Posted to users@tomcat.apache.org by Andrea Freire <so...@hotmail.com> on 2010/08/26 20:07:47 UTC

A little trouble with SSL

I installed Tomcat 6 and all worked without problem, but I had to install SSL and then the problems started.
I tried to configure it using the module that connects Tomcat 6 with Apache, mod_jk, but the request was apparently not sent to the Apache server; it just redirects me to what is on port 80. When I put it on port 443 I get that it is not on the server. Once I got past the certificate I was redirected and got forbidden. Then I tried to implement it directly in Tomcat using a certificate made with openssl, then used the keytool tool to generate one. The first time I used it I did generate a certificate, but I put it in a .jks and it put it in another file beginning with "g". The second time it said that it already exists, an error code or a malformed key: keytool error: java.security.KeyStoreException: Alias [tomcat] already exists and DOES NOT IDENTIFY a Key Entry. I tried with the JDK keytool to install it, but the same mistakes followed me. In some cases I moved the keys, rebuilding the certificates and keys in the folder that I assign, $path$/keys, but I got the error malformed key.


Re: A little trouble with SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrea,

On 9/20/12 12:53 PM, Andrea Freire wrote:
> Christopher Schultz <chris <at> christopherschultz.net> writes:
>> 
>> Andrea,
>> 
>> On 8/29/2010 10:39 PM, Andrea Freire wrote:
>>> There are the configuration files.
>> 
>> Your attachments were stripped by the list. Please paste them
>> inline and try again.
>> 
>> -chris
>> 
> I know the answer is too late, but I want to post what I did.
> The problem was that I had not installed the Tomcat native library; I
> just followed the steps at the next link to install the library:
> http://tomcat.apache.org/native-doc/ You have to install this if
> you want to configure SSL directly in Tomcat. :D

tcnative is not required in order to configure SSL in Tomcat. It is
only required if you want to use OpenSSL with the APR connector to
configure SSL in Tomcat.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iEYEARECAAYFAlBdNqMACgkQ9CaO5/Lv0PCdWACeNEe1/vgwhwyVIe4PBUB13HPT
s8UAn1DCdWLb3es8QvPynf+MQtOfcd67
=oBsk
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: A little trouble with SSL

Posted by Andrea Freire <so...@hotmail.com>.
Christopher Schultz <chris <at> christopherschultz.net> writes:

> 
> 
> Andrea,
> 
> On 8/29/2010 10:39 PM, Andrea Freire wrote:
> > There are the configuration files.
> 
> Your attachments were stripped by the list. Please paste them inline and
> try again.
> 
> -chris
> 
I know the answer is too late, but I want to post what I did.
The problem was that I had not installed the Tomcat native library; I just followed
the steps at the next link to install the library:
http://tomcat.apache.org/native-doc/
You have to install this if you want to configure SSL directly in Tomcat. :D
Andrea





Re: A little trouble with SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrea,

On 8/29/2010 10:39 PM, Andrea Freire wrote:
> There are the configuration files.

Your attachments were stripped by the list. Please paste them inline and
try again.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkx/wxMACgkQ9CaO5/Lv0PBP8ACgh2V46cdChpwJ6lLRVkUYTLOi
y/QAn0M3y56LfbygPkO4By3cMX7kQXC7
=8RNS
-----END PGP SIGNATURE-----



RE: A little trouble with SSL

Posted by Andrea Freire <so...@hotmail.com>.

There are the configuration files.
I can see the .jsp files through Apache but only on port :80; when I put it on port :443 it only shows what is in Apache, not the .jsp or any servlet or application files. The .crt files for SSL work using this form (Tomcat with mod_jk with Apache) to redirect, but after the authentication a message appears that the location is forbidden.
I tried to implement SSL just for Tomcat but I have problems with keytool. I have 2 locations that manage this command; with both of them I create the cert, but later they show me errors when I try to delete or remake the certs. The first time that I implemented this form the browser showed me this message: ssl_error_rx_record_too_long. Someone told me that it could be the proxy (squid), but I put the port in the firewall to allow it to pass and stopped the proxy service, and the netstat -tln command showed me that the port of Tomcat with SSL was open.
Andrea 


> Date: Thu, 26 Aug 2010 14:35:44 -0400
> From: chris@christopherschultz.net
> To: users@tomcat.apache.org
> Subject: Re: A little trouble with SSL
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Andrea,
> 
> On 8/26/2010 2:07 PM, Andrea Freire wrote:
> > I install tomcat 6 and all works without problem, but I had to
> > install ssl then the problems started.
> 
> Looking below, you are using Apache httpd along with Tomcat. Would you
> like httpd to terminate the SSL connection, or do you want to make SSL
> connections directly to Tomcat?
> 
> > I tried to configure using the module that connect tomcat6 with 
> > apache mod_jk, but send me the request was apparently not the apache 
> > server just redirects me what is going to port 80, when I put on
> > port 443 I get that not on the server
> 
> I'm having a little trouble understanding. Please post your mod_jk
> configuration and the <Connectors> from Tomcat's server.xml.
> 
> Let's just start there and see how far we can get.
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkx2tAAACgkQ9CaO5/Lv0PBmSACePcBAiwsGMfyzyHWgA0DYPUxg
> qFIAoIdFnzrXENi+37ARSnB8fk1BAaCa
> =DbEQ
> -----END PGP SIGNATURE-----
> 
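Andrea's browser error above, ssl_error_rx_record_too_long, is what a TLS client reports when the bytes it receives do not parse as a TLS record: the usual cause is a port that answers in plain HTTP (a Tomcat connector without SSLEnabled="true", or httpd serving plain HTTP on 443), so the start of the HTTP response is read as a record header with an absurd length. The following is an added example, not code from the thread or from the Tomcat project, that decodes those first bytes the way a client does and classifies what the port actually spoke; the sample bytes are constructed, and the probe() host and port are assumptions.

```python
"""Decode the first bytes a TLS client receives and say what the port is speaking.

Added example, not part of the original thread. A TLS client reads a 5-byte
record header (content type, version major/minor, length) before anything
else. Plain HTTP on the port yields a nonsense header whose length exceeds the
maximum record size, which Firefox/NSS surfaces as ssl_error_rx_record_too_long.
"""
import socket
import ssl

TLS_CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                     22: "handshake", 23: "application_data"}
# TLS record limit: 2^14 bytes of plaintext plus up to 2048 bytes of expansion.
MAX_RECORD_LEN = 16384 + 2048

# Constructed samples: a plausible ServerHello record header (payload not decoded),
# and the start of the plaintext answer a non-SSL connector returns instead.
SAMPLE_TLS = bytes([0x16, 0x03, 0x03, 0x00, 0x4A]) + b"\x02" * 74
SAMPLE_HTTP = b"HTTP/1.1 400 Bad Request\r\nServer: Apache-Coyote/1.1\r\n"


def decode_record_header(first_bytes):
    """Interpret the first five bytes as (content_type, major, minor, length)."""
    if len(first_bytes) < 5:
        raise ValueError("need at least 5 bytes to read a TLS record header")
    ctype, major, minor = first_bytes[0], first_bytes[1], first_bytes[2]
    length = int.from_bytes(first_bytes[3:5], "big")
    return ctype, major, minor, length


def record_too_long(first_bytes):
    """True when these bytes would trip a client's record-length check."""
    return decode_record_header(first_bytes)[3] > MAX_RECORD_LEN


def classify(first_bytes):
    """Return 'tls', 'plaintext-http' or 'unknown' for what a client received first."""
    try:
        ctype, major, _minor, length = decode_record_header(first_bytes)
    except ValueError:
        return "unknown"
    if ctype in TLS_CONTENT_TYPES and major == 3 and length <= MAX_RECORD_LEN:
        return "tls"
    # 'HTTP/' decodes to type 0x48, version 0x5454, length 0x502F = 20527 bytes.
    if first_bytes.startswith(b"HTTP/") or first_bytes.lstrip().startswith(b"<"):
        return "plaintext-http"
    return "unknown"


def probe(host, port, timeout=5.0):
    """Try a TLS handshake against host:port; if it fails, show what the port
    really answers to a plaintext request. Host and port are assumptions and
    this function is only run when called explicitly."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # we only ask whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls", tls.version().encode()
    except (ssl.SSLError, OSError):
        pass
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        first = raw.recv(64)
    return classify(first), first


if __name__ == "__main__":
    for label, sample in (("tls", SAMPLE_TLS), ("http", SAMPLE_HTTP)):
        print(label, classify(sample), decode_record_header(sample))
```

If probe("localhost", 8443) comes back as plaintext-http, the connector on that port is missing SSLEnabled="true" (or the wrong connector is bound there), which matches the error regardless of any proxy or firewall in between.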

Re: A little trouble with SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrea,

Please keep discussions on the mailing list.

On 8/26/2010 5:19 PM, Andrea Freire wrote:
> I pass you my configuration, go ahead

It looks like you have not configured Apache httpd for SSL. Did you want
to have SSL terminate at Apache httpd or at Tomcat?

> <Connector className="org.apache.tomcat.service.PoolTcpConnector">
> <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
> <Parameter name="port" value="6443"/>
> <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
> <Parameter name="keystore" value="/root/.keystore" />
> <Parameter name="keypass" value="my_key_forsecurityreasonsInotputit"/>
> <Parameter name="clientAuth" value="false"/>
> </Connector>

That's a weird <Connector> configuration. Where did you get this example?

I note you're trying to use a keystore in /root/.keystore... it's
generally not a good idea to run Tomcat as root, and it's generally not
a good idea to allow /root to be world-readable. From the above
configuration, I suspect you are running Tomcat as root: seriously
consider running Tomcat as a non-privileged user.

There's a perfectly good SSL connector configuration listed already in
server.xml (though it's commented-out):

>     <!-- Define a SSL HTTP/1.1 Connector on port 8443
>          This connector uses the JSSE configuration, when using APR, the 
>          connector should be using the OpenSSL style configuration
>          described in the APR documentation -->
>     <!-- 
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
>    --> 

You just need to uncomment this and add the following attributes:

keystoreFile (note that your attribute was "keystore",
              not "keystorefile")
keystorePass

Please see http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html for
reference.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkx36y0ACgkQ9CaO5/Lv0PBsOACfeKqk+2V7sKVtGytEboZG9ESx
+hkAoJWJwwfElvvst+FCwZj3w3crWYN+
=94gF
-----END PGP SIGNATURE-----

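To make Chris's points above concrete, here is an added example, not code from the thread or from the Tomcat project, that lints a Tomcat 6 HTTPS <Connector> before the server is restarted. It carries the connector Andrea posted (Tomcat 3-style <Parameter> children, keystore under /root, attributes named keystore/keypass), the commented-out server.xml connector with the two attributes Chris names added, and the APR/OpenSSL-style connector that actually requires tcnative. The keystore and certificate paths under /etc/tomcat6 and the finding texts are this example's own assumptions.

```python
"""Lint a Tomcat 6 HTTPS <Connector> element for the mistakes discussed in the thread.

Added example, not from the thread or the Tomcat project. Paths under /etc/tomcat6
are illustrative assumptions.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Connector as posted in the thread (password placeholder kept verbatim).
POSTED = """<Connector className="org.apache.tomcat.service.PoolTcpConnector">
  <Parameter name="handler" value="org.apache.tomcat.service.http.HttpConnectionHandler"/>
  <Parameter name="port" value="6443"/>
  <Parameter name="socketFactory" value="org.apache.tomcat.net.SSLSocketFactory"/>
  <Parameter name="keystore" value="/root/.keystore"/>
  <Parameter name="keypass" value="my_key_forsecurityreasonsInotputit"/>
  <Parameter name="clientAuth" value="false"/>
</Connector>"""

# server.xml's commented-out JSSE connector plus keystoreFile / keystorePass.
JSSE_FIXED = """<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
  maxThreads="150" scheme="https" secure="true" clientAuth="false"
  sslProtocol="TLS" keystoreFile="/etc/tomcat6/keystore.jks"
  keystorePass="changeit"/>"""

# The APR connector: OpenSSL-style PEM files, and this one does need tcnative.
APR_PROTOCOL = "org.apache.coyote.http11.Http11AprProtocol"
APR_FIXED = """<Connector port="8443" protocol="org.apache.coyote.http11.Http11AprProtocol"
  SSLEnabled="true" maxThreads="150" scheme="https" secure="true"
  SSLCertificateFile="/etc/tomcat6/server.crt"
  SSLCertificateKeyFile="/etc/tomcat6/server.key"/>"""

# Attribute names from the posted config that Tomcat 6 silently ignores.
RENAMED = {"keystore": "keystoreFile", "keypass": "keystorePass"}


def lint_connector(xml_text):
    """Return a list of findings for one <Connector>; empty means it looks sane."""
    el = ET.fromstring(xml_text)
    attrs = dict(el.attrib)
    findings = []
    # Tomcat 6 configures connectors through attributes; nested <Parameter>
    # elements come from Tomcat 3 and are ignored, so fold them in for checking.
    for p in el.findall("Parameter"):
        findings.append("nested <Parameter name=%r> is ignored by Tomcat 6; "
                        "use a Connector attribute" % p.get("name"))
        attrs.setdefault(p.get("name"), p.get("value"))
    if el.get("className"):
        findings.append("className= is Tomcat 3 syntax; Tomcat 6 uses protocol=")
    if attrs.get("SSLEnabled") != "true":
        findings.append('SSLEnabled="true" missing: the port answers plaintext HTTP, '
                        "which browsers report as ssl_error_rx_record_too_long")
    for wrong, right in RENAMED.items():
        if wrong in attrs:
            findings.append("attribute %r is not recognised; the Tomcat 6 name is %r"
                            % (wrong, right))
    if attrs.get("protocol") == APR_PROTOCOL:
        for needed in ("SSLCertificateFile", "SSLCertificateKeyFile"):
            if needed not in attrs:
                findings.append("APR connector needs %s (and tcnative installed)" % needed)
    else:
        for needed in ("keystoreFile", "keystorePass"):
            if needed not in attrs:
                findings.append("JSSE connector needs %s" % needed)
    for key in ("keystoreFile", "keystore", "SSLCertificateKeyFile"):
        path = attrs.get(key)
        if path and (path == "/root" or path.startswith("/root/")):
            findings.append("%s=%r lives under /root: Tomcat would have to run as root, "
                            "or /root would have to be readable by the tomcat user"
                            % (key, path))
    return findings


def unsafe_keystore_mode(mode):
    """True when permission bits let group or others read the private key file."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRGRP | stat.S_IROTH))


def keystore_permission_findings(path):
    """Check the keystore on disk: only the (non-root) Tomcat user should read it."""
    st = os.stat(path)
    if unsafe_keystore_mode(st.st_mode):
        return ["%s is readable by group/others (mode %o); chmod 600 it and chown "
                "it to the tomcat user" % (path, stat.S_IMODE(st.st_mode))]
    return []


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("jsse", JSSE_FIXED), ("apr", APR_FIXED)):
        print(label, lint_connector(text) or "OK")
```

Run it against the connector from server.xml after editing; an empty list for the JSSE form means the attributes Chris lists are present and the keystore is somewhere a non-root Tomcat user can be given read access, with mode 600 as the permission check expects.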


Re: A little trouble with SSL

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Andrea,

On 8/26/2010 2:07 PM, Andrea Freire wrote:
> I install tomcat 6 and all works without problem, but I had to
> install ssl then the problems started.

Looking below, you are using Apache httpd along with Tomcat. Would you
like httpd to terminate the SSL connection, or do you want to make SSL
connections directly to Tomcat?

> I tried to configure using the module that connect tomcat6 with 
> apache mod_jk, but send me the request was apparently not the apache 
> server just redirects me what is going to port 80, when I put on
> port 443 I get that not on the server

I'm having a little trouble understanding. Please post your mod_jk
configuration and the <Connectors> from Tomcat's server.xml.

Let's just start there and see how far we can get.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkx2tAAACgkQ9CaO5/Lv0PBmSACePcBAiwsGMfyzyHWgA0DYPUxg
qFIAoIdFnzrXENi+37ARSnB8fk1BAaCa
=DbEQ
-----END PGP SIGNATURE-----
