Posted to users@tomcat.apache.org by James Boggs <jb...@rightdirectiontech.com.INVALID> on 2023/02/22 19:59:04 UTC

Any successful SSL Implementation on Tomcat 9.0.69, Java 11, and Oracle ORDS 22.2?

Has anyone been able to complete a successful SSL Implementation on Tomcat 9.0.69, Java 11, and Oracle ORDS 22.2?
We had SSL working with Tomcat 9.0.65, Java 8, and ORDS 21, on an Oracle 19c database with Oracle APEX 21 (on Windows Server 2012).
Now ORDS requires Java 11 which does not have a JRE like Java 8 had.
After upgrading the software and installing Java 11, we used Java 11 to create a new Keystore which is type PKCS#12, then created an SSL certificate request file with type RSA, sent that off, and received back a download text file we saved as a ".cer" certificate file type; it contains a BEGIN and END with a single block of text in between.
Importing that into the keystore does not seem to work and it seems there is new syntax required for the Tomcat server.xml file.
The company also had a PKCS#7 (.p7b) file and a chain file that is a .p7c file type.
Research makes it seem like both Tomcat and ORDS require PKCS#12 but the company only provides me a PKCS7, and any attempts to convert it to PKCS#12 don't work as a keyfile is not provided to us.

Thanks for any help, James.



James Boggs | Senior DBA/SA | Mobile: 571-337-0535


Re: Any successful SSL Implementation on Tomcat 9.0.69, Java 11, and Oracle ORDS 22.2?

Posted by Mark Thomas <ma...@apache.org>.
On 22/02/2023 19:59, James Boggs wrote:
> Has anyone been able to complete a successful SSL Implementation on 
> Tomcat 9.0.69, Java 11, and Oracle ORDS 22.2?
> 
> We had SSL working with Tomcat 9.0.65, Java 8, and ORDS 21, on an Oracle 
> 19c database with Oracle APEX 21 (on Windows Server 2012).
> 
> Now ORDS requires Java 11 which does not have a JRE like Java 8 had.
> 
> After upgrading the software and installing Java 11, we used Java 11 to 
> create a new Keystore which is type PKCS#12, then created an SSL 
> certificate request file with type RSA, sent that off, and received back 
> a download text file we saved as a “.cer” certificate file type; it 
> contains a BEGIN and END with a single block of text in between.
> 
> Importing that into the keystore does not seem to work and it seems 
> there is new syntax required for the Tomcat server.xml file.

Tomcat TLS configuration has not changed between 9.0.65 and 9.0.69.

> The company also had a PKCS#7 (.p7b) file and a chain file that is a 
> .p7c file type.
> 
> Research makes it seem like both Tomcat and ORDS require PKCS#12

I can't speak for ORDS but Tomcat has no such requirement.

> but the 
> company only provides me a PKCS7, and any attempts to convert it to 
> PKCS#12 don’t work as a keyfile is not provided to us.

TLS configuration can be tricky. Everything has to be exactly right or 
it just doesn't work and the error messages are not always clear about 
what the problem is.

It sounds like this is a case of needing to ensure that the Tomcat TLS 
configuration matches the files you have. With that in mind:

What was the command you used to generate the new key?

What was the command you used to generate the certificate signing request?

What was the working Connector configuration you used for TLS in your 
previous, working configuration?

What is the Connector configuration you are using for TLS in your 
current configuration?

We should be able to get TLS working for Tomcat. For ORDS, you'll need 
to speak to Oracle support.

Mark
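
Added example, not part of either message and not Tomcat or ORDS code: one check that bears on matching the configuration to the files and on the missing "keyfile". With keytool the private key stays in the keystore that produced the CSR, so the alias the Connector uses must be a PrivateKeyEntry with the CA reply installed on it. The sketch parses `keytool -list -v` output; the sample listing, aliases and hostnames are constructed, and the self-signed test (Owner equals Issuer) is a heuristic.

```python
import re

# Constructed, abbreviated `keytool -list -v` output; aliases and names are made up.
SAMPLE = """\
Keystore type: PKCS12

Alias name: tomcat
Entry type: PrivateKeyEntry
Certificate chain length: 1
Certificate[1]:
Owner: CN=apex.example.test, O=Example, C=US
Issuer: CN=apex.example.test, O=Example, C=US

Alias name: careply
Entry type: trustedCertEntry

Owner: CN=apex.example.test, O=Example, C=US
Issuer: CN=Example Issuing CA, O=Example CA, C=US
"""

def parse_entries(listing):
    """Map each alias to its entry type, chain length and leaf owner/issuer."""
    entries = {}
    for block in re.split(r"(?m)^Alias name: ", listing)[1:]:
        lines = block.splitlines()
        def field(name):  # first match is the leaf certificate of this entry
            return next((l.split(": ", 1)[1].strip() for l in lines
                         if l.startswith(name + ": ")), None)
        entries[lines[0].strip()] = {
            "type": field("Entry type"),
            "chain_len": int(field("Certificate chain length") or 0),
            "owner": field("Owner"), "issuer": field("Issuer")}
    return entries

def diagnose(listing, key_alias):
    """Say whether key_alias can back a TLS connector, and if not, why."""
    entries = parse_entries(listing)
    entry = entries.get(key_alias)
    if entry is None:
        return ["alias %r not in keystore" % key_alias]
    if entry["type"] != "PrivateKeyEntry":
        return ["alias %r is a %s: no private key" % (key_alias, entry["type"])]
    if entry["owner"] != entry["issuer"]:
        return ["ok: CA-issued chain of length %d" % entry["chain_len"]]
    findings = ["key entry is still self-signed: CA reply not installed on it"]
    for alias, other in entries.items():
        if other["type"] == "trustedCertEntry" and other["owner"] == entry["owner"]:
            findings.append("reply was imported under separate alias %r" % alias)
    return findings
```
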
