Posted to users@tomcat.apache.org by Jorge Isaac Martínez Hatch <im...@quaxar.com> on 2006/05/08 15:25:55 UTC

Creating Virtual Hosts

Genius all around the world,

Goal: Install two SSL certificates in the same server, but working for two
different IP addresses and domains.

I have:
- One server running Tomcat 5.5 over Windows.
- Two IP addresses.
- Two domains, one for each IP address.
- Two SSL certificates one for each domain.
- A keystore and alias for each certificate.

I think I need to configure two hosts (or virtual hosts, what's the
difference between these?), and set up two HTTPS connectors with an IP-based
scheme.

I tried using the following configuration:

<Service name="Catalina">
...
    <Connector port="80"  maxThreads="300" minSpareThreads="25"
        maxSpareThreads="75" enableLookups="true"  acceptCount="100"
        redirectPort="443" connectionTimeout="20000"
        disableUploadTimeout="true" />

    <Connector port="443"  name="72.3.245.1"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true" useIPVHosts="tru"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="D:/jdk1.5.0_02/bin/key1"
           keystorePass="pass1" sslProtocol = "TLS" />

    <Connector port="443"  name="72.32.93.2"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true" useIPVHosts="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="D:/jdk1.5.0_02/bin/key2"
           keystorePass="pass2" sslProtocol = "TLS" />

    <Connector port="8009"
           enableLookups="false" redirectPort="443" protocol="AJP/1.3" />

    <Engine name="Catalina" defaultHost="localhost">

    ...

      <Host name="72.3.245.1" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">
       </Host>

      <Host name="72.3.245.2" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">
    ...

    </Engine>
...

</Service>


It didn't work at all. I have the first certificate on the first IP working.
But the second certificate just doesn't work because it gets the first
certificate, not the second, so the domains don't match.

Any help on this is welcome, thank you.

Isaac Martínez Hatch 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Creating Virtual Hosts

Posted by Jorge Isaac Martínez Hatch <im...@quaxar.com>.
Paul:

I restarted the server and the problem is still there.
I don't have other servers running.
Should I assign different ports in the connector tag?
Do you have an example of a complete server.xml file?

Do you know of other user lists, forums, books, or any resource where I can
find some help?

Thank you very much for your time and your help.

Isaac Martínez

----- Original Message ----- 
From: "Paul Singleton" <pa...@jbgb.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Cc: <im...@quaxar.com>
Sent: Monday, May 08, 2006 5:31 PM
Subject: Re: Creating Virtual Hosts


> Jorge Isaac Martínez Hatch wrote:
>
>> SEVERE: Error starting endpoint
>> java.net.BindException: Cannot assign requested address: JVM_Bind:443
>
> Probably the port is already in use, perhaps by a task left
> over from your previous attempts.  Can you reboot and try again?
>
> Or do you have another web server running, e.g. Apache?  IIS?
>
> Paul S.
> 




Re: Creating Virtual Hosts

Posted by Paul Singleton <pa...@jbgb.com>.
Jorge Isaac Martínez Hatch wrote:

> SEVERE: Error starting endpoint
> java.net.BindException: Cannot assign requested address: JVM_Bind:443

Probably the port is already in use, perhaps by a task left
over from your previous attempts.  Can you reboot and try again?

Or do you have another web server running, e.g. Apache?  IIS?

Paul S.



Re: Creating Virtual Hosts

Posted by Jorge Isaac Martínez Hatch <im...@quaxar.com>.
Hi, thank you Paul and Chris for your help.

I am still having some problems.

I configured Tomcat as Paul told me:

<Service name="Catalina">
...
    <Connector port="80"  maxThreads="300" minSpareThreads="25"
        maxSpareThreads="75" enableLookups="true"  acceptCount="100"
        redirectPort="443" connectionTimeout="20000"
        disableUploadTimeout="true" />

    <Connector port="443"  address="72.3.245.1"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true" useIPVHosts="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="D:/jdk1.5.0_02/bin/key1"
           keystorePass="pass1" sslProtocol = "TLS" />

    <Connector port="443"  address="72.32.93.2"
           maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
           emptySessionPath="true" useIPVHosts="true"
           scheme="https" secure="true" clientAuth="false"
           keystoreFile="D:/jdk1.5.0_02/bin/key2"
           keystorePass="pass2" sslProtocol = "TLS" />

    <Connector port="8009"
           enableLookups="false" redirectPort="443" protocol="AJP/1.3" />

    <Engine name="Catalina" defaultHost="localhost">

    ...

      <Host name="domain1.com" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">
       </Host>

      <Host name="domain2.com" appBase="webapps"
       unpackWARs="true" autoDeploy="true"
       xmlValidation="false" xmlNamespaceAware="false">
    ...

    </Engine>
...

</Service>

But I get an error:

SEVERE: Error starting endpoint
java.net.BindException: Cannot assign requested address: JVM_Bind:443
 at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:297)
 at org.apache.tomcat.util.net.PoolTcpEndpoint.startEndpoint(PoolTcpEndpoint.java:312)
 at org.apache.coyote.http11.Http11Protocol.start(Http11Protocol.java:176)
 at org.apache.catalina.connector.Connector.start(Connector.java:992)
 at org.apache.catalina.core.StandardService.start(StandardService.java:459)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:2010)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)
May 8, 2006 5:42:22 PM org.apache.catalina.startup.Catalina start
SEVERE: Catalina.start:
LifecycleException:  Protocol handler start failed: java.net.BindException: Cannot assign requested address: JVM_Bind:443
 at org.apache.catalina.connector.Connector.start(Connector.java:994)
 at org.apache.catalina.core.StandardService.start(StandardService.java:459)
 at org.apache.catalina.core.StandardServer.start(StandardServer.java:2010)
 at org.apache.catalina.startup.Catalina.start(Catalina.java:537)
 at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
 at sun.reflect.NativeMethodAccessorImpl.invoke(Unknown Source)
 at sun.reflect.DelegatingMethodAccessorImpl.invoke(Unknown Source)
 at java.lang.reflect.Method.invoke(Unknown Source)
 at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:271)
 at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:409)

I tried some changes but am still having problems.

Does anybody know what I can do? Where to look for information on this?

Thank you,
Isaac Martínez

----- Original Message ----- 
From: "Paul Singleton" <pa...@jbgb.com>
To: "Tomcat Users List" <us...@tomcat.apache.org>
Cc: <im...@quaxar.com>
Sent: Monday, May 08, 2006 10:31 AM
Subject: Re: Creating Virtual Hosts


> Jorge Isaac Martínez Hatch wrote:
>> Genius all around the world,
>>
>> Goal: Install two SSL certificates in the same server, but working for two
>> different IP addresses and domains.
>>
>> I have:
>> - One server running Tomcat 5.5 over Windows.
>> - Two IP addresses.
>> - Two domains, one for each IP address.
>> - Two SSL certificates one for each domain.
>> - A keystore and alias for each certificate.
>
> You can keep both/all certificates in the same keystore (e.g.
> the default one) and specify them with the (still undocumented)
> Connector attribute
>
>   keyAlias="mycert1"
>
> (I reckon one keystore is slightly easier to manage than two)
>
>> I think I need to configure two hosts (or virtual hosts, what's the 
>> difference between these?)
>
> A "physical" host is a hardware server, which may support many
> virtual hosts, either name-based (several at one IP address,
> Tomcat steers requests to corresponding web apps) or address-based
> (each app needs its own IP address).
>
> Since certificates are checked *before* Tomcat gets to attempt
> name-based virtual hosting, you need a dedicated IP address for
> each SSL-enabled app, natch.  Unless things have changed since
> 5.5.9
>
>>    <Connector port="443"  name="72.3.245.1"
>
> No, this should be
>
>     <Connector port="443"  address="72.3.245.1"
>
> (there is no Connector "name" attribute that I can find)
>
>>      <Host name="72.3.245.1" appBase="webapps"
>
> Hmm, I'd expect name="mysecuresite.com" or similar, not an
> IP address.
>
>> It didn't work at all, I have the first certificate on the first IP
>> working. But the second certificate just doesn't work because it gets the
>> first certificate not the second, so the domains don't match.
>
> If it gets the first cert, then it must be using the first Connector,
> which I guess is because, without "address" attributes, both are using
> all addresses?
>
> Paul Singleton
>>
>> Any help on this is welcome, thank you.
>>
>> Isaac Martínez Hatch


Re: Creating Virtual Hosts

Posted by Paul Singleton <pa...@jbgb.com>.
Jorge Isaac Martínez Hatch wrote:
> Genius all around the world,
> 
> Goal: Install two SSL certificates in the same server, but working for two
> different IP addresses and domains.
> 
> I have:
> - One server running Tomcat 5.5 over Windows.
> - Two IP addresses.
> - Two domains, one for each IP address.
> - Two SSL certificates one for each domain.
> - A keystore and alias for each certificate.

You can keep both/all certificates in the same keystore (e.g.
the default one) and specify them with the (still undocumented)
Connector attribute

   keyAlias="mycert1"

(I reckon one keystore is slightly easier to manage than two)

> I think I need to configure two hosts (or virtual hosts, what's the 
> difference between these?)

A "physical" host is a hardware server, which may support many
virtual hosts, either name-based (several at one IP address,
Tomcat steers requests to corresponding web apps) or address-based
(each app needs its own IP address).

Since certificates are checked *before* Tomcat gets to attempt
name-based virtual hosting, you need a dedicated IP address for
each SSL-enabled app, natch.  Unless things have changed since
5.5.9

>    <Connector port="443"  name="72.3.245.1"

No, this should be

     <Connector port="443"  address="72.3.245.1"

(there is no Connector "name" attribute that I can find)

>      <Host name="72.3.245.1" appBase="webapps"

Hmm, I'd expect name="mysecuresite.com" or similar, not an
IP address.

> It didn't work at all, I have the first certificate on the first IP
> working. But the second certificate just doesn't work because it gets the
> first certificate not the second, so the domains don't match.

If it gets the first cert, then it must be using the first Connector,
which I guess is because, without "address" attributes, both are using
all addresses?

Paul Singleton
> 
> Any help on this is welcome, thank you.
> 
> Isaac Martínez Hatch


RE: Creating Virtual Hosts

Posted by Chris Berthold <cb...@styleline.com>.
If you copied and pasted your config file, then your first useIPVHosts is not
"true", it's "tru".  I'd be willing to bet that might be your problem.

Chris Berthold
IT Systems Analyst
Commercial Refrigerator Door Company
941 . 371 . 8110 x 205
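
A lint for the three connector problems raised in this thread (name= used where address= was meant, two connectors on one port without distinct addresses, and the "tru" typo), as an added example that is not from any poster or from Tomcat itself. The function name, the sample XML (constructed, trimmed from the posted config) and the list of boolean attributes are assumptions of the example.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Assumption: attributes from the posted server.xml that are meant to be true/false.
BOOLEAN_ATTRS = {"useIPVHosts", "secure", "enableLookups",
                 "emptySessionPath", "disableUploadTimeout"}

def lint_connectors(service_xml):
    """Return findings for the <Connector> elements inside a <Service>."""
    findings = []
    addresses_by_port = defaultdict(list)
    for conn in ET.fromstring(service_xml).iter("Connector"):
        port, name = conn.get("port"), conn.get("name")
        addresses_by_port[port].append(conn.get("address"))
        # Per the thread, name= is not a Connector attribute; address= selects the IP.
        if name is not None and conn.get("address") is None:
            findings.append(f'port {port}: name="{name}" set but no address=')
        for attr in sorted(BOOLEAN_ATTRS.intersection(conn.attrib)):
            if conn.get(attr) not in ("true", "false"):
                findings.append(f'port {port}: {attr}="{conn.get(attr)}" is not true/false')
    # Connectors sharing a port must each name a different address,
    # otherwise they compete for the same address and port.
    for port, addrs in addresses_by_port.items():
        if len(addrs) > 1 and (None in addrs or len(set(addrs)) < len(addrs)):
            findings.append(f"port {port}: {len(addrs)} connectors without distinct address=")
    return findings

# Constructed sample: the two HTTPS connectors as first posted, trimmed.
AS_POSTED = """<Service name="Catalina">
  <Connector port="443" name="72.3.245.1" useIPVHosts="tru" secure="true"
             keystoreFile="D:/jdk1.5.0_02/bin/key1" />
  <Connector port="443" name="72.32.93.2" useIPVHosts="true" secure="true"
             keystoreFile="D:/jdk1.5.0_02/bin/key2" />
</Service>"""

# The same connectors with address= in place of name= and the typo fixed.
WITH_ADDRESS = AS_POSTED.replace(' name="72', ' address="72').replace('"tru"', '"true"')

if __name__ == "__main__":
    for label, xml_text in (("as posted", AS_POSTED), ("with address=", WITH_ADDRESS)):
        print(label)
        for finding in lint_connectors(xml_text) or ["no findings"]:
            print("  " + finding)
```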
