[Update - Success] Adding SSL certificate to Server.xml

 
Marty Finn
Greenhorn
Preface: I know nothing about web servers as you will soon understand but still I am the one that has to get this done. I am walking into this blind.

I am trying to update our Server.xml as per these instructions. But our Server.xml file doesn't have this section to uncomment. I will post our Server.xml below.


___________________________________________
Open the server.xml file.
After uncommenting the SSL/TLS connector from server.xml, locate the following text section:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" />
Add the "keystoreFile" and "keystorePass" directives:
<Factory className="org.apache.coyote.tomcat4.CoyoteServerSocketFactory" clientAuth="false" protocol="TLS" keystoreFile="/full/path/to/tomcat.keystore" keystorePass="changeit" />
Restart Tomcat.
________________________________________________

Any help really appreciated. I am totally lost. I have been reading at apache.tomcat.org and have tried to paste some examples in but then Tomcat Service won't start.

[ August 27, 2007: Message edited by: Marty Finn ]
 
Rene Larsen
Ranch Hand
You can read about the configuration here SSL Configuration HOW-TO

It looks like an easy job: just take the section that should have been uncommented from the documentation (see above) and copy/paste it into server.xml below <Service name="Catalina">
 
Marty Finn
Greenhorn
Yes I did read that yesterday and tried to paste that in right where you mentioned but afterwards the Tomcat service would not load.
 
Rene Larsen
Ranch Hand
Which version of Tomcat do you have 4.0.x or 4.1.x?

Your first post shows a description for 4.0.x (<Factory className="or...), but your server.xml is from a Tomcat v4.1.x to v6.x
 
Marty Finn
Greenhorn
5.0 I think..
 
Ben Souther
Sheriff
With 5, you don't need the <factory ..> tag.
You only need to enter the keystoreFile and keystorePass attributes.

 
Marty Finn
Greenhorn
Thank you. Am I supposed to close this with </Connector>? When I do, the service won't start. When I don't, it starts but https:// to the site does not work.

How can I tell if I have the .java components running that are needed to facilitate this?

-Sorry for being a total noob
 
Ben Souther
Sheriff
It's an XML document so each tag has to be closed.
The example above has no body and doesn't need a separate closing tag.
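What a Tomcat 5.x HTTPS connector looks like once the Factory element from the 4.0 instructions is dropped, as an added example that is not from the thread or from the Tomcat docs. The keystore path and password are placeholders, and keystoreType is only needed if the keystore is a PKCS#12 file built with openssl rather than a JKS file built with keytool:

```xml
<!-- Goes inside <Service name="Catalina"> in server.xml, next to the
     existing port-8080 connector. Path and password are placeholders. -->
<Connector port="8443"
           maxThreads="150" minSpareThreads="25" maxSpareThreads="75"
           enableLookups="false" disableUploadTimeout="true"
           acceptCount="100" scheme="https" secure="true"
           clientAuth="false" sslProtocol="TLS"
           keystoreFile="/full/path/to/tomcat.keystore"
           keystorePass="changeit"
           keystoreType="JKS" />
```

The element is self-closing, so no separate </Connector> follows it. Leave the plain port-8080 connector in place; its redirectPort="8443" must match the port used here. A browser asked for https://ourwebsite.com with no port number tries 443, not 8443, so either forward 443 to 8443 at the firewall or move this connector to 443 (on Unix, binding 443 needs root or a port-forwarding rule). keystorePass sits in server.xml in clear text, so restrict read access to server.xml and to the keystore file to the account Tomcat runs as.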

 
Ben Souther
Sheriff

Originally posted by Marty Finn:
How can I tell if I have the .java components running that are needed to facilitate this?

If you have a valid certificate, all you need to do is tell Tomcat where it is and it should work. You don't need any .java components.
 
Marty Finn
Greenhorn
Thanks again.
I feel like I am getting closer. This is what I have in my server.xml.

I have tried to put the tomcat.keystore in different locations. Can it be copied from where it was created by the keytool commands? The certificate we got from GoDaddy.com had 2 options for creating the .keystore file.

Use the following OpenSSL command to combine the ca bundle (gd_bundle.crt) and your SSL certificate:

openssl pkcs12 -export -chain -CAfile gd_bundle.crt -in <name of your certificate> -inkey <name of your certificate private key file> -out keystore.tomcat -name tomcat -passout pass:changeit

OR

Installing Root and Intermediate Certificates
Root:
keytool -import -alias root -keystore tomcat.keystore -trustcacerts -file valicert_class2_root.crt

First intermediate (gd_cross_intermediate.crt):
keytool -import -alias cross -keystore tomcat.keystore -trustcacerts -file gd_cross_intermediate.crt

Second intermediate (gd_intermediate.crt):
keytool -import -alias intermed -keystore tomcat.keystore -trustcacerts -file gd_intermediate.crt

I chose the second option because "OPENSSL" was an invalid command.

Anyways this is the error I now get in the stdout.log


Thanks Again
[ August 27, 2007: Message edited by: Marty Finn ]
 
Marty Finn
Greenhorn
OK thanks for all the help. I was importing the certificates into the wrong .keystore file.

When I now go to https://localhost:8443 I am prompted about the certificate and our webpage loads. However, from outside, just going to https://ourwebsite.com gives "page cannot be displayed" but plain http:// works.

Any ideas on my next step?
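The two keystore routes from the GoDaddy instructions quoted two posts up, plus a check for the mistake reported in the post above (certificates imported into a keystore that never held the private key), as an added example that is not from the thread or from GoDaddy. Assumed file names: server.key (the key the CSR was generated from), server.crt (the issued certificate), gd_bundle.crt and the three GoDaddy chain files named in the thread; the keystore path and password are placeholders:

```shell
#!/bin/sh
# Added example, not from the thread. Builds the Tomcat keystore by either
# route in the GoDaddy instructions, then checks that the result actually
# holds a private-key entry under the alias the connector will use.
# Assumed inputs: server.key, server.crt, gd_bundle.crt and the GoDaddy
# chain files; keystore path and password below are placeholders.

KEYSTORE="${KEYSTORE:-/full/path/to/tomcat.keystore}"
STORETYPE="${STORETYPE:-jks}"        # "pkcs12" when built with openssl
STOREPASS="${STOREPASS:-changeit}"   # ends up in server.xml in clear text; pick a real one

# Route 1 (openssl): one PKCS#12 file holding key + certificate + chain.
# The server.xml connector then also needs keystoreType="PKCS12".
build_pkcs12() {
    openssl pkcs12 -export -chain -CAfile gd_bundle.crt \
        -in server.crt -inkey server.key \
        -out "$KEYSTORE" -name tomcat -passout "pass:$STOREPASS"
}

# Route 2 (keytool): import the chain, then the issued certificate, into the
# SAME keystore that holds the private key generated for the CSR, with the
# issued certificate under the SAME alias as that key. A fresh keystore, or
# a new alias, leaves only trusted certificates and Tomcat has no key to serve.
build_jks() {
    for pair in "root:valicert_class2_root.crt" \
                "cross:gd_cross_intermediate.crt" \
                "intermed:gd_intermediate.crt" \
                "tomcat:server.crt"; do
        keytool -import -noprompt -trustcacerts \
            -alias "${pair%%:*}" -file "${pair#*:}" \
            -keystore "$KEYSTORE" -storepass "$STOREPASS"
    done
}

# Reads `keytool -list` output on stdin; succeeds only if the given alias is a
# private-key entry. JDK 5 prints "keyEntry", JDK 6 and later "PrivateKeyEntry".
# A "trustedCertEntry" under that alias means the certificate went into the
# wrong keystore or under the wrong alias.
check_listing() {
    grep -E "^${1:-tomcat}, .*(keyEntry|PrivateKeyEntry)" >/dev/null
}

verify_keystore() {
    keytool -list -keystore "$KEYSTORE" -storetype "$STORETYPE" \
        -storepass "$STOREPASS" | check_listing tomcat
}

# Constructed sample listings (not real output from the thread) so the check
# can be exercised without a keystore on hand.
GOOD_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 4 entries

tomcat, Aug 27, 2007, keyEntry,
Certificate fingerprint (MD5): 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
root, Aug 27, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09
intermed, Aug 27, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 2A:3B:4C:5D:6E:7F:80:91:A2:B3:C4:D5:E6:F7:08:19
cross, Aug 27, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 3A:4B:5C:6D:7E:8F:90:A1:B2:C3:D4:E5:F6:07:18:29'

# The wrong-keystore mistake: everything landed as a trusted certificate in a
# keystore that never held the private key.
BAD_LISTING='Keystore type: jks
Keystore provider: SUN

Your keystore contains 2 entries

tomcat, Aug 27, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 0A:1B:2C:3D:4E:5F:60:71:82:93:A4:B5:C6:D7:E8:F9
root, Aug 27, 2007, trustedCertEntry,
Certificate fingerprint (MD5): 1A:2B:3C:4D:5E:6F:70:81:92:A3:B4:C5:D6:E7:F8:09'

# Usage: sh tomcat-keystore.sh pkcs12 | jks | check
case "${1:-}" in
    pkcs12) build_pkcs12 && verify_keystore ;;
    jks)    build_jks    && verify_keystore ;;
    check)  verify_keystore ;;
esac
```

Run `check` after either build and again after any keystore edit; if it fails, the key and the issued certificate are not in the same keystore under the same alias, which is exactly the state that makes the connector start yet serve nothing usable. The keystore file and server.xml should be readable only by the Tomcat service account, since the password is in clear text in both places where it is used.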
 
Ben Souther
Sheriff

Originally posted by Marty Finn:
OK thanks for all the help. I was importing the certificates into the wrong .keystore file.

When I now go to https://localhost:8443 I am prompted about the certificate and our webpage loads. However, from outside, just going to https://ourwebsite.com gives "page cannot be displayed" but plain http:// works.

Any ideas on my next step?

Congrats on the keystore file.
TIP: Document what you did. You won't remember this stuff a year from now when you need to do it again.


If Tomcat is serving up your pages under SSL from within your network or on the local machine, it's working.
Check your firewall settings and/or your port forwarding to make sure that 8443 is both open to the outside world and pointing to the correct machine.
 