You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2006/12/07 04:56:21 UTC
svn commit: r483339 - in /tomcat/container/tc5.5.x/webapps/docs:
changelog.xml config/http.xml ssl-howto.xml
Author: markt
Date: Wed Dec 6 19:56:20 2006
New Revision: 483339
URL: http://svn.apache.org/viewvc?view=rev&rev=483339
Log:
Fix bug 41051 by adding info on case sensitivity to SSL HOW-TO
Update SSL configuration documentation to agree with HOW-TO.
Modified:
tomcat/container/tc5.5.x/webapps/docs/changelog.xml
tomcat/container/tc5.5.x/webapps/docs/config/http.xml
tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml
Modified: tomcat/container/tc5.5.x/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/changelog.xml?view=diff&rev=483339&r1=483338&r2=483339
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/changelog.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/changelog.xml Wed Dec 6 19:56:20 2006
@@ -223,6 +223,10 @@
<bug>40999</bug>: Add trust store configuration for SSL connectors to
the admin webapp. (markt)
</fix>
+ <fix>
+ <bug>41051</bug>: Add information on keystore aliases and case
+ sensitivity to SSL HOW-TO. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Cluster">
Modified: tomcat/container/tc5.5.x/webapps/docs/config/http.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/config/http.xml?view=diff&rev=483339&r1=483338&r2=483339
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/config/http.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/config/http.xml Wed Dec 6 19:56:20 2006
@@ -409,23 +409,20 @@
<attributes>
<attribute name="algorithm" required="false">
- <p>The certificate encoding algorithm to be used. If not
- specified, the default value is <code>SunX509</code>.</p>
+ <p>The certificate encoding algorithm to be used. This defaults to the Sun
+ implementation (<code>SunX509</code>). For IBM JVMs you should use the
+ value <code>IbmX509</code>. For other vendors, consult the JVM
+ documentation for the correct value.</p>
</attribute>
<attribute name="clientAuth" required="false">
<p>Set to <code>true</code> if you want the SSL stack to require a
- valid certificate chain from the client before
- accepting a connection.
- Set to <code>want</code> if you
- want the SSL stack to request a client
- Certificate, but
- not fail if one isn't presented. A <code>false</code>
+ valid certificate chain from the client before accepting a connection.
+ Set to <code>want</code> if you want the SSL stack to request a client
+ Certificate, but not fail if one isn't presented. A <code>false</code>
value (which is the default) will not require a certificate chain
- unless
- the client requests a resource protected by a security
- constraint
- that uses <code>CLIENT-CERT</code> authentication. See the
+ unless the client requests a resource protected by a security
+ constraint that uses <code>CLIENT-CERT</code> authentication. See the
<a href="../ssl-howto.html">SSL HowTo</a> for an example.</p>
</attribute>
@@ -455,6 +452,25 @@
<attribute name="ciphers" required="false">
<p>A comma seperated list of the encryption ciphers that may be used.
If not specified, then any available cipher may be used.</p>
+ </attribute>
+
+ <attribute name="keyAlias" required="false">
+ <p>The alias used to for the server certificate in the keystore. If not
+ specified the first key read in the keystore will be used.</p>
+ </attribute>
+
+ <attribute name="truststoreFile" required="false">
+ <p>The TrustStore file to use to validate client certificates.</p>
+ </attribute>
+
+ <attribute name="truststorePass" required="false">
+ <p>The password to access the TrustStore. This defaults to the value
+ of <code>keystorePass</code>.</p>
+ </attribute>
+
+ <attribute name="truststoreType" required="false">
+ <p>Add this element if your are using a different format for the
+ TrustStore then you are using for the KeyStore.</p>
</attribute>
</attributes>
Modified: tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml?view=diff&rev=483339&r1=483338&r2=483339
==============================================================================
--- tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml (original)
+++ tomcat/container/tc5.5.x/webapps/docs/ssl-howto.xml Wed Dec 6 19:56:20 2006
@@ -211,6 +211,14 @@
via (among other things) OpenSSL and Microsoft's Key-Manager.
</p>
+<p>Each entry in a keystore is identified by an alias string. Whilst many
+keystore implmentations treat alaises in a case insensitive manner, case
+sensitive implementations are available. The <code>PKCS11</code> specification,
+for example, requires that aliases are case sensitive. To avoid issues related
+to the case sensitivity of aliaises, it is not recommended to use aliases that
+differ only in case.
+</p>
+
<p>To import an existing certificate into a JKS keystore, please read the
documentation (in your JDK documentation package) about <code>keytool</code>.
Note that openssl often adds a readable comments before the key, <code>keytool</code>does not support that, so remove the openssl comments if they exist before importing the key using <code>keytool</code>.
@@ -360,8 +368,8 @@
</tr>
<tr>
<td><code>keystoreType</code></td>
- <td>Add this element if using a PKCS12 keystore. The valid values are
- <code>JKS</code> and <code>PKCS12</code>.</td>
+ <td>Add this element if using a keystore type other than
+ <code>JKS</code>.</td>
</tr>
<tr>
<td><code>sslProtocol</code></td>
@@ -396,8 +404,7 @@
<tr>
<td><code>truststoreType</code></td>
<td>Add this element if your are using a different format for the
- TrustStore then you are using for the KeyStore. The valid values are
- <code>JKS</code> and <code>PKCS12</code>.</td>
+ TrustStore then you are using for the KeyStore.</td>
</tr>
<tr>
<td><code>keyAlias</code></td>
@@ -517,6 +524,19 @@
file</a>. <strong>REMINDER</strong> - Passwords are case sensitive!</p>
</blockquote></li>
+<li>When Tomcat starts up, I get an exception like
+ "java.net.SocketException: SSL handshake errorjavax.net.ssl.SSLException: No
+ available certificate or key corresponds to the SSL cipher suites which are
+ enabled."
+ <blockquote>
+ <p>A likely explanation is that Tomcat cannot find the alias for the server
+ key withinthe specified keystore. Check that the correct
+ <code>keystoreFile</code> and <code>keyAlias</code> are specified in the
+ <code><Connector></code> element in the
+ <a href="#Edit the Tomcat Configuration File">Tomcat configuration file</a>.
+ <strong>REMINDER</strong> - <code>keyAlias</code> values may be case
+ sensitive!</p>
+ </blockquote></li>
</ul>
<p>If you are still having problems, a good source of information is the
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org