Posted to users@tomcat.apache.org by "epicwinter@hotmail.com" <ep...@hotmail.com> on 2009/02/13 01:30:46 UTC

ssl problems

First off, unfortunately on this install I am using Tomcat on Windows, I know, boo hiss...  But I just installed the latest Tomcat 6.0.18 and am having a problem with SSL.

All I did was add these lines to the originally installed server.xml file:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" 
           SSLEngine="on"
    SSLCertificateFile="C:\Documents and Settings\Ryan\My Documents\work\project1\ssl\mycert.pem"
    SSLCertificateKeyFile="C:\Documents and Settings\Ryan\My Documents\work\project1\ssl\mykey.pem"
    SSLPassword="mypass"
           />

And I get this weird error telling me it can't find this .keystore file I never even reference in my config.  I even tried without adding this and get the same error:

<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
/>


Here is the full text of the error:

Feb 12, 2009 4:27:19 PM org.apache.tomcat.util.net.jsse.JSSESocketFactory getStore
SEVERE: Failed to load keystore type JKS with path C:\Documents and Settings\Ryan/.keystore due to C:\Documents and Settings\Ryan\.keystore (The system cannot find the file specified)
java.io.FileNotFoundException: C:\Documents and Settings\Ryan\.keystore (The system cannot find the file specified)
    at java.io.FileInputStream.open(Native Method)
    at java.io.FileInputStream.<init>(FileInputStream.java:106)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:337)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:259)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeyManagers(JSSESocketFactory.java:444)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.init(JSSESocketFactory.java:409)
    at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:125)
    at org.apache.tomcat.util.net.JIoEndpoint.init(JIoEndpoint.java:496)
    at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:176)
    at org.apache.catalina.connector.Connector.initialize(Connector.java:1058)
    at org.apache.catalina.core.StandardService.initialize(StandardService.java:677)
    at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:795)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:530)
    at org.apache.catalina.startup.Catalina.load(Catalina.java:550)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
    at java.lang.reflect.Method.invoke(Method.java:585)
    at org.apache.catalina.startup.Bootstrap.load(Bootstrap.java:260)
    at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:412)
Feb 12, 2009 4:27:19 PM org.apache.coyote.http11.Http11Protocol init

Any thoughts?





Re: ssl connector

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Ryan,

On 2/13/2009 12:09 AM, epicwinter@hotmail.com wrote:
> The application I
> am developing uses tomcat on the back end and a swing client on the
> front with the Spring HttpInvoker.
> 
> So first I got it working without apr.  After I set up the connector
> I changed it so when i ran my java client using this vm parameter 
> -Djavax.net.ssl.trustStore="keystore.jks"

If you are using a self-signed certificate, I suspect you will need to
set the trustStore no matter what server-side configuration you have.

> Tomcat starts and acknowledges that apr is working without a problem.
> I thought that with apr I could just run the client without the
> trustStore parameter set.

Why?

> But i get this error: Caused by:
> javax.net.ssl.SSLHandshakeException:
> sun.security.validator.ValidatorException: PKIX path building failed:
> sun.security.provider.certpath.SunCertPathBuilderException: unable to
> find valid certification path to requested target
> 
> So how do I tell the client about the cert?  I tried the
> trustStore="pathtocert" but that didn't work.

What about trustStore="keystore.jks" like you did above? Are you
possibly confusing what files are on the client versus which are on the
server?

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
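
The point Chris makes above is that "PKIX path building failed" is a client-side trust decision: a self-signed certificate is not in the JVM's cacerts, so the client needs its own trust store whether the server side is JSSE or APR. Pointing the client at the server's own keystore.jks, as the thread does, works because the trust manager also accepts the certificates of key entries, but it hands the server's private key to every client; export only the certificate instead. As an added example that is not from this thread, from Spring or from the Tomcat project, here is a Java client that loads that certificate from a JKS trust store and connects with an explicit SSLContext. The file names tomcat.jks, tomcat.crt and client-truststore.jks, the alias tomcat, the password changeit and the URL https://localhost:8443/ are assumptions for the example.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManagerFactory;

/**
 * HTTPS client that trusts a self-signed Tomcat certificate through an explicit trust store.
 *
 * Trust store preparation (file names, alias and password are assumed for this example):
 *   server:  keytool -genkeypair -alias tomcat -keyalg RSA -keysize 2048 -keystore tomcat.jks -dname "CN=localhost"
 *            keytool -exportcert -alias tomcat -keystore tomcat.jks -rfc -file tomcat.crt
 *   client:  keytool -importcert -alias tomcat -file tomcat.crt -keystore client-truststore.jks
 * Only tomcat.crt is copied to clients; the private key stays in tomcat.jks on the server.
 */
public class SelfSignedTrustClient {

    /** Builds an SSLContext whose trust anchors are exactly the entries in the given JKS trust store. */
    static SSLContext contextTrusting(String trustStorePath, char[] trustStorePass) throws Exception {
        KeyStore trustStore = KeyStore.getInstance("JKS");
        InputStream in = new FileInputStream(trustStorePath);
        try {
            trustStore.load(in, trustStorePass);
        } finally {
            in.close();
        }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(trustStore);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no KeyManager: the server runs clientAuth="false"
        return ctx;
    }

    public static void main(String[] args) throws Exception {
        String url = args.length > 0 ? args[0] : "https://localhost:8443/";
        String trustStore = args.length > 1 ? args[1] : "client-truststore.jks";
        char[] pass = (args.length > 2 ? args[2] : "changeit").toCharArray();

        SSLContext ctx = contextTrusting(trustStore, pass);
        // Spring's SimpleHttpInvokerRequestExecutor goes through HttpURLConnection, so installing the
        // factory as the JVM-wide default also covers the HttpInvoker proxy without touching Spring
        // config. Unlike -Djavax.net.ssl.trustStore it leaves the JVM's cacerts in place for every
        // other HTTPS connection the client makes.
        HttpsURLConnection.setDefaultSSLSocketFactory(ctx.getSocketFactory());

        HttpsURLConnection conn = (HttpsURLConnection) new URL(url).openConnection();
        try {
            int status = conn.getResponseCode(); // the TLS handshake happens here
            X509Certificate peer = (X509Certificate) conn.getServerCertificates()[0];
            System.out.println("HTTP " + status + " from " + url);
            System.out.println("peer subject: " + peer.getSubjectX500Principal());
        } catch (SSLHandshakeException e) {
            // "PKIX path building failed" ends up here: the trust store lacks the server's current
            // certificate (wrong file, or the server key pair was regenerated after the export).
            System.err.println("handshake failed: " + e.getMessage());
        } finally {
            conn.disconnect();
        }
    }
}
```

Two things to keep in mind when trying this. The certificate's CN, or better a SubjectAltName (keytool on Java 7 and later accepts -ext SAN=dns:localhost at generation time), has to match the host name in the URL, or HttpsURLConnection's hostname check fails right after the trust check succeeds. And the wrong way to make the PKIX error go away is a TrustManager that accepts every chain or a HostnameVerifier that returns true: either one leaves the connection encrypted but unauthenticated, which is worth nothing against an active attacker on the path.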


RE: ssl connector

Posted by "epicwinter@hotmail.com" <ep...@hotmail.com>.
Thanks, it makes sense now; I have made lots of progress.  But of course, like usual, there are some complications.  The application I am developing uses Tomcat on the back end and a Swing client on the front with the Spring HttpInvoker.

So first I got it working without APR.  After I set up the connector I changed it so that when I ran my Java client using this VM parameter
-Djavax.net.ssl.trustStore="keystore.jks" 

Everything worked.  So next, I moved on to APR.  I got APR properly compiled/installed.  Then I set up the connector like so:
<Connector protocol="org.apache.coyote.http11.Http11AprProtocol"
           port="8443" minSpareThreads="5" maxSpareThreads="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100"  maxThreads="200"
           scheme="https" secure="true" SSLEnabled="true"
    SSLCertificateFile="certfile"
    SSLCertificateKeyFile="key"
    SSLPassword="password"
           clientAuth="false" sslProtocol="TLS"/>

Tomcat starts and acknowledges that APR is working without a problem.  I thought that with APR I could just run the client without the trustStore parameter set.  But I get this error:
Caused by: javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target

So how do I tell the client about the cert?  I tried the trustStore="pathtocert" but that didn't work.  

thanks
-ryan

> From: Chuck.Caldarale@unisys.com
> To: users@tomcat.apache.org
> Date: Thu, 12 Feb 2009 21:47:45 -0600
> Subject: RE: ssl connector


RE: ssl connector

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: epicwinter@hotmail.com [mailto:epicwinter@hotmail.com]
> Subject: RE: ssl connector
>
> So I don't understand the docs where they suggest
> defining connectors with apr and without.

APR is an additional, non-Java Tomcat component that utilizes code from httpd for increased SSL performance.  It uses OpenSSL, not Java, for the SSL negotiation and encryption, so there's no keystore file, and the <Connector> configuration is very different from that for the standard or NIO options.  The drawback of APR is that you typically have to compile it from source for the specific platform you're running on (some binary downloads are available), so it's not something for the casual or first-time Tomcat administrator.

The table at the bottom of this page:
http://tomcat.apache.org/tomcat-6.0-doc/config/http.html
gives you a comparison of the three forms of connector; pick just one for your usage.

 - Chuck





RE: ssl connector

Posted by "epicwinter@hotmail.com" <ep...@hotmail.com>.
Thanks.  So I don't understand the docs where they suggest defining connectors with APR and without.  They show examples of 3 different connectors: org.apache.coyote.http11.Http11Protocol, org.apache.coyote.http11.Http11NioProtocol and org.apache.coyote.http11.Http11AprProtocol.

Do I need to define all three?  Is there a performance difference?

And the APR one doesn't seem to define the keystore, is it not necessary for that?
thanks


> Date: Fri, 13 Feb 2009 00:38:02 +0000
> Subject: Re: ssl problems
> From: anuragkapur@gmail.com
> To: users@tomcat.apache.org
> 
> You also need a .keystore  file (if you are on default settings, then in the
> users home directory).
> Read more on it here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
> 
> Anurag


Re: ssl problems

Posted by Anurag Kapur <an...@gmail.com>.
You also need a .keystore file (if you are on default settings, then in the
user's home directory).
Read more on it here: http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Anurag
------------------------------------------------------------------
Anurag Kapur
Associate - Technology,
Sapient Corporation India.
------------------------------------------------------------------


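
Chuck's and Anurag's replies come down to one rule. The BIO and NIO connectors do TLS through JSSE and read keystoreFile/keystorePass, falling back to ${user.home}/.keystore (the file the stack trace in the original post complains about) and to the documented default password changeit. The APR connector does TLS through OpenSSL and reads SSLCertificateFile/SSLCertificateKeyFile/SSLPassword. Attributes from the other set are not read at all, and a plain protocol="HTTP/1.1" resolves to APR only when the native library actually loads. As an added example that is not part of this thread or of Tomcat, here is a Java lint that applies that rule to every SSL-enabled Connector in a server.xml and reports the mismatch in the original post next to a corrected JSSE connector. The sample document, the ports 8444 and 8445, the keystore path ${catalina.base}/conf/tomcat.jks and the alias tomcat are constructed for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Set;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;

/** Flags SSL attributes on a Tomcat 6 <Connector> that the selected implementation will not read. */
public class ConnectorSslLint {

    // Attribute sets from tomcat-6.0-doc/config/http.html ("SSL Support - BIO and NIO" vs "SSL Support - APR").
    static final Set<String> JSSE_ATTRS = new LinkedHashSet<String>(Arrays.asList(
            "keystoreFile", "keystorePass", "keystoreType", "keyAlias", "clientAuth", "sslProtocol",
            "ciphers", "truststoreFile", "truststorePass", "truststoreType"));
    static final Set<String> APR_ATTRS = new LinkedHashSet<String>(Arrays.asList(
            "SSLCertificateFile", "SSLCertificateKeyFile", "SSLPassword", "SSLCertificateChainFile",
            "SSLCACertificateFile", "SSLVerifyClient", "SSLProtocol", "SSLCipherSuite"));

    static List<String> lint(String serverXml) throws Exception {
        List<String> findings = new ArrayList<String>();
        DocumentBuilderFactory dbf = DocumentBuilderFactory.newInstance();
        dbf.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD, no XXE
        NodeList connectors = dbf.newDocumentBuilder()
                .parse(new ByteArrayInputStream(serverXml.getBytes("UTF-8")))
                .getElementsByTagName("Connector");
        for (int i = 0; i < connectors.getLength(); i++) {
            Element c = (Element) connectors.item(i);
            if (!"true".equalsIgnoreCase(c.getAttribute("SSLEnabled"))) continue;
            String where = "port " + c.getAttribute("port") + ": ";
            String protocol = c.getAttribute("protocol");
            boolean apr = protocol.endsWith("Http11AprProtocol");
            if (protocol.length() == 0 || protocol.equals("HTTP/1.1")) {
                // Tomcat 6 picks APR here only if the native library loads; otherwise the Java BIO
                // connector (JSSE) runs, which is what the stack trace in this thread shows.
                findings.add(where + "protocol=\"HTTP/1.1\" is auto-selected (APR only if tcnative loads);"
                        + " name Http11Protocol, Http11NioProtocol or Http11AprProtocol explicitly");
            }
            if (c.hasAttribute("SSLEngine")) {
                findings.add(where + "SSLEngine belongs on the AprLifecycleListener, not the Connector");
            }
            for (String attr : (apr ? JSSE_ATTRS : APR_ATTRS)) {
                if (c.hasAttribute(attr)) {
                    findings.add(where + attr + " is ignored by the " + (apr ? "APR" : "JSSE") + " connector");
                }
            }
            if (apr) {
                if (!c.hasAttribute("SSLCertificateFile")) {
                    findings.add(where + "APR needs SSLCertificateFile (PEM)");
                } else if (!c.hasAttribute("SSLCertificateKeyFile")) {
                    findings.add(where + "no SSLCertificateKeyFile: APR expects the key inside SSLCertificateFile");
                }
            } else {
                if (!c.hasAttribute("keystoreFile")) {
                    findings.add(where + "no keystoreFile: JSSE falls back to ${user.home}/.keystore");
                }
                if (!c.hasAttribute("keystorePass")) {
                    findings.add(where + "no keystorePass: JSSE assumes the default \"changeit\"");
                }
            }
        }
        return findings;
    }

    // Constructed sample: the original post's connector (8443), a corrected JSSE connector (8444)
    // and the APR connector from the later post (8445). Ports 8444/8445 are chosen for the example.
    static final String SAMPLE = "<Server><Service name=\"Catalina\">\n"
        + "<Connector port=\"8443\" protocol=\"HTTP/1.1\" SSLEnabled=\"true\" scheme=\"https\" secure=\"true\"\n"
        + "    clientAuth=\"false\" sslProtocol=\"TLS\" SSLEngine=\"on\"\n"
        + "    SSLCertificateFile=\"C:/ssl/mycert.pem\" SSLCertificateKeyFile=\"C:/ssl/mykey.pem\" SSLPassword=\"mypass\"/>\n"
        + "<Connector port=\"8444\" protocol=\"org.apache.coyote.http11.Http11Protocol\" SSLEnabled=\"true\"\n"
        + "    scheme=\"https\" secure=\"true\" clientAuth=\"false\" sslProtocol=\"TLS\"\n"
        + "    keystoreFile=\"${catalina.base}/conf/tomcat.jks\" keystorePass=\"changeit\" keyAlias=\"tomcat\"/>\n"
        + "<Connector port=\"8445\" protocol=\"org.apache.coyote.http11.Http11AprProtocol\" SSLEnabled=\"true\"\n"
        + "    scheme=\"https\" secure=\"true\" clientAuth=\"false\" sslProtocol=\"TLS\"\n"
        + "    SSLCertificateFile=\"certfile\" SSLCertificateKeyFile=\"key\" SSLPassword=\"password\"/>\n"
        + "</Service></Server>";

    public static void main(String[] args) throws Exception {
        String xml = args.length > 0 ? new String(Files.readAllBytes(Paths.get(args[0])), "UTF-8") : SAMPLE;
        for (String finding : lint(xml)) {
            System.out.println(finding);
        }
    }
}
```

Run without arguments it lints the embedded sample; with a path it lints that server.xml. On the sample, port 8443 produces the auto-selection note, the misplaced SSLEngine, three ignored APR attributes and the two JSSE fallbacks (~/.keystore and changeit), which is exactly why the original post's Tomcat went looking for a file it never named; port 8444 is clean; port 8445 only reports clientAuth and sslProtocol as ignored by APR, since the equivalent settings there are SSLVerifyClient and SSLProtocol. A keystorePass of changeit in a committed server.xml is itself a weak setting; the lint accepts it because the thread's question is which attributes are read, not how strong the secret is.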