Posted to users@tomcat.apache.org by moshood oladapo <mo...@yahoo.com> on 2011/12/02 09:56:38 UTC
Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5
Dear Sir/Ma,
I have already deployed an application running perfectly on tomcat 6.0.20 on port 8080 on my Oracle EL 5 server. But now I want all requests to go through SSL.
See below my configurations on server.xml:
<!--APR library loader. Documentation at /docs/apr.html -->
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" />
<Connector executor="tomcatThreadPool"
port="8080" protocol="HTTP/1.1"
connectionTimeout="20000"
redirectPort="443" />
-->
<!-- Define a SSL HTTP/1.1 Connector on port 8443
This connector uses the JSSE configuration, when using APR, the
connector should be using the OpenSSL style configuration
described in the APR documentation -->
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
maxThreads="150" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS"
SSLEngine="on"
SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
SSLPassword="optix10$"
/>
After doing all this, I still couldn't access "https://localhost:443/". It displays the error message "internet explorer cannot display the webpage". But when I try http://localhost:8080/, it works fine.
There is a clause I don't understand in the HowTo configure SSL with APR - (the
APR library must be available). How do I know if the APR is available or not?
Please assist.
Regards,
Moshood
Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5
Posted by Pid <pi...@pidster.com>.
On 02/12/2011 16:58, Christopher Schultz wrote:
> Moshood,
>
> On 12/2/11 3:56 AM, moshood oladapo wrote:
>> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
>> SSLEngine="on"
>
> That's the second message today from someone trying to use
> SSLEngine="on" in their <Connector>.
>
> Is the documentation for <Connector> not clear enough?
> http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
>
> Search for "SSLEngine". Can't find it? Because it's not the right
> attribute to use. Please read the documentation and configure the
> <Connector> properly.
Typo in some random blog somewhere maybe? Hmm...
p
Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5
Posted by Christopher Schultz <ch...@christopherschultz.net>.
Moshood,
On 12/2/11 3:56 AM, moshood oladapo wrote:
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> SSLEngine="on"
That's the second message today from someone trying to use
SSLEngine="on" in their <Connector>.
Is the documentation for <Connector> not clear enough?
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
Search for "SSLEngine". Can't find it? Because it's not the right
attribute to use. Please read the documentation and configure the
<Connector> properly.
-chris
Re: Configuring SSL on TOMCAT6 Using APR connector - Oracle EL 5
Posted by Daniel Mikusa <dm...@vmware.com>.
On Fri, 2011-12-02 at 00:56 -0800, moshood oladapo wrote:
> Dear Sir/Ma,
>
> I have already deployed an application running perfectly on tomcat 6.0.20 on port 8080 on my Oracle EL 5 server. But now I want all requests to go through SSL.
>
If you want to force all traffic to go through SSL, you need to do two
things.

1.) Configure a Connector with SSL.

Example using BIO connector:

    <Connector
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        keystoreFile="${user.home}/.keystore" keystorePass="changeit"
        clientAuth="false" sslProtocol="TLS"/>

Example using APR connector:

    <Connector
        port="8443" maxThreads="200"
        scheme="https" secure="true" SSLEnabled="true"
        SSLCertificateFile="/usr/local/ssl/server.crt"
        SSLCertificateKeyFile="/usr/local/ssl/server.pem"
        clientAuth="optional" SSLProtocol="TLSv1"/>

For details, see
https://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
https://tomcat.apache.org/tomcat-6.0-doc/config/http.html#SSL_Support

2.) Define user-data-constraint in web.xml to indicate that the
application's traffic must be secured.

    <security-constraint>
        ...
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>

See this link for details.
http://docs.oracle.com/javaee/5/tutorial/doc/bncbe.html#bncbm
>
> See below my configurations on server.xml:
>
> <!--APR library loader. Documentation at /docs/apr.html -->
> <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" SSLRandomSeed="builtin" />
>
>
>
> <Connector executor="tomcatThreadPool"
> port="8080" protocol="HTTP/1.1"
> connectionTimeout="20000"
> redirectPort="443" />
> -->
> <!-- Define a SSL HTTP/1.1 Connector on port 8443
> This connector uses the JSSE configuration, when using APR, the
> connector should be using the OpenSSL style configuration
> described in the APR documentation -->
>
> <Connector port="443" protocol="HTTP/1.1" SSLEnabled="true"
> maxThreads="150" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS"
> SSLEngine="on"
> SSLCerticateFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.crt"
> SSLCertificateKeyFile="/home/oracle/apache-tomcat-6.0.20/conf/ssl/optixserver.p12"
> SSLPassword="optix10$"
> />
>
> After doing all this, I still couldn't access "https://localhost:443/". It displays the error message "internet explorer cannot display the webpage". But when I try http://localhost:8080/, it works fine.
>
> There is a clause I don't understand in the HowTo configure SSL with APR - (the
> APR library must be available). How do I know if the APR is available or not?
If you don't know if APR is installed, then it's likely that it is not
installed. The APR library is a native library that you must compile
and install manually.
https://tomcat.apache.org/tomcat-6.0-doc/apr.html
Did you or another system admin compile and install it on your server?
Dan
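Added example, not part of any post in this thread: a small server.xml check for the mistakes discussed above, namely SSLEngine placed on the <Connector> instead of the AprLifecycleListener and a misspelled SSL* attribute that leaves the APR connector without a certificate file. The function name, the constructed sample (paths and password are placeholders) and the attribute set, taken as an assumption from the APR section of the Tomcat 6 HTTP connector documentation, are not from the thread.

```python
import xml.etree.ElementTree as ET

# Assumption: SSL* attributes documented for the APR connector in Tomcat 6.
APR_SSL_ATTRS = {
    "SSLEnabled", "SSLProtocol", "SSLCipherSuite", "SSLCertificateFile",
    "SSLCertificateKeyFile", "SSLPassword", "SSLVerifyClient",
    "SSLVerifyDepth", "SSLCACertificateFile", "SSLCACertificatePath",
    "SSLCertificateChainFile", "SSLCARevocationFile", "SSLCARevocationPath",
}
APR_LISTENER = "org.apache.catalina.core.AprLifecycleListener"

# Constructed sample modelled on the configuration in the question.
SAMPLE = """<Server>
<Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on"/>
<Service name="Catalina">
<Connector port="8080" protocol="HTTP/1.1" redirectPort="443"/>
<Connector port="443" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
  secure="true" clientAuth="false" sslProtocol="TLS" SSLEngine="on"
  SSLCerticateFile="/path/to/server.crt"
  SSLCertificateKeyFile="/path/to/server.key" SSLPassword="placeholder"/>
</Service></Server>"""

def lint_server_xml(xml_text):
    """Return findings about the APR SSL setup in a server.xml string."""
    root = ET.fromstring(xml_text)
    findings = []
    listeners = [l for l in root.iter("Listener")
                 if l.get("className") == APR_LISTENER]
    # SSLEngine is a listener attribute; it must be present and not "off".
    if not any(l.get("SSLEngine", "on") != "off" for l in listeners):
        findings.append("no AprLifecycleListener with the SSL engine enabled")
    for conn in root.iter("Connector"):
        port = conn.get("port", "?")
        for name in conn.attrib:          # XML attribute names are case-sensitive
            if not name.startswith("SSL") or name in APR_SSL_ATTRS:
                continue
            if name == "SSLEngine":
                findings.append(f"port {port}: SSLEngine belongs on the "
                                "AprLifecycleListener, not on <Connector>")
            else:
                findings.append(f"port {port}: unknown attribute {name}")
        # A key file without a certificate file usually means a misspelled name.
        if conn.get("SSLCertificateKeyFile") and not conn.get("SSLCertificateFile"):
            findings.append(f"port {port}: SSLCertificateKeyFile set "
                            "but SSLCertificateFile missing")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_server_xml(SAMPLE)) or "no findings")
```

Tomcat silently ignores attributes it does not recognise on a <Connector>, which is why a check like this catches what the startup itself does not report.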