Posted to users@tomcat.apache.org by Christopher Cain <cc...@mhsoftware.com> on 2001/08/16 03:54:24 UTC

Re: FW: catalina SSL

Quoting "Craig R. McClanahan" <cr...@apache.org>:

> On Thu, 16 Aug 2001, Pier P. Fumagalli wrote:
> 
> > OH SSL GURU! :) :) Do you have any clue ???? (Reply to all so it'll go
> in
> > tomcat-users too!)

Don't worry, baby. The SSL doctor is in session ;-)

> > Hi
> > I'm getting used to Tomcat but not enough to get it work.
> > Trying to install the SSL connector, but always getting a java IO
> exception,
> > "keystore tampered".
> 
> That's one I've never seen before.
> 
> Have you followed the instructions (inside server.xml) exactly?

"Keystore tampered ..." usually indicates that the keystore did not like the 
password it was given. You should have gotten a "no suitable provider" 
exception if you didn't have your java.security file set up right, so I'll 
assume you do. The exact steps to get SSL working are listed a little further 
down.

> > I'm a complete newbie either in tomcat or in ssl, so I
> > surely didn't do things right. Is there a good tutorial for this (I
> mean for
> > catalina and ssl) , because most of literature is relevant only for
> Tomcat
> > previous versions, and Sun's documentation deals with java classes,
> not with
> > applications that needs to be configurated through server.xml.

I'm currently working on exactly such a document. :)

> > So, do I have to make changes to the catalina.bat, to include (in
> the
> > dostartsecure / dorunsecure) the lines:
> > -Djava.protocol.handler.pkgs=\com.sun.net.ssl.internal.www.protocol
> > 
> 
> Is there really supposed to be a backslash (\) before "com.sun...." ?
>
> You can avoid the need to modify catalina.bat by setting an
> appropriate
> value for the CATALINA_OPTS environment variable to the set of
> properties
> you want to pass.  But I've not had to do this.

There are no changes whatsoever necessary to run SSL aside from what is 
documented in server.xml. Here are the exact steps:

1. Download JSSE and put the three jar files in {JAVA_HOME}\jre\lib\ext (it's 
not necessary to put them in the CLASSPATH unless your own classes rely on them)

2. DO NOT put the three files anywhere in the internal Tomcat tree (lib, 
server/lib, or common/lib). This will hose you.

3. Add the following line to your {JAVA_HOME}\jre\lib\security\java.security 
file (in the first section of settings, you'll see it):

   security.provider.9=com.sun.net.ssl.internal.ssl.Provider

The number is simply the order in which the JVM attempts to find suitable 
security providers. Just pick one that is not already in use by any 
existing "security.provider..." lines.

4. Execute the following in a terminal command-line:

   keytool -genkey -alias tomcat -keyalg RSA

It will start asking you questions about your cert. The only really crucial 
ones are when it asks you for a password (at two different times). You must use 
the same password in both places. You can type in the Tomcat default, which 
is "changeit" (all lowercase), or you can make up your own.

5. Uncomment the secure connector in {TC_HOME}\conf\server.xml

6. If you specified a password other than "changeit" when generating the 
keystore, edit the <Factory> tag nested within the relevant <Connector> tag. 
Add an attribute called "KeystorePass" with the value of your password. Your 
<Factory> tag should now look something like this:

<Factory className="org.apache.catalina.net.SSLServerSocketFactory"
         clientAuth="false" protocol="TLS" KeystorePass="myspecialpassword" />

If you just used "changeit", you can skip this step.

That's it. When you start Catalina up, it should now be running a secure socket 
on the specified port (8443 by default). No modifications to catalina.bat or 
any additional JVM parameters are necessary.

Note: Since I am addressing your specific problem, I left out the whole issue 
of where Tomcat looks for the keystore file in the above step-by-step. Tomcat 
obviously found the keystore file where it expected it in your case, but other 
users referencing this thread should be aware that I glossed over the whole 
keystore location issue. You can read all about it in my upcoming SSL guide =)

> > Do I have to include a specific keystore in the catalina.policy
> using
> > policytool.exe?

Nope, that shouldn't be necessary.

> > How to modify the tomcat server.xml 's ssl connector to show the
> keystore
> > and keypass?

KeystoreFile and KeystorePass attributes on the <Factory> tag are where you put 
custom values, if either the location or password are anything other than the 
defaults.

> > Thanks for any hint on this wild matter.

You are quite welcome :)

> > France, Bordeaux, xml and gay pride.

That sounds like the possible answers to a multiple choice question ;-)

Let me know if you have any other problems. I would recommend undoing whatever 
changes you made to Catalina.bat, including any JVM parameters you may have 
added, and following the above steps from scratch.

Good luck!

- Christopher
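As an added example (not part of Christopher's post or of Tomcat itself), a small Python checker for steps 3 and 6 above: it picks a free `security.provider.N` slot for the JSSE provider in a java.security excerpt and reads the secure connector's `<Factory>` tag to report which keystore password Tomcat will actually use. The java.security and server.xml contents are constructed samples; the `KeystorePass`/`KeystoreFile` attribute names follow the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed java.security excerpt (only the provider lines matter here).
JAVA_SECURITY = """\
security.provider.1=sun.security.provider.Sun
security.provider.2=com.sun.rsajca.Provider
security.provider.3=com.sun.crypto.provider.SunJCE
"""

# Constructed server.xml fragment modelled on the <Factory> tag in the post.
SERVER_XML = """\
<Server><Service name="Tomcat-Standalone">
  <Connector className="org.apache.catalina.connector.http.HttpConnector"
             port="8443" scheme="https" secure="true">
    <Factory className="org.apache.catalina.net.SSLServerSocketFactory"
             clientAuth="false" protocol="TLS" KeystorePass="myspecialpassword" />
  </Connector>
</Service></Server>
"""

JSSE_PROVIDER = "com.sun.net.ssl.internal.ssl.Provider"
PROVIDER_RE = re.compile(r"^security\.provider\.(\d+)=(\S+)", re.M)


def provider_line_for_jsse(java_security: str) -> str:
    """Return the java.security line to add for JSSE (step 3 of the post).

    If the provider is already registered, its existing line is returned;
    otherwise the lowest slot number not already in use is chosen.
    """
    slots = {int(n): cls for n, cls in PROVIDER_RE.findall(java_security)}
    for n, cls in slots.items():
        if cls == JSSE_PROVIDER:
            return f"security.provider.{n}={cls}"
    n = 1
    while n in slots:
        n += 1
    return f"security.provider.{n}={JSSE_PROVIDER}"


def check_ssl_factory(server_xml: str) -> dict:
    """Report what the secure connector's <Factory> tag tells Tomcat (step 6)."""
    root = ET.fromstring(server_xml)
    for conn in root.iter("Connector"):
        if conn.get("secure") != "true":
            continue
        factory = conn.find("Factory")
        if factory is None or not factory.get("className", "").endswith("SSLServerSocketFactory"):
            return {"ok": False, "port": conn.get("port"), "reason": "no SSLServerSocketFactory <Factory>"}
        # No KeystorePass attribute means Tomcat tries the default "changeit".
        return {"ok": True, "port": conn.get("port"),
                "keystore_pass": factory.get("KeystorePass", "changeit"),
                "keystore_file": factory.get("KeystoreFile")}  # None = Tomcat default location
    return {"ok": False, "reason": "no connector with secure=\"true\""}
```

A mismatch between the reported `keystore_pass` and the password given to `keytool -genkey` is exactly the situation that produces the "keystore tampered" exception in the thread.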