Posted to users@tomcat.apache.org by "Jerome A. Wendell" <ja...@suddenlink.net> on 2014/06/27 17:48:59 UTC

Using SSL with Tomcat

I am new to Tomcat, and just recently installed it as a container to run
GeoServer.  Everything is running fine, but now I have been asked to setup
GeoServer to run using SSL.  An EV Certificate is already installed on the
server.  Based on the documentation the default port for running Tomcat
using SSL is 8443.  I have configured the firewall to use port 8443, and
edited the server.xml by removing the commenting from the following section:

 

    <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
               maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

 

I restarted Tomcat, but it is still not listening on port 8443.  Is there
something else that I need to do to get Tomcat working on port 8443?

 

I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.

 

Any suggestions are appreciated.

 

Thanks,

 

Jerome Wendell

 


RE: Using SSL with Tomcat

Posted by "Jerome A. Wendell" <ja...@suddenlink.net>.
-----Original Message-----
From: Daniel Mikusa [mailto:dmikusa@gopivotal.com] 
Sent: Monday, June 30, 2014 8:37 AM
To: Tomcat Users List
Subject: Re: Using SSL with Tomcat

On Fri, Jun 27, 2014 at 4:52 PM, Jerome A. Wendell <jawendell@suddenlink.net> wrote:

> Daniel,
>
> In reviewing the documentation, since I am just using Tomcat as a 
> container it seems that I should not have to implement SSL as shown below:
>
> Is there any additional configuration in Tomcat to operate as 
> described above, or is all of the setup in Microsoft IIS?
>

If you want to have IIS (or another server like HTTP or Nginx) sit in front of Tomcat then all of your SSL configuration would typically be done in IIS.  This results in a request flow that looks like this...

   Client Browser <-> HTTPS <-> IIS <-> HTTP or AJP <-> Tomcat

I know nothing about IIS, so I can't comment on its setup (although I'm sure others on the list can and certainly will help if needed).  Best I can do is point you to the IIS docs for the Tomcat connector.  This shows how to set up IIS so that it takes requests and forwards them via AJP to your Tomcat server.

  http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Dan

Dan,

Thank you very much for your reply and the information provided.  I will review the documentation and see what I need to do.

Thanks,

Jerome




Re: Using SSL with Tomcat

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Fri, Jun 27, 2014 at 4:52 PM, Jerome A. Wendell <jawendell@suddenlink.net> wrote:

> Daniel,
>
> In reviewing the documentation, since I am just using Tomcat as a
> container it seems that I should not have to implement SSL as shown below:
>
> Is there any additional configuration in Tomcat to operate as described
> above, or is all of the setup in Microsoft IIS?
>

If you want to have IIS (or another server like HTTP or Nginx) sit in front
of Tomcat then all of your SSL configuration would typically be done in
IIS.  This results in a request flow that looks like this...

   Client Browser <-> HTTPS <-> IIS <-> HTTP or AJP <-> Tomcat

I know nothing about IIS, so I can't comment on its setup (although I'm
sure others on the list can and certainly will help if needed).  Best I can
do is point you to the IIS docs for the Tomcat connector.  This shows how
to set up IIS so that it takes requests and forwards them via AJP to your
Tomcat server.

  http://tomcat.apache.org/connectors-doc/webserver_howto/iis.html

Dan



>
> SSL and Tomcat
>
> It is important to note that configuring Tomcat to take advantage of
> secure sockets is usually only necessary when running it as a stand-alone
> web server. When running Tomcat primarily as a Servlet/JSP container behind
> another web server, such as Apache or Microsoft IIS, it is usually
> necessary to configure the primary web server to handle the SSL connections
> from users. Typically, this server will negotiate all SSL-related
> functionality, then pass on any requests destined for the Tomcat container
> only after decrypting those requests. Likewise, Tomcat will return
> cleartext responses, that will be encrypted before being returned to the
> user's browser. In this environment, Tomcat knows that communications
> between the primary web server and the client are taking place over a
> secure connection (because your application needs to be able to ask about
> this), but it does not participate in the encryption or decryption itself.
>
> Thanks,
>
> Jerome Wendell
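
Added example, not part of the original thread: what the Tomcat side of the flow Dan describes (IIS terminates HTTPS, then HTTP or AJP to Tomcat) can look like in server.xml. The loopback binding (IIS and Tomcat on the same host), the host name gis.example.com and the port numbers are assumptions; address, scheme, secure, proxyName, proxyPort and redirectPort are standard Tomcat connector attributes.

```xml
<!-- Option A: IIS forwards over AJP, using the ISAPI redirector from the
     how-to linked above. AJP carries the original scheme and SSL details,
     so the application sees the request as secure without extra
     attributes. The hop itself is cleartext, so the connector is bound to
     loopback (assumes IIS runs on the same host) and port 8009 should not
     be opened in the firewall. -->
<Connector port="8009" protocol="AJP/1.3"
           address="127.0.0.1"
           redirectPort="443" />

<!-- Option B: IIS forwards plain HTTP instead of AJP. Tomcat cannot see
     that the browser used HTTPS, so it is told explicitly: scheme and
     secure control what request.getScheme() and request.isSecure()
     return, and proxyName / proxyPort control the host and port used in
     redirects and generated URLs. gis.example.com is a placeholder. -->
<Connector port="8080" protocol="HTTP/1.1"
           address="127.0.0.1"
           scheme="https" secure="true"
           proxyName="gis.example.com" proxyPort="443"
           connectionTimeout="20000" />

<!-- In either case the port 8443 connector with SSLEnabled="true" stays
     commented out: the certificate and TLS settings live in IIS, and
     Tomcat needs no keystore. -->
```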

RE: Using SSL with Tomcat

Posted by "Jerome A. Wendell" <ja...@suddenlink.net>.
From: Jerome A. Wendell [mailto:jawendell@suddenlink.net] 
Sent: Friday, June 27, 2014 4:48 PM
To: 'Tomcat Users List'
Subject: RE: Using SSL with Tomcat

 

Daniel,

In reviewing the documentation, since I am just using Tomcat as a container it seems that I should not have to implement SSL as shown below:



Is there any additional configuration in Tomcat to operate as described above, or is all of the setup in Microsoft IIS?

Thanks,

Jerome Wendell

 

Sorry, I did not realize the image would not come through.  The section of the documentation that I was referring to is below:

SSL and Tomcat

It is important to note that configuring Tomcat to take advantage of secure sockets is usually only necessary when running it as a stand-alone web server. When running Tomcat primarily as a Servlet/JSP container behind another web server, such as Apache or Microsoft IIS, it is usually necessary to configure the primary web server to handle the SSL connections from users. Typically, this server will negotiate all SSL-related functionality, then pass on any requests destined for the Tomcat container only after decrypting those requests. Likewise, Tomcat will return cleartext responses, that will be encrypted before being returned to the user's browser. In this environment, Tomcat knows that communications between the primary web server and the client are taking place over a secure connection (because your application needs to be able to ask about this), but it does not participate in the encryption or decryption itself.

Thanks,

 

Jerome Wendell

 


RE: Using SSL with Tomcat

Posted by "Jerome A. Wendell" <ja...@suddenlink.net>.

Daniel,

In reviewing the documentation, since I am just using Tomcat as a container it seems that I should not have to implement SSL as shown below:



Is there any additional configuration in Tomcat to operate as described above, or is all of the setup in Microsoft IIS?

Thanks,

Jerome Wendell

 


RE: Using SSL with Tomcat

Posted by "Jerome A. Wendell" <ja...@suddenlink.net>.
 

 


Daniel,

 

Thank you very much for your reply.  I will check the logs and see if they show anything.  I am not sure about the format, so I will have to look into that also.

 

Thanks,

 

Jerome Wendell

 


Re: Using SSL with Tomcat

Posted by Daniel Mikusa <dm...@gopivotal.com>.
On Fri, Jun 27, 2014 at 11:48 AM, Jerome A. Wendell <jawendell@suddenlink.net> wrote:

> I am new to Tomcat, and just recently installed it as a container to run
> GeoServer.  Everything is running fine, but now I have been asked to setup
> GeoServer to run using SSL.  An EV Certificate is already installed on the
> server.


Where does this exist?  What format is it in?  Keep in mind that when using
Tomcat and the BIO (default) or NIO connectors, you'll need a keystore in
either Java Keystore or PKCS12 format.


http://tomcat.apache.org/tomcat-7.0-doc/ssl-howto.html#Prepare_the_Certificate_Keystore

> Based on the documentation the default port for running Tomcat
> using SSL is 8443.  I have configured the firewall to use port 8443, and
> edited the server.xml by removing the commenting from the following
> section:
>
>     <Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
>                maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
>
> I restarted Tomcat, but it is still not listening on port 8443.  Is there
> something else that I need to do to get Tomcat working on port 8443?
>

Did you check the logs?  It's possible that something failed with your SSL
setup and so it's not listening on port 8443.  From your configuration, I'd
guess that it's not able to find your keystore.  See the "keystore*"
attributes here, specifically keystoreFile.


http://tomcat.apache.org/tomcat-7.0-doc/config/http.html#SSL_Support_-_BIO_and_NIO

Dan


> I am using Tomcat 7.0.54 on a Windows 2008 R2 64 bit server.
>
> Any suggestions are appreciated.
>
> Thanks,
>
> Jerome Wendell
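
Added example, not part of the original thread: the connector as posted, next to one that names its keystore explicitly, which is what the keystore* attributes Dan points to are for. The keystore path, the password placeholder and the choice of PKCS12 are assumptions; keystoreFile, keystoreType and keystorePass are the BIO/NIO connector attributes from the configuration reference linked above.

```xml
<!-- As posted: no keystore* attributes. Tomcat then falls back to its
     defaults, a file named .keystore in the home directory of the user
     running Tomcat, with the password "changeit". If that file does not
     exist, the connector cannot initialise and nothing listens on 8443;
     the failure is reported in the Tomcat logs at startup. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS" />

<!-- Same connector with the keystore named explicitly (use one or the
     other, not both on the same port).
     keystoreFile: a relative path is resolved against CATALINA_BASE;
                   conf/geoserver.p12 is a placeholder file name.
     keystoreType: JKS is the default; PKCS12 is the other format the
                   BIO and NIO connectors accept.
     keystorePass: placeholder. The real value sits in server.xml in
                   clear text, so restrict read access to that file and
                   to the keystore to the account Tomcat runs as. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           maxThreads="150" SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="conf/geoserver.p12"
           keystoreType="PKCS12"
           keystorePass="REPLACE_WITH_KEYSTORE_PASSWORD"
           clientAuth="false" sslProtocol="TLS" />
```

The keystore must contain the private key together with the certificate chain; `keytool -list -v -keystore conf/geoserver.p12 -storetype PKCS12` shows whether the entry is a key entry with its chain.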