Posted to users@tomcat.apache.org by Torleif <to...@askedal.net> on 2009/11/03 21:50:57 UTC

tomcat https

Hi

I am trying to set up tomcat to use https.
I used "keytool -genkey -alias tomcat -keyalg RSA"
If I use "changeit" as password for keystore everything works ok.
If I use a different password it does not work.
I have modified "server.xml" with keystorePass="newpassword"
My .keystore is located in default place.
        
If I use "changeit" as password, will this be a security risk since this
is a widely known password?

Also I run a mailserver with https web interface.
Can I use a different https certificate in tomcat or must it be the same
as my mailserver?

Thank you!!


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: tomcat https

Posted by Nilesh Patil <ni...@gmail.com>.
Dear Torleif,

Why are you using the default location to store the keystore?
You can use the following command to generate a keystore:

c:/keytool -genkey -keyalg RSA -alias tomcat -keystore tomcat.keystore
-storepass tomcat

The above command will generate the tomcat keystore in the current working
directory.

Now you can change the password in server.xml to "tomcat".

Regards,
Nilesh P


On Wed, Nov 4, 2009 at 2:20 AM, Torleif <to...@askedal.net> wrote:

> Hi
>
> I am trying to set up tomcat to use https.
> I used "keytool -genkey -alias tomcat -keyalg RSA"
> If I use "changeit" as password for keystore everything works ok.
> If I use a different password it does not work.
> I have modified "server.xml" with keystorePass="newpassword"
> My .keystore is located in default place.
>
> If I use "changeit" as password, will this be a security risk since this
> is a widely known password?
>
> Also I run a mailserver with https web interface.
> Can I use a different https certificate in tomcat or must it be the same
> as my mailserver?
>
> Thank you!!

Re: tomcat https

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Torleif,

On 11/4/2009 4:25 PM, Torleif wrote:
> My server.xml:
> 
> <Connector 
> port="8443" minProcessors="5" maxProcessors="75"
>            enableLookups="true" disableUploadTimeout="true"
>            acceptCount="100" debug="0" scheme="https" secure="true";
>            clientAuth="false" sslProtocol="TLS" keystoreFile="/home/user/.keystore" keystorePass="mypassword" />
> -->

That closing comment looks suspicious.

> Maybe my cert password is not the same as keystore??

The certificate can certainly have a different password from the keystore.
Does your certificate have a password at all? Usually they do not.

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkry9OwACgkQ9CaO5/Lv0PDIXwCfYlpVeEOWMJoS+Upeahnh0ngB
Fg0AoKcid4Kq+nnUBmZr3C34/66UJNpO
=X0ST
-----END PGP SIGNATURE-----



RE: tomcat https

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: Torleif [mailto:torleif@askedal.net]
> Subject: Re: tomcat https
> 
> I think it may be my server.xml file that is wrong somewhere?
> Everything is ok if I use "changeit"

That suggests that perhaps your Tomcat is not running with the server.xml file you think it is.  For example, if you start Tomcat via an IDE, the IDE often substitutes its own configuration, ignoring yours.

 - Chuck


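Chris's remark about the stray "-->" and Chuck's remark that Tomcat may not be reading the server.xml you think it is come down to the same check: which Connector is actually live, and which keystore file it will open. The script below is an added example, not code from the thread or from Tomcat. It scans a server.xml for Connectors still sitting inside an XML comment (ElementTree drops comments, so that part is a textual scan), parses the live HTTPS Connectors, resolves the default keystore location the way the Tomcat docs describe it (.keystore in the home directory of the user Tomcat runs as), flags the well-known "changeit" default, and optionally checks that the keystore exists and is not group/world readable. The server.xml fragments it runs on are constructed for the example and only mimic the posted snippet; the malformed one reproduces the  secure="true";  typo, which Tomcat's parser rejects just as this one does.

```python
"""Audit the HTTPS Connector in a Tomcat server.xml.

Added example for this thread, not code from Tomcat or from any poster.
It answers the three questions the replies raise:
  1. is the 8443 Connector live, or still inside the XML comment that
     surrounds the SSL connector in a stock server.xml (the stray "-->")?
  2. which keystore file will Tomcat open for the user it runs as?
  3. is keystorePass still the widely known default "changeit"?
"""
import os
import re
import stat
import xml.etree.ElementTree as ET

DEFAULT_KEYSTORE_PASSWORD = "changeit"   # JDK/Tomcat default the thread asks about


def commented_out_connectors(xml_text):
    """Every <Connector ...> tag that sits inside <!-- ... -->, whitespace-collapsed.

    ElementTree silently drops comments, so this has to be a textual scan."""
    found = []
    for body in re.findall(r"<!--(.*?)-->", xml_text, flags=re.S):
        for match in re.finditer(r"<Connector[^>]*>", body):
            found.append(" ".join(match.group(0).split()))
    return found


def active_https_connectors(xml_text):
    """Attribute dicts of the Connectors Tomcat would really start with TLS.

    Raises xml.etree.ElementTree.ParseError on malformed input such as the
    posted  secure="true";  -- Tomcat refuses such a file as well."""
    root = ET.fromstring(xml_text)
    return [c.attrib for c in root.iter("Connector")
            if c.attrib.get("secure", "").lower() == "true"
            or c.attrib.get("scheme", "").lower() == "https"
            or c.attrib.get("SSLEnabled", "").lower() == "true"]


def resolve_keystore(attrs, tomcat_user_home):
    """keystoreFile defaults to ~/.keystore of the user *running* Tomcat,
    which is why a store created as a different user is never found."""
    return attrs.get("keystoreFile") or os.path.join(tomcat_user_home, ".keystore")


def audit(xml_text, tomcat_user_home="/home/tomcat", check_files=True):
    """Return a list of findings; an empty list means nothing to complain about."""
    findings = ["connector is commented out: " + c for c in commented_out_connectors(xml_text)]
    try:
        live = active_https_connectors(xml_text)
    except ET.ParseError as err:
        return findings + ["server.xml does not parse: %s" % err]
    if not live:
        findings.append("no active HTTPS connector")
    for attrs in live:
        port = attrs.get("port", "?")
        if attrs.get("keystorePass", DEFAULT_KEYSTORE_PASSWORD) == DEFAULT_KEYSTORE_PASSWORD:
            findings.append("port %s uses the default keystore password" % port)
        keystore = resolve_keystore(attrs, tomcat_user_home)
        if check_files:                               # only meaningful on the Tomcat host
            if not os.path.isfile(keystore):
                findings.append("port %s: keystore %s not found" % (port, keystore))
            elif os.stat(keystore).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
                findings.append("port %s: keystore %s is group/world accessible" % (port, keystore))
    return findings


# Constructed samples, not the poster's real file. The first mirrors the posted
# snippet: the Connector is still inside the comment a stock server.xml ships.
STILL_COMMENTED = """<Server><Service name="Catalina">
<!--
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/home/user/.keystore" keystorePass="mypassword" />
-->
<Connector port="8080" />
</Service></Server>"""

UNCOMMENTED = """<Server><Service name="Catalina">
<Connector port="8443" scheme="https" secure="true" sslProtocol="TLS"
           keystoreFile="/home/user/.keystore" keystorePass="changeit" />
</Service></Server>"""

MALFORMED = '<Server><Connector port="8443" scheme="https" secure="true"; /></Server>'

if __name__ == "__main__":
    for name, text in (("still commented", STILL_COMMENTED),
                       ("uncommented", UNCOMMENTED), ("malformed", MALFORMED)):
        print(name, "->", audit(text, check_files=False))
```

Run it against the real file with audit(open("conf/server.xml").read(), tomcat_user_home="/home/<tomcat user>") on the Tomcat host, and check that the path it reports is the one keytool wrote to; an empty list for the "still commented" case would mean the comment scan is not seeing your file.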


Re: tomcat https

Posted by Torleif <to...@askedal.net>.
Hi

That is what I used.

In the end it says "press enter for same password" and that is what I did.

I also tried to enter the same password instead of just pressing enter, but it still
doesn't work.

I think it may be my server.xml file that is wrong somewhere? Everything is
ok if I use "changeit".

Torleif

> Thu Nov 05 2009 09:44:49 CET from "Ognjen Blagojevic"
> <og...@etf.bg.ac.rs>  Subject: Re: tomcat https
>
> Torleif wrote:
>> Maybe my cert password is not the same as keystore??
>> I thought my keystore containing the cert was created with
>> "keytool -genkey -alias tomcat -keyalg RSA"  ??
>
> You must use the same password for both keystore and certificate.
> Keytool asks you for keystore password at the beginning, and for the
> certificate password at the end.
>
> Regards,
> Ognjen

Re: tomcat https

Posted by Ognjen Blagojevic <og...@etf.bg.ac.rs>.
Torleif wrote:
> Maybe my cert password is not the same as keystore??
> I thought my keystore containing the cert was created with
> "keytool -genkey -alias tomcat -keyalg RSA"  ??

You must use the same password for both keystore and certificate. 
Keytool asks you for keystore password at the beginning, and for the 
certificate password at the end.

Regards,
Ognjen


Re: tomcat https

Posted by Torleif <to...@askedal.net>.

Hi again.

My server.xml:

<Connector 
port="8443" minProcessors="5" maxProcessors="75"
           enableLookups="true" disableUploadTimeout="true"
           acceptCount="100" debug="0" scheme="https" secure="true";
           clientAuth="false" sslProtocol="TLS" keystoreFile="/home/user/.keystore" keystorePass="mypassword" />
-->


I run Tomcat as "user".

I followed this guide:

http://tomcat.apache.org/tomcat-5.5-doc/ssl-howto.html


Maybe my cert password is not the same as keystore??
I thought my keystore containing the cert was created with
"keytool -genkey -alias tomcat -keyalg RSA"  ??

Thanks everyone!!

On Wed, 2009-11-04 at 17:47 +0100, Ognjen Blagojevic wrote:
> Torleif wrote:
> > By "default place" I mean /home/user/.keystore  
> 
> /home/user/.keystore? That's strange. Is it maybe 
> /home/tomcat/.keystore? Or do you have a user "user" on your system? Under 
> what user did you create the .keystore file?
> 
> 
> > If I choose a different password and modify "server.xml" accordingly it does
> > not work.  
> 
> Did you choose the same password for both keystore AND certificate, as 
> pointed out in the Tomcat docs?
> 
> 
> > Maybe I should use this command instead? ( "keytool -genkey -alias tomcat
> > -keyalg RSA -keystore /home/user/.keystore
> >  -storepass mypassword" ) ??
> 
> No, that is not the source of the problem.
> 
> 
> > I am ok with using "changeit" as password if this is no security risk. No one
> > has access to my computer, but can they get access through https if they know
> > the "changeit" password?  
> 
> Well, anyone could access your webapps (not the entire file system) 
> regardless of the keystore password.
> 
> 
> > I also have a mailserver on the same IP, "citadel", which uses "webcit" for
> > webmail.  
> > 
> > The ports on my mailserver and Tomcat are different.  
> 
> Then you can use different certificates.
> 
> 
> Regards,
> Ognjen


Re: tomcat https

Posted by Christopher Schultz <ch...@christopherschultz.net>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

All,

On 11/4/2009 11:47 AM, Ognjen Blagojevic wrote:
> Torleif wrote:
>> By "default place" I mean /home/user/.keystore  
> 
> /home/user/.keystore? That's strange. Is it maybe
> /home/tomcat/.keystore? Or do you have a user "user" on your system? Under
> what user did you create the .keystore file?

...and what do you actually have in your server.xml for keystore
configuration?

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkrxtDgACgkQ9CaO5/Lv0PD+ZgCdHRHNp7ryxfMI6ZHgYX1d8Zx1
MdUAn1zd+PfL215yv4IRi8xFyfmCWTfU
=9xK7
-----END PGP SIGNATURE-----



Re: tomcat https

Posted by Ognjen Blagojevic <og...@etf.bg.ac.rs>.
Torleif wrote:
> By "default place" I mean /home/user/.keystore  

/home/user/.keystore? That's strange. Is it maybe 
/home/tomcat/.keystore? Or do you have a user "user" on your system? Under 
what user did you create the .keystore file?


> If I choose a different password and modify "server.xml" accordingly it does
> not work.  

Did you choose the same password for both keystore AND certificate, as 
pointed out in the Tomcat docs?


> Maybe I should use this command instead? ( "keytool -genkey -alias tomcat
> -keyalg RSA -keystore /home/user/.keystore
>  -storepass mypassword" ) ??

No, that is not the source of the problem.


> I am ok with using "changeit" as password if this is no security risk. No one
> has access to my computer, but can they get access through https if they know
> the "changeit" password?  

Well, anyone could access your webapps (not the entire file system) 
regardless of the keystore password.


> I also have a mailserver on the same IP, "citadel", which uses "webcit" for
> webmail.  
> 
> The ports on my mailserver and Tomcat are different.  

Then you can use different certificates.


Regards,
Ognjen




Re: tomcat https

Posted by Torleif <to...@askedal.net>.
Hi

Thanks for all your help!!

I am using Debian Lenny as OS.

I am trying to set up a funambol server which uses Tomcat. (
http://bionicmessage.net/?q=node/18 )

I am not sure which version of Tomcat it uses. (I am at work right now and
can't check)

By "default place" I mean /home/user/.keystore

I run "keytool -genkey -alias tomcat -keyalg RSA"

When I run this command it asks for a password, which is "changeit" by default,
and everything works ok.

If I choose a different password and modify "server.xml" accordingly it does
not work.

Maybe I should use this command instead? ( "keytool -genkey -alias tomcat
-keyalg RSA -keystore /home/user/.keystore
 -storepass mypassword" ) ??

I am ok with using "changeit" as password if this is no security risk. No one
has access to my computer, but can they get access through https if they know
the "changeit" password?

I also have a mailserver on the same IP, "citadel", which uses "webcit" for
webmail.

The ports on my mailserver and Tomcat are different.

Thanks again for all help!!

Torleif

Re: tomcat https

Posted by Ognjen Blagojevic <og...@etf.bg.ac.rs>.
Torleif wrote:
> I am trying to set up tomcat to use https.
> I used "keytool -genkey -alias tomcat -keyalg RSA"
> If I use "changeit" as password for keystore everything works ok.
> If I use a different password it does not work.
> I have modified "server.xml" with keystorePass="newpassword"
> My .keystore is located in default place.

It could help if you tell us which Tomcat version and which OS and version you are 
using, and what "default place" is.

The .keystore file should be in the home directory of the user running 
Tomcat, e.g. /home/tomcat on Linux, or "C:\Documents and 
Settings\ognjen\" on Windows XP.

Also note: "Finally, you will be prompted for the key password, which is 
the password specifically for this Certificate (as opposed to any other 
Certificates stored in the same keystore file). You MUST use the same 
password here as was used for the keystore password itself. (Currently, 
the keytool prompt will tell you that pressing the ENTER key does this 
for you automatically.)" (tomcat SSL docs)


> If I use "changeit" as password, will this be a security risk since this
> is a widely known password?

The way I see it, the security risk is not too big. The .keystore file will 
most probably have the same access rights as your server.xml, where the 
keystore password is stored in cleartext. So, if an unauthorized user 
is able to access the .keystore file, they will also be able to access 
server.xml and read the keystore password.

However, if your configuration, backup strategy, or anything else 
introduces the possibility for an unauthorized person to access only the 
.keystore file (and not server.xml) - or you are simply paranoid - you 
should change the default password.


> Also I run a mailserver with https web interface.
> Can I use a different https certificate in tomcat or must it be the same
> as my mailserver?

It really depends on your configuration.

Are both webmail and Tomcat on the same port? Do you run the webmail 
application under Tomcat or not? Do you use httpd or not? Do you have 
more than one IP address available for the server?

If you use two servers, two different IP addresses OR two different 
ports on the same IP address, you can have different certificates. In 
other cases, you can't.

Regards,
Ognjen

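Ognjen's answer and the Tomcat SSL HOWTO he quotes both insist that the keystore password and the key password match, and Chris asks whether the certificate has a password at all. Inside a JKS file those are two different mechanisms, and the script below, added here as an example (it is not from the thread, from Tomcat or from keytool), makes that concrete in pure Python: the store password seals the whole file with a SHA-1 integrity digest, which is exactly what keystorePass has to satisfy, while each private key entry is separately encrypted under its key password, which that digest does not cover at all. A keystore can therefore open fine with the store password and still fail when Tomcat tries to unlock the "tomcat" key with a different key password. The keystore it checks is constructed inside the block (placeholder bytes stand in for the RSA key and certificate, inside a real JKS container), since the poster's ~/.keystore is not available; the format details are those of sun.security.provider.JavaKeyStore, which is what keytool wrote by default in 2009.

```python
"""Check a JKS keystore's store password and list its entries, in pure Python.

Added example, not from the thread or from Tomcat/keytool. Format facts used
(the layout written by sun.security.provider.JavaKeyStore): big-endian
magic 0xFEEDFEED, version (1 or 2), entry count, the entries, and finally
SHA1(store password as UTF-16BE || "Mighty Aphrodite" || all preceding bytes).
The key password is *not* involved in that digest: it encrypts each private
key entry on its own, so the store can open and the "tomcat" key still fail.
"""
import hashlib
import hmac
import struct

MAGIC = 0xFEEDFEED
PRIVATE_KEY, TRUSTED_CERT = 1, 2      # entry tags


def jks_digest(body, password):
    """The 20-byte integrity digest JKS appends, keyed by the store password."""
    h = hashlib.sha1()
    h.update(password.encode("utf-16-be"))
    h.update(b"Mighty Aphrodite")
    h.update(body)
    return h.digest()


def check_store_password(data, password):
    """True if `password` is the store password (what keystorePass must be)."""
    body, stored = data[:-20], data[-20:]
    return hmac.compare_digest(jks_digest(body, password), stored)


def parse_jks(data):
    """Return (version, entries). Reads lengths only and never decrypts a key."""
    pos = 0

    def u32():
        nonlocal pos
        (v,) = struct.unpack_from(">I", data, pos)
        pos += 4
        return v

    def utf():                        # DataOutputStream.writeUTF: u16 length + bytes
        nonlocal pos
        (n,) = struct.unpack_from(">H", data, pos)
        pos += 2
        s = data[pos:pos + n].decode("utf-8")
        pos += n
        return s

    def blob():                       # u32 length + bytes
        nonlocal pos
        n = u32()
        b = data[pos:pos + n]
        pos += n
        return b

    if u32() != MAGIC:
        raise ValueError("not a JKS keystore (bad magic)")
    version = u32()
    if version not in (1, 2):
        raise ValueError("unsupported JKS version %d" % version)
    entries = []
    for _ in range(u32()):
        tag, alias = u32(), utf()
        pos += 8                      # creation time, ms since the epoch
        if tag == PRIVATE_KEY:
            enc_key = blob()          # EncryptedPrivateKeyInfo, sealed by the key password
            chain_len = u32()
            for _ in range(chain_len):
                if version == 2:
                    utf()             # certificate type, normally "X.509"
                blob()
            entries.append({"alias": alias, "kind": "PrivateKeyEntry",
                            "encrypted_key_len": len(enc_key), "chain_len": chain_len})
        elif tag == TRUSTED_CERT:
            if version == 2:
                utf()
            entries.append({"alias": alias, "kind": "trustedCertEntry", "cert_len": len(blob())})
        else:
            raise ValueError("unknown entry tag %d" % tag)
    if len(data) - pos != 20:
        raise ValueError("file does not end in a 20-byte digest")
    return version, entries


def _utf(s):
    b = s.encode("utf-8")
    return struct.pack(">H", len(b)) + b


def build_jks(entries, password):
    """Serialise a version-2 JKS sealed with `password`. Used only to fabricate
    the constructed keystore below; real ones come from keytool."""
    out = bytearray(struct.pack(">III", MAGIC, 2, len(entries)))
    for e in entries:
        if e["kind"] == "PrivateKeyEntry":
            out += struct.pack(">I", PRIVATE_KEY) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp"])
            out += struct.pack(">I", len(e["encrypted_key"])) + e["encrypted_key"]
            out += struct.pack(">I", len(e["chain"]))
            for cert in e["chain"]:
                out += _utf("X.509") + struct.pack(">I", len(cert)) + cert
        else:
            out += struct.pack(">I", TRUSTED_CERT) + _utf(e["alias"]) + struct.pack(">Q", e["timestamp"])
            out += _utf("X.509") + struct.pack(">I", len(e["cert"])) + e["cert"]
    out += jks_digest(bytes(out), password)
    return bytes(out)


# Constructed stand-in for ~/.keystore after "keytool -genkey -alias tomcat
# -keyalg RSA": one private-key entry "tomcat" with a one-certificate chain.
# The key and certificate bytes are placeholders, not a real RSA key or X.509
# certificate; only the JKS container and its digest are genuine.
SAMPLE_STORE = build_jks([{"kind": "PrivateKeyEntry", "alias": "tomcat",
                           "timestamp": 1257284400000,
                           "encrypted_key": b"\x30\x82" + b"\x00" * 1216,
                           "chain": [b"\x30\x82" + b"\x00" * 900]}], "changeit")

if __name__ == "__main__":
    for pw in ("changeit", "mypassword"):
        print("store password %r opens it: %s" % (pw, check_store_password(SAMPLE_STORE, pw)))
    print(parse_jks(SAMPLE_STORE))
```

To check your own file, pass open(path, "rb").read() to check_store_password and parse_jks; if the store password passes but Tomcat still fails, the key entry's password is the one that differs, which is the case the quoted HOWTO text is warning about. Two caveats: this applies to the JKS format that keytool produced by default when this thread was written, not to PKCS12, which newer JDKs default to; and putting -storepass on the keytool command line, as one reply suggests, leaves the password in shell history and in process listings, so letting keytool prompt is the safer habit.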