Posted to users@tomcat.apache.org by mandg <gs...@federatedinv.com> on 2012/01/19 00:09:13 UTC

Is SSL keystore with AJP connector possible?

I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been
asked to set up SSL. Looking at the server.xml file, I see that the AJP/1.3
connector is configured and not APR.  Like a good newbie that I am with
Tomcat, I followed the Tomcat instructions for configuring SSL. However, the
docs seemed to step me through the steps for an APR-type connector, not AJP,
since I had specified a keystore and passphrase. When I reviewed the AJP
connector documentation, I didn't find any attributes to specify for the
keystore and passphrase.

So my question is, can I use a keystore for the AJP type of connector? And
if so, are there any good tutorials out there that can walk me through it?

If not, can I simply edit out the AJP connector in my server.xml file and
edit in the APR connector? Or will that somehow break the site/application
that's running on Tomcat?

--
View this message in context: http://tomcat.10.n6.nabble.com/Is-SSL-keystore-with-AJP-connector-possible-tp3814537p3814537.html
Sent from the Tomcat - User mailing list archive at Nabble.com.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Is SSL keystore with AJP connector possible?

Posted by André Warnier <aw...@ice-sa.com>.
mandg wrote:
> Well, there is the AJP connector but I gather that shouldn't matter - here's
> the full server.xml:
> 
> <?xml version='1.0' encoding='utf-8'?>
> 
> <Server port="8005" shutdown="SHUTDOWN">
> 
>   <Listener className="org.apache.catalina.core.AprLifecycleListener"
>             SSLEngine="on" />
>   <Listener className="org.apache.catalina.core.JasperListener" />
>   <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
>   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />
> 
>   <GlobalNamingResources>
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>               description="User database that can be updated and saved"
>               factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
>               pathname="conf/tomcat-users.xml" />
>   </GlobalNamingResources>
> 
>   <Service name="Catalina">
> 
>     <Connector port="8080" protocol="HTTP/1.1"
>                connectionTimeout="20000"
>                redirectPort="8443" />
> 
>     <Connector port="8443" maxThreads="200"
>                scheme="https" secure="true" SSLEnabled="true"
>                SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
>                SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
>                clientAuth="false" SSLProtocol="TLSv1"/>
> 
>     <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
> 
>     <Engine name="Catalina" defaultHost="localhost">
> 
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>              resourceName="UserDatabase"/>
> 
>       <Host name="localhost"  appBase="webapps"
>             unpackWARs="true" autoDeploy="true"
>             xmlValidation="false" xmlNamespaceAware="false">
>       </Host>
>     </Engine>
>   </Service>
> </Server>
> 
> 
> --

You are right, it does not /look/ like you have two Tomcat Connectors trying to listen on 
the same port 8443.
The error message is quite explicit about the error, however, and it usually does not lie.
So something does not fit.

My guess at this point is that you /do/ have something else which opens port 8443, and you 
just overlooked it.
I can't prove that though, since you are on your machine and I am not.





Re: Is SSL keystore with AJP connector possible?

Posted by mandg <gs...@federatedinv.com>.
Well, there is the AJP connector but I gather that shouldn't matter - here's
the full server.xml:

<?xml version='1.0' encoding='utf-8'?>

<Server port="8005" shutdown="SHUTDOWN">

  <Listener className="org.apache.catalina.core.AprLifecycleListener"
            SSLEngine="on" />
  <Listener className="org.apache.catalina.core.JasperListener" />
  <Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />
  <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener" />
  <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener" />

  <GlobalNamingResources>
    <Resource name="UserDatabase" auth="Container"
              type="org.apache.catalina.UserDatabase"
              description="User database that can be updated and saved"
              factory="org.apache.catalina.users.MemoryUserDatabaseFactory"
              pathname="conf/tomcat-users.xml" />
  </GlobalNamingResources>

  <Service name="Catalina">

    <Connector port="8080" protocol="HTTP/1.1"
               connectionTimeout="20000"
               redirectPort="8443" />

    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
               SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
               clientAuth="false" SSLProtocol="TLSv1"/>

    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />

    <Engine name="Catalina" defaultHost="localhost">

      <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
             resourceName="UserDatabase"/>

      <Host name="localhost"  appBase="webapps"
            unpackWARs="true" autoDeploy="true"
            xmlValidation="false" xmlNamespaceAware="false">
      </Host>
    </Engine>
  </Service>
</Server>




Re: Is SSL keystore with AJP connector possible?

Posted by André Warnier <aw...@ice-sa.com>.
mandg wrote:
> Thanks guys- that was all good info. So I gather now that I'll leave the AJP
> connector configuration alone and instead focus on getting the APR piece to
> work for SSL - I do in fact have the tcnative-1.dll file present in my /bin
> directory so I'm pretty confident now that my server is invoking the APR
> connector and not the JSSE. Thus, the keystore attributes I was originally
> using were not relevant. Here is my current connector config from the
> server.xml:
> 
>     <Connector port="8443" maxThreads="200"
>                scheme="https" secure="true" SSLEnabled="true"
>                SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
>                SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
>                clientAuth="false" SSLProtocol="TLSv1"/>
> 
> However, when I start up Tomcat (installed as a service), I see the 2 errors
> below in my tomcat6-stderr log file:
> 
>          SEVERE: Failed to start connector [Connector[HTTP/1.1-8443]]
>         LifecycleException:  service.getName(): "Catalina";  Protocol
> handler start failed: java.lang.Exception: Socket bind failed: [730048] Only
> one usage of each socket address (protocol/network address/port) is normally
> permitted.  
> 
> I have verified that there's nothing else listening on 8443 using netstat
> and tcpview prior to starting Tomcat. Is it possible that the xml is trying
> to start up a duplicate instance on 8443?
> 

Well, apart from the one you show above, do you have any other non-commented-out 
<Connector> sections in your server.xml file ?



Re: Is SSL keystore with AJP connector possible?

Posted by Bilal S <bi...@gmail.com>.
If you are running Windows, have you tried connecting to IIS via HTTPS and
then via AJP to Tomcat?
I find that this is a much easier solution than trying to configure HTTPS on
Tomcat or Apache httpd.

Re: Is SSL keystore with AJP connector possible?

Posted by mandg <gs...@federatedinv.com>.
Hi Ryan- in my case, it turned out that the SSL settings were configured in
another part of the application - HP Service Center in this case. The
server.xml file is still using the AJP connector.  I know that doesn't help
you much here, though, unless you're using the same app.



Re: Is SSL keystore with AJP connector possible?

Posted by mandg <gs...@federatedinv.com>.
Good questions about the application - I really don't know, so I've passed
this on to the consultants doing the install. I think there is something
related to the application, because when I specified https port 8444 in place
of 8443 within the connector I got the same error message on startup.

Thanks and I'll keep this updated as I learn more.



Re: Is SSL keystore with AJP connector possible?

Posted by Pid <pi...@pidster.com>.
On 19/01/2012 05:29, mandg wrote:
> handler start failed: java.lang.Exception: Socket bind failed: [730048] Only
> one usage of each socket address (protocol/network address/port) is normally
> permitted.  

Is there an existing version of the application already running?

Does the application bind to a socket too?


p



Re: Is SSL keystore with AJP connector possible?

Posted by mandg <gs...@federatedinv.com>.
Thanks guys- that was all good info. So I gather now that I'll leave the AJP
connector configuration alone and instead focus on getting the APR piece to
work for SSL - I do in fact have the tcnative-1.dll file present in my /bin
directory so I'm pretty confident now that my server is invoking the APR
connector and not the JSSE. Thus, the keystore attributes I was originally
using were not relevant. Here is my current connector config from the
server.xml:

    <Connector port="8443" maxThreads="200"
               scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="$CATALINA_HOME/webapps/keystore/hpsmprod.crt"
               SSLCertificateKeyFile="$CATALINA_HOME/webapps/keystore/hpsmprod.pem"
               clientAuth="false" SSLProtocol="TLSv1"/>

However, when I start up Tomcat (installed as a service), I see the 2 errors
below in my tomcat6-stderr log file:

         SEVERE: Failed to start connector [Connector[HTTP/1.1-8443]]
        LifecycleException:  service.getName(): "Catalina";  Protocol
handler start failed: java.lang.Exception: Socket bind failed: [730048] Only
one usage of each socket address (protocol/network address/port) is normally
permitted.  

I have verified that there's nothing else listening on 8443 using netstat
and tcpview prior to starting Tomcat. Is it possible that the xml is trying
to start up a duplicate instance on 8443?

Thanks again for your time.




Re: Is SSL keystore with AJP connector possible?

Posted by Rainer Jung <ra...@kippdata.de>.
On 19.01.2012 00:09, mandg wrote:
> I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been
> asked to setup SSL. Looking at the server.xml file, I see that the AJP/1.3
> connector is configured and not APR.  Like a good newbie that I am with
> Tomcat, I followed the Tomcat instructions for configuring SSL. However, the
> docs seemed to step me through the steps for an APR-type connector, not AJP
> since I had specified a keystore and passphrase. When I reviewed the AJP
> connector documentation, I didn't find any attributes to specify for the
> keystore and passphrase.
>
> So my question is, can I use a keystore for the AJP type of connector? And
> if so, are there any good tutorials out there that can walk me through it.
>
> If not, can I simply edit out the AJP connector in my server.xml file and
> edit in the APR connector? Or will that somehow break the site/application
> that's running on Tomcat?

Note that AJP is a protocol and APR is an implementation type. Tomcat 
supports HTTP, HTTPS and AJP as protocols, and BIO, NIO and APR as the 
implementation. Tomcat 7 supports all combinations, Tomcat 6 all 
combinations except for AJP/NIO.

AJP is an unencrypted protocol. So configuring SSL, keystore etc. for an 
AJP connector does not make sense. This is true for any AJP 
implementation, be it BIO, NIO or APR.

HTH!

Rainer
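Two things in this thread can be checked mechanically from server.xml: André's question whether any other non-commented-out Connector claims port 8443, and Rainer's point that keystore or SSL attributes on an AJP connector are meaningless because AJP is unencrypted. The script below is an added example, not code from the thread or from the Tomcat project; it parses a server.xml with the standard library (XML comments are dropped by the parser, so a commented-out connector is correctly ignored), reports ports bound by more than one element, flags SSL attributes on AJP connectors, and notes AJP connectors with no address attribute, which listen on every interface although AJP assumes a private network. The embedded server.xml is constructed for the example: it follows the poster's layout and adds one extra AJP connector that misuses port 8443 and keystore attributes so that every check fires.

```python
"""Audit a Tomcat server.xml for port collisions and SSL attributes on AJP.

Added example; not part of the mailing-list thread or of Tomcat itself.
"""
import xml.etree.ElementTree as ET

# Attributes that only have meaning on an HTTPS-capable HTTP connector.
SSL_ATTRS = {
    "keystoreFile", "keystorePass", "keystoreType",                # JSSE (pure Java)
    "SSLCertificateFile", "SSLCertificateKeyFile", "SSLPassword",  # APR / OpenSSL
    "SSLEnabled", "SSLProtocol",
}

# Constructed sample: the poster's layout plus a deliberately wrong AJP
# connector (reuses 8443, carries keystore attributes) to exercise the checks.
SAMPLE_SERVER_XML = """<?xml version='1.0' encoding='utf-8'?>
<Server port="8005" shutdown="SHUTDOWN">
  <Listener className="org.apache.catalina.core.AprLifecycleListener" SSLEngine="on" />
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" connectionTimeout="20000" redirectPort="8443" />
    <Connector port="8443" maxThreads="200" scheme="https" secure="true" SSLEnabled="true"
               SSLCertificateFile="conf/hpsmprod.crt" SSLCertificateKeyFile="conf/hpsmprod.pem"
               clientAuth="false" SSLProtocol="TLSv1"/>
    <!-- <Connector port="8443" protocol="HTTP/1.1" /> commented out: the parser ignores it -->
    <Connector port="8009" protocol="AJP/1.3" redirectPort="8443" />
    <Connector port="8443" protocol="AJP/1.3" keystoreFile="conf/keystore" keystorePass="changeit" />
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps" />
    </Engine>
  </Service>
</Server>
"""


def audit_server_xml(xml_text):
    """Return a list of (severity, message) findings for a server.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    bound = {}  # port -> descriptions of every element that binds it

    # The <Server> shutdown port is a listener too, so it takes part in collisions.
    shutdown_port = root.get("port")
    if shutdown_port:
        bound.setdefault(shutdown_port, []).append("Server shutdown port")

    for connector in root.iter("Connector"):
        port = connector.get("port", "?")
        protocol = connector.get("protocol", "HTTP/1.1")  # Tomcat's default protocol
        desc = "%s connector on port %s" % (protocol, port)
        bound.setdefault(port, []).append(desc)

        if protocol.startswith("AJP"):
            ssl_attrs = sorted(SSL_ATTRS & set(connector.attrib))
            if ssl_attrs:
                findings.append(("warning",
                    "%s carries SSL attributes %s; AJP is unencrypted, so they do "
                    "nothing. Terminate TLS on the front end or on an HTTP connector."
                    % (desc, ssl_attrs)))
            if "address" not in connector.attrib:
                findings.append(("info",
                    "%s has no address attribute and listens on all interfaces; "
                    "AJP assumes a private network, so bind it or firewall it." % desc))

    for port, users in bound.items():
        if len(users) > 1:
            findings.append(("error",
                "port %s is bound by more than one element: %s" % (port, "; ".join(users))))
    return findings


if __name__ == "__main__":
    for severity, message in audit_server_xml(SAMPLE_SERVER_XML):
        print("%-8s %s" % (severity.upper(), message))
```

Run it against a real server.xml by reading the file into `audit_server_xml`; a clean configuration such as the one posted in this thread produces at most the informational note about the unbound AJP connector, and the "Socket bind failed" error then has to come from a process outside Tomcat, which is where the thread ended up.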




RE: Is SSL keystore with AJP connector possible?

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: mandg [mailto:gscanga@federatedinv.com] 
> Subject: Is SSL keystore with AJP connector possible?

> I see that the AJP/1.3 connector is configured and not APR.

APR will be used automatically for HTTP <Connector>s if the tcnative-1.dll file is found in Tomcat's bin directory and the APR listener is present in server.xml (which it is by default).

> I followed the Tomcat instructions for configuring SSL.

There are two sets of instructions for configuring SSL; one for APR, another for the pure Java ones.  The two configurations are completely different.

> can I use a keystore for the AJP type of connector?

SSL cannot be configured for AJP, since the expectation is that anything talking to Tomcat via AJP is doing so over a private, secure network.  If you are using a front end (e.g., httpd, IIS) communicating via AJP with Tomcat, the SSL termination point would normally be in the front end, not within Tomcat.

Read the <Connector> documentation first, then the SSL doc.

http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
http://tomcat.apache.org/tomcat-6.0-doc/apr.html#HTTPS

 - Chuck
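The two SSL configurations Chuck refers to look nothing alike, and which one Tomcat 6 applies depends on whether tcnative-1.dll is found at startup unless the protocol attribute pins the implementation. The fragment below is an added example, not from this thread or from the Tomcat documentation: it shows a JSSE (pure Java) HTTPS connector and an APR HTTPS connector, each with its implementation named explicitly, and an AJP connector bound to loopback so that only a front end on the same machine can reach it. Only one of the two HTTPS connectors may be active on the same port, so the APR one is commented out; file paths, ports and the keystore password are placeholders.

```xml
<!-- Added example: connector fragments for a Tomcat 6 server.xml.
     Replace the placeholder paths and password with your own values. -->
<Service name="Catalina">

  <!-- JSSE (pure Java) HTTPS. The protocol attribute pins the BIO HTTP
       implementation, so this connector keeps working whether or not
       tcnative-1.dll is present. Keystore attributes belong here, not on AJP. -->
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11Protocol"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="200" clientAuth="false" sslProtocol="TLS"
             keystoreFile="conf/PLACEHOLDER-keystore.jks"
             keystorePass="PLACEHOLDER-password" />

  <!-- APR (OpenSSL) HTTPS alternative: PEM certificate and key files instead of
       a keystore, and the SSLProtocol attribute spelled in upper case.
       Activate this one instead of the JSSE connector above, never both on
       the same port, or startup fails with a socket bind error. -->
  <!--
  <Connector port="8443"
             protocol="org.apache.coyote.http11.Http11AprProtocol"
             SSLEnabled="true" scheme="https" secure="true"
             maxThreads="200" clientAuth="false" SSLProtocol="TLSv1"
             SSLCertificateFile="conf/PLACEHOLDER-server.crt"
             SSLCertificateKeyFile="conf/PLACEHOLDER-server.key" />
  -->

  <!-- AJP carries no SSL attributes at all. A front end (httpd or IIS)
       terminates TLS and forwards over AJP; binding to loopback keeps the
       unencrypted AJP port off the network. -->
  <Connector port="8009" protocol="AJP/1.3"
             address="127.0.0.1" redirectPort="8443" />

</Service>
```

If the front end runs on a different host, replace the loopback address with the interface facing that host and restrict the port at the firewall, since the AJP connector itself offers no transport protection.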






Re: Is SSL keystore with AJP connector possible?

Posted by Igor Cicimov <ic...@gmail.com>.
On Thu, Jan 19, 2012 at 10:09 AM, mandg <gs...@federatedinv.com> wrote:

> I'm working on Apache Tomcat/6.0.33 running in Windows 2003 and have been
> asked to setup SSL. Looking at the server.xml file, I see that the AJP/1.3
> connector is configured and not APR.  Like a good newbie that I am with
> Tomcat, I followed the Tomcat instructions for configuring SSL. However,
> the
> docs seemed to step me through the steps for an APR-type connector, not AJP
> since I had specified a keystore and passphrase. When I reviewed the AJP
> connector documentation, I didn't find any attributes to specify for the
> keystore and passphrase.
>
> So my question is, can I use a keystore for the AJP type of connector? And
> if so, are there any good tutorials out there that can walk me through it.
>
> If not, can I simply edit out the AJP connector in my server.xml file and
> edit in the APR connector? Or will that somehow break the site/application
> that's running on Tomcat?
>
>
Maybe this will help:

http://www.mulesoft.com/tomcat-ssl

read PART II - Configuring Tomcat to use SSL

basically it says:

> Notice that if you are using APR, the "SSLCertificateFile" and
> "SSLCertificateKey"-type attributes are used in place of the keystoreFile
> attribute.  For more information on the differences between using APR in
> place of JSSE, consult Apache's Tomcat APR Documentation
> <http://tomcat.apache.org/tomcat-6.0-doc/apr.html>.



Igor