Posted to users@tomcat.apache.org by ro...@comcast.net on 2006/05/31 16:43:57 UTC

SSL Setup

Hello.  I'm setting up SSL.  I have Tomcat 5.5.16.  The error that I'm getting is that it can't locate my keystore file.  I have been using the keystorefile attribute but it's still not working.  Can anyone help?

Ro

Re: SSL Setup

Posted by Roch <ro...@comcast.net>.
Thanks for the info.  Finally figured out the problem: the certs were
wrong in the keystore.  Thanks for all your help though!
--
View this message in context: http://www.nabble.com/SSL-Setup-t1710991.html#a4791758
Sent from the Tomcat - User forum at Nabble.com.


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL Setup

Posted by Jack <ja...@gmail.com>.
You can download the strong encryption mechanisms here:
    http://java.sun.com/j2se/1.4.2/download.html

(Right at the bottom of the page) Java Cryptography Extension (JCE)
Unlimited Strength Jurisdiction Policy Files 1.4.2




On 06/06/06, Roch <ro...@comcast.net> wrote:
>
> How do I check to see if I have the strong encryption algorithms in the JDK?


-- 
Cheers
Jack...

The claim "natural" is not synonymous with safe.



Re: SSL Setup

Posted by Roch <ro...@comcast.net>.
How do I check to see if I have the strong encryption algorithms in the JDK?
--
View this message in context: http://www.nabble.com/SSL-Setup-t1710991.html#a4733795
Sent from the Tomcat - User forum at Nabble.com.




Re: SSL Setup

Posted by Jack <ja...@gmail.com>.
Do you have the strong encryption algorithms installed in the JDK you are using?

On 02/06/06, Roch <ro...@comcast.net> wrote:
>
> I'm getting the error that says "cannot communicate securely because they
> have no common encryption algorithms."


-- 
Cheers
Jack...

The claim "natural" is not synonymous with safe.



Re: SSL Setup

Posted by Roch <ro...@comcast.net>.
I'm getting the error that says "cannot communicate securely because they
have no common encryption algorithms."
--
View this message in context: http://www.nabble.com/SSL-Setup-t1710991.html#a4680316
Sent from the Tomcat - User forum at Nabble.com.




Re: SSL Setup

Posted by Roch <ro...@comcast.net>.
I finally got it to recognize the keystore and it's able to get in.  I still
have clientauth="false".  I had to add in ciphers also.  I'm not getting any
errors.  But when I go to view the page, it won't come up.  Is there
anything else that I missed?  Thanks.
--
View this message in context: http://www.nabble.com/SSL-Setup-t1710991.html#a4678581
Sent from the Tomcat - User forum at Nabble.com.




Re: SSL Setup

Posted by Gaël Lams <la...@gmail.com>.
Hi,

> Thank you the information.  Does the keystore have to be located in a
> specific location?  I have done everything listed but the keystore location
> is different.

No specific location; /etc/tomcat did not exist and I created it
because I like to have all the files related to configuration in /etc.

Did you verify that your keystore contains the certificates? Are
you really sure that the path indicated in your Tomcat configuration
is right?

Unfortunately, if you really follow the same steps, I don't know what
could be the problem (I would need your bash_history, your
configuration files, ... :-)

What I could suggest is to quickly set up a testing machine (I tested
my setup on a VMware guest) and perform all the steps again; maybe you
did something wrong.

Regards,

Gaël
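Gaël's two questions (is the keystore really where server.xml says, and does it contain what you think) can be answered before Tomcat is even started. The script below is an added example, not part of this reply or of Tomcat: it reads the keystoreFile/truststoreFile attributes (and their passwords) out of a server.xml, checks that each file exists, and, when keytool is on the PATH, that the configured password opens it. The sample server.xml, its paths and the "changeit" password are constructed for the demonstration; the attribute matching assumes the double-quoted `name="value"` form used in the Connector later in this thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): check that the
# keystore and truststore paths named in a Tomcat server.xml exist and
# open. Assumes attributes are written as keystoreFile="/path" (double
# quotes), as in the thread's Connector example.

# Print the value of attribute $2 from server.xml $1 (first match only).
# Note: plain text matching, so a commented-out <Connector> matches too.
connector_attr() {
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# Report on one store file. Returns 0 only if the attribute is set and
# the file is readable; this is the "cannot locate keystore" check.
check_store_file() {
    label=$1; path=$2
    if [ -z "$path" ]; then
        echo "$label: not set in server.xml"; return 1
    fi
    if [ ! -r "$path" ]; then
        echo "$label: cannot read $path (Tomcat will report that it cannot locate the keystore)"; return 1
    fi
    echo "$label: found $path"; return 0
}

# Confirm the configured password opens the store. Skipped (returns 0)
# with a message when keytool is not on the PATH.
check_store_opens() {
    label=$1; path=$2; pass=$3
    command -v keytool >/dev/null 2>&1 || { echo "$label: keytool not found, password not checked"; return 0; }
    if keytool -list -keystore "$path" -storepass "$pass" >/dev/null 2>&1; then
        echo "$label: opens with the configured password"; return 0
    fi
    echo "$label: exists but does not open with the configured password"; return 1
}

# Check both stores referenced by the Connector; returns the number of problems.
check_server_xml() {
    xml=$1; problems=0
    for kind in keystore truststore; do
        file=$(connector_attr "$xml" "${kind}File")
        pass=$(connector_attr "$xml" "${kind}Pass")
        if check_store_file "${kind}File" "$file"; then
            check_store_opens "${kind}File" "$file" "$pass" || problems=$((problems + 1))
        else
            problems=$((problems + 1))
        fi
    done
    return "$problems"
}

# Constructed sample in directory $1: an empty placeholder standing in for
# the keystore, and a server.xml whose truststore path is misspelled.
make_sample() {
    dir=$1
    : > "$dir/server-keystore.jks"
    cat > "$dir/server.xml" <<EOF
<Server>
  <Service name="Catalina">
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="$dir/server-keystore.jks"
               keystorePass="changeit"
               truststoreFile="$dir/trustsore.jks"
               truststorePass="changeit" />
  </Service>
</Server>
EOF
}

# Usage: sh check-stores.sh /path/to/server.xml   (file name is assumed)
if [ -n "${1:-}" ]; then
    check_server_xml "$1"
fi
```

On the constructed sample the keystore line passes and the truststore line is reported as unreadable, which is exactly the situation a misspelled path in server.xml produces. Because the matching is textual, run it against a server.xml in which the SSL Connector is actually uncommented; Tomcat's default file ships with that Connector inside an XML comment.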

Re: SSL Setup

Posted by Roch <ro...@comcast.net>.
Thank you for the information.  Does the keystore have to be located in a
specific location?  I have done everything listed but the keystore location
is different.

Ro
--
View this message in context: http://www.nabble.com/SSL+Setup-t1710991.html#a4646730
Sent from the Tomcat - User forum at Nabble.com.




Re: SSL Setup

Posted by Gaël Lams <la...@gmail.com>.
Hi,

> Hello.  I'm setting up SSL.  I have Tomcat 5.5.16.  The error that I'm getting is that it can't locate my keystore file.  I have been using the keystorefile attribute but it's still not working.  Can anyone help?
>

A more detailed email explaining what you tried would be needed to be
able to help you. Are you using Apache as a front-end? Because Apache
could be used to handle the SSL stuff.

Anyway, you will find below a working "four-step" process explaining
how to implement not only SSL encryption but also client
authentication using self-signed certificates. I don't have much
time, so I have just copy-pasted from my documentation; change the
various names according to your server.

As I said, adding support for SSL or TLS in Tomcat can be divided in
four general steps:

1 – Setting up the CA

- Create /home/lams/openssl to hold the CA keys, server keys and (as
we want to use SSL client authentication) the client keys.

- Create a private key and certificate request for our CA:
openssl req -new -newkey rsa:1024 -nodes -out ca.csr -keyout ca.key

- Create a CA's self-signed certificate:
openssl x509 -trustout -signkey ca.key -days 365 -req -in ca.csr -out ca.pem

- Import the CA certificate into the JDK certificate authorities
keystore:
$JAVA_HOME/bin/keytool -import -keystore
$JAVA_HOME/lib/security/cacerts -file ca.pem -alias itcilo_ca

- Create a file to hold the CA's serial numbers.  This file starts
with the number "2":
echo "02" > ca.srl

2 – Setting the web server

- Create /etc/tomcat to contain both the keystore and the truststore
files (the truststore is a keystore in which reside all the certificates
with which a user can authenticate himself on the server).

- Create a keystore for the tomcat server.
$JAVA_HOME/bin/keytool -genkey -alias map-test -keyalg RSA -keysize
1024 -keystore /etc/tomcat/server-keystore2.jks -storetype JKS

- Create a certificate request for the web server.
$JAVA_HOME/bin/keytool -certreq -keyalg RSA -alias map-test -file
map-test.csr -keystore /etc/tomcat/server-keystore2.jks

You need to edit the certificate request file slightly.  Open it up in
a text editor and amend the text which reads "NEW CERTIFICATE REQUEST"
to "CERTIFICATE REQUEST"

- Have your CA sign your certificate request:
openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
map-test.csr -out map-test.crt -days 365

- Import your CA certificate into your server keystore:

This step is necessary because we want to use SSL client authentication.

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore
/etc/tomcat/server-keystore2.jks -trustcacerts -file ca.pem

- Import the signed server certificate into the server keystore:

$JAVA_HOME/bin/keytool -import -alias map-test -keystore
/etc/tomcat/server-keystore2.jks -trustcacerts -file map-test.crt

You should see a message "Certificate reply was installed in keystore".

3 - Setting up the ssl client

- Create a client certificate request:

openssl req -new -newkey rsa:512 -nodes -out santiago.req -keyout santiago.key

- Have the CA sign the client certificate.

openssl x509 -CA ca.pem -CAkey ca.key -CAserial ca.srl -req -in
santiago.req -out santiago.pem -days 365

- Import the CA certificate into the truststore:

$JAVA_HOME/bin/keytool -import -alias itcilo_ca -keystore
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file ca.pem

- Import the client certificate into the truststore:

$JAVA_HOME/bin/keytool -import -alias santiago -keystore
/etc/tomcat/truststore-itcilo2.jks -trustcacerts -file santiago.pem

- Generate a PKCS12 file containing the client key and certificate:

openssl pkcs12 -export -clcerts -in santiago.pem -inkey santiago.key
-out santiago.p12 -name "virgilio_certificate"

- Import the PKCS12 file into the web browser to use as the client
certificate and key (Tools - Internet Options - Content -
Certificates; verify by clicking on "Advanced" that "Client
Authentication" is checked).

4 – Configure tomcat for ssl

The following lines must be added to server.xml. The clientAuth
parameter must be set to true as we want Tomcat to require all SSL
clients to present a client Certificate in order to use this socket.

    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" maxHttpHeaderSize="8192"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="true" sslProtocol="TLS"
           keystoreFile="/etc/tomcat/server-keystore2.jks"
           keystorePass="password"
           truststoreFile="/etc/tomcat/truststore-itcilo2.jks"
           truststorePass="password" />

Regards,

Gaël
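The four steps above as one script, added here as an example; it is not taken from Gaël's post or from the Tomcat or OpenSSL documentation. It adds the checks the post leaves out: the CA certificate carries a CA:TRUE basic constraint so that verifiers accept it as a trust anchor, each signed certificate is run through `openssl verify` against the CA, and the Connector is printed from the same variables that created the files, so server.xml cannot name a different keystore than the one keytool wrote. The working directory, aliases, CN values, file names and the "changeit" password are lab assumptions; the key sizes are 2048 bits rather than the post's 1024 and 512, which are not acceptable today. The keytool steps run only when a JDK is on the PATH; the openssl steps run anywhere.

```shell
#!/bin/sh
# Added example, not the post's own commands: the four-step SSL/client-auth
# setup as a script that checks its own results. All names below are lab
# assumptions; override WORK and PASS from the environment if needed.
WORK="${WORK:-$(mktemp -d)}"
PASS="${PASS:-changeit}"                  # placeholder store password
CA_ALIAS=lab_ca; SERVER_ALIAS=map-test; CLIENT=santiago; DAYS=365
KEYSTORE="$WORK/server-keystore.jks"; TRUSTSTORE="$WORK/truststore.jks"

# Step 1: CA key, self-signed CA certificate (CA:TRUE + keyCertSign so that
# openssl verify and browsers treat it as a CA) and the serial file.
setup_ca() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Lab CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.csr" || return 1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"
    openssl x509 -req -in "$WORK/ca.csr" -signkey "$WORK/ca.key" -days "$DAYS" \
        -extfile "$WORK/ca.ext" -out "$WORK/ca.pem" || return 1
    echo "02" > "$WORK/ca.srl"
    [ -s "$WORK/ca.pem" ]
}

# Sign request $1 with the CA, writing the certificate to $2 (used for the
# server request in step 2 and the client request in step 3).
sign_with_ca() {
    openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
        -CAserial "$WORK/ca.srl" -days "$DAYS" -out "$2"
}

# Check that certificate $1 chains to the CA: the test the post leaves out.
verify_against_ca() {
    openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1
}

# Step 2: server key pair and CSR via keytool, CA-signed, CA and reply imported.
make_server_keystore() {
    keytool -genkeypair -alias "$SERVER_ALIAS" -keyalg RSA -keysize 2048 -dname "CN=map-test" \
        -keystore "$KEYSTORE" -storetype JKS -storepass "$PASS" -keypass "$PASS" || return 1
    keytool -certreq -alias "$SERVER_ALIAS" -file "$WORK/map-test.csr" \
        -keystore "$KEYSTORE" -storepass "$PASS" || return 1
    # Older keytool writes a "NEW CERTIFICATE REQUEST" header; the post rewrites it.
    sed 's/NEW CERTIFICATE REQUEST/CERTIFICATE REQUEST/' "$WORK/map-test.csr" > "$WORK/map-test.tmp" \
        && mv "$WORK/map-test.tmp" "$WORK/map-test.csr"
    sign_with_ca "$WORK/map-test.csr" "$WORK/map-test.crt" || return 1
    verify_against_ca "$WORK/map-test.crt" || return 1
    # CA certificate first, so keytool can link the certificate reply to its issuer.
    keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$WORK/ca.pem" \
        -keystore "$KEYSTORE" -storepass "$PASS" || return 1
    keytool -importcert -noprompt -alias "$SERVER_ALIAS" -file "$WORK/map-test.crt" \
        -keystore "$KEYSTORE" -storepass "$PASS"
}

# Step 3: client key and certificate, plus the PKCS#12 bundle for the browser.
make_client_cert() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$CLIENT" \
        -keyout "$WORK/$CLIENT.key" -out "$WORK/$CLIENT.req" || return 1
    sign_with_ca "$WORK/$CLIENT.req" "$WORK/$CLIENT.pem" || return 1
    openssl pkcs12 -export -clcerts -in "$WORK/$CLIENT.pem" -inkey "$WORK/$CLIENT.key" \
        -name "$CLIENT" -passout "pass:$PASS" -out "$WORK/$CLIENT.p12"
}

# Step 3, continued: truststore holding the CA and the client certificate.
make_truststore() {
    keytool -importcert -noprompt -alias "$CA_ALIAS" -file "$WORK/ca.pem" \
        -keystore "$TRUSTSTORE" -storepass "$PASS" || return 1
    keytool -importcert -noprompt -alias "$CLIENT" -file "$WORK/$CLIENT.pem" \
        -keystore "$TRUSTSTORE" -storepass "$PASS"
}

# Step 4: the Connector, with paths taken from the variables above so that
# server.xml cannot disagree with the files that were just created.
print_connector() {
    cat <<EOF
    <Connector port="8443" scheme="https" secure="true"
               clientAuth="true" sslProtocol="TLS"
               keystoreFile="$KEYSTORE" keystorePass="$PASS"
               truststoreFile="$TRUSTSTORE" truststorePass="$PASS" />
EOF
}

run_all() {
    setup_ca && make_client_cert && verify_against_ca "$WORK/$CLIENT.pem" || return 1
    if command -v keytool >/dev/null 2>&1; then
        make_server_keystore && make_truststore || return 1
    else
        echo "keytool not found: skipping the JKS steps" >&2
    fi
    print_connector
}

# Usage: sh setup-ssl.sh run   (file name is assumed)
if [ "${1:-}" = run ]; then run_all; fi
```

The serial file starts at "02" as in the post and is advanced by openssl on every signing, so the server and client certificates get distinct serials. Paste the printed Connector into server.xml and the keystoreFile/truststoreFile values are guaranteed to point at files that exist and open with the given password, which removes the "cannot locate keystore" class of error from the start.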

Re: SSL Setup

Posted by Jack <ja...@gmail.com>.
You can have a look here and see if you find any useful tips - this
explains how I got SSL to work on Tomcat:

http://jack.godau.googlepages.com/jbosscertificatesandopenssl

Cheers
Jack...

On 31/05/06, rosykes@comcast.net <ro...@comcast.net> wrote:
> Hello.  I'm setting up SSL.  I have Tomcat 5.5.16.  The error that I'm getting is that it can't locate my keystore file.  I have been using the keystorefile attribute but it's still not working.  Can anyone help?
>
> Ro
