Posted to users@tomcat.apache.org by Ben Iggulden <be...@codefarm.com.au> on 2007/07/06 05:28:25 UTC

https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Bit of a maddening problem this one.

I'm setting up https on Tomcat 5.5.  
Following the how-to closely I've generated a keystore using keytool and
uncommented/modified the port 8443 connector in the server.xml.
But the https connector just fails to work, the logs report these errors:

1. org.apache.tomcat.util.net.SSLImplementation - Error loading SSL
Implementation org.apache.tomcat.util.net.puretls.PureTLSImplementation
   java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.puretls.PureTLSImplementation

2. DEBUG main org.apache.tomcat.util.net.jsse.JSSEImplementation - Error
getting factory: org.apache.tomcat.util.net.jsse.JSSE15Factory
   java.lang.ClassNotFoundException:
org.apache.tomcat.util.net.jsse.JSSE15Factory

3. ERROR main org.apache.coyote.http11.Http11BaseProtocol - Error
initializing endpoint
   java.io.IOException: Keystore was tampered with, or password was
incorrect

4. ERROR main org.apache.catalina.startup.Catalina - Catalina.start
LifecycleException:  Protocol handler initialization failed:
java.io.IOException: Keystore was tampered with, or password was incorrect

Now from reading I think the first is unimportant because it should be using
a JSSE and not PureTLS implementation.  The second would look worrying then,
and could mean I'm running with the wrong JSSE version (I'm using the one
that shipped with Tomcat 5.5 and a Java 5 JRE).  The 3rd & 4th are the same
and are the ones really messing with me.  As you can see below, the keystore
password used in generation and in the server.xml are the same so that one
has got me.

Does this look like a JSSE version issue or have I missed something much
more simple?

-------------------------------
Log of console session in which I generated the keystore:

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf>"C:\Program Files\Java\j2re1.4.2_14\bin\keytool" -genkey -alias tomcat -keyalg RSA -keystore .keystore
Enter keystore password:  t0mcat
What is your first and last name?
  [Unknown]:  localhost
What is the name of your organizational unit?
  [Unknown]:  Dev Env
What is the name of your organization?
  [Unknown]:  Codefarm
What is the name of your City or Locality?
  [Unknown]:  Repton
What is the name of your State or Province?
  [Unknown]:  NSW
What is the two-letter country code for this unit?
  [Unknown]:  AU
Is CN=localhost, OU=Dev Env, O=Codefarm, L=Repton, ST=NSW, C=AU correct?
  [no]:  y

Enter key password for <tomcat>
        (RETURN if same as keystore password):

C:\Program Files\Apache Software Foundation\Tomcat 5.5\conf>
-------------------------------
The server.xml connector:

<Connector port="8443"
           maxHttpHeaderSize="8192"
           maxThreads="150"
           minSpareThreads="25"
           maxSpareThreads="75"
           enableLookups="false"
           disableUploadTimeout="true"
           acceptCount="100"
           scheme="https"
           secure="true"
           clientAuth="false"
           sslProtocol="TLS"
           keystoreFile="C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/.keystore"
           keytorePass="t0mcat" />


---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Posted by Hassan Schroeder <ha...@gmail.com>.
On 7/8/07, Ben Iggulden <be...@codefarm.com.au> wrote:

> Is this keystore password supposed to be changed as I have presumed
> (ensuring the same is used in the server.xml connector's keystorePass
> attribute as is used in generation)

Yes, using a different password works for me per the docs on
my existing 5.5.x installation...

-- 
Hassan Schroeder ------------------------ hassan.schroeder@gmail.com


RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Posted by Ben Iggulden <be...@codefarm.com.au>.
That's done it!

Thanks indeed for sharing your knowledge here Chuck.

Here on dev I've done the simple thing of removing the APR .dll but when I
try this on a live-like build next week I can see myself spending some
quality time with that APR section of the manual you've pointed me towards.

Now I look again at the large bold warning atop the SSL how-to I see just
what I'd managed to miss...



-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: 10 July 2007 13:42
To: Tomcat Users List
Subject: RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing
what it should !

> From: Ben Iggulden [mailto:ben@codefarm.com.au] 
> Sent: 2007 July 09, Monday 20:12
> keystore..not doing what it should !
> 
> I'm trying to verify this as the problem by closing Eclipse 
> and running Tomcat directly

Try running it from a command prompt rather than as a service.  There
may be some messages going to stdout that don't make it into the log.

> requests via https are getting no response at all that way.

Can't reproduce your symptoms, and your config looks o.k. - IF you're
not using the APR connector.  If there's a tcnative-1.dll in Tomcat's
bin directory, you're using APR, and the SSL config is completely
different.  If that's the case, either get rid of the .dll, or look here
for the APR SSL configuration:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
MATERIAL and is thus for use only by the intended recipient. If you
received this in error, please contact the sender and delete the e-mail
and its attachments from all computers.


RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Ben Iggulden [mailto:ben@codefarm.com.au] 
> Sent: 2007 July 09, Monday 20:12
> keystore..not doing what it should !
> 
> I'm trying to verify this as the problem by closing Eclipse 
> and running Tomcat directly

Try running it from a command prompt rather than as a service.  There
may be some messages going to stdout that don't make it into the log.

> requests via https are getting no response at all that way.

Can't reproduce your symptoms, and your config looks o.k. - IF you're
not using the APR connector.  If there's a tcnative-1.dll in Tomcat's
bin directory, you're using APR, and the SSL config is completely
different.  If that's the case, either get rid of the .dll, or look here
for the APR SSL configuration:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html

 - Chuck

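Two things in this thread are worth checking mechanically rather than by eye. The connector posted at the top spells the password attribute keytorePass, and Tomcat does not reject an attribute it does not recognise: with no keystorePass seen, the 5.5 JSSE connector falls back to its documented default, changeit, against a keystore generated with t0mcat, which would produce exactly error 3 from the first post. Chuck's reply names the other trap: a tcnative library in bin/ turns the connector into the APR one, which reads SSLEnabled, SSLCertificateFile and SSLCertificateKeyFile and ignores the keystore attributes altogether. The script below is an added example, not code from the Tomcat project or from anyone on the thread. The attribute lists and the defaults (changeit, ~/.keystore) are taken from the 5.5 connector docs and are stated as assumptions in the code; the sample connector is the one from the first post with its wrapped keystoreFile value rejoined, and the misspelling is kept on purpose.

```python
"""Lint a Tomcat 5.5 HTTPS connector against the SSL stack that will really load.

Added example, not code from the Tomcat project or from anyone on the thread.
Assumptions, taken from the 5.5 connector docs:
  * an attribute name Tomcat does not recognise is accepted but does nothing;
  * on the JSSE connector keystorePass defaults to "changeit" and keystoreFile
    to ~/.keystore, and the key password must equal the keystore password;
  * a tcnative library in bin/ makes the connector the APR one, which reads
    SSLEnabled/SSLCertificateFile/SSLCertificateKeyFile, not the keystore attributes.
"""
import difflib
import os
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASS = "changeit"
DEFAULT_KEYSTORE_FILE = "~/.keystore"

# Attribute names as listed in the 5.5 docs (assumed complete enough to lint against).
JSSE_SSL_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "keyAlias",
                  "sslProtocol", "ciphers", "clientAuth", "algorithm",
                  "truststoreFile", "truststorePass", "truststoreType"}
APR_SSL_ATTRS = {"SSLEnabled", "SSLCertificateFile", "SSLCertificateKeyFile",
                 "SSLCertificateChainFile", "SSLPassword", "SSLProtocol",
                 "SSLCipherSuite", "SSLVerifyClient", "SSLCACertificateFile"}
GENERIC_ATTRS = {"port", "protocol", "scheme", "secure", "redirectPort", "address",
                 "maxHttpHeaderSize", "maxThreads", "minSpareThreads",
                 "maxSpareThreads", "enableLookups", "disableUploadTimeout",
                 "acceptCount", "connectionTimeout", "compression"}
NATIVE_LIBS = ("tcnative-1.dll", "libtcnative-1.so", "libtcnative-1.dylib")


def ssl_stack(tomcat_home, exists=os.path.isfile):
    """'apr' when a tcnative library sits in bin/, otherwise 'jsse'."""
    bin_dir = os.path.join(tomcat_home, "bin")
    return "apr" if any(exists(os.path.join(bin_dir, lib)) for lib in NATIVE_LIBS) else "jsse"


def https_connectors(server_xml):
    """Attribute dicts of every connector that is meant to serve HTTPS."""
    root = ET.fromstring(server_xml)
    return [dict(c.attrib) for c in root.iter("Connector")
            if c.get("secure") == "true" or c.get("scheme") == "https"
            or c.get("SSLEnabled") == "true"]


def unknown_attrs(attrs, stack):
    """Attributes the loaded connector will not act on -> closest real name or None."""
    known = GENERIC_ATTRS | (APR_SSL_ATTRS if stack == "apr" else JSSE_SSL_ATTRS)
    result = {}
    for name in attrs:
        if name not in known:
            close = difflib.get_close_matches(name, sorted(known), n=1, cutoff=0.8)
            result[name] = close[0] if close else None
    return result


def diagnose(attrs, stack, store_pass_used=None):
    """Findings for one HTTPS connector; store_pass_used is the password keytool was given."""
    findings = []
    other_stack = "JSSE" if stack == "apr" else "APR"
    other_attrs = JSSE_SSL_ATTRS if stack == "apr" else APR_SSL_ATTRS
    for name, fix in unknown_attrs(attrs, stack).items():
        if name in other_attrs:
            findings.append(f"{name} is a {other_stack} attribute; the {stack.upper()} connector ignores it")
        else:
            hint = f"; did you mean {fix}?" if fix else ""
            findings.append(f"{name} is not a connector attribute{hint}")
    if stack == "jsse":
        store_pass = attrs.get("keystorePass", DEFAULT_KEYSTORE_PASS)
        store_file = attrs.get("keystoreFile", DEFAULT_KEYSTORE_FILE)
        if "keystorePass" not in attrs:
            findings.append(f"no keystorePass: Tomcat will open {store_file} with the default {store_pass!r}")
        if store_pass_used is not None and store_pass_used != store_pass:
            findings.append(f"keystore was created with {store_pass_used!r} but Tomcat will use "
                            f"{store_pass!r}: expect 'Keystore was tampered with, or password was incorrect'")
    else:
        for needed in ("SSLEnabled", "SSLCertificateFile", "SSLCertificateKeyFile"):
            if needed not in attrs:
                findings.append(f"APR connector needs {needed} (see tomcat-5.5-doc/apr.html)")
    return findings


def lint(server_xml, tomcat_home, store_pass_used=None):
    """Findings keyed by port for every HTTPS connector in server_xml."""
    stack = ssl_stack(tomcat_home)
    return {c.get("port"): diagnose(c, stack, store_pass_used) for c in https_connectors(server_xml)}


# Constructed sample: the connector from the first post, with the wrapped
# keystoreFile value rejoined. The misspelled keytorePass is kept on purpose.
POSTED_CONNECTOR = """<Server><Service name="Catalina">
<Connector port="8443" maxHttpHeaderSize="8192" maxThreads="150"
    minSpareThreads="25" maxSpareThreads="75" enableLookups="false"
    disableUploadTimeout="true" acceptCount="100" scheme="https" secure="true"
    clientAuth="false" sslProtocol="TLS"
    keystoreFile="C:/Program Files/Apache Software Foundation/Tomcat 5.5/conf/.keystore"
    keytorePass="t0mcat" />
</Service></Server>"""

if __name__ == "__main__":
    home = os.environ.get("CATALINA_HOME", ".")
    for port, findings in lint(POSTED_CONNECTOR, home, store_pass_used="t0mcat").items():
        print(f"connector {port} ({ssl_stack(home)} stack):")
        for finding in findings:
            print("  -", finding)
```

Point CATALINA_HOME at the install and feed it the real server.xml; the stack detection only looks in bin/, which is where Chuck said to look. To check the store password itself without involving Tomcat, keytool -list -keystore conf/.keystore -storepass <password> fails with the same "Keystore was tampered with, or password was incorrect" wording when the password is wrong, so a clean listing there plus a clean run of this lint narrows the fault to the stack that actually loaded.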


RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Posted by Ben Iggulden <be...@codefarm.com.au>.
Thanks for your responses Chuck & Hassan.

I did have a good look into my use of the keystoreFile attribute and made
sure there was no .keystore sitting in the default location in my home dir
that might be confusing things.  I was thinking .keystore on the default
path with "changeit" as the password might have been overriding things
perhaps.

But that wasn't it.  I believe my use of Tomcat through Eclipse 3.2 & the
Web Standard Tools (WST) plugin might be the source of my issues.  That
method is definitely failing with anything other than a "changeit" password.
Doesn't matter if I hit return to use the same key password for <tomcat> as
the keystore one I first enter (or if I type same).  

I'm trying to verify this as the problem by closing Eclipse and running
Tomcat directly, but in doing that I'm hitting a different problem: requests
via https are getting no response at all that way.  The same requests over
http work fine.  The https requests don't even generate an access log entry!
Hitting https://localhost:8443/ fails to get a response.  Hitting
http://localhost:8080/ works fine.  Hitting http://localhost:8443/ causes
the Tomcat5.exe process to consume vast quantities of CPU, though the root
index.jsp file is served quickly - and the CPU continues to be consumed.

The server.xml is:

<Server port="8005" shutdown="SHUTDOWN">
  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>
  <Service name="Catalina">
    <Connector port="8080"               
               maxHttpHeaderSize="8192"
               maxThreads="150" 
               minSpareThreads="25" 
               maxSpareThreads="75"
               enableLookups="false" 
               redirectPort="8443" 
               acceptCount="100"
               connectionTimeout="30000" 
               disableUploadTimeout="true" />
    <!-- Define a SSL HTTP/1.1 Connector on port 8443 -->
    <Connector port="8443" 
               maxHttpHeaderSize="8192"
               maxThreads="150" 
               minSpareThreads="25" 
               maxSpareThreads="75"
               enableLookups="false" 
               disableUploadTimeout="true"
               acceptCount="100" 
               connectionTimeout="0" 
               scheme="https" 
               secure="true"
               clientAuth="false" 
               sslProtocol="TLS"
	         keystorePass="changeit" />
    <!-- Define an AJP 1.3 Connector on port 8009 -->
    <Connector port="8009" 
               enableLookups="false" 
               redirectPort="8443" 
               protocol="AJP/1.3" />
    <Engine name="Catalina" defaultHost="localhost">
      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>
      <Host name="localhost" 
            appBase="webapps"
            unpackWARs="true" 
            autoDeploy="true"
            xmlValidation="false" 
            xmlNamespaceAware="false">        
        <Valve className="org.apache.catalina.valves.FastCommonAccessLogValve"
               directory="logs"
               prefix="localhost_access_log."
               suffix=".txt"
               pattern="common"
               resolveHosts="false"/>
      </Host>
    </Engine>
  </Service>
</Server>



-----Original Message-----
From: Caldarale, Charles R [mailto:Chuck.Caldarale@unisys.com] 
Sent: 10 July 2007 00:04
To: Tomcat Users List
Subject: RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing
what it should !

> From: Ben Iggulden [mailto:ben@codefarm.com.au] 
> Subject: RE: https in Tomcat 5.5 via basic JKS keytool 
> keystore..not doing what it should !
> 
> Is this keystore password supposed to be changed as I have presumed
> (ensuring the same is used in the server.xml connector's keystorePass
> attribute as is used in generation) or is using anything other than
> "changeit" not typically done ?

Did you note the following from the doc?

"Finally, you will be prompted for the key password, which is the
password specifically for this Certificate (as opposed to any other
Certificates stored in the same keystore file). You MUST use the same
password here as was used for the keystore password itself. (Currently,
the keytool prompt will tell you that pressing the ENTER key does this
for you automatically.)"

Using a password other than "changeit" works properly in both 5.5 and
6.0.

 - Chuck



RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Ben Iggulden [mailto:ben@codefarm.com.au] 
> Subject: RE: https in Tomcat 5.5 via basic JKS keytool 
> keystore..not doing what it should !
> 
> Is this keystore password supposed to be changed as I have presumed
> (ensuring the same is used in the server.xml connector's keystorePass
> attribute as is used in generation) or is using anything other than
> "changeit" not typically done ?

Did you note the following from the doc?

"Finally, you will be prompted for the key password, which is the
password specifically for this Certificate (as opposed to any other
Certificates stored in the same keystore file). You MUST use the same
password here as was used for the keystore password itself. (Currently,
the keytool prompt will tell you that pressing the ENTER key does this
for you automatically.)"

Using a password other than "changeit" works properly in both 5.5 and
6.0.

 - Chuck



RE: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what it should !

Posted by Ben Iggulden <be...@codefarm.com.au>.
I've worked around the "java.io.IOException: Keystore was tampered with, or
password was incorrect" problem now and that was the cause of it all.

I can clear the problem by using the password "changeit" as I generate my
key, and by not using the keystorePass attribute on the connector in the
server.xml.

On Tomcat 4 I could override that password (I could "change it") in that way
and the documentation on 5.5 says I can do it the same way, but I'm not
seeing it work on Tomcat 5.5. 

Is this keystore password supposed to be changed as I have presumed
(ensuring the same is used in the server.xml connector's keystorePass
attribute as is used in generation) or is using anything other than
"changeit" not typically done ?



-----Original Message-----
From: Ben Iggulden [mailto:ben@codefarm.com.au] 
Sent: 06 July 2007 13:28
To: users@tomcat.apache.org
Subject: https in Tomcat 5.5 via basic JKS keytool keystore..not doing what
it should !