Posted to users@tomcat.apache.org by Roger Roger <rx...@gmail.com> on 2007/05/23 11:32:05 UTC

Tomcat 6 + SSL

I would like to install Tomcat 6.0 with SSL. Tomcat 6.0 works, and I can get
Tomcat 5.5 working with SSL. For some reason I cannot get this to work with
6.0. Do you have any ideas or suggestions what might cause this? I'm working
on a Windows machine.

Thanks, Roger

Re: Tomcat 6 + SSL

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Markus Schönhaber wrote:

> setup wouldn't help you at all wrt creating a HTTP Connector.

Sorry, HTTP*S* Connector was what I wanted to say.

Regards
  mks

---------------------------------------------------------------------
To start a new topic, e-mail: users@tomcat.apache.org
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 6 + SSL

Posted by Filip Hanik - Dev Lists <de...@hanik.com>.
If you are using APR, then you need a different set of options in the
<Connector> element. Take a look at the SSL documentation again.

Filip

Roger Roger wrote:
> Yes I'm using APR. The dll is in the bin directory. Thanks for pointing this
> out. Deleting the dll didn't resolve the problem though. I'll try this again
> tomorrow.
>
> I would like to know what is better to use, and more secure. If APR is more
> secure, I will use that, even if it means more work. I suppose it's
> something you have to do one time.
>
> Cheers, Roger
>
>
> On 5/23/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>>
>> > From: Roger Roger [mailto:rxt360@gmail.com]
>> > Subject: Re: Tomcat 6 + SSL
>> >
>> > I've installed Tomcat 6.0, the default installation
>>
>> Look in Tomcat's bin directory; if there's a tcnative-1.dll there, you
>> have APR installed and are using it.  If you want to avoid use of APR to
>> continue with your prior SSL configuration, just rename or delete the
>> .dll file.  If you want to configure APR for SSL, look here:
>> http://tomcat.apache.org/tomcat-6.0-doc/apr.html
>>
>> > <Listener className="org.apache.catalina.core.AprLifecycleListener"
>> > SSLEngine="on" />
>>
>> The Listener for APR is always there, whether the .dll exists or not.
>>
>> - Chuck
>>
>>
>> THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
>> MATERIAL and is thus for use only by the intended recipient. If you
>> received this in error, please contact the sender and delete the e-mail
>> and its attachments from all computers.
>>
>
> ------------------------------------------------------------------------
>
> No virus found in this incoming message.
> Checked by AVG Free Edition. 
> Version: 7.5.467 / Virus Database: 269.7.6/815 - Release Date: 5/22/2007 3:49 PM
>   



RE: Tomcat 6 + SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Roger Roger [mailto:rxt360@gmail.com] 
> Subject: Re: Tomcat 6 + SSL
> 
> I would like to know what is better to use, and more secure. 

Security should be the same, regardless of the connector flavor.  APR
should perform better, if that's a concern.

 - Chuck




Re: Tomcat 6 + SSL

Posted by Roger Roger <rx...@gmail.com>.
Yes I'm using APR. The dll is in the bin directory. Thanks for pointing this
out. Deleting the dll didn't resolve the problem though. I'll try this again
tomorrow.

I would like to know what is better to use, and more secure. If APR is more
secure, I will use that, even if it means more work. I suppose it's
something you have to do one time.

Cheers, Roger


On 5/23/07, Caldarale, Charles R <Ch...@unisys.com> wrote:
>
> > From: Roger Roger [mailto:rxt360@gmail.com]
> > Subject: Re: Tomcat 6 + SSL
> >
> > I've installed Tomcat 6.0, the default installation
>
> Look in Tomcat's bin directory; if there's a tcnative-1.dll there, you
> have APR installed and are using it.  If you want to avoid use of APR to
> continue with your prior SSL configuration, just rename or delete the
> .dll file.  If you want to configure APR for SSL, look here:
> http://tomcat.apache.org/tomcat-6.0-doc/apr.html
>
> > <Listener className="org.apache.catalina.core.AprLifecycleListener"
> > SSLEngine="on" />
>
> The Listener for APR is always there, whether the .dll exists or not.
>
> - Chuck
>
>

RE: Tomcat 6 + SSL

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Roger Roger [mailto:rxt360@gmail.com] 
> Subject: Re: Tomcat 6 + SSL
> 
> I've installed Tomcat 6.0, the default installation

Look in Tomcat's bin directory; if there's a tcnative-1.dll there, you
have APR installed and are using it.  If you want to avoid use of APR to
continue with your prior SSL configuration, just rename or delete the
.dll file.  If you want to configure APR for SSL, look here:
http://tomcat.apache.org/tomcat-6.0-doc/apr.html

> <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />

The Listener for APR is always there, whether the .dll exists or not.

 - Chuck




Re: Tomcat 6 + SSL

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Roger Roger wrote:

> Hi Markus, I'm not sure. I've installed Tomcat 6.0, the default
> installation, and don't know about APR. Googling for it I see it refers to
> Apache Portable Runtime.

Yep.

> When I look at the server.xml I find the following:
> 
> <Listener className="org.apache.catalina.core.AprLifecycleListener"
> SSLEngine="on" />
> 
> So it looks like it does use APR but I'm not sure about it. If I comment
> this out and restart, it still doesn't work.

Don't comment the Listener! It doesn't turn on APR but simply logs
useful information about whether or not APR is used. Look into the log
files to see whether or not Tomcat has found tcnative-1.dll which is
needed to use APR functionality.
If you're indeed using APR and did a "default installation" as you say
above, you'll probably find tcnative-1.dll in Tomcat's bin/ directory.
If this is the case, move the DLL out of the way to make Tomcat use the
pure Java implementation of the HTTP(S) Connectors.

Regards
  mks
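
The mismatch discussed in this thread (Markus's and Filip's replies: a `protocol="HTTP/1.1"` connector is served by APR when tcnative-1.dll is loaded, and APR needs different `<Connector>` attributes than JSSE) can be checked mechanically. The following is an added example, not code from any poster or from Tomcat; the function names, the second connector's port and the PEM paths are constructed, and the attribute sets are a partial list taken from the Tomcat 6 SSL and APR documentation.

```python
import xml.etree.ElementTree as ET

# Attributes read by each connector implementation (partial lists).
JSSE_ATTRS = {"keystoreFile", "keystorePass", "keystoreType", "sslProtocol"}
APR_ATTRS = {"SSLCertificateFile", "SSLCertificateKeyFile", "SSLPassword", "SSLProtocol"}
APR_CLASS = "org.apache.coyote.http11.Http11AprProtocol"
JSSE_CLASSES = {"org.apache.coyote.http11.Http11Protocol",
                "org.apache.coyote.http11.Http11NioProtocol"}

# Constructed server.xml excerpt: first Connector as posted in the thread,
# second an APR-style Connector with placeholder port and PEM paths.
SAMPLE = r"""
<Server>
  <Service name="Catalina">
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               keystoreFile="C:\Tomcat\keystore\.keystore"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    <Connector port="9443" protocol="org.apache.coyote.http11.Http11AprProtocol"
               SSLEnabled="true" scheme="https" secure="true"
               SSLCertificateFile="C:\Tomcat\conf\server.crt"
               SSLCertificateKeyFile="C:\Tomcat\conf\server.key" />
  </Service>
</Server>
"""


def effective_impl(protocol, native_present):
    """Implementation Tomcat 6 selects for an HTTP connector's protocol attribute."""
    if protocol == APR_CLASS:
        return "APR"
    if protocol in JSSE_CLASSES:
        return "JSSE"
    # protocol="HTTP/1.1" (or absent): APR when tcnative was loaded, else pure Java.
    return "APR" if native_present else "JSSE"


def check_ssl_connectors(server_xml, native_present):
    """Return (port, impl, problem) for each SSL connector whose attributes
    do not match the implementation that will actually serve it."""
    findings = []
    for conn in ET.fromstring(server_xml.strip()).iter("Connector"):
        if conn.get("SSLEnabled", "false").lower() != "true":
            continue
        impl = effective_impl(conn.get("protocol", "HTTP/1.1"), native_present)
        attrs = set(conn.attrib)
        if impl == "APR" and not native_present:
            problem = "APR protocol class requested but tcnative-1.dll is absent"
        elif impl == "APR" and "SSLCertificateFile" not in attrs:
            problem = ("no SSLCertificateFile; JSSE-only attributes present: "
                       + ", ".join(sorted(attrs & JSSE_ATTRS)))
        elif impl == "JSSE" and attrs & APR_ATTRS:
            problem = "APR-only attributes present: " + ", ".join(sorted(attrs & APR_ATTRS))
        else:
            continue
        findings.append((conn.get("port"), impl, problem))
    return findings


if __name__ == "__main__":
    for native in (True, False):
        print("tcnative-1.dll present:", native, check_ssl_connectors(SAMPLE, native))
```

With the DLL present, the thread's port 8443 connector is reported as an APR connector carrying only keystore attributes; with the DLL moved away it passes and the explicit APR connector is flagged instead.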



Re: Tomcat 6 + SSL

Posted by Roger Roger <rx...@gmail.com>.
Hi Markus, I'm not sure. I've installed Tomcat 6.0, the default
installation, and don't know about APR. Googling for it I see it refers to
Apache Portable Runtime.

When I look at the server.xml I find the following:

<Listener className="org.apache.catalina.core.AprLifecycleListener"
SSLEngine="on" />

So it looks like it does use APR but I'm not sure about it. If I comment
this out and restart, it still doesn't work.

R.

On 5/23/07, Markus Schönhaber <ma...@schoenhaber.de> wrote:
>
> Roger Roger wrote:
>
> > I used the following connector:
> > <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> > keystoreFile="C:\Tomcat\keystore\.keystore"
> >                maxThreads="150" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS" />
> >
> > I tried this with a keystore filename without the starting dot, but that
> > didn't change anything. Remember that this setup works with Tomcat 5.5.
>
> Just to exclude a frequent reason for problems like this:
> you're not using APR, are you? Because if you were using APR the above
> setup wouldn't help you at all wrt creating a HTTP Connector.
>
> Regards
>   mks
>

Re: Tomcat 6 + SSL

Posted by Markus Schönhaber <ma...@schoenhaber.de>.
Roger Roger wrote:

> I used the following connector:
> <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> keystoreFile="C:\Tomcat\keystore\.keystore"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
> 
> I tried this with a keystore filename without the starting dot, but that
> didn't change anything. Remember that this setup works with Tomcat 5.5.

Just to exclude a frequent reason for problems like this:
you're not using APR, are you? Because if you were using APR the above
setup wouldn't help you at all wrt creating a HTTP Connector.

Regards
  mks



Re: Tomcat 6 + SSL

Posted by Roger Roger <rx...@gmail.com>.
Hi Srinivas, I used that manual to set up SSL on Tomcat 5.5. That worked. I
created a keystore key, and put it in:

C:\Tomcat\keystore\.keystore

I used the following connector:
<Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
keystoreFile="C:\Tomcat\keystore\.keystore"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />

I tried this with a keystore filename without the starting dot, but that
didn't change anything. Remember that this setup works with Tomcat 5.5.

When I run netstat and open a page, I see the following:

TCP    DESKTOP1:8443            localhost:1510         CLOSE_WAIT
TCP    DESKTOP1:8443            localhost:wins         CLOSE_WAIT
TCP    DESKTOP1:8443            localhost:1513         CLOSE_WAIT

Can you confirm that you have SSL working with Tomcat 6.0?

On 5/23/07, Velidanda Srinivas <sr...@singularity.co.uk> wrote:
>
> I think you know, but still check if something is missing as mentioned at
> the URL below
> http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html
>
> Let me know if you resolve the problem.
>
>
> > -----Original Message-----
> > From: Velidanda Srinivas [mailto:srinivas.velidanda@singularity.co.uk]
> > Sent: 23 May 2007 15:30
> > To: Tomcat Users List
> > Subject: RE: Tomcat 6 + SSL
> >
> >
> > Do you have a valid .keystore file in the required path,
> > usually it refers to C:\Documents and Settings\Default User\.keystore file.
> >
> > Check it out..
>
>

RE: Tomcat 6 + SSL

Posted by Velidanda Srinivas <sr...@singularity.co.uk>.
I think you know, but still check if something is missing as mentioned at the URL below
http://tomcat.apache.org/tomcat-6.0-doc/ssl-howto.html

Let me know if you resolve the problem.


> -----Original Message-----
> From: Velidanda Srinivas [mailto:srinivas.velidanda@singularity.co.uk]
> Sent: 23 May 2007 15:30
> To: Tomcat Users List
> Subject: RE: Tomcat 6 + SSL
> 
> 
> Do you have a valid .keystore file in the required path,
> usually it refers to C:\Documents and Settings\Default User\.keystore file.
> 
> Check it out..
> 
> > -----Original Message-----
> > From: Roger Roger [mailto:rxt360@gmail.com]
> > Sent: 23 May 2007 15:27
> > To: Tomcat Users List
> > Subject: Re: Tomcat 6 + SSL
> > 
> > 
> > Thanks Srinivas. I did that, then restarted Tomcat, then if I open
> > https://127.0.0.1:8443/ or https://localhost:8443/ nothing happens. I get an
> > error after a long time (more than a minute). Running netstat I see port
> > 8443 is "established". If I try to open a page on a non-existent port, I get
> > an error quickly, after a few seconds. So it seems something is happening.
> > And I got it working on 5.5. Stopping the firewall doesn't help. I opened
> > port 8443.
> > 
> > R.
> > 
> > On 5/23/07, Velidanda Srinivas 
> > <sr...@singularity.co.uk> wrote:
> > >
> > > I think you need to uncomment the below
> > >
> > > <!--
> > >     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> > >                maxThreads="150" scheme="https" secure="true"
> > >                clientAuth="false" sslProtocol="TLS" />
> > >     -->
> > >
> > > in conf\server.xml as this will be commented by default.
> > >
> > > Srinivas.
> > >
> > >
> > 
> > 
> > ______________________________________________________________
> > __________
> > This e-mail has been scanned for all viruses by MessageLabs.
> > ______________________________________________________________
> > __________
> > 
> 
> ______________________________________________________________
> __________
> This e-mail has been scanned for all viruses by MessageLabs.
> 
> Singularity operates globally through its offices in New 
> York, London, Singapore, Ireland and India. Singularity 
> Limited is incorporated in the United Kingdom with 
> Registration Number NI 31519 and its Registered Office at 100 
> Patrick Street, Derry, BT48 7EL, United Kingdom.
> ______________________________________________________________
> __________
> 



RE: Tomcat 6 + SSL

Posted by Velidanda Srinivas <sr...@singularity.co.uk>.
Do you have a valid .keystore file in the required path,
usually it refers to C:\Documents and Settings\Default User\.keystore file.

Check it out..

> -----Original Message-----
> From: Roger Roger [mailto:rxt360@gmail.com]
> Sent: 23 May 2007 15:27
> To: Tomcat Users List
> Subject: Re: Tomcat 6 + SSL
> 
> 
> Thanks Srinivas. I did that, then restarted Tomcat, then if I open
> https://127.0.0.1:8443/ or https://localhost:8443/ nothing happens. I get an
> error after a long time (more than a minute). Running netstat I see port
> 8443 is "established". If I try to open a page on a non-existent port, I get
> an error quickly, after a few seconds. So it seems something is happening.
> And I got it working on 5.5. Stopping the firewall doesn't help. I opened
> port 8443.
> 
> R.
> 
> On 5/23/07, Velidanda Srinivas 
> <sr...@singularity.co.uk> wrote:
> >
> > I think you need to uncomment the below
> >
> > <!--
> >     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
> >                maxThreads="150" scheme="https" secure="true"
> >                clientAuth="false" sslProtocol="TLS" />
> >     -->
> >
> > in conf\server.xml as this will be commented by default.
> >
> > Srinivas.
> >
> >
> 
> 



Re: Tomcat 6 + SSL

Posted by Roger Roger <rx...@gmail.com>.
Thanks Srinivas. I did that, then restarted Tomcat, then if I open
https://127.0.0.1:8443/ or https://localhost:8443/ nothing happens. I get an
error after a long time (more than a minute). Running netstat I see port
8443 is "established". If I try to open a page on a non-existent port, I get
an error quickly, after a few seconds. So it seems something is happening.
And I got it working on 5.5. Stopping the firewall doesn't help. I opened
port 8443.

R.

On 5/23/07, Velidanda Srinivas <sr...@singularity.co.uk> wrote:
>
> I think you need to uncomment the below
>
> <!--
>     <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
>                maxThreads="150" scheme="https" secure="true"
>                clientAuth="false" sslProtocol="TLS" />
>     -->
>
> in conf\server.xml as this will be commented by default.
>
> Srinivas.
>
>

RE: Tomcat 6 + SSL

Posted by Velidanda Srinivas <sr...@singularity.co.uk>.
I think you need to uncomment the below

<!--
    <Connector port="8443" protocol="HTTP/1.1" SSLEnabled="true"
               maxThreads="150" scheme="https" secure="true"
               clientAuth="false" sslProtocol="TLS" />
    -->

in conf\server.xml as this will be commented by default.

Srinivas.

> -----Original Message-----
> From: Roger Roger [mailto:rxt360@gmail.com]
> Sent: 23 May 2007 15:02
> To: users@tomcat.apache.org
> Subject: Tomcat 6 + SSL
> 
> 
> I would like to install Tomcat 6.0 with SSL. Tomcat 6.0 works, and I can get
> Tomcat 5.5 working with SSL. For some reason I cannot get this to work with
> 6.0. Do you have any ideas or suggestions what might cause this? I'm working
> on a Windows machine.
> 
> Thanks, Roger
> 
> 
