Posted to users@tomcat.apache.org by rk...@metamagix.net on 2005/01/17 16:00:43 UTC

multiple ips, multiple ssl certificates and port forwarding

hello everybody!

i'm new to this list and don't have too much tomcat experience but i've 
been searching for a while to solve the following problem - unfortunately 
up to date without success:
here is my little mind bender ;-)

i have tomcat 4.1.31 running on a linux server, to use multiple ssl 
keystores i built the following server.xml, i have port-forwarding on 
(script follows). my problem is that i always get the same certificate, no 
matter what ip/domain i use.

server xml
-------------------------------
<Server port="8005" shutdown="SHUTDOWN" debug="0">


   <!-- Comment these entries out to disable JMX MBeans support -->
   <!-- You may also configure custom components (e.g. Valves/Realms) by
        including your own mbean-descriptor file(s), and setting the
        "descriptors" attribute to point to a ';' separated list of paths
        (in the ClassLoader sense) of files to add to the default list.
        e.g. descriptors="/com/myfirm/mypackage/mbean-descriptor.xml"
   -->
   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
             debug="0"/>
   <Listener className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
             debug="0"/>

   <!-- Global JNDI resources -->
   <GlobalNamingResources>

     <!-- Test entry for demonstration purposes -->
     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>

     <!-- Editable user database that can also be used by
          UserDatabaseRealm to authenticate users -->
     <Resource name="UserDatabase" auth="Container"
               type="org.apache.catalina.UserDatabase"
        description="User database that can be updated and saved">
     </Resource>
     <ResourceParams name="UserDatabase">
       <parameter>
         <name>factory</name>
         <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
       </parameter>
       <parameter>
         <name>pathname</name>
         <value>conf/tomcat-users.xml</value>
       </parameter>
     </ResourceParams>

   </GlobalNamingResources>

   <Service name="Service C">
     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8080" address="100.100.100.3" minProcessors="10" maxProcessors="100"
                enableLookups="true" redirectPort="8080"
                acceptCount="100" debug="0" connectionTimeout="20000"
                useURIValidationHack="false" disableUploadTimeout="true" />
     <!-- Note : To disable connection timeouts, set connectionTimeout value
      to 0 -->

     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8443" minProcessors="5" maxProcessors="30"
                address="100.100.100.3"
                enableLookups="true"
                acceptCount="30" debug="0" scheme="https" secure="true"
                useURIValidationHack="false" disableUploadTimeout="true">
       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                keystoreFile="/home/essence/essence/KEYS/c.keystore"
                keystorePass="xxx"
                clientAuth="false" protocol="TLS" />
     </Connector>


     <Engine defaultHost="www.domainc.at" debug="0">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="catalina_log." suffix=".txt"
               timestamp="true"/>

       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                  debug="0" resourceName="UserDatabase"/>

       <!-- Define the default virtual host -->
       <Host name="www.domainc.at" debug="0" appBase="webapps"
        unpackWARs="true" autoDeploy="true">

         <Logger className="org.apache.catalina.logger.FileLogger"
                  directory="logs"  prefix="domainc_log." suffix=".txt"
             timestamp="true"/>

         <!-- Tomcat Root Context -->
           <Context path="" docBase="essence" debug="0"/>

       </Host>
       </Engine>
   </Service>



   <Service name="service b">
     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8080" address="100.100.100.2" minProcessors="10" maxProcessors="100"
                enableLookups="true" redirectPort="8080"
                acceptCount="100" debug="0" connectionTimeout="20000"
                useURIValidationHack="false" disableUploadTimeout="true" />
     <!-- Note : To disable connection timeouts, set connectionTimeout value
      to 0 -->

     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8443" minProcessors="5" maxProcessors="50"
                address="100.100.100.2"
                enableLookups="true"
                acceptCount="50" debug="0" scheme="https" secure="true"
                useURIValidationHack="false" disableUploadTimeout="true">
       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                keystoreFile="/home/essence/essence/KEYS/b.keystore"
                keystorePass="xxxx"
                clientAuth="false" protocol="TLS" />
     </Connector>


     <Engine defaultHost="www.domainb.at" debug="0">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="catalina_log." suffix=".txt"
               timestamp="true"/>

       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                  debug="0" resourceName="UserDatabase"/>

       <!-- Define the default virtual host -->
       <Host name="www.domainb.at" debug="0" appBase="webapps"
        unpackWARs="true" autoDeploy="true">

         <Logger className="org.apache.catalina.logger.FileLogger"
                  directory="logs"  prefix="domainb_log." suffix=".txt"
             timestamp="true"/>

         <!-- Tomcat Root Context -->
           <Context path="" docBase="essence" debug="0"/>

       </Host>
       </Engine>
   </Service>


   <Service name="ServiceA">
     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8080" address="100.100.100.1" minProcessors="10" maxProcessors="100"
                enableLookups="true" redirectPort="8080"
                acceptCount="100" debug="0" connectionTimeout="20000"
                useURIValidationHack="false" disableUploadTimeout="true" />
     <!-- Note : To disable connection timeouts, set connectionTimeout value
      to 0 -->

     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
                port="8443" minProcessors="5" maxProcessors="30"
                address="100.100.100.1"
                enableLookups="true"
                acceptCount="30" debug="0" scheme="https" secure="true"
                useURIValidationHack="false" disableUploadTimeout="true">
       <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
                keystoreFile="/home/essence/essence/KEYS/a.keystore"
                keystorePass="xxxxx"
                clientAuth="false" protocol="TLS" />
     </Connector>

     <Engine defaultHost="www.domaina.at" debug="0">
       <Logger className="org.apache.catalina.logger.FileLogger"
               prefix="catalina_log." suffix=".txt"
               timestamp="true"/>

       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
                  debug="0" resourceName="UserDatabase"/>

       <!-- Define the default virtual host -->
       <Host name="www.domaina.at" debug="0" appBase="webapps"
        unpackWARs="true" autoDeploy="true">

         <Logger className="org.apache.catalina.logger.FileLogger"
                  directory="logs"  prefix="domaina_log." suffix=".txt"
             timestamp="true"/>

         <!-- Tomcat Root Context -->
           <Context path="" docBase="essence" debug="0"/>

       </Host>
       </Engine>
   </Service>

</Server>

----------------------------

the multiple ips work and my portforwarding script looks as follows:

         iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80:80 --to-ports 8080
         iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443:443 --to-ports 8443

does anybody have a hint what is wrong with this?

kind regards

randolph





---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-user-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-user-help@jakarta.apache.org


Re: multiple ips, multiple ssl certificates and port forwarding

Posted by rk...@metamagix.net.
hello hassan!

thanks for your input ... i guess i finally found out what it was, though 
it still seems a little bit strange to me:
the portforwarding is the problem, without it, the right ssl certificate is 
chosen, otherwise the system takes the one of the ip address associated with 
eth0.
hmm - it's strange though as this seems to work with other java servlet 
engines like jetty.

i will try to find a way to run tomcat as a normal user on privileged 
ports, this should fix it.

kind regards

randolph

At 17:52 17.01.2005, you wrote:
>Parsons Technical Services wrote:
>>>unfortunately this does not seem to solve the problem ... but results in 
>>>the following error (as the given keystore cannot be used)
>
>>>java.io.FileNotFoundException: /home/essence/.keystore (No such file or 
>>>directory)
>
>First, the given server.xml showed the keystore file (originally)
>as "/home/essence/essence/KEYS/c.keystore" which doesn't match the
>reported error above -- check for typos.
>
>>Tomcat needs the name of the keystore to be .keystore
>
>No it doesn't. The name (and path) is arbitrary, which is why
>there *is* a keystoreFile attribute.
>
>>As I said before, I haven't done this myself.
>
>I have, and none of my installations use ".keystore" as the file
>name...
>
>--
>Hassan Schroeder ----------------------------- hassan@webtuitive.com
>Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
>
>                           dream.  code.

-----------------------------------------------------------------------
di randolph kepplinger, mba
rk@metamagix.net / 0676-844899-800

metamagix - better online solutions
favoritenstrasse 19 / 1040 wien / +43.1.9902804
buero: hackengasse 27 / 1150 wien / +43.1.9902804
http://www.metamagix.net


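The behaviour described in the reply above (every IP handing out the certificate of the eth0 address) follows from how iptables REDIRECT works: it rewrites the destination IP to the primary address of the incoming interface, so all three address-bound SSL connectors collapse onto the one bound to that address. The following Python model is an added example, not code from this thread; it parses a constructed server.xml in the shape of the posted one, applies the posted REDIRECT rules versus one DNAT rule per IP, and reports which keystore each public IP would really serve. It assumes 100.100.100.1 is eth0's primary address and keeps the ports as posted.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the posted server.xml: three SSL connectors, each
# bound to its own IP on 8443 with its own keystore (paths as in the thread).
SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="ServiceA">
    <Connector port="8443" address="100.100.100.1" scheme="https" secure="true">
      <Factory keystoreFile="/home/essence/essence/KEYS/a.keystore" keystorePass="xxxxx"/>
    </Connector>
  </Service>
  <Service name="service b">
    <Connector port="8443" address="100.100.100.2" scheme="https" secure="true">
      <Factory keystoreFile="/home/essence/essence/KEYS/b.keystore" keystorePass="xxxx"/>
    </Connector>
  </Service>
  <Service name="Service C">
    <Connector port="8443" address="100.100.100.3" scheme="https" secure="true">
      <Factory keystoreFile="/home/essence/essence/KEYS/c.keystore" keystorePass="xxx"/>
    </Connector>
  </Service>
</Server>"""

# Assumption: 100.100.100.1 is the primary address of eth0 (the thread only
# says "the ip address associated with eth0").
PRIMARY_IP = "100.100.100.1"

# The posted script as rule dicts. REDIRECT keeps the port mapping but, per the
# iptables man page, rewrites the destination IP to the incoming interface's
# primary address, so the IP the client connected to is lost.
REDIRECT_RULES = [
    {"target": "REDIRECT", "dport": 80, "to_port": 8080},
    {"target": "REDIRECT", "dport": 443, "to_port": 8443},
]


def ssl_connectors(xml_text):
    """Map (address, port) -> keystoreFile for every secure Connector with a Factory."""
    table = {}
    for conn in ET.fromstring(xml_text).iter("Connector"):
        factory = conn.find("Factory")
        if factory is None or conn.get("secure") != "true":
            continue
        key = (conn.get("address", "0.0.0.0"), int(conn.get("port")))
        table[key] = factory.get("keystoreFile")
    return table


def dnat_rules_for(connectors, public_port=443):
    """Derive one DNAT rule per SSL connector so the public IP survives translation."""
    return [
        {"target": "DNAT", "dst": addr, "dport": public_port, "to": (addr, port)}
        for (addr, port) in sorted(connectors)
    ]


def as_iptables(rule):
    """Render a rule dict as the PREROUTING command it stands for."""
    if rule["target"] == "REDIRECT":
        return (f"iptables -t nat -A PREROUTING -p tcp --dport {rule['dport']} "
                f"-j REDIRECT --to-ports {rule['to_port']}")
    ip, port = rule["to"]
    return (f"iptables -t nat -A PREROUTING -d {rule['dst']} -p tcp "
            f"--dport {rule['dport']} -j DNAT --to-destination {ip}:{port}")


def translate(rules, dst_ip, dst_port, primary_ip=PRIMARY_IP):
    """Apply the first matching nat PREROUTING rule (REDIRECT/DNAT terminate the chain)."""
    for rule in rules:
        if rule["dport"] != dst_port:
            continue
        if rule["target"] == "REDIRECT":
            return primary_ip, rule["to_port"]      # original destination IP is lost
        if rule["target"] == "DNAT" and rule["dst"] == dst_ip:
            return rule["to"]
    return dst_ip, dst_port                           # no rule matched: untouched


def served_keystore(rules, connectors, dst_ip, dst_port=443, primary_ip=PRIMARY_IP):
    """Keystore (hence certificate) a client of dst_ip:dst_port is handed, or None."""
    ip, port = translate(rules, dst_ip, dst_port, primary_ip)
    # A socket bound to a specific address wins over a wildcard bind on that port.
    return connectors.get((ip, port)) or connectors.get(("0.0.0.0", port))


def certificate_map(rules, connectors, primary_ip=PRIMARY_IP):
    """For each connector's public IP, the keystore that actually answers on 443."""
    return {addr: served_keystore(rules, connectors, addr, 443, primary_ip)
            for (addr, _port) in sorted(connectors)}


if __name__ == "__main__":
    conns = ssl_connectors(SERVER_XML)
    print("REDIRECT:", certificate_map(REDIRECT_RULES, conns))
    fixed = dnat_rules_for(conns)
    print("DNAT:    ", certificate_map(fixed, conns))
    for r in fixed:
        print(as_iptables(r))
```

The DNAT variant is the alternative to giving up port forwarding altogether, which the reply above considers.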


Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Parsons Technical Services <pa...@earthlink.net>.
>> Tomcat needs the name of the keystore to be .keystore
>
> No it doesn't. The name (and path) is arbitrary, which is why
> there *is* a keystoreFile attribute.
>
>> As I said before, I haven't done this myself.
>
> I have, and none of my installations use ".keystore" as the file
> name...


That is why I made the statement. Thanks for correcting me on that. Now I 
know.


Doug 





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Hassan Schroeder <ha...@webtuitive.com>.
Parsons Technical Services wrote:
>> unfortunately this does not seem to solve the problem ... but results 
>> in the following error (as the given keystore cannot be used)

>> java.io.FileNotFoundException: /home/essence/.keystore (No such file 
>> or directory)

First, the given server.xml showed the keystore file (originally)
as "/home/essence/essence/KEYS/c.keystore" which doesn't match the
reported error above -- check for typos.

> Tomcat needs the name of the keystore to be .keystore  

No it doesn't. The name (and path) is arbitrary, which is why
there *is* a keystoreFile attribute.

> As I said before, I haven't done this myself.

I have, and none of my installations use ".keystore" as the file
name...

-- 
Hassan Schroeder ----------------------------- hassan@webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by rk...@metamagix.net.
hello!

At 17:58 17.01.2005, you wrote:
>rk@metamagix.net wrote:
>>the keystore syntax is correct, as it works with one keystore ... the 
>>problem arises when there are multiple virtual hosts, it takes always one 
>>of them, but not the corresponding
>
>I'm puzzled by two aspects of your setup:
>
>1) why don't you just assign the proper ports in the Connectors
>    instead of redirecting through iptables?

i don't want to run tomcat as root, so i cannot use ports<1024 ... therefore 
i do the portforwarding.


>2) what's the point of the multiple Services?

as i said, i have multiple domains/ips and for each of them i'd like to use 
a different keystore.
multiple connectors in one service did not seem to work as well. (but i may 
retry)

regards

randolph


>--
>Hassan Schroeder ----------------------------- hassan@webtuitive.com
>Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
>
>                           dream.  code.

-----------------------------------------------------------------------
di randolph kepplinger, mba
rk@metamagix.net / 0676-844899-800

metamagix - better online solutions
favoritenstrasse 19 / 1040 wien / +43.1.9902804
buero: hackengasse 27 / 1150 wien / +43.1.9902804
http://www.metamagix.net




Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Hassan Schroeder <ha...@webtuitive.com>.
rk@metamagix.net wrote:
> the keystore syntax is correct, as it works with one keystore ... the 
> problem arises when there are multiple virtual hosts, it takes always 
> one of them, but not the corresponding

I'm puzzled by two aspects of your setup:

1) why don't you just assign the proper ports in the Connectors
    instead of redirecting through iptables?

2) what's the point of the multiple Services?

-- 
Hassan Schroeder ----------------------------- hassan@webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by rk...@metamagix.net.
the keystore syntax is correct, as it works with one keystore ... the 
problem arises when there are multiple virtual hosts, it takes always one 
of them, but not the corresponding

At 17:30 17.01.2005, you wrote:
>>unfortunately this does not seem to solve the problem ... but results in 
>>the following error (as the given keystore cannot be used)
>>
>>Jan 17, 2005 4:59:29 PM org.apache.coyote.http11.Http11Protocol init
>>INFO: Initializing Coyote HTTP/1.1 on http-62.116.64.7-8080
>>Jan 17, 2005 4:59:29 PM org.apache.coyote.http11.Http11Protocol init
>>SEVERE: Error initializing endpoint
>>java.io.FileNotFoundException: /home/essence/.keystore (No such file or 
>>directory)
>
>Tomcat needs the name of the keystore to be .keystore   You have it as a. 
>b.  c.   The keystore file is for the path and not the name (as I 
>understand the docs). So set up all the keystores with the default name but 
>in dir a, b and c.
>
>keystoreFile="/home/essence/essence/KEYS/c/.keystore"
>or maybe
>keystoreFile="/home/essence/essence/c/KEYS/.keystore"
>
>As I said before, I haven't done this myself.
>
>Doug

-----------------------------------------------------------------------
di randolph kepplinger, mba
rk@metamagix.net / 0676-844899-800

metamagix - better online solutions
favoritenstrasse 19 / 1040 wien / +43.1.9902804
buero: hackengasse 27 / 1150 wien / +43.1.9902804
http://www.metamagix.net




Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Parsons Technical Services <pa...@earthlink.net>.
> unfortunately this does not seem to solve the problem ... but results in 
> the following error (as the given keystore cannot be used)
>
> Jan 17, 2005 4:59:29 PM org.apache.coyote.http11.Http11Protocol init
> INFO: Initializing Coyote HTTP/1.1 on http-62.116.64.7-8080
> Jan 17, 2005 4:59:29 PM org.apache.coyote.http11.Http11Protocol init
> SEVERE: Error initializing endpoint
> java.io.FileNotFoundException: /home/essence/.keystore (No such file or 
> directory)
>

Tomcat needs the name of the keystore to be .keystore   You have it as a. 
b.  c.   The keystore file is for the path and not the name (as I understand 
the docs). So set up all the keystores with the default name but in dir a, b 
and c.

keystoreFile="/home/essence/essence/KEYS/c/.keystore"
or maybe
keystoreFile="/home/essence/essence/c/KEYS/.keystore"

As I said before, I haven't done this myself.

Doug





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by rk...@metamagix.net.
unfortunately this does not seem to solve the problem ... but results in 
the following error (as the given keystore cannot be used)

Jan 17, 2005 4:59:29 PM org.apache.coyote.http11.Http11Protocol init
INFO: Initializing Coyote HTTP/1.1 on http-62.116.64.7-8080
Jan 17, 2005 4:59:29 PM org.apache.coyote.http11.Http11Protocol init
SEVERE: Error initializing endpoint
java.io.FileNotFoundException: /home/essence/.keystore (No such file or directory)
         at java.io.FileInputStream.open(Native Method)
         at java.io.FileInputStream.<init>(FileInputStream.java:106)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getStore(JSSESocketFactory.java:276)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.getKeystore(JSSESocketFactory.java:220)
         at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.getKeyManagers(JSSE14SocketFactory.java:143)
         at org.apache.tomcat.util.net.jsse.JSSE14SocketFactory.init(JSSE14SocketFactory.java:109)
         at org.apache.tomcat.util.net.jsse.JSSESocketFactory.createSocket(JSSESocketFactory.java:98)
         at org.apache.tomcat.util.net.PoolTcpEndpoint.initEndpoint(PoolTcpEndpoint.java:261)
         at org.apache.coyote.http11.Http11Protocol.init(Http11Protocol.java:137)
         at org.apache.coyote.tomcat4.CoyoteConnector.initialize(CoyoteConnector.java:1238)
         at org.apache.catalina.core.StandardService.initialize(StandardService.java:532)
         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2199)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:462)
         at org.apache.catalina.startup.Catalina.execute(Catalina.java:350)
         at org.apache.catalina.startup.Catalina.process(Catalina.java:129)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:156)
Catalina.start: LifecycleException:  Protocol handler initialization failed: java.io.FileNotFoundException: /home/essence/.keystore (No such file or directory)
LifecycleException:  Protocol handler initialization failed: java.io.FileNotFoundException: /home/essence/.keystore (No such file or directory)
         at org.apache.coyote.tomcat4.CoyoteConnector.initialize(CoyoteConnector.java:1240)
         at org.apache.catalina.core.StandardService.initialize(StandardService.java:532)
         at org.apache.catalina.core.StandardServer.initialize(StandardServer.java:2199)
         at org.apache.catalina.startup.Catalina.start(Catalina.java:462)
         at org.apache.catalina.startup.Catalina.execute(Catalina.java:350)
         at org.apache.catalina.startup.Catalina.process(Catalina.java:129)
         at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
         at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
         at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
         at java.lang.reflect.Method.invoke(Method.java:324)
         at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:156)
Catalina.stop: LifecycleException:  This server has not yet been started
LifecycleException:  This server has not yet been started


At 16:35 17.01.2005, you wrote:
>I think you have an error in your server.xml. The path to the keystore and 
>other SSL fields are in the Factory element instead of the connector element.
>
>>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>                port="8443" minProcessors="5" maxProcessors="30"
>>                address="100.100.100.3"
>>                enableLookups="true"
>>                acceptCount="30" debug="0" scheme="https" secure="true"
>>                useURIValidationHack="false" disableUploadTimeout="true">
>>       <Factory 
>> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>>                keystoreFile="/home/essence/essence/KEYS/c.keystore"
>>                keystorePass="xxx"
>>                clientAuth="false" protocol="TLS" />
>>     </Connector>
>
>
>Should read:
>
>>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>>                port="8443" minProcessors="5" maxProcessors="30"
>>                address="100.100.100.3"
>>                enableLookups="true"
>>                acceptCount="30" debug="0" scheme="https" secure="true"
>>                useURIValidationHack="false" disableUploadTimeout="true">
>>                keystoreFile="/home/essence/essence/KEYS/c.keystore"
>>                keystorePass="xxx"
>>                clientAuth="false" protocol="TLS" <Factory 
>> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"/>
>>     </Connector>
>
>
>Doug




Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Parsons Technical Services <pa...@earthlink.net>.
I think you have an error in your server.xml. The path to the keystore and 
other SSL fields are in the Factory element instead of the connector 
element.

>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="30"
>                address="100.100.100.3"
>                enableLookups="true"
>                acceptCount="30" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>       <Factory 
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile="/home/essence/essence/KEYS/c.keystore"
>                keystorePass="xxx"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
>


Should read:

>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="30"
>                address="100.100.100.3"
>                enableLookups="true"
>                acceptCount="30" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>                keystoreFile="/home/essence/essence/KEYS/c.keystore"
>                keystorePass="xxx"
>                clientAuth="false" protocol="TLS" <Factory 
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"/>
>     </Connector>


Doug 





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Hassan Schroeder <ha...@webtuitive.com>.
rk@metamagix.net wrote:

> hmm ... portforwarding works with jetty (on the same ports), so it 
> should also work with tomcat, and i'd rather have tomcat on a non 
> privileged port.

You can always add it back in, once you've resolved the problem
(and confirmed that's *not* part of it). But that's just my approach.

> which tomcat version are you using?
> could you send me an anonymized version of your config?

I'll send you a sample server.xml offlist (for a 4.1.x install).

-- 
Hassan Schroeder ----------------------------- hassan@webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by rk...@metamagix.net.
hello hassan!

hmm ... portforwarding works with jetty (on the same ports), so it should 
also work with tomcat, and i'd rather have tomcat on a non privileged port.
which tomcat version are you using?
could you send me an anonymized version of your config?

kind regards

randolph

At 16:06 18.01.2005, you wrote:
>rk@metamagix.net wrote:
>
>>i also tried it with one service and multiple connectors with the same 
>>result ... only one of the keystore-files is taken ... as it is the one 
>>of the webserver's original name i tend to think that this may be a 
>>portforward-problem (i.e. all forwarded ports/ips are mapped to the one 
>>associated with the used keystore)
>>.. has anybody a working tomcat 4.1.x configuration with multiple ips and 
>>ssl keystores?
>
>Yes, one service with multiple connectors for different IPs using
>different keystores. It works fine, and I don't see any significant
>difference between my server.xml and the one you previously sent.
>
>I would seriously urge you to turn off the port-forwarding, change
>the connectors to standard ports 80 and 443 and test again. :-)
>
>FWIW!
>--
>Hassan Schroeder ----------------------------- hassan@webtuitive.com
>Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com
>
>                           dream.  code.

-----------------------------------------------------------------------
di randolph kepplinger, mba
rk@metamagix.net / 0676-844899-800

metamagix - better online solutions
favoritenstrasse 19 / 1040 wien / +43.1.9902804
buero: hackengasse 27 / 1150 wien / +43.1.9902804
http://www.metamagix.net




Re: multiple ips, multiple ssl certificates and port forwarding

Posted by Hassan Schroeder <ha...@webtuitive.com>.
rk@metamagix.net wrote:

> i also tried it with one service and multiple connectors with the same 
> result ... only one of the keystore-files is taken ... as it is the one 
> of the webserver's original name i tend to think that this may be a 
> portforward-problem (i.e. all forwarded ports/ips are mapped to the one 
> associated with the used keystore)
> .. has anybody a working tomcat 4.1.x configuration with multiple ips 
> and ssl keystores?

Yes, one service with multiple connectors for different IPs using
different keystores. It works fine, and I don't see any significant
difference between my server.xml and the one you previously sent.

I would seriously urge you to turn off the port-forwarding, change
the connectors to standard ports 80 and 443 and test again. :-)

FWIW!
-- 
Hassan Schroeder ----------------------------- hassan@webtuitive.com
Webtuitive Design ===  (+1) 408-938-0567   === http://webtuitive.com

                           dream.  code.





Re: multiple ips, multiple ssl certificates and port forwarding

Posted by rk...@metamagix.net.
hello again!

i also tried it with one service and multiple connectors with the same 
result ... only one of the keystore-files is taken ... as it is the one of 
the webserver's original name i tend to think that this may be a 
portforward-problem (i.e. all forwarded ports/ips are mapped to the one 
associated with the used keystore)
.. has anybody a working tomcat 4.1.x configuration with multiple ips and 
ssl keystores?

kind regards

randolph

At 16:00 17.01.2005, you wrote:
>hello everybody!
>
>i'm new to this list and don't have too much tomcat experience but i've 
>been searching for a while to solve the following problem - unfortunately 
>up to date without success:
>here is my little mind bender ;-)
>
>i have tomcat 4.1.31 running on a linux server, to use multiple ssl 
>keystores i built the following server.xml, i have port-forwarding on 
>(script follows). my problem is that i always get the same certificate, 
>no matter what ip/domain i use.
>
>server xml
>-------------------------------
><Server port="8005" shutdown="SHUTDOWN" debug="0">
>
>
>   <!-- Comment these entries out to disable JMX MBeans support -->
>   <!-- You may also configure custom components (e.g. Valves/Realms) by
>        including your own mbean-descriptor file(s), and setting the
>        "descriptors" attribute to point to a ';' separated list of paths
>        (in the ClassLoader sense) of files to add to the default list.
>        e.g. descriptors="/com/myfirm/mypackage/mbean-descriptor.xml"
>   -->
>   <Listener className="org.apache.catalina.mbeans.ServerLifecycleListener"
>             debug="0"/>
>   <Listener 
> className="org.apache.catalina.mbeans.GlobalResourcesLifecycleListener"
>             debug="0"/>
>
>   <!-- Global JNDI resources -->
>   <GlobalNamingResources>
>
>     <!-- Test entry for demonstration purposes -->
>     <Environment name="simpleValue" type="java.lang.Integer" value="30"/>
>
>     <!-- Editable user database that can also be used by
>          UserDatabaseRealm to authenticate users -->
>     <Resource name="UserDatabase" auth="Container"
>               type="org.apache.catalina.UserDatabase"
>        description="User database that can be updated and saved">
>     </Resource>
>     <ResourceParams name="UserDatabase">
>       <parameter>
>         <name>factory</name>
>         <value>org.apache.catalina.users.MemoryUserDatabaseFactory</value>
>       </parameter>
>       <parameter>
>         <name>pathname</name>
>         <value>conf/tomcat-users.xml</value>
>       </parameter>
>     </ResourceParams>
>
>   </GlobalNamingResources>
>
>   <Service name="Service C">
>     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8080" address="100.100.100.3" minProcessors="10" 
> maxProcessors="100"
>                enableLookups="true" redirectPort="8080"
>                acceptCount="100" debug="0" connectionTimeout="20000"
>                useURIValidationHack="false" disableUploadTimeout="true" />
>     <!-- Note : To disable connection timeouts, set connectionTimeout value
>      to 0 -->
>
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="30"
>                address="100.100.100.3"
>                enableLookups="true"
>                acceptCount="30" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>       <Factory 
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile="/home/essence/essence/KEYS/c.keystore"
>                keystorePass="xxx"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
>
>
>     <Engine defaultHost="www.domainc.at" debug="0">
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               prefix="catalina_log." suffix=".txt"
>               timestamp="true"/>
>
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                  debug="0" resourceName="UserDatabase"/>
>
>       <!-- Define the default virtual host -->
>       <Host name="www.domainc.at" debug="0" appBase="webapps"
>        unpackWARs="true" autoDeploy="true">
>
>         <Logger className="org.apache.catalina.logger.FileLogger"
>                  directory="logs"  prefix="domainc_log." suffix=".txt"
>             timestamp="true"/>
>
>         <!-- Tomcat Root Context -->
>           <Context path="" docBase="essence" debug="0"/>
>
>       </Host>
>       </Engine>
>   </Service>
>
>
>
>   <Service name="service b">
>     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8080" address="100.100.100.2" minProcessors="10" 
> maxProcessors="100"
>                enableLookups="true" redirectPort="8080"
>                acceptCount="100" debug="0" connectionTimeout="20000"
>                useURIValidationHack="false" disableUploadTimeout="true" />
>     <!-- Note : To disable connection timeouts, set connectionTimeout value
>      to 0 -->
>
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="50"
>                address="100.100.100.2"
>                enableLookups="true"
>                acceptCount="50" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>       <Factory 
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile="/home/essence/essence/KEYS/b.keystore"
>                keystorePass="xxxx"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
>
>
>     <Engine defaultHost="www.domainb.at" debug="0">
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               prefix="catalina_log." suffix=".txt"
>               timestamp="true"/>
>
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                  debug="0" resourceName="UserDatabase"/>
>
>       <!-- Define the default virtual host -->
>       <Host name="www.domainb.at" debug="0" appBase="webapps"
>        unpackWARs="true" autoDeploy="true">
>
>         <Logger className="org.apache.catalina.logger.FileLogger"
>                  directory="logs"  prefix="domainb_log." suffix=".txt"
>             timestamp="true"/>
>
>         <!-- Tomcat Root Context -->
>           <Context path="" docBase="essence" debug="0"/>
>
>       </Host>
>       </Engine>
>   </Service>
>
>
>   <Service name="ServiceA">
>     <!-- Define a non-SSL Coyote HTTP/1.1 Connector on port 8080 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8080" address="100.100.100.1" minProcessors="10" 
> maxProcessors="100"
>                enableLookups="true" redirectPort="8080"
>                acceptCount="100" debug="0" connectionTimeout="20000"
>                useURIValidationHack="false" disableUploadTimeout="true" />
>     <!-- Note : To disable connection timeouts, set connectionTimeout value
>      to 0 -->
>
>     <!-- Define a SSL Coyote HTTP/1.1 Connector on port 8443 -->
>     <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
>                port="8443" minProcessors="5" maxProcessors="30"
>                address="100.100.100.1"
>                enableLookups="true"
>                acceptCount="30" debug="0" scheme="https" secure="true"
>                useURIValidationHack="false" disableUploadTimeout="true">
>       <Factory 
> className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
>                keystoreFile="/home/essence/essence/KEYS/a.keystore"
>                keystorePass="xxxxx"
>                clientAuth="false" protocol="TLS" />
>     </Connector>
>
>     <Engine defaultHost="www.domaina.at" debug="0">
>       <Logger className="org.apache.catalina.logger.FileLogger"
>               prefix="catalina_log." suffix=".txt"
>               timestamp="true"/>
>
>       <Realm className="org.apache.catalina.realm.UserDatabaseRealm"
>                  debug="0" resourceName="UserDatabase"/>
>
>       <!-- Define the default virtual host -->
>       <Host name="www.domaina.at" debug="0" appBase="webapps"
>        unpackWARs="true" autoDeploy="true">
>
>         <Logger className="org.apache.catalina.logger.FileLogger"
>                  directory="logs"  prefix="domaina_log." suffix=".txt"
>             timestamp="true"/>
>
>         <!-- Tomcat Root Context -->
>           <Context path="" docBase="essence" debug="0"/>
>
>       </Host>
>       </Engine>
>   </Service>
>
></Server>
>
>----------------------------
>
>the multiple ips work and my port-forwarding script looks as follows:
>
>         iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 80:80 --to-ports 8080
>         iptables -t nat -A PREROUTING -j REDIRECT -p tcp --destination-port 443:443 --to-ports 8443
>
>does anybody have a hint what is wrong with this?
>
>kind regards
>
>randolph

-----------------------------------------------------------------------
di randolph kepplinger, mba
rk@metamagix.net / 0676-844899-800

metamagix - better online solutions
favoritenstrasse 19 / 1040 wien / +43.1.9902804
buero: hackengasse 27 / 1150 wien / +43.1.9902804
http://www.metamagix.net
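The REDIRECT target in the quoted iptables script rewrites a packet's destination address to the primary address of the interface it arrived on. If 100.100.100.1, .2 and .3 are all aliases on one interface, every connection to port 443 therefore lands on 100.100.100.1:8443 and is answered by the connector holding a.keystore, whichever address the client actually asked for. That matches the symptom (always the certificate of the server's original name) and Hassan's advice to test without the forwarding. A DNAT rule written per address keeps the destination the client used, so the connector bound to that address answers with its own keystore. The script below is an added example, not code from this thread or from Tomcat: it parses a constructed, trimmed copy of the poster's server.xml, models which keystore a client sees under REDIRECT versus per-address DNAT, and prints the DNAT rules. The assumption that the three addresses share a single interface is the example's own.

```python
"""Per-address port forwarding for Tomcat 4.1 connectors (added example).

Constructed sample input: the parts of the thread's server.xml that matter
for forwarding, one Service per address, each with an HTTP connector on 8080
and an SSL connector on 8443 bound to that address.
"""
import xml.etree.ElementTree as ET

SERVICE_TEMPLATE = """
  <Service name="{name}">
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8080" address="{addr}"/>
    <Connector className="org.apache.coyote.tomcat4.CoyoteConnector"
               port="8443" address="{addr}" scheme="https" secure="true">
      <Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory"
               keystoreFile="/home/essence/essence/KEYS/{ks}.keystore"
               protocol="TLS"/>
    </Connector>
  </Service>"""

# Constructed, trimmed copy of the poster's layout (three Services).
SERVER_XML = '<Server port="8005" shutdown="SHUTDOWN">' + "".join(
    SERVICE_TEMPLATE.format(name=n, addr=a, ks=k)
    for n, a, k in [("Service C", "100.100.100.3", "c"),
                    ("service b", "100.100.100.2", "b"),
                    ("ServiceA", "100.100.100.1", "a")]) + "\n</Server>"

# Public port -> Tomcat port, as in the thread's iptables script.
PORT_MAP = {80: 8080, 443: 8443}


def connectors(server_xml):
    """Yield (address, port, keystoreFile or None) for every Connector."""
    root = ET.fromstring(server_xml)
    for con in root.iter("Connector"):
        factory = con.find("Factory")
        keystore = factory.get("keystoreFile") if factory is not None else None
        yield con.get("address", "0.0.0.0"), int(con.get("port")), keystore


def dnat_rules(server_xml, port_map=PORT_MAP):
    """One DNAT rule per bound connector.  DNAT keeps the destination address
    the client used, so the connector (and keystore) bound to it answers."""
    reverse = {tomcat: public for public, tomcat in port_map.items()}
    rules = []
    for addr, port, _ in connectors(server_xml):
        if port in reverse:
            rules.append(
                f"iptables -t nat -A PREROUTING -p tcp -d {addr} "
                f"--dport {reverse[port]} -j DNAT --to-destination {addr}:{port}")
    return rules


def keystore_seen_with_redirect(server_xml, primary_addr, ssl_port=8443):
    """Model the thread's REDIRECT rules: the kernel rewrites the destination
    to the incoming interface's primary address (assumed to be primary_addr,
    with all addresses on that one interface), so the connector bound to
    primary_addr:ssl_port answers every SSL connection.
    Returns {address the client connected to: keystore actually served}."""
    keystores = {(a, p): ks for a, p, ks in connectors(server_xml)}
    served = keystores.get((primary_addr, ssl_port))
    return {a: served for a, p, _ in connectors(server_xml) if p == ssl_port}


def keystore_seen_with_dnat(server_xml, ssl_port=8443):
    """Same question under per-address DNAT: each address keeps its own."""
    return {a: ks for a, p, ks in connectors(server_xml) if p == ssl_port}


if __name__ == "__main__":
    print("# with REDIRECT, primary address 100.100.100.1:")
    for addr, ks in keystore_seen_with_redirect(SERVER_XML, "100.100.100.1").items():
        print(f"#   client -> {addr}:443 gets {ks}")
    print("# per-address DNAT rules replacing the two REDIRECT lines:")
    for rule in dnat_rules(SERVER_XML):
        print(rule)
```

Running the script prints six rules, two per address; under the REDIRECT model all three addresses report a.keystore, under the DNAT model each reports its own. One further thing the sample leaves out: the thread's connectors carry redirectPort="8080", the plain-HTTP port itself. redirectPort is where Tomcat sends a request whose web.xml transport guarantee requires SSL, so it should name the port clients reach the SSL connector on (8443 directly, or 443 once the forwarding is in place).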

