Posted to users@tomcat.apache.org by Liav Ezer <li...@gmail.com> on 2009/11/13 16:48:26 UTC

SSL Configuration Question

Hi,

I need help configuring my http connector to be a secure one via SSL.

I have the purchased certificate's (from a CA, I don't know which) products
in 4 different files:

xxx.domainname.com.cer   -> I don't know what this file is..
xxx.domainname.com.key   -> I believe this is the encrypted key for the
certificate 
xxx.domainname.com.csr   -> I believe this is the request
xxx.domainname.com.crt   -> I believe this is the actual certificate issued
by the CA

Basically my question is:
In server.xml I open the SSL connector at port 8443 as below:

1. What should I write at the keystoreFile? - Which of the 4 files I have do
I need to point to?
2. What do I write in the keystorePass attribute?
3. What should I do with the rest of those 4 files?

    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               keystoreFile="<keyStoreFileLocation>"
               keystorePass="changeit"
               clientAuth="false" sslProtocol="TLS" />

Thanks a lot!
-- 
View this message in context: http://old.nabble.com/SSL-Configuration-Question-tp26338693p26338693.html
Sent from the Tomcat - User mailing list archive at Nabble.com.


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: SSL Configuration Question

Posted by Bill Barker <bi...@verizon.net>.
"Christopher Schultz" <ch...@christopherschultz.net> wrote in message 
news:4AFDB50C.70602@christopherschultz.net...
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Liav,
>
> On 11/13/2009 10:48 AM, Liav Ezer wrote:
>> I need help configuring my http connector to be a secure one via SSL.
>
> Are you expecting to use tcnative in order to use an "APR" connector, or
> do you want to use the plain-old Java HTTP connector? If you don't know
> what I'm talking about, you want the Java one. It's important to
> differentiate because the configurations are done differently.
>
>> I have the purchased certificate's (from a CA, I don't know which)
>> products in 4 different files:
>>
>> xxx.domainname.com.cer   -> I don't know what this file is..
>
> Neither do I. Look at the date stamps to see if it's relevant.
>
>> xxx.domainname.com.key   -> I believe this is the encrypted key for the
>> certificate
>
> Hopefully, you created this file yourself and haven't given it to
> anyone. It should be a /private/ RSA key.
>
>> xxx.domainname.com.csr   -> I believe this is the request
>
> .csr files are typically "certificate request" files, so yes, that seems
> reasonable.
>
>> xxx.domainname.com.crt   -> I believe this is the actual certificate 
>> issued
>> by the CA
>
> Generally, .crt files are the actual certificates. They are usually
> encrypted with a passphrase and can be unlocked using the .key file above.
>

Urm, usually the .crt files are not encrypted (since they are sent to 
anybody that asks for them by the web server).  They are usually base64 
encoded (since the actual data is binary).

>> 1. What should i write at the keystoreFile? - Which of the 4 files i have 
>> do
>> i need to point to?
>> 2. What do i write in the keystorePass attribute?
>
> That depends on whether you are using APR or not. See above.
>
>> 3. What should i do with the rest of those 4 files?
>
> xxx.domainname.com.key - keep this in a safe place, preferably /not/ on
> your production server.
>
> xxx.domainname.com.csr - You can probably discard this file, but it
> might be worth keeping around alongside your .key file.
>
> xxx.domainname.com.cer - It depends on what this file is. It might even
> be a certificate file that has no password (which would be useful if you
> were using Apache httpd, but you didn't mention that so I suspect it's
> not useful to have such a certificate lying around).
>
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkr9tQwACgkQ9CaO5/Lv0PBsYwCguvk35Bo0kLXB1UYrYr2iIAX7
> JKYAnjViDJDfcUrz4BeYnr351+v4i8us
> =BPyj
> -----END PGP SIGNATURE----- 






Re: search engine

Posted by André Warnier <aw...@ice-sa.com>.
Jill Han wrote:
> Sorry, for the non-tomcat issue, but I still hope I can get help here.

You are right, this is totally off-topic for this list.
But even so,

> Is there any search engine you would recommend that could search public,

You mean, like Google, Yahoo etc.?

> and non-public (page needs login) pages?

How would it do that? Ask you each time it encounters a page with a 
login? How would it even determine that this page asks for a login?
(Well ok, if it requires a Basic authentication, then maybe it could, 
but still).



Re: search engine

Posted by Konstantin Kolinko <kn...@gmail.com>.
2009/11/16 Jill Han <ji...@alverno.edu>:
> Sorry, for the non-tomcat issue, but I still hope I can get help here.
> Is there any search engine you would recommend that could search public, and non-public (page needs login) pages?
>
> Thanks as always,
>
> Jill
>

Maybe you should look at
http://lucene.apache.org/

I have not used it yet, but at least they have more knowledge.


Best regards,
Konstantin Kolinko



RE: search engine

Posted by Jill Han <ji...@alverno.edu>.
There are .html, .php, .jsp, .pdf pages on the apache server.

Thanks,

Jill
-----Original Message-----
From: Neil Aggarwal [mailto:neil@JAMMConsulting.com] 
Sent: Monday, November 16, 2009 9:15 AM
To: 'Tomcat Users List'
Subject: RE: search engine

Jill:

> Is there any search engine you would recommend that could 
> search public, and non-public (page needs login) pages?

If your pages are HTML, you can use something like 
HtDig:
http://www.htdig.org/

If your pages are part of a web app, I have done
this in the past:
1. Write some code to pull the text content from
	each page and store them in a MySQL table
	with a full text index.
2. When your users perform a search, you run
	a full text search query and return
	the result.

I hope this helps,
  Neil

--
Neil Aggarwal, (281)846-8957, http://UnmeteredVPS.net
Host your tomcat app on a CentOS VPS for only $25/month!
Unmetered bandwidth, 7 day no risk trial, Google Checkout




RE: search engine

Posted by Neil Aggarwal <ne...@JAMMConsulting.com>.
Jill:

> Is there any search engine you would recommend that could 
> search public, and non-public (page needs login) pages?

If your pages are HTML, you can use something like 
HtDig:
http://www.htdig.org/

If your pages are part of a web app, I have done
this in the past:
1. Write some code to pull the text content from
	each page and store them in a MySQL table
	with a full text index.
2. When your users perform a search, you run
	a full text search query and return
	the result.

I hope this helps,
  Neil

--
Neil Aggarwal, (281)846-8957, http://UnmeteredVPS.net
Host your tomcat app on a CentOS VPS for only $25/month!
Unmetered bandwidth, 7 day no risk trial, Google Checkout




Re: search engine

Posted by Pid <pi...@pidster.com>.
On 16/11/2009 14:34, Jill Han wrote:
> Sorry, for the non-tomcat issue, but I still hope I can get help here.
> Is there any search engine you would recommend that could search public, and non-public (page needs login) pages?
>
> Thanks as always,
>
> Jill
>

If you have a question we recommend you start by starting a new email to 
the list, rather than by replying to an existing email, which is called 
'thread hijacking'.


p






search engine

Posted by Jill Han <ji...@alverno.edu>.
Sorry, for the non-tomcat issue, but I still hope I can get help here.
Is there any search engine you would recommend that could search public, and non-public (page needs login) pages?

Thanks as always,

Jill


Re: SSL Configuration Question

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Liav,

On 11/14/2009 4:32 AM, Liav Ezer wrote:
> The section about importing a certificate issued by a CA begins with:
> 
> Download a Chain Certificate from the Certificate Authority you obtained the
> Certificate from.

[snip]
> What is a Chain Certificate? What do i do with it? What product does it
> produce (which file type)?

A "chain certificate" is a certificate that goes into a chain of
certificates that all trust each other. If "a -> b" means "a trusts b",
then you have something like this (VeriSign is only used as an example):

Tomcat -> VeriSign master cert
VeriSign master cert -> VeriSign signing certs
VeriSign signing cert -> VeriSign's XYZ signing cert
VeriSign's XYZ cert -> your cert

Often, Tomcat only trusts the "master cert" of any given certificate
authority (CA), and so you have to provide the entire "chain of trust"
by importing not only /your/ certificate, but also the two certs (in my
example) that are in the chain of trust between yours and the master cert.

> Also, I might need to skip this stage since I already have a certificate at
> hand (.cer) as Christopher implied in the previous thread.

Your earlier message didn't say that you had anyone else's certificates.
The process is easy:

1. Import your own certificate into the keystore file you want to use
2. Import any other chain certs into the keystore file you want to use
3. Point Tomcat at that keystore file

> Anyway - I'm stuck with 4 different files which apparently look like a
> finalized & ready to launch certificate but I don't know how to configure
> the connector attributes in order to support it.

Once you have the keystore file ready with all your stuff, just set
keystoreFile="/path/to/your/keystore/file" and
keystorePass="password-to-keystore-file" and you should be good to go.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAksAGLcACgkQ9CaO5/Lv0PBSCgCdErMyiEYsRoNk6hN6QvgYX4i8
/sAAnjV6JTXRuepN7ssZVENzGNMK7h6W
=OLaF
-----END PGP SIGNATURE-----

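The steps Christopher lists above (import your certificate, import the chain certificates, point Tomcat at the keystore) and Bill Barker's point that a .crt is plain base64, not an encrypted file, can be carried out and checked with OpenSSL alone. The script below is an added example for this thread, not code from the list or from the Tomcat project. It assumes the three files the poster actually needs are PEM encoded: the private key (xxx.domainname.com.key), the CA-issued leaf certificate (xxx.domainname.com.crt) and a chain.pem holding the CA's intermediate certificate(s) from the "chain certificate" download; the file names, the alias "tomcat" and the KEY_PASS environment variable are this example's own choices. It writes a PKCS12 keystore, which the Java (JSSE) connector loads directly with keystoreType="PKCS12", so no keytool import of each certificate is needed.

```shell
#!/bin/sh
# Added example (not from the thread or from Tomcat): package a CA-issued
# certificate, its private key and the CA chain into a PKCS12 keystore for
# Tomcat's Java connector, checking each input on the way.
# Assumed inputs: xxx.domainname.com.key, xxx.domainname.com.crt, chain.pem.
# Set KEY_PASS in the environment if the .key file is passphrase-protected.
set -eu

# pem_kind FILE: report what a PEM file really is from its armor lines,
# which settles the question "what is this .cer file?". A file with no
# armor at all is either DER (binary) or not PEM; inspect it with
# "openssl x509 -inform DER -in FILE -noout -text".
pem_kind() {
    if grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$1"; then
        echo csr
    elif grep -q -- '-----BEGIN CERTIFICATE-----' "$1"; then
        echo certificate
    elif grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1" \
        || grep -q -- '^Proc-Type: 4,ENCRYPTED' "$1"; then
        echo encrypted-key
    elif grep -q -- 'PRIVATE KEY-----' "$1"; then
        echo private-key
    else
        echo unknown-or-der
    fi
}

# key_matches_cert KEY CERT: succeed only if the public key embedded in
# CERT is the one derived from KEY. A certificate issued for some other
# key (for example from an earlier CSR) fails here before Tomcat does.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin "pass:${KEY_PASS:-}" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -noout -pubkey)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# chain_ok ROOTS CHAIN CERT: verify CERT up to a root in ROOTS (a PEM
# bundle such as /etc/ssl/certs/ca-certificates.crt) using the CA's
# intermediate(s) in CHAIN. This is the path a browser will walk.
chain_ok() {
    openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null
}

# build_keystore KEY CERT CHAIN OUT PASSWORD: write a PKCS12 keystore with
# one entry (alias "tomcat") holding the key, the leaf and the chain.
# PASSWORD is the value that goes into keystorePass in server.xml.
build_keystore() {
    openssl pkcs12 -export -name tomcat \
        -inkey "$1" -passin "pass:${KEY_PASS:-}" \
        -in "$2" -certfile "$3" \
        -out "$4" -passout "pass:$5"
    chmod 600 "$4"     # the keystore holds the private key: owner-only
}

# keystore_cert_count P12 PASSWORD: how many certificates the keystore
# carries. Expect 1 (leaf) + the number of chain certificates; a count of
# 1 means the chain was not packaged and clients will see an incomplete
# chain even though Tomcat starts without complaint.
keystore_cert_count() {
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Command-line use: sh make-keystore.sh KEY CRT CHAIN ROOTS OUT PASSWORD
if [ $# -eq 6 ]; then
    for f in "$1" "$2" "$3"; do echo "$f: $(pem_kind "$f")"; done
    key_matches_cert "$1" "$2" || { echo "key and certificate do not match" >&2; exit 1; }
    chain_ok "$4" "$3" "$2" || { echo "chain does not verify" >&2; exit 1; }
    build_keystore "$1" "$2" "$3" "$5" "$6"
    echo "$5 holds $(keystore_cert_count "$5" "$6") certificate(s)"
fi
```

With the keystore written, the connector needs keystoreFile="/path/to/keystore.p12", keystoreType="PKCS12" and keystorePass set to the export password; that password only protects the file at rest, and since it sits in clear text in server.xml, both server.xml and the keystore should be readable by the Tomcat user alone. Two caveats: OpenSSL 3 writes PKCS12 files with AES and PBKDF2 by default, which JDKs of the Tomcat 6 era cannot read (add -legacy, or -keypbe PBE-SHA1-3DES -certpbe PBE-SHA1-3DES -macalg sha1, for an old JVM); and after starting Tomcat, "openssl s_client -connect xxx.domainname.com:8443 -showcerts" should list the leaf plus the intermediates and end with "Verify return code: 0 (ok)", which is the only real proof that the chain of trust Christopher describes is being served.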


RE: SSL Configuration Question

Posted by Liav Ezer <li...@gmail.com>.
Hi Charles,

The reason I'm looking in the forum is because the tutorial wasn't clear to
me.

The section about importing a certificate issued by a CA begins with:

Download a Chain Certificate from the Certificate Authority you obtained the
Certificate from.
For Verisign.com commercial certificates go to:
http://www.verisign.com/support/install/intermediate.html
For Verisign.com trial certificates go to:
http://www.verisign.com/support/verisign-intermediate-ca/Trial_Secure_Server_Root/index.html
For Trustcenter.de go to:
http://www.trustcenter.de/certservices/cacerts/en/en.htm#server
For Thawte.com go to: http://www.thawte.com/certs/trustmap.html
Import the Chain Certificate into your keystore 

What is a Chain Certificate? What do I do with it? What product does it
produce (which file type)?

Also, I might need to skip this stage since I already have a certificate at
hand (.cer) as Christopher implied in the previous thread.

Anyway - I'm stuck with 4 different files which apparently look like a
finalized & ready to launch certificate but I don't know how to configure
the connector attributes in order to support it.

Thanks.

Caldarale, Charles R wrote:
> 
>> From: Liav Ezer [mailto:liav.ezer@gmail.com]
>> Subject: Re: SSL Configuration Question
>> 
>> So my only wish is to know what to write in those two attributes:
>> keystoreFile - Which of the 4 files I have do I need to point to (my
>> guess is the xxx.domainname.com.key)?
>> keystorePass - What do I write in this attribute? When I issued my own
>> certificate (using keytool) it was the password I used creating the
>> certificate itself.
> 
> Have you read the Tomcat doc, in particular the "Configuration" and
> "Installing a Certificate from a Certificate Authority" sections?
> 
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
> 
>  - Chuck
> 
> 
> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
> MATERIAL and is thus for use only by the intended recipient. If you
> received this in error, please contact the sender and delete the e-mail
> and its attachments from all computers.
> 
> 
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/SSL-Configuration-Question-tp26338693p26348488.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




RE: SSL Configuration Question

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Liav Ezer [mailto:liav.ezer@gmail.com]
> Subject: Re: SSL Configuration Question
> 
> So my only wish is to know what to write in those two attributes:
> keystoreFile - Which of the 4 files I have do I need to point to (my
> guess is the xxx.domainname.com.key)?
> keystorePass - What do I write in this attribute? When I issued my own
> certificate (using keytool) it was the password I used creating the
> certificate itself.

Have you read the Tomcat doc, in particular the "Configuration" and "Installing a Certificate from a Certificate Authority" sections?

http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.




Re: SSL Configuration Question

Posted by Liav Ezer <li...@gmail.com>.
Hi Christopher,

Thanks for your elaborated reply.

Regarding your first question: 

No, I don't use the APR connector (port #443 I assume) & the tomcat-native
jar. I do use the plain old HTTP connector in server.xml.

So my only wish is to know what to write in those two attributes:
keystoreFile - Which of the 4 files I have do I need to point to (my guess
is the xxx.domainname.com.key)?
keystorePass - What do I write in this attribute? When I issued my own
certificate (using keytool) it was the password I used creating the
certificate itself.

I googled this & came across many sites. All explained the steps to initiate
a request & import the certificate, BUT I think that I'm past those steps
due to the fact that I have the .cer file at hand & all that is left to do
is to configure the connector.

Thanks.


Christopher Schultz-2 wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Liav,
> 
> On 11/13/2009 10:48 AM, Liav Ezer wrote:
>> I need help configuring my http connector to be a secure one via SSL.
> 
> Are you expecting to use tcnative in order to use an "APR" connector, or
> do you want to use the plain-old Java HTTP connector? If you don't know
> what I'm talking about, you want the Java one. It's important to
> differentiate because the configurations are done differently.
> 
>> I have the purchased certificate's (from a CA, I don't know which)
>> products in 4 different files:
>> 
>> xxx.domainname.com.cer   -> I don't know what this file is..
> 
> Neither do I. Look at the date stamps to see if it's relevant.
> 
>> xxx.domainname.com.key   -> I believe this is the encrypted key for the
>> certificate 
> 
> Hopefully, you created this file yourself and haven't given it to
> anyone. It should be a /private/ RSA key.
> 
>> xxx.domainname.com.csr   -> I believe this is the request
> 
> .csr files are typically "certificate request" files, so yes, that seems
> reasonable.
> 
>> xxx.domainname.com.crt   -> I believe this is the actual certificate
>> issued
>> by the CA
> 
> Generally, .crt files are the actual certificates. They are usually
> encrypted with a passphrase and can be unlocked using the .key file above.
> 
>> 1. What should i write at the keystoreFile? - Which of the 4 files i have
>> do
>> i need to point to?
>> 2. What do i write in the keystorePass attribute?
> 
> That depends on whether you are using APR or not. See above.
> 
>> 3. What should i do with the rest of those 4 files?
> 
> xxx.domainname.com.key - keep this in a safe place, preferably /not/ on
> your production server.
> 
> xxx.domainname.com.csr - You can probably discard this file, but it
> might be worth keeping around alongside your .key file.
> 
> xxx.domainname.com.cer - It depends on what this file is. It might even
> be a certificate file that has no password (which would be useful if you
> were using Apache httpd, but you didn't mention that so I suspect it's
> not useful to have such a certificate lying around).
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkr9tQwACgkQ9CaO5/Lv0PBsYwCguvk35Bo0kLXB1UYrYr2iIAX7
> JKYAnjViDJDfcUrz4BeYnr351+v4i8us
> =BPyj
> -----END PGP SIGNATURE-----
> 
> 
> 
> 

-- 
View this message in context: http://old.nabble.com/SSL-Configuration-Question-tp26338693p26343682.html
Sent from the Tomcat - User mailing list archive at Nabble.com.




Re: SSL Configuration Question

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Liav,

On 11/13/2009 10:48 AM, Liav Ezer wrote:
> I need help configuring my http connector to be a secure one via SSL.

Are you expecting to use tcnative in order to use an "APR" connector, or
do you want to use the plain-old Java HTTP connector? If you don't know
what I'm talking about, you want the Java one. It's important to
differentiate because the configurations are done differently.

> I have the purchased certificate's (from a CA, I don't know which)
> products in 4 different files:
> 
> xxx.domainname.com.cer   -> I don't know what this file is..

Neither do I. Look at the date stamps to see if it's relevant.

> xxx.domainname.com.key   -> I believe this is the encrypted key for the
> certificate 

Hopefully, you created this file yourself and haven't given it to
anyone. It should be a /private/ RSA key.

> xxx.domainname.com.csr   -> I believe this is the request

.csr files are typically "certificate request" files, so yes, that seems
reasonable.

> xxx.domainname.com.crt   -> I believe this is the actual certificate issued
> by the CA

Generally, .crt files are the actual certificates. They are usually
encrypted with a passphrase and can be unlocked using the .key file above.

> 1. What should i write at the keystoreFile? - Which of the 4 files i have do
> i need to point to?
> 2. What do i write in the keystorePass attribute?

That depends on whether you are using APR or not. See above.

> 3. What should i do with the rest of those 4 files?

xxx.domainname.com.key - keep this in a safe place, preferably /not/ on
your production server.

xxx.domainname.com.csr - You can probably discard this file, but it
might be worth keeping around alongside your .key file.

xxx.domainname.com.cer - It depends on what this file is. It might even
be a certificate file that has no password (which would be useful if you
were using Apache httpd, but you didn't mention that so I suspect it's
not useful to have such a certificate lying around).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkr9tQwACgkQ9CaO5/Lv0PBsYwCguvk35Bo0kLXB1UYrYr2iIAX7
JKYAnjViDJDfcUrz4BeYnr351+v4i8us
=BPyj
-----END PGP SIGNATURE-----
