Posted to users@tomcat.apache.org by "Miller, Gerald" <Ge...@Vistronix.com> on 2016/06/21 18:03:50 UTC

How to force keystoreFile and truststoreFile to be absolute paths

I'm seeing errors from attempts to append uncorrected paths (e.g., C:\out\) and corrected ones (e.g., ~/out/) onto some arbitrary path.  Assuming a relative path in a case like this makes about as much sense as using relative branching in non-relocatable code.  I've wasted hours trying to get rid of errors in catalina.2016-06-21.log, and after I got fed up with the ridiculous assumption that the directory within Tomcat would also be accessed by the web services developed in an entirely separate directory hierarchy, that's when I decided to cut out the asinine duplication once and for all and define one central absolute path.  So much for that idea.  It's complaining that /home/iaadmin/IA/apache-tomcat-8.0.24/~/out/servicetlsstore.jks isn't found!  (Yes, I also have to deal with the fact that the equivalence of servicetlsstore.jks and ServiceTlsStore.jks in Windows is used so carelessly that converting to Ubuntu is a nightmare.)


Re: How to force keystoreFile and truststoreFile to be absolute paths

Posted by Mark Eggers <it...@yahoo.com.INVALID>.
Chris,

On 6/24/2016 9:07 AM, Christopher Schultz wrote:
> Mark,
> 
> On 6/21/16 3:46 PM, Mark Eggers wrote:
>> On 6/21/2016 11:03 AM, Miller, Gerald wrote:
>>> I'm seeing errors from attempts to append uncorrected paths
>>> (e.g., C:\out\) and corrected ones (e.g., ~/out/) onto some
>>> arbitrary path.
>>>
>>> [snip]
> 
>> [snip]
> 
>> keystoreFile="${user.home}/Apache/apache-tomcat-8.0.36/conf/keystore.jks"
> 
> One of the problems is that "~", while often used to mean "the current
> user's home directory" is really only a CLI shell concept. Mark's use
> of ${user.home} is correct, here, and should always be fully-qualified.
> 
> I think this is the core of the problem.
> 
> -chris

Exactly.

The path needs to be absolute rather than relative. I don't know where
relative paths start from (should read the documentation or experiment
to find out).

As you noted, tildes are a shell concept. I don't know which shells
(most likely all tcsh, sh, bash, csh shells at this point but certainly
not Windows).

Using shortcuts (even if they worked) would certainly make the
configuration file non-portable between systems.

I was going to let the original poster read the docs and the example I
gave to figure out the details. Starting a question with a rant even if
you are frustrated doesn't engender volunteer help . . . :-)

. . . just my two cents
/mde/


Re: How to force keystoreFile and truststoreFile to be absolute paths

Posted by Christopher Schultz <ch...@christopherschultz.net>.

Mark,

On 6/21/16 3:46 PM, Mark Eggers wrote:
> On 6/21/2016 11:03 AM, Miller, Gerald wrote:
>> I'm seeing errors from attempts to append uncorrected paths
>> (e.g., C:\out\) and corrected ones (e.g., ~/out/) onto some
>> arbitrary path.
>> 
>> [snip]
> 
> [snip]
> 
> keystoreFile="${user.home}/Apache/apache-tomcat-8.0.36/conf/keystore.jks"

One of the problems is that "~", while often used to mean "the current
user's home directory" is really only a CLI shell concept. Mark's use
of ${user.home} is correct, here, and should always be fully-qualified.

I think this is the core of the problem.

-chris


Re: How to force keystoreFile and truststoreFile to be absolute paths

Posted by Mark Eggers <it...@yahoo.com.INVALID>.
Gerald,

On 6/21/2016 11:03 AM, Miller, Gerald wrote:
> I'm seeing errors from attempts to append uncorrected paths (e.g.,
> C:\out\) and corrected ones (e.g., ~/out/) onto some arbitrary path.
> Assuming a relative path in a case like this makes about as much
> sense as using relative branching in non-relocatable code.  I've
> wasted hours trying to get rid of errors in catalina.2016-06-21.log,
> and after I got fed up with the ridiculous assumption that the
> directory within Tomcat would also be accessed by the web services
> developed in an entirely separate directory hierarchy, that's when I
> decided to cut out the asinine duplication once and for all and
> define one central absolute path.  So much for that idea.  It's
> complaining that
> /home/iaadmin/IA/apache-tomcat-8.0.24/~/out/servicetlsstore.jks isn't
> found!  (Yes, I also have to deal with the fact that the equivalence
> of servicetlsstore.jks and ServiceTlsStore.jks in Windows is used so
> carelessly that converting to Ubuntu is a nightmare.)

I just played with this using Apache Tomcat 8.0.36, JRE 1.8.0_92, and
Windows 7 64 bit.

I followed the fine documentation here:

http://tomcat.apache.org/tomcat-8.0-doc/ssl-howto.html

Here is my server.xml connector configuration:

<Connector port="8443"
     protocol="org.apache.coyote.http11.Http11NioProtocol"
     maxThreads="150"
     SSLEnabled="true"
     scheme="https"
     secure="true"
     keystoreFile="${user.home}/Apache/apache-tomcat-8.0.36/conf/keystore.jks"
     keystorePass="changeit"
     clientAuth="false"
     sslProtocol="TLS" />

(sorry for the word wrap).

Please note that I've moved and renamed the keystore file from the
defaults as generated by the keytool utility.

This works fine, tastes great.

Since I install Tomcat in the same place (for development) regardless of
platform, I then copied the keystore file and Connector configuration to
my 64 bit CentOS 6.8 system running the same version of Tomcat and Java.

This works fine, tastes great. OK, so I changed the ports on the CentOS
system since I already run a production Tomcat on that system with the
default ports. I also had to open up the firewall on that system.

Without seeing your Connector configuration, we have no idea what is
going on. Actually I do, but I'm not going to use Pid's crystal ball at
this junction (for reasons - see below).

We had to intuit your Tomcat version (please upgrade). We don't know
your Java version (please provide).

As an aside, we're all volunteers on this mailing list. We use Tomcat
because it's an awesome platform maintained by awesome, responsive, and
talented people. Vitriol, while certainly understandable after spending
hours working on a problem, is not the best way to win friends,
influence enemies, nor get volunteers to respond to questions.

. . . just my two cents
/mde/
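
An added example, not part of the thread and not Tomcat code: a small audit of the `keystoreFile` and `truststoreFile` values in a server.xml, showing why `~/out/...` ends up under the Tomcat directory while `${user.home}/...` does not. It assumes a Linux host and that a non-absolute value is joined onto the Tomcat base directory, which matches the path in the error quoted above; the sample XML, the `props` dictionary (standing in for Java system properties) and all function names are constructed for illustration.

```python
import posixpath
import re
import xml.etree.ElementTree as ET

# Constructed sample: the path styles from the original post next to the
# ${user.home} form from the reply.
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
  <Connector port="8443" SSLEnabled="true"
             keystoreFile="~/out/servicetlsstore.jks"
             truststoreFile="C:\\out\\ServiceTlsStore.jks" />
  <Connector port="9443" SSLEnabled="true"
             keystoreFile="${user.home}/Apache/apache-tomcat-8.0.36/conf/keystore.jks" />
</Service></Server>"""

ATTRS = ("keystoreFile", "truststoreFile")

def substitute(value, props):
    """Replace ${name} with props[name]; unknown names are left untouched."""
    return re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)

def check_path(raw, base, props):
    """Return (path the server would open, findings) for one attribute value."""
    value = substitute(raw, props)
    findings = []
    if value.startswith("~"):
        findings.append("tilde")          # only a shell expands "~"
    if re.match(r"[A-Za-z]:[\\/]", value):
        findings.append("windows-drive")  # meaningless on a POSIX host
    if not posixpath.isabs(value):
        findings.append("relative")       # assumption: joined onto the base dir
        value = posixpath.join(base, value)
    return posixpath.normpath(value), findings

def case_variant(path, names_on_disk):
    """Return a file name that differs from the configured one only by case."""
    want = posixpath.basename(path)
    return next((n for n in names_on_disk if n != want and n.lower() == want.lower()), None)

def audit(server_xml, base, props):
    """List (port, attribute, resolved path, findings) for every Connector."""
    rows = []
    for conn in ET.fromstring(server_xml).iter("Connector"):
        for attr in ATTRS:
            if attr in conn.attrib:
                rows.append((conn.get("port"), attr) + check_path(conn.get(attr), base, props))
    return rows
```

Any row with a non-empty findings list is a value to rewrite as a fully-qualified path; `case_variant` catches the `servicetlsstore.jks` versus `ServiceTlsStore.jks` mismatch that only shows up on a case-sensitive filesystem.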