Posted to users@tomcat.apache.org by Michael Casale <mc...@knoa.com> on 2006/11/07 23:11:19 UTC
SSL not working on Tomcat
Howdy all,
I'm struggling through setting up Tomcat with SSL on a Windows 2003
server, and even when I get the server running, with no errors in the
logs when restarting the tomcat service, all I get is a "Page Not Found"
error when I point to the ssl port on the server. Pointing to the
default connector on port 8080 works fine.
Here's a little background:
1. Using keytool, I created a certificate request, sent it off to
Geotrust, and purchased a cert to import. It was emailed to me.
2. Following the recommendations of Geotrust
(http://www.geocerts.com/support/install/install_tomcat.php), I
downloaded their root cert, imported it, converted their cert to DER
format (on a separate Linux box), and imported it into the keystore.
3. I restarted the Tomcat service with no errors, see the connector
started on port 8443:
Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8080
Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
INFO: Initializing Coyote HTTP/1.1 on http-8443
Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load
INFO: Initialization processed in 812 ms
Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start
INFO: Starting service Catalina
Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start
INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start
INFO: XML validation disabled
Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8080
Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
INFO: Starting Coyote HTTP/1.1 on http-8443
Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:8009
Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/31 config=null
Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load
INFO: Find registry server-registry.xml at classpath resource
Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
INFO: Server startup in 1203 ms
Now, opening any page on the server at http://servername:8080 works fine,
but https://servername:8443 doesn't work. All ports are opened through
the firewall, etc. Same for https://localhost:8443.
Here is the server.xml file entry for the connector:
<Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
port="8443" minProcessors="5" maxProcessors="20"
enableLookups="true" disableUploadTimeout="true"
acceptCount="100" debug="0" scheme="https" secure="true"
sslProtocol="TLS"
keystoreFile="c:\files\tomcat"
keystorePass="THEPASS"/>
According to the Tomcat SSL documentation, I need to have the root cert
and the purchased cert in the keystore file, and I need to use the
keyAlias to tell Tomcat which one to use. But whenever I add in the
keyAlias entry it gives me the "Alias name tomcat does not identify a
key entry" error in the logs.
If I could find out how to enable better logging I may be able to
troubleshoot this further.
Thanks for any help!
Michael Casale
Systems Administrator / IT Manager
Knoa Software
mcasale@knoa.com
Ph. (212) 807-9608 ext. 6000
Fax (212) 675-6121
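The "does not identify a key entry" error above is what JSSE reports when keyAlias names an entry that holds only a certificate. The shell function below is added here (it is not part of the thread) and classifies an alias from "keytool -list" output; the sample listing, alias names and fingerprints are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Tomcat's keyAlias must name a KEY
# entry: the key pair the CSR was generated from, with the CA-signed cert
# imported under that same alias. Importing the purchased cert under a
# fresh alias with "keytool -import" creates a trusted-certificate entry
# only (no private key), and JSSE then reports
# "Alias name <alias> does not identify a key entry".

# Constructed "keytool -list" output; aliases and fingerprints are made up.
# JDK 1.5 prints "keyEntry", later JDKs print "PrivateKeyEntry".
SAMPLE_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 3 entries

geotrustroot, Nov 7, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
tomcat, Nov 7, 2006, trustedCertEntry,
Certificate fingerprint (MD5): 11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00
server, Nov 7, 2006, keyEntry,
Certificate fingerprint (MD5): 22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00:11'

# alias_type LISTING ALIAS -> prints key | trustedcert | missing
alias_type() {
    line=$(printf '%s\n' "$1" | grep -i -- "^$2, " || true)
    case "$line" in
        *keyEntry*|*PrivateKeyEntry*) echo key ;;
        *trustedCertEntry*)           echo trustedcert ;;
        *)                            echo missing ;;
    esac
}

# check_key_alias LISTING ALIAS -> 0 if ALIAS is usable as keyAlias,
# 1 if it is a certificate-only entry, 2 if it is absent.
check_key_alias() {
    case "$(alias_type "$1" "$2")" in
        key)         echo "$2: key entry, usable as keyAlias"; return 0 ;;
        trustedcert) echo "$2: trusted cert only, no private key" >&2; return 1 ;;
        *)           echo "$2: not present in keystore" >&2; return 2 ;;
    esac
}

# Against a real keystore (path and password taken from the server.xml above):
# check_key_alias "$(keytool -list -keystore c:/files/tomcat -storepass THEPASS)" tomcat
```

If the alias comes back as trustedcert, the fix is to import the CA-signed certificate under the alias of the original key pair rather than under a new one.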
Re: SSL not working on Tomcat
Posted by Martin Gainty <mg...@hotmail.com>.
Michael comments prefixed with Re>
> Howdy all,
> I'm struggling through setting up Tomcat with SSL on a Windows 2003
> server, and even when I get the server running, with no errors in the
> logs when restarting the tomcat service, all I get is a "Page Not Found"
> error when I point to the ssl port on the server. Pointing to the
> default connector on port 8080 works fine.
> Here's a little background:
> 1. Using keytool, I created a certificate request, sent it off to
> Geotrust, and purchased a cert to import. It was emailed to me.
> 2. Following the recommendations of Geotrust
> (http://www.geocerts.com/support/install/install_tomcat.php), I
> downloaded their root cert, imported it, converted their cert to DER
> format (on a separate Linux box), and imported it into the keystore.
> 3. I restarted the Tomcat service with no errors, see the connector
> started on port 8443:
> Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8080
> Nov 7, 2006 4:55:35 PM org.apache.coyote.http11.Http11BaseProtocol init
> INFO: Initializing Coyote HTTP/1.1 on http-8443
> Nov 7, 2006 4:55:35 PM org.apache.catalina.startup.Catalina load
> INFO: Initialization processed in 812 ms
> Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardService start
> INFO: Starting service Catalina
> Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardEngine start
> INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
> Nov 7, 2006 4:55:35 PM org.apache.catalina.core.StandardHost start
> INFO: XML validation disabled
> Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8080
> Nov 7, 2006 4:55:36 PM org.apache.coyote.http11.Http11BaseProtocol start
> INFO: Starting Coyote HTTP/1.1 on http-8443
> Nov 7, 2006 4:55:37 PM org.apache.jk.common.ChannelSocket init
> INFO: JK: ajp13 listening on /0.0.0.0:8009
> Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain start
> INFO: Jk running ID=0 time=0/31 config=null
> Nov 7, 2006 4:55:37 PM org.apache.catalina.storeconfig.StoreLoader load
> INFO: Find registry server-registry.xml at classpath resource
> Nov 7, 2006 4:55:37 PM org.apache.catalina.startup.Catalina start
> INFO: Server startup in 1203 ms
> Now, opening any page on the server at http://servername:8080 works fine,
> but https://servername:8443 doesn't work. All ports are opened through
> the firewall, etc. Same for https://localhost:8443.
> Here is the server.xml file entry for the connector:
> <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
> port="8443" minProcessors="5" maxProcessors="20"
> enableLookups="true" disableUploadTimeout="true"
> acceptCount="100" debug="0" scheme="https" secure="true"
> sslProtocol="TLS"
> keystoreFile="c:\files\tomcat"
> keystorePass="THEPASS"/>
MG> Could you check to see if the keystoreFile is called tomcat and is located in C:\files?
MG> Out of curiosity, which JVM are you using, Sun or IBM? This changes the values assigned to sslProtocol and algorithm.
MG>http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html
MG>M-
> Michael Casale
> Systems Administrator / IT Manager
> Knoa Software
> mcasale@knoa.com
> Ph. (212) 807-9608 ext. 6000
> Fax (212) 675-6121
Re: SSL not working on Tomcat
Posted by Dhiraj Ramakrishnan <st...@gmail.com>.
Hi,
According to you, one of the steps that you did was,
"I downloaded their root cert, imported it, converted their cert to DER
format (on a separate Linux box), and imported it into the keystore."
You seem to be running your application on a Windows box.
Can that be the reason why your key is not working properly?
Thanks
Dhiraj Ramakrishnan
On 11/8/06, Caldarale, Charles R <Ch...@unisys.com> wrote:
>
> > From: Michael Casale [mailto:mcasale@knoa.com]
> > Subject: SSL not working on Tomcat
> >
> > I'm struggling through setting up Tomcat with SSL on a Windows 2003
> > server, and even when I get the server running, with no errors in the
> > logs when restarting the tomcat service, all I get is a "Page
> > Not Found" error when I point to the ssl port on the server.
>
> Depending on how you installed Tomcat, you may have also gotten the
> native connector, aka APR. Its SSL configuration is different from the
> traditional Tomcat connector. Look here for details:
> http://tomcat.apache.org/tomcat-5.5-doc/apr.html
>
> Regardless, you probably want to move up to a more recent level.
>
> - Chuck
RE: SSL not working on Tomcat
Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Michael Casale [mailto:mcasale@knoa.com]
> Subject: SSL not working on Tomcat
>
> I'm struggling through setting up Tomcat with SSL on a Windows 2003
> server, and even when I get the server running, with no errors in the
> logs when restarting the tomcat service, all I get is a "Page
> Not Found" error when I point to the ssl port on the server.
Depending on how you installed Tomcat, you may have also gotten the
native connector, aka APR. Its SSL configuration is different from the
traditional Tomcat connector. Look here for details:
http://tomcat.apache.org/tomcat-5.5-doc/apr.html
Regardless, you probably want to move up to a more recent level.
- Chuck
Re: SSL not working on Tomcat
Posted by Mark Eggers <it...@yahoo.com>.
Did you try this with Firefox? IE has some problems
with no-cache in the header or as a pragma. Later
versions of Tomcat 5.5 set this.
There is a mailing list thread concerning this:
http://marc.theaimsgroup.com/?t=111806756600008&r=1&w=2
along with some solutions.
Hope this helps.
/mde/
just my two cents . . . .
--- Michael Casale <mc...@knoa.com> wrote:
> Howdy all,
>
> I'm struggling through setting up Tomcat with SSL on
> a Windows 2003
> server, and even when I get the server running, with
> no errors in the
> logs when restarting the tomcat service, all I get
> is a "Page Not Found"
> error when I point to the ssl port on the server.
> Pointing to the
> default connector on port 8080 works fine.
>
> Here's a little background:
>
> 1. Using keytool, I created a certificate request,
> sent it off to
> Geotrust, and purchased a cert to import. It was
> emailed to me.
> 2. Following the recommendations of geotrust
> (http://www.geocerts.com/support/install/install_tomcat.php), I
> downloaded their root cert, imported it, converted
> their cert to DER
> format (on a separate Linux box), and imported it
> into the keystore.
> 3. I restarted the Tomcat service with no errors,
> see the connector
> started on port 8443:
>
> Nov 7, 2006 4:55:35 PM
> org.apache.coyote.http11.Http11BaseProtocol init
>
> INFO: Initializing Coyote HTTP/1.1 on http-8080
>
> Nov 7, 2006 4:55:35 PM
> org.apache.coyote.http11.Http11BaseProtocol init
>
> INFO: Initializing Coyote HTTP/1.1 on http-8443
>
> Nov 7, 2006 4:55:35 PM
> org.apache.catalina.startup.Catalina load
>
> INFO: Initialization processed in 812 ms
>
> Nov 7, 2006 4:55:35 PM
> org.apache.catalina.core.StandardService start
>
> INFO: Starting service Catalina
>
> Nov 7, 2006 4:55:35 PM
> org.apache.catalina.core.StandardEngine start
>
> INFO: Starting Servlet Engine: Apache Tomcat/5.5.12
>
> Nov 7, 2006 4:55:35 PM
> org.apache.catalina.core.StandardHost start
>
> INFO: XML validation disabled
>
> Nov 7, 2006 4:55:36 PM
> org.apache.coyote.http11.Http11BaseProtocol start
>
> INFO: Starting Coyote HTTP/1.1 on http-8080
>
> Nov 7, 2006 4:55:36 PM
> org.apache.coyote.http11.Http11BaseProtocol start
>
> INFO: Starting Coyote HTTP/1.1 on http-8443
>
> Nov 7, 2006 4:55:37 PM
> org.apache.jk.common.ChannelSocket init
>
> INFO: JK: ajp13 listening on /0.0.0.0:8009
>
> Nov 7, 2006 4:55:37 PM org.apache.jk.server.JkMain
> start
>
> INFO: Jk running ID=0 time=0/31 config=null
>
> Nov 7, 2006 4:55:37 PM
> org.apache.catalina.storeconfig.StoreLoader load
>
> INFO: Find registry server-registry.xml at classpath
> resource
>
> Nov 7, 2006 4:55:37 PM
> org.apache.catalina.startup.Catalina start
>
> INFO: Server startup in 1203 ms
>
> Now, opening any page on the server at
> http://servername:8080
> <http://servername:8080/> works fine, but
> https://servername:8443
> <https://servername:8443/> doesn't work. All ports
> are opened through
> the firewall, etc. Same for https://localhost:8443
> <https://localhost:8443/> .
>
> Here is the server.xml file entry for the connector:
>
> <Connector className="org.apache.coyote.tomcat5.CoyoteConnector"
>
> port="8443" minProcessors="5" maxProcessors="20"
>
> enableLookups="true" disableUploadTimeout="true"
>
> acceptCount="100" debug="0" scheme="https"
> secure="true"
>
> sslProtocol="TLS"
>
> keystoreFile="c:\files\tomcat"
>
> keystorePass="THEPASS"/>
>
>
>
> According to the Tomcat SSL documentation, I need to
> have the root cert
> and the purchased cert in the keystore file, and I
> need to use the
> keyAlias to tell Tomcat which one to use. But
> whenever I add in the
> keyAlias entry it gives me the "Alias name tomcat
> does not identify a
> key entry" error in the logs.
>
> If I could find out how to enable better logging I
> may be able to
> troubleshoot this further.