already deployed an application running perfectly on Tomcat 6.0.20 on port 8080 on my Oracle EL 5 server. But now I want all requests to go through SSL.


See below my configurations on server.xml:

  <!--APR library loader. Documentation at /docs/apr.html -->
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" />



    <Connector executor="tomcatThreadPool"
               port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="443" />
    -->
    <!-- Define a SSL HTTP/1.1 Connector on port 8443
         This connector uses the JSSE configuration, when using APR, the
         connector should be using the OpenSSL style configuration
         described in the APR documentation -->

    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLEngine="on"
               SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
               SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
               SSLPassword="optix10$"
     />

After doing all this, I still couldn't access "https://localhost:443/". It displays the error message "Internet Explorer cannot display the webpage". But when I try http://localhost:8080/, it works fine.

There is a clause I don't understand in the HowTo on configuring SSL with APR ("the
APR library must be available"). How do I know if the APR is available or not?


Please assist.


Regards,

Moshood

Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

Posted by Pid <pi...@pidster.com>.
On 02/12/2011 16:58, Christopher Schultz wrote:
> Moshood,
> 
> On 12/2/11 3:56 AM, moshood oladapo wrote:
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> SSLEngine="on"
> 
> That's the second message today from someone trying to use
> SSLEngine="on" in their <Connector>.
> 
> Is the documentation for <Connector> not clear enough?
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
> 
> Search for "SSLEngine". Can't find it? Because it's not the right
> attribute to use. Please read the documentation and configure the
> <Connector> properly.

Typo in some random blog somewhere maybe?  Hmm...


p





Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Moshood,

On 12/2/11 3:56 AM, moshood oladapo wrote:
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" 
> SSLEngine="on"

That's the second message today from someone trying to use
SSLEngine="on" in their <Connector>.

Is the documentation for <Connector> not clear enough?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html

Search for "SSLEngine". Can't find it? Because it's not the right
attribute to use. Please read the documentation and configure the
<Connector> properly.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk7ZA6kACgkQ9CaO5/Lv0PCm3ACeLYBsmH8L8u2FIX/862FJ7DwU
YmUAn1+siGbB+f/H0DA0ebRVxbaA/V7/
=jmDt
-----END PGP SIGNATURE-----

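Chris's point is that Tomcat silently ignores Connector attributes it does not know, so a misplaced SSLEngine="on" or a misspelled attribute name produces no error, just a connector that does not do what you expect. The linter below is an added example (not code from the thread or from Tomcat) that parses a server.xml text and reports, for every SSLEnabled="true" Connector, attributes that belong on the AprLifecycleListener, a mix of JSSE-style and APR-style names, APR-style names without a matching listener, and names that appear in neither documented set. The attribute sets are a hand-copied subset of the tables on the linked http.html page, so an "unknown attribute" finding can be a false positive for a rarer attribute. The two server.xml samples are constructed; the second mirrors the APR example from the SSL HOWTO.

```python
"""Lint SSL Connectors in a Tomcat 6 server.xml (added example, not Tomcat code).

The attribute name sets are a hand-copied SUBSET of the tables at
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html, so a name missing
from them is reported as "unknown" and may be a false positive.
"""
import xml.etree.ElementTree as ET

APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# JSSE-style SSL attributes (read by the BIO/NIO connectors).
JSSE_SSL_ATTRS = {
    "keyAlias", "keystoreFile", "keystorePass", "keystoreType",
    "keystoreProvider", "sslProtocol", "ciphers", "algorithm",
    "truststoreFile", "truststorePass", "truststoreType", "truststoreProvider",
}
# APR/OpenSSL-style SSL attributes (read only when Tomcat Native is loaded).
APR_SSL_ATTRS = {
    "SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
    "SSLCertificateKeyFile", "SSLPassword", "SSLVerifyClient",
    "SSLVerifyDepth", "SSLCACertificateFile", "SSLCACertificatePath",
    "SSLCertificateChainFile", "SSLCARevocationFile", "SSLCARevocationPath",
}
# Attributes valid on any HTTP connector (subset). clientAuth appears in both
# the JSSE and the APR examples of the SSL HOWTO, so it is treated as common.
COMMON_ATTRS = {
    "port", "protocol", "SSLEnabled", "scheme", "secure", "maxThreads",
    "executor", "connectionTimeout", "redirectPort", "address",
    "enableLookups", "acceptCount", "URIEncoding", "compression",
    "clientAuth", "maxHttpHeaderSize", "disableUploadTimeout",
}
# These belong on the AprLifecycleListener, not on a Connector.
LISTENER_ONLY_ATTRS = {"SSLEngine", "SSLRandomSeed"}


def check_ssl_connectors(server_xml):
    """Return a list of (port, message) findings for SSLEnabled connectors."""
    root = ET.fromstring(server_xml)
    apr_ssl_on = any(
        lst.get("className") == APR_LISTENER and lst.get("SSLEngine") == "on"
        for lst in root.iter("Listener")
    )
    known = JSSE_SSL_ATTRS | APR_SSL_ATTRS | COMMON_ATTRS | LISTENER_ONLY_ATTRS
    findings = []
    for conn in root.iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        port = conn.get("port", "?")
        attrs = set(conn.keys())
        for name in sorted(attrs & LISTENER_ONLY_ATTRS):
            findings.append((port, f"{name} belongs on the AprLifecycleListener, "
                                   "not on a Connector"))
        jsse, apr = attrs & JSSE_SSL_ATTRS, attrs & APR_SSL_ATTRS
        if jsse and apr:
            findings.append((port, "mixes JSSE-style and APR-style SSL attributes; "
                                   "only the set matching the loaded connector is read"))
        if apr and not apr_ssl_on:
            findings.append((port, "uses APR-style SSL attributes but no "
                                   'AprLifecycleListener with SSLEngine="on" is configured'))
        for name in sorted(attrs - known):
            findings.append((port, f"unknown attribute {name!r} (typo?)"))
    return findings


# Constructed sample modelled on the original question (paths and password
# are placeholders, not the poster's values).
SAMPLE_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" SSLRandomSeed="builtin" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" redirectPort="443" />
    <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS"
               SSLEngine="on"
               SSLCerticateFile="/path/to/server.crt"
               SSLCertificateKeyFile="/path/to/server.key"
               SSLPassword="PLACEHOLDER" />
  </Service>
</Server>"""

# Constructed sample mirroring the APR connector from the SSL HOWTO.
CLEAN_SERVER_XML = """<Server>
  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="/usr/local/ssl/server.crt"
               SSLCertificateKeyFile="/usr/local/ssl/server.pem"
               clientAuth="optional" SSLProtocol="TLSv1"/>
  </Service>
</Server>"""

if __name__ == "__main__":
    for port, msg in check_ssl_connectors(SAMPLE_SERVER_XML):
        print(f"Connector port={port}: {msg}")
    print("clean config findings:", check_ssl_connectors(CLEAN_SERVER_XML))
```

Run it against a real server.xml with `check_ssl_connectors(open("conf/server.xml").read())`; on the constructed sample it reports the misplaced SSLEngine, the JSSE/APR mix, and the SSLCerticateFile spelling, while the HOWTO-style connector comes back clean.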


Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5

Posted by Daniel Mikusa <dm...@vmware.com>.
On Fri, 2011-12-02 at 00:56 -0800, moshood oladapo wrote:
> Dear Sir/Ma,
> 
> I have already deployed an application running perfectly on Tomcat 6.0.20 on port 8080 on my Oracle EL 5 server. But now I want all requests to go through SSL.
> 

If you want to force all traffic to go through SSL, you need to do two
things.

1.) Configure a Connector with SSL.

Example using BIO connector:

<Connector 
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           keystoreFile="${user.home}/.keystore" keystorePass="changeit"
           clientAuth="false" sslProtocol="TLS"/>

Example using APR connector:

<Connector 
           port="8443" maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
           SSLCertificateFile="/usr/local/ssl/server.crt" 
           SSLCertificateKeyFile="/usr/local/ssl/server.pem"
           clientAuth="optional" SSLProtocol="TLSv1"/>

For details, see

  https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
  https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support


2.) Define user-data-constraint in web.xml to indicate that the
application's traffic must be secured.

<security-constraint>
...
    <user-data-constraint>
        <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
</security-constraint>

See this link for details.

  http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbm


> 
> See below my configurations on server.xml:
> 
>   <!--APR library loader. Documentation at /docs/apr.html -->
>   <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" />
> 
> 
> 
>     <Connector executor="tomcatThreadPool"
>                port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="443" />
>     -->
>     <!-- Define a SSL HTTP/1.1 Connector on port 8443
>          This connector uses the JSSE configuration, when using APR, the
>          connector should be using the OpenSSL style configuration
>          described in the APR documentation -->
> 
>     <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS"
>                SSLEngine="on"
>                SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
>                SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
>                SSLPassword="optix10$"
>      />
> 
> After doing all this, I still couldn't access "https://localhost:443/". It displays the error message "Internet Explorer cannot display the webpage". But when I try http://localhost:8080/, it works fine.
> 
> There is a clause I don't understand in the HowTo on configuring SSL with APR ("the
> APR library must be available"). How do I know if the APR is available or not?

If you don't know if APR is installed, then it's likely that it is not
installed.  The APR library is a native library that you must compile
and install manually.

https://tomcat.apache.org/tomcat-6.0-doc/apr.html

Did you or another system admin compile and install it on your server?


Dan
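Dan's two steps and his closing question can both be checked mechanically. The Python below is an added example, not code from the thread or from Tomcat: `apr_status` reads the AprLifecycleListener startup line from catalina.out and says whether Tomcat Native was actually loaded (without it, protocol="HTTP/1.1" resolves to the JSSE connector and the SSL* attributes of the APR style are never read, which would match the symptom in the original question), and `https_forced_for_all` confirms that web.xml carries a security-constraint covering `/*` with a CONFIDENTIAL transport guarantee, which is the complete form of the fragment Dan abbreviated. The log message wording is the Tomcat 6 text as I recall it and is an assumption; the log lines and the web.xml documents are constructed samples.

```python
"""Check Tomcat Native availability and web.xml HTTPS enforcement
(added example, not code from the thread or from Tomcat)."""
import re
import xml.etree.ElementTree as ET

# Startup messages written by AprLifecycleListener (Tomcat 6 wording, assumed).
APR_LOADED_RE = re.compile(r"Loaded APR based Apache Tomcat Native library")
APR_MISSING_RE = re.compile(r"APR based Apache Tomcat Native library .*was not found")


def apr_status(log_lines):
    """Return 'loaded', 'missing' or 'unknown' from catalina.out lines.
    The last matching line wins, so a restart after installing APR counts."""
    status = "unknown"
    for line in log_lines:
        if APR_LOADED_RE.search(line):
            status = "loaded"
        elif APR_MISSING_RE.search(line):
            status = "missing"
    return status


def _local(tag):
    """Strip an XML namespace prefix: '{ns}url-pattern' -> 'url-pattern'."""
    return tag.rsplit("}", 1)[-1]


def https_forced_for_all(web_xml):
    """True if a security-constraint covers /* and demands CONFIDENTIAL."""
    root = ET.fromstring(web_xml)
    for sc in root.iter():
        if _local(sc.tag) != "security-constraint":
            continue
        patterns = {e.text.strip() for e in sc.iter()
                    if _local(e.tag) == "url-pattern" and e.text}
        guarantees = {e.text.strip() for e in sc.iter()
                      if _local(e.tag) == "transport-guarantee" and e.text}
        if "/*" in patterns and "CONFIDENTIAL" in guarantees:
            return True
    return False


# Constructed catalina.out excerpts (paths are placeholders).
SAMPLE_LOG_MISSING = [
    "Dec 2, 2011 9:50:12 AM org.apache.catalina.core.AprLifecycleListener init",
    "INFO: The APR based Apache Tomcat Native library which allows optimal "
    "performance in production environments was not found on the "
    "java.library.path: /usr/java/packages/lib/amd64:/lib:/usr/lib",
]
SAMPLE_LOG_LOADED = [
    "Dec 2, 2011 9:55:03 AM org.apache.catalina.core.AprLifecycleListener init",
    "INFO: Loaded APR based Apache Tomcat Native library 1.1.20.",
]

# Constructed web.xml: the abbreviated fragment from the reply, completed with
# the web-resource-collection a security-constraint requires.
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Whole application</web-resource-name>
      <url-pattern>/*</url-pattern>
    </web-resource-collection>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>
</web-app>"""

# Constructed web.xml that only protects one path, so plain HTTP still works.
PARTIAL_WEB_XML = SAMPLE_WEB_XML.replace("<url-pattern>/*</url-pattern>",
                                         "<url-pattern>/admin/*</url-pattern>")

if __name__ == "__main__":
    print("APR (first log):", apr_status(SAMPLE_LOG_MISSING))
    print("APR (second log):", apr_status(SAMPLE_LOG_LOADED))
    print("HTTPS forced for all:", https_forced_for_all(SAMPLE_WEB_XML))
    print("HTTPS forced for all (partial):", https_forced_for_all(PARTIAL_WEB_XML))
```

On a live server feed `apr_status(open("logs/catalina.out"))` and `https_forced_for_all(open("webapps/APP/WEB-INF/web.xml").read())`; a result of `missing` from the first call means the Connector is running as the JSSE implementation regardless of the APR-style attributes in server.xml.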