Posted to users@tomcat.apache.org by Julie McCabe <ju...@qub.ac.uk> on 2006/03/08 13:17:51 UTC
HTTPS setup
Hi,
I've configured SSL support as per the documentation - I created the keystore and a
self-signed certificate with the default password, and uncommented the 8443
connector for https in the conf/server.xml file.
The problem is that I cannot connect to https://localhost:8443 via the
browser; in the log file there are no errors and it appears that the 8443 port
is open, as:
INFO: Starting Coyote HTTP/1.1 on http-8443
Nothing is logged to the log file when access to 8443 is attempted; the
browser processes and eventually times out with the following alert:
The connection to localhost:8443 has terminated unexpectedly. Some data may
have been transferred.
Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
Regards,
Julie.
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
Re: HTTPS setup
Posted by Stephan van Loendersloot <wh...@worldonline.nl>.
Hi Julie,
>Hi,
>
>I have a CA-signed p12 file from which I can extract both a certificate and
>key in PEM format - I found some info (http://www.junlu.com/msg/85393.html)
>which states that you can use a p12 file as a keystore in Tomcat by adding
>the following into the conf/server.xml file:
>
> <Connector port="8443" maxHttpHeaderSize="8192"
> maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
> enableLookups="false" disableUploadTimeout="true"
> acceptCount="100" scheme="https" secure="true"
> clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
> keystoreFile="file.p12" keystorePass="somePass" />
>
>
>When I tried this it failed with the error message:
>
>
>
If you use Linux and you have OpenSSL installed, you might want to try
the following commands to export your PKCS12 file to a CRT and a KEY
file and configure Tomcat to use these files in 3 steps:
1. CRT export (if your PKCS12 file is password-protected (as it should
be), you will be asked for the password before the export):
openssl pkcs12 -clcerts -nokeys -in file.p12 -out file.crt
2. KEY export (again, when the PKCS12 file is password-protected, you
will be asked for it. Right after you have entered this password, you have to
think of a new password for the KEY file, which will be asked for twice):
openssl pkcs12 -nocerts -in file.p12 -out file.key
3. Copy the 2 generated files to a suitable, protected location. Change
'server.xml' to the following and insert your new password at the
attribute 'SSLPassword':
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
SSLEngine="on"
SSLCertificateFile="/mydirectory/file.crt"
SSLCertificateKeyFile="/mydirectory/file.key"
SSLPassword="YOURNEWPASSWORD" />
Hope this helps,
--Stephan.
Re: HTTPS setup
Posted by Julie McCabe <ju...@qub.ac.uk>.
Hi,
I have a CA-signed p12 file from which I can extract both a certificate and
key in PEM format - I found some info (http://www.junlu.com/msg/85393.html)
which states that you can use a p12 file as a keystore in Tomcat by adding
the following into the conf/server.xml file:
<Connector port="8443" maxHttpHeaderSize="8192"
maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
enableLookups="false" disableUploadTimeout="true"
acceptCount="100" scheme="https" secure="true"
clientAuth="false" sslProtocol="TLS" keystoreType="PKCS12"
keystoreFile="file.p12" keystorePass="somePass" />
When I tried this it failed with the error message:
Mar 15, 2006 11:06:50 AM org.apache.tomcat.util.net.puretls.PureTLSSocketFactory init
INFO: Error initializing SocketFactory
java.io.IOException: Couldn't find private key in this file
        at COM.claymoresystems.ptls.SSLContext.loadEAYKeyFile(SSLContext.java:242)
        at COM.claymoresystems.ptls.SSLContext.loadEAYKeyFile(SSLContext.java:201)
        at org.apache.tomcat.util.net.puretls.PureTLSSocketFactory.init(PureTLSSocketFactory.java:134)
        at org.apache.tomcat.util.net.puretls.PureTLSSocketFactory.createSocket(PureTLSSocketFactory.java:69)
        at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:292)
        at org.apache.coyote.http11.Http11BaseProtocol.init(Http11BaseProtocol.java:137)
        at org.apache.catalina.connector.Connector.initialize(Connector.java:1016)
        at org.apache.catalina.core.StandardService.initialize(StandardService.java:580)
        at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:762)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:488)
        at org.apache.catalina.startup.Catalina.load(Catalina.java:508)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
        at java.lang.reflect.Method.invoke(Method.java:585)
        at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:247)
        at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Mar 15, 2006 11:06:50 AM org.apache.coyote.http11.Http11BaseProtocol init
SEVERE: Error initializing endpoint
I'm not sure what to do - I would appreciate some help.
Env: Tomcat 5.5.12, Java 1.5.0_06, Fedora 4.
Thanks,
Julie.
On Wednesday 08 March 2006 20:01, Dhaval Patel wrote:
> Hi,
>
> As I have told you before, those instructions are not working as expected
> against authority signed (not self-signed) certificates.
>
> You might have to go through mail-archive of tomcat users list to find
> more ways to solve this. I am sure there is a solution for this.
>
> Tomcat gurus, please help !!!
>
> Regards,
> D
>
> --- Julie McCabe <ju...@qub.ac.uk> wrote:
> > Hello,
> >
> > Thanks for the advice, I had installed the APR as Tomcat was failing to
> > shut down in Windows without it.
> >
> > Since my overall objective is to use an existing X509 certificate signed
> > by an academic CA (not Verisign or Thawte) I decided to try the openssl.
> > I followed the steps outlined in the
> > http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
> >
> > I have an existing p12 file which is split into a key and a certificate,
> > I only performed the
> > openssl rsa -in userkey.pem -out server.key
> > command to replace the passphrase from the private key.
> >
> > I edited the conf/server.xml file as directed and pointed the
> > SSLCertificateFile to the usercert.pem file and the SSLCertificateKeyFile
> > to the generated server.key file.
> >
> > I started tomcat - no errors in the logs and when I try to connect on
> > https://localhost:8443
> > I receive the following alert:
> >
> > "Could not establish an encrypted connection because the certificate
> > presented by localhost is invalid or corrupted. Error Code: -8101"
> >
> > The CA root certificate which has signed my certificate is loaded into the
> > browser (along with my certificate).
> >
> > It seems like it's a problem with my certificates?
> >
> > Thanks,
> > Julie.
> >
> > On Wednesday 08 March 2006 13:31, Dhaval Patel wrote:
> > > Hi,
> > >
> > > Based upon your description, I think you are trying to use JSSE way to
> > > enable SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.
> > >
> > > If you are trying with JSSE, please remove tcnative-1.dll from your
> > > TOMCAT_HOME\bin directory. It should work fine.
> > >
> > > If you want to know how to do with OpenSSL, please go to:
> > > http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
> > >
> > > Steps described in the above URL are 100% working when you don't have a
> > > Verisign/Thawte signed certificate. It is not the case here I believe. :)
> > >
> > > Let us know how it goes.
> > >
> > > Regards,
> > > D
> > >
> > > --- Julie McCabe <ju...@qub.ac.uk> wrote:
> > > > Hi,
> > > >
> > > > I've configured SSL support as per the documentation - I created the
> > > > keystore and a self-signed certificate with the default password, and
> > > > uncommented the 8443 connector for https in the conf/server.xml file.
> > > >
> > > > The problem is that I cannot connect to https://localhost:8443 via
> > > > the browser, in the log file there are no errors and it appears as
> > > > the 8443 port is open as:
> > > > INFO: Starting Coyote HTTP/1.1 on http-8443
> > > >
> > > > Nothing is logged to the log file when access to 8443 is attempted,
> > > > the browser processes and eventually times out with the following
> > > > alert:
> > > >
> > > > The connection to localhost:8443 has terminated unexpectedly. Some
> > > > data may have been transferred.
> > > >
> > > > Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
> > > >
> > > > Regards,
> > > > Julie.
> > > >
> > > >
> > > __________________________________________________
> > > Do You Yahoo!?
> > > Tired of spam? Yahoo! Mail has the best spam protection around
> > > http://mail.yahoo.com
Re: HTTPS setup
Posted by Dhaval Patel <dh...@yahoo.com>.
Hi,
As I have told you before, those instructions are not working as expected against authority
signed (not self-signed) certificates.
You might have to go through mail-archive of tomcat users list to find more ways to solve this.
I am sure there is a solution for this.
Tomcat gurus, please help !!!
Regards,
D
--- Julie McCabe <ju...@qub.ac.uk> wrote:
> Hello,
>
> Thanks for the advice, I had installed the APR as Tomcat was failing to
> shut down in Windows without it.
>
> Since my overall objective is to use an existing X509 certificate signed by
> an academic CA (not Verisign or Thawte) I decided to try the openssl. I
> followed the steps outlined in the
> http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
>
> I have an existing p12 file which is split into a key and a certificate, I
> only performed the
> openssl rsa -in userkey.pem -out server.key
> command to replace the passphrase from the private key.
>
> I edited the conf/server.xml file as directed and pointed the
> SSLCertificateFile to the usercert.pem file and the SSLCertificateKeyFile to
> the generated server.key file.
>
> I started tomcat - no errors in the logs and when I try to connect on
> https://localhost:8443
> I receive the following alert:
>
> "Could not establish an encrypted connection because the certificate presented
> by localhost is invalid or corrupted. Error Code: -8101"
>
> The CA root certificate which has signed my certificate is loaded into the
> browser (along with my certificate).
>
> It seems like it's a problem with my certificates?
>
> Thanks,
> Julie.
>
>
> On Wednesday 08 March 2006 13:31, Dhaval Patel wrote:
> > Hi,
> >
> > Based upon your description, I think you are trying to use JSSE way to
> > enable SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.
> >
> > If you are trying with JSSE, please remove tcnative-1.dll from your
> > TOMCAT_HOME\bin directory. It should work fine.
> >
> > If you want to know how to do with OpenSSL, please go to:
> > http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
> >
> > Steps described in the above URL are 100% working when you don't have a
> > Verisign/Thawte signed certificate. It is not the case here I believe. :)
> >
> > Let us know how it goes.
> >
> > Regards,
> > D
> >
> > --- Julie McCabe <ju...@qub.ac.uk> wrote:
> > > Hi,
> > >
> > > I've configured SSL support as per the documentation - I created the keystore
> > > and a self-signed certificate with the default password, and uncommented
> > > the 8443 connector for https in the conf/server.xml file.
> > >
> > > The problem is that I cannot connect to https://localhost:8443 via the
> > > browser, in the log file there are no errors and it appears as the 8443
> > > port is open as:
> > > INFO: Starting Coyote HTTP/1.1 on http-8443
> > >
> > > Nothing is logged to the log file when access to 8443 is attempted, the
> > > browser processes and eventually times out with the following alert:
> > >
> > > The connection to localhost:8443 has terminated unexpectedly. Some data
> > > may have been transferred.
> > >
> > > Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
> > >
> > > Regards,
> > > Julie.
> > >
> > >
Re: HTTPS setup
Posted by Julie McCabe <ju...@qub.ac.uk>.
Hello,
Thanks for the advice, I had installed the APR as Tomcat was failing to
shut down in Windows without it.
Since my overall objective is to use an existing X509 certificate signed by
an academic CA (not Verisign or Thawte) I decided to try the openssl. I
followed the steps outlined in the
http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
I have an existing p12 file which is split into a key and a certificate, I
only performed the
openssl rsa -in userkey.pem -out server.key
command to replace the passphrase from the private key.
I edited the conf/server.xml file as directed and pointed the
SSLCertificateFile to the usercert.pem file and the SSLCertificateKeyFile to
the generated server.key file.
I started tomcat - no errors in the logs and when I try to connect on
https://localhost:8443
I receive the following alert:
"Could not establish an encrypted connection because the certificate presented
by localhost is invalid or corrupted. Error Code: -8101"
The CA root certificate which has signed my certificate is loaded into the
browser (along with my certificate).
It seems like it's a problem with my certificates?
Thanks,
Julie.
On Wednesday 08 March 2006 13:31, Dhaval Patel wrote:
> Hi,
>
> Based upon your description, I think you are trying to use JSSE way to
> enable SSL. Tomcat 5.5 has two ways to enable SSL: 1) JSSE 2) OpenSSL.
>
> If you are trying with JSSE, please remove tcnative-1.dll from your
> TOMCAT_HOME\bin directory. It should work fine.
>
> If you want to know how to do with OpenSSL, please go to:
> http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
>
> Steps described in the above URL are 100% working when you don't have a
> Verisign/Thawte signed certificate. It is not the case here I believe. :)
>
> Let us know how it goes.
>
> Regards,
> D
>
> --- Julie McCabe <ju...@qub.ac.uk> wrote:
> > Hi,
> >
> > I've configured SSL support as per the documentation - I created the keystore
> > and a self-signed certificate with the default password, and uncommented
> > the 8443 connector for https in the conf/server.xml file.
> >
> > The problem is that I cannot connect to https://localhost:8443 via the
> > browser, in the log file there are no errors and it appears as the 8443
> > port is open as:
> > INFO: Starting Coyote HTTP/1.1 on http-8443
> >
> > Nothing is logged to the log file when access to 8443 is attempted, the
> > browser processes and eventually times out with the following alert:
> >
> > The connection to localhost:8443 has terminated unexpectedly. Some data
> > may have been transferred.
> >
> > Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
> >
> > Regards,
> > Julie.
> >
> >
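The script below is an added example, not code from the thread, from Tomcat or from OpenSSL. It scripts Stephan's three export steps (certificate out, re-encrypted key out, key file protected) non-interactively, and then runs the checks that Julie's "certificate presented by localhost is invalid or corrupted" alert calls for: that the private key is still encrypted on disk (her `openssl rsa -in userkey.pem -out server.key` step strips that protection), that the key actually belongs to the certificate, and that the certificate verifies against the CA file the browser is expected to trust. Because the CA-signed .p12 from the thread is not on the page, the script constructs a throwaway self-signed certificate and bundles it into a password-protected .p12 to stand in for it; every file name and password, and the assumption that the `openssl` command-line tool is on PATH, are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread. Scripts Stephan's PKCS12 -> CRT/KEY
# export and the certificate/key checks behind Julie's browser alert.
# Assumes the openssl CLI is on PATH; all names and passwords are constructed.
set -u

# Constructed input: a throwaway self-signed certificate bundled into a
# password-protected .p12, standing in for the CA-signed file from the thread.
make_test_p12() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=localhost" -days 1 \
        -keyout "$dir/orig.key" -out "$dir/ca.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -export -inkey "$dir/orig.key" -in "$dir/ca.crt" \
        -passout pass:p12pass -out "$dir/file.p12" >/dev/null 2>&1
}

# Steps 1 and 2 of Stephan's recipe. The exported key is re-encrypted under
# $keypass, which is the value that belongs in the connector's SSLPassword
# attribute; the plaintext key never touches the disk.
export_from_p12() {
    p12=$1; p12pass=$2; keypass=$3; outdir=$4
    openssl pkcs12 -clcerts -nokeys -in "$p12" -passin "pass:$p12pass" \
        -out "$outdir/file.crt" >/dev/null 2>&1 || return 1
    openssl pkcs12 -nocerts -in "$p12" -passin "pass:$p12pass" \
        -passout "pass:$keypass" -out "$outdir/file.key" >/dev/null 2>&1 || return 1
    chmod 600 "$outdir/file.key"   # step 3: "a suitable, protected location"
}

# Is the private key still encrypted on disk? Stripping the passphrase with
# `openssl rsa -in ... -out ...` leaves a PEM without the ENCRYPTED marker.
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$1"
}

# Do certificate and key belong together? Compare the public keys they carry
# (both emitted as SubjectPublicKeyInfo PEM) instead of trusting file names.
cert_matches_key() {
    crt=$1; key=$2; keypass=$3
    c=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -passin "pass:$keypass" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Does the certificate chain to the CA file? This is the check the browser is
# failing when it reports the certificate as invalid.
cert_chains_to() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# End-to-end run in a temporary directory; returns 0 only if every check passes.
run_demo() {
    tmp=$(mktemp -d) || return 1
    make_test_p12 "$tmp" &&
        export_from_p12 "$tmp/file.p12" p12pass newkeypass "$tmp" &&
        key_is_encrypted "$tmp/file.key" &&
        cert_matches_key "$tmp/file.crt" "$tmp/file.key" newkeypass &&
        cert_chains_to "$tmp/ca.crt" "$tmp/file.crt"
    rc=$?
    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "export ok: key encrypted, matches certificate, chains to CA"
    return "$rc"
}

run_demo
```

Running the three check functions against your own file.crt, file.key and CA certificate before starting Tomcat turns a browser error code into a concrete answer (wrong key, wrong CA file, or a key that has lost its passphrase). Since the connector in Stephan's reply takes the key's passphrase through SSLPassword, the unencrypted server.key copy is not needed at all.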
Re: HTTPS setup
Posted by Dhaval Patel <dh...@yahoo.com>.
Hi,
Based upon your description, I think you are trying to use JSSE way to enable SSL. Tomcat 5.5 has
two ways to enable SSL: 1) JSSE 2) OpenSSL.
If you are trying with JSSE, please remove tcnative-1.dll from your TOMCAT_HOME\bin directory. It
should work fine.
If you want to know how to do with OpenSSL, please go to:
http://www.mail-archive.com/users%40tomcat.apache.org/msg02500.html
Steps described in the above URL are 100% working when you don't have a Verisign/Thawte signed
certificate. It is not the case here I believe. :)
Let us know how it goes.
Regards,
D
--- Julie McCabe <ju...@qub.ac.uk> wrote:
> Hi,
>
> I've configured SSL support as per the documentation - I created the keystore and a
> self-signed certificate with the default password, and uncommented the 8443
> connector for https in the conf/server.xml file.
>
> The problem is that I cannot connect to https://localhost:8443 via the
> browser, in the log file there are no errors and it appears as the 8443 port
> is open as:
> INFO: Starting Coyote HTTP/1.1 on http-8443
>
> Nothing is logged to the log file when access to 8443 is attempted, the
> browser processes and eventually times out with the following alert:
>
> The connection to localhost:8443 has terminated unexpectedly. Some data may
> have been transferred.
>
> Environment: Java 1.5.0_04, Tomcat 5.5.12, Windows XP
>
> Regards,
> Julie.
>
>
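Dhaval's point, that Tomcat 5.5 has a JSSE path and an OpenSSL/APR path and that the presence of tcnative decides which one the connector gets, is worth checking mechanically before the next restart: the keystoreFile/keystoreType attributes only mean something to JSSE, and the "Couldn't find private key in this file" trace earlier in the thread is what a non-JSSE socket factory produces when it is handed keystoreFile and tries to read it as a key file of its own format. The script below is an added example (not from the thread or from Tomcat) that reads a server.xml, reports which attribute style the 8443 connector uses, and compares that with whether a tcnative library sits in the bin directory. The two sample server.xml fragments, the bin path and the library file names it looks for are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Tomcat. Classifies the SSL
# style of a Tomcat 5.5 <Connector port="8443"> from the attribute names used
# in this thread and checks it against the presence of the tcnative library.
# Assumes a plain-text server.xml and a bin directory path; samples are constructed.

# Print "jsse" for keystoreFile/keystoreType attributes, "apr" for
# SSLCertificateFile/SSLCertificateKeyFile, "mixed" if both appear and "none"
# if neither does. The awk range handles one-line and multi-line elements.
connector_ssl_mode() {
    block=$(awk '/<Connector/ { grab = ($0 ~ /port="8443"/) }
                 grab { print }
                 /\/>/ { grab = 0 }' "$1")
    jsse=0; apr=0
    printf '%s\n' "$block" | grep -q 'keystoreFile=' && jsse=1
    printf '%s\n' "$block" | grep -q 'SSLCertificateFile=' && apr=1
    case "$jsse$apr" in
        10) echo jsse ;;
        01) echo apr ;;
        11) echo mixed ;;
        *)  echo none ;;
    esac
}

# Is the APR native library in Tomcat's bin directory? (tcnative-1.dll on
# Windows, libtcnative-1.so on Linux; file names assumed for this example.)
native_library_present() {
    [ -e "$1/tcnative-1.dll" ] || [ -e "$1/libtcnative-1.so" ]
}

# Combine both facts the way Dhaval's reply does: JSSE attributes with the
# native library installed means the connector will not use keystoreFile as a
# keystore; APR attributes without the library means no SSL engine at all.
diagnose() {
    mode=$(connector_ssl_mode "$1")
    if native_library_present "$2"; then lib=present; else lib=absent; fi
    case "$mode:$lib" in
        jsse:present) echo "mismatch: JSSE attributes but tcnative present; remove the library or switch to SSLCertificateFile/SSLCertificateKeyFile" ;;
        apr:absent)   echo "mismatch: APR attributes but no tcnative library in bin" ;;
        mixed:*)      echo "ambiguous: both keystoreFile and SSLCertificateFile are set" ;;
        none:*)       echo "no SSL attributes on the 8443 connector" ;;
        *)            echo "consistent: $mode attributes, native library $lib" ;;
    esac
}

# Constructed sample server.xml fragments for the two connector styles quoted
# in this thread (not Tomcat's shipped defaults).
write_sample_server_xml() {
    if [ "$2" = jsse ]; then
        cat > "$1" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" />
    <Connector port="8443" maxHttpHeaderSize="8192"
               scheme="https" secure="true" clientAuth="false"
               sslProtocol="TLS" keystoreType="PKCS12"
               keystoreFile="file.p12" keystorePass="somePass" />
  </Service>
</Server>
EOF
    else
        cat > "$1" <<'EOF'
<Server>
  <Service name="Catalina">
    <Connector port="8080" maxHttpHeaderSize="8192" />
    <Connector port="8443" maxHttpHeaderSize="8192"
               scheme="https" secure="true" SSLEngine="on"
               SSLCertificateFile="/mydirectory/file.crt"
               SSLCertificateKeyFile="/mydirectory/file.key"
               SSLPassword="YOURNEWPASSWORD" />
  </Service>
</Server>
EOF
    fi
}

# Demonstration: both connector styles against a bin directory that has tcnative.
run_demo() {
    tmp=$(mktemp -d) || return 1
    mkdir "$tmp/bin"
    : > "$tmp/bin/tcnative-1.dll"     # pretend the native library is installed
    write_sample_server_xml "$tmp/jsse.xml" jsse
    write_sample_server_xml "$tmp/apr.xml" apr
    echo "JSSE connector, tcnative present: $(diagnose "$tmp/jsse.xml" "$tmp/bin")"
    echo "APR connector, tcnative present:  $(diagnose "$tmp/apr.xml" "$tmp/bin")"
    rm -rf "$tmp"
}

run_demo
```

Point `diagnose` at the real conf/server.xml and TOMCAT_HOME/bin to get the same verdict for an installed server. The "mismatch" lines correspond to the two situations in this thread: a JSSE-style connector with tcnative still in bin, and an APR-style connector on a machine where the native library was never installed.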